The IoT: Time to Get it Right


Somehow the Internet of Things has gone from being a miracle drug for every business, energy, security, transportation, and residential problem to The Plague.

In some dreams, the IoT was the cure-all that would give us everything we wanted to know about a customer based on their shopping pattern, their home activities, and their travels. Those same dreams presented the IoT as the ultimate operational efficiency tool for businesses.

Credit: Pixabay

Are those dreams dashed now that IoT devices have been blamed for the recent distributed denial of service (DDOS) attack on Internet management company Dyn? That attack brought down a lot of websites, particularly in the eastern United States. Maybe it was a sign of a pending return of the Black Death seven centuries later.

Or maybe the IoT needs to be judged in the same way that pro athletes are evaluated: Not really as good as they are on their best days, and not as bad as they are on their worst.

We will be looking more closely at the IoT throughout November.

However, the analyses of the Dyn incident raised some points that are important to keep in mind as we go through this first week of November with our All Analytics Academy program Data Privacy for All, for You.

The Internet traffic that overwhelmed Dyn often came from relatively low-cost consumer devices that were easily targeted with the malware that joined the attack. They didn't have what some call "baked-in security," protection designed in from the start. If you entrust your home, your business, even your family to something like a $100 security system, you get what you pay for.

Security company Forescout has an interesting paper that details the vulnerabilities of seven common IoT devices. In most cases the vulnerabilities turn out to be pretty apparent, and could be fixed with a little extra work at the design phase: flaws such as weak or non-existent credentials or a lack of encryption on IP-connected security cameras.

This "baked-in security" goes hand-in-hand with our A2 Academy session scheduled for Thursday, when Greg Reber of AsTech Consulting will present best practices in "baked-in privacy." (The Academy program opens today with a presentation on customer privacy by Sagi Leiserov of Ernst and Young.) You see, all of those IoT devices that could be used to launch a DDOS attack also could be feeding your private information to someone with evil intent. That information could be your company secrets, personal data about employees, or the financial data of customers.

Greg Reber

One thing we know about baked-in security or privacy is that it makes sense. It's exactly what we wish the folks at Microsoft had done with Windows many years ago, and what we want from mobile apps, corporate devices, and home automation technologies.

Common sense says that we should have baked-in security, but dollars and cents say that we don't. As tech buyers we are as guilty as those companies that build or sell technology. Whether we are buying for ourselves or a giant enterprise, we want technology to be cheap, easy to use, and available now.

Our rush to buy, our distaste for measures like complicated authentication, and our penny pinching justify our tech suppliers' attitude of "just get it to market".

The sad part about what is happening right now with the IoT is that we've known from the start that the IoT presented an opportunity to do it right. We had a chance to redesign networks, build in authentication, and isolate unrelated devices and applications from each other. Instead, we get to wonder who can see what that security camera sees, and where that retail store beacon data really is going.

Maybe it's not too late to tighten up IoT security, to do it right from the start. Let's get off on the right foot by heeding the advice that Greg Reber shares in the A2 Academy on Thursday. Remember, cheap, easy, and available is no way to go through life.


James M. Connolly, Editor of All Analytics

Jim Connolly is a versatile and experienced technology journalist who has reported on IT trends for more than two decades. As editor of All Analytics he writes about the move to big data analytics and data-driven decision making. Over the years he has covered enterprise computing, the PC revolution, client/server, the evolution of the Internet, the rise of web-based business, and IT management. He has covered breaking industry news and has led teams focused on product reviews and technology trends. Throughout his tech journalism career, he has concentrated on serving the information needs of IT decision-makers in large organizations and has worked with those managers to help them learn from their peers and share their experiences in implementing leading-edge technologies through publications including Computerworld. Jim also has helped to launch a technology-focused startup, as one of the founding editors at TechTarget, and has served as editor of an established news organization focused on technology startups and the Boston-area venture capital sector at MassHighTech. A former crime reporter for the Boston Herald, he majored in journalism at Northeastern University.



Re: baked in security
  • 11/14/2016 7:08:34 PM

Lyndon, I have to say I am not that surprised I still see so many people without any protection on their cell phone. It's an afterthought rather than a necessity. To Jim's point, if our devices came with security embedded it would make everyone safer.

Re: baked in security
  • 11/9/2016 12:07:30 PM

Kq4ym writes


It was truly amazing how the DDoS was so widespread and long lasted but the public and device user doesn't yet fully comprehend what's wrong and what needs to be done to prevent future incidents with the barrage of devices now being used and to come massively in future years.

Anecdotal evidence suggests to me that the tendency of both designers and consumers is to get that new IoT product on the market and buy that new IoT toy to play with, and worry about sorting out security disasters when you're actually faced with them...


Re: baked in security
  • 11/9/2016 11:32:58 AM

It was truly amazing how the DDoS was so widespread and long lasted but the public and device user doesn't yet fully comprehend what's wrong and what needs to be done to prevent future incidents with the barrage of devices now being used and to come massively in future years.

Knox Security
  • 11/1/2016 4:09:01 PM

I recently saw it on a poster inside the Metro subway train in DC. Samsung is making a big push for using it on government devices. Any chance Greg will speak to it on Thurs.?

baked in security
  • 11/1/2016 9:30:55 AM

I couldn't agree more about the importance of baked in security. It has to be part of the initial design and setup -- not just a patch put on as an afterthought. I'm really looking forward to the show on this subject.
