Imagine a world of things that serve you: sensors and machines that collect information about everything, including your environment, your presence, your calendar and your diet. At the same time, this world is reshaping your business, including your people and how they perform their roles within your processes. Every device and every sensor can share information, no matter who built it. Every one of those things has a name (a unique identifier), and anyone can find it at any time, for any reason.
Believe it or not, this world is already here.
But there is a key foundational element that should keep all of us up at night, and rarely does because we are too busy and the devices are too convenient: we need to understand fully what our risk is and what methods we use to mitigate or prevent it. The threat is made worse by the temptation to look past it. For a vendor, being first to market is huge, and it trumps security. For a consumer or end user, convenience trumps security.
So how does this apply to our industry (vendor/manufacturers, integrators, end users)? There is a problem. And we need to own it!
More and more companies are beginning to audit their corporate IT infrastructure regularly to determine their risk. And they are beginning to discover that the devices they have put on their corporate network have problems with the way they were specified and purchased (their intended use), the way they were deployed, or the way they are managed over time.
I’d like to tell you a story that underlines the challenge we have.
A company was going through its corporate IT audit, performing internal checks and identifying potential risks. IT wanted to know why the IP address on the access control system's controller had changed. There was no record of the change anywhere.
This would be a challenging question for many value-added resellers (VARs) of security devices. They need to keep a change record for every address, port and credential they alter on an installed device, so that a question like this one has an answer. They need a policy for handling the default passwords provided by the manufacturer. They need to train their people to change those passwords at deployment, and to protect their clients' passwords afterward. And they need to offer a regular service for checking the network protection of the security devices they have installed.
The end user has to do the same, and must make sure the passwords are changed if they switch vendors.
Other loopholes turn up in deployment policy and practice as well. For example: ports are left open; devices are found whose firmware caps passwords at four characters; devices ship from the manufacturer responding to common protocols by default; and an audit scan can itself end up changing the password on a device.
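As an added example (not part of the original article), here is a small baseline-audit script of the kind a VAR's regular checking service, or an end user's internal audit, could run against an inventory of installed security devices. It is constructed for illustration: the device names, addresses, port sets and the 12-character threshold are assumptions, and the scan results would in practice come from a network scanner and a credential check rather than the hard-coded records shown. It flags the gaps described above: an IP address change with no change record, ports open that were never approved, a device that still accepts the vendor default login, and firmware that caps password length below a sensible floor.

```python
"""Baseline audit of installed security devices (added example, constructed data).

Compares the record made at deployment (the baseline) with what a later scan
finds, and reports every difference that has no matching change record.
Device IDs, addresses, ports and thresholds below are assumptions, not data
from any real site.
"""
from dataclasses import dataclass

# Assumed policy: firmware must accept passwords at least this long.
MIN_ACCEPTED_PASSWORD_LEN = 12

# Services commonly found left enabled on devices; used only to label findings.
SERVICE_NAMES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}


@dataclass(frozen=True)
class Baseline:
    """What the integrator recorded at handover."""
    device_id: str
    ip: str
    approved_ports: frozenset


@dataclass(frozen=True)
class ScanResult:
    """What a periodic network scan plus credential check found."""
    device_id: str
    ip: str
    open_ports: frozenset
    accepts_default_login: bool  # scanner tried the vendor default credentials
    max_password_len: int        # longest password the device's firmware accepts


def audit(baselines, scans, change_records):
    """Return a list of (device_id, finding) pairs.

    change_records holds (device_id, field) pairs for changes that were
    approved and documented; only undocumented differences are reported.
    """
    findings = []
    by_id = {b.device_id: b for b in baselines}
    seen = set()
    for s in scans:
        seen.add(s.device_id)
        b = by_id.get(s.device_id)
        if b is None:
            findings.append((s.device_id, "on the network but has no deployment record"))
            continue
        if s.ip != b.ip and (s.device_id, "ip") not in change_records:
            findings.append((s.device_id, f"IP changed {b.ip} -> {s.ip} with no change record"))
        for port in sorted(s.open_ports - b.approved_ports):
            name = SERVICE_NAMES.get(port, "unknown service")
            findings.append((s.device_id, f"port {port}/tcp ({name}) open but not approved"))
        if s.accepts_default_login:
            findings.append((s.device_id, "still accepts the manufacturer default password"))
        if s.max_password_len < MIN_ACCEPTED_PASSWORD_LEN:
            findings.append((s.device_id, f"firmware caps passwords at {s.max_password_len} characters"))
    # Devices recorded at deployment that the scan no longer sees.
    for device_id in sorted(by_id.keys() - seen):
        findings.append((device_id, "in deployment record but not found on the network"))
    return findings


# Constructed sample data: one access-control controller whose address moved
# without a record (the audit question in the story above), one camera whose
# address change was documented, and one panel that has gone missing.
SAMPLE_BASELINES = [
    Baseline("ACS-CTRL-01", "10.20.5.10", frozenset({443})),
    Baseline("CAM-LOBBY-02", "10.20.5.20", frozenset({443})),
    Baseline("PANEL-ALARM-03", "10.20.5.30", frozenset({443})),
]
SAMPLE_SCANS = [
    ScanResult("ACS-CTRL-01", "10.20.5.77", frozenset({443, 23}), True, 4),
    ScanResult("CAM-LOBBY-02", "10.20.5.21", frozenset({443}), False, 64),
]
SAMPLE_CHANGE_RECORDS = {("CAM-LOBBY-02", "ip")}


def run_sample():
    """Audit the constructed sample and return the findings."""
    return audit(SAMPLE_BASELINES, SAMPLE_SCANS, SAMPLE_CHANGE_RECORDS)


if __name__ == "__main__":
    for device_id, finding in run_sample():
        print(f"{device_id}: {finding}")
```

The controller produces four findings and the camera none, because its address change has a change record; the missing panel is reported separately. In a real service the change-record set would be the integrator's ticketing or change-management export, and the scan results would come from the scanner run on a fixed schedule, so that the report answers "why did this change?" before the client's IT audit asks.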
Security Risk Management Services (SRMS) providers now have to be proactive, addressing the concern up front in organizational risk assessments: asking about the company's audit practices and whether cyber testing is included in its technology assessments.
SRMS providers need to look at contracts, proposals and their own IT infrastructure as well. Their clients may not yet have a language for describing what they want or need, but providers need to ask the right questions about the client's practices, the technology vendor's practices and their own.
This is not the Insecurity Profession. It is the risk, resilience and security profession. As an industry, we need to move quickly to secure the core before we rush to innovate with new devices and new solutions.