Home > On-Demand Archives > Talks >
Comprehensive Cyber Hygiene of IoT Systems
John Gallagher - Watch Now - EOC 2020 - Duration: 29:53
Security cameras are the most deployed “IoT” devices according to IT managers in a recent study by Spiceworks and Cradlepoint. Security of IoT devices is the highest concern of these IT managers. In addition, according to a recent Harvard Business Review survey of facilities managers, more than 60% of successful cyber attacks against organizations come through IoT building systems, with video surveillance the number 2 place for such attacks to be launched from. Despite the clear and urgent imperative for comprehensive cyber hygiene of physical security systems, it is not happening very quickly. There are both new processes that need to be added, and existing processes must become more automated. While many organizations are aware of the need to update firmware, they are not yet aware of other cyber hygiene capabilities like using TLS or 802.1x certificates at the device level, or having a comprehensive password management process. The learning objectives for this session will be to understand that comprehensive cyber hygiene must incorporate management of passwords, firmware, and certificates, and to best achieve that at scale.
Hi Brian -
Thanks for the great question. In most cases the firmware does not have any "trust" associated with it; IP cameras for example do not come signed by any authority. We've built in a step where the firmware is checked-in and tested on one device; if it is successful it can then be entered into a library of valid/trusted firmware. Only from that trusted library can firmware be deployed. It is a one-time operation, and we have some integrators/MSPs who do that for the end-user so it is not such a burden. Also, most organizations do not have an infinite number of device types; for the limited number they have this is a good approach as it can be operated at scale (e.g. a customer who has 20 types of IP cameras, 1000 total, and updates the firmware would have to set up 20 profiles initially; a lot of time savings compared to 1000 cameras being manually updated). As more firmware comes signed or with other trust associated with it that process can be improved.
Very interesting, thanks!
Thank you for the informative presentation!
Thanks for putting together a very interesting presentation. Regarding your process for firmware management (slide 18), I note that you begin with defining the desired f/w version for each IOT device make and model; however that process of definition is surely a major non-trivial exercise. I can't believe that every f/w release is accepted from each manufacture without a certain level of due diligence. How can a particular release be trusted to work, to not compromise security and be free of malware? Does Viakoo get involved in the quality analysis of f/w releases or is this left to customers?