Incident Response: Getting a Step Ahead of Cybercriminals
by Rishi Bhargava
This article is the second in a two-part series. Read the first part here.
If you are a CISO, it is likely that you are already feeling a chill as you ponder the many different ways that IoT devices can be compromised. Recent studies are probably not going to help you sleep any better. (1)
- A recent study conducted by Hewlett Packard found that 70 percent of the most popular IoT devices were vulnerable.
- The study showed an average of 25 vulnerabilities per IoT device.
- At a conference in 2014, a corporate security consultant revealed that he had hacked the Tesla Model S smart car. Although the car could not be driven, it was relatively easy to locate and unlock the car to steal the contents secured in the trunk and passenger cabin.
- A Linux worm targeting IoT devices infected tens of thousands of connected devices around the world in 2014.
Obviously, the emergence of IoT increases security risks. This means that you will eventually have to respond to an incident involving a connected device, if you have not already suffered such an attack. How, then, can you get a step ahead of the cybercriminals? The following tips can help you adapt your incident response plan to manage IoT-related attacks.
- Identify mission-critical connected devices. If an employee opens an email attachment infected with malware, containing the threat may be as simple as removing the computer from the network. If a smart car is compromised, you can simply remove its valuable contents and secure the car in a garage. But suppose you are responsible for a power plant with a connected turbine. Identifying the connected devices whose compromise would have the most disastrous consequences allows you to develop a response plan that minimizes the damage.
- Modify the incident response plan to include IoT devices, and document the changes. Consider running a tabletop exercise to make sure that the entire team responsible for response is aware of the plan and ready to act on it. Because IoT is a new area, it may be best to conduct this exercise a few times a year and analyze the results after each one.
- Be prepared to modify your incident response plan whenever regulations change. Although most experts consider the healthcare industry to have the most stringent regulations, the fact remains that all industries are subject to a variety of regulations involving the protection of personally identifiable data. As IoT devices become more abundant, expect to see new regulations passed and existing regulations strengthened. Make sure that your response plan can be quickly adjusted to protect your data and maintain compliance, to avoid fines or penalties.
- Invest in the right tools. Your response strategy must be built upon technology, and with technology changing rapidly there is no guarantee that a five-year-old incident response plan incorporates the right tools for today’s threats. Using automation technologies for incident response will help you respond faster and with better accuracy. Security automation platforms such as Demisto can connect with a plethora of security tools and respond with speed at the time of an attack.
- Make sure your plan includes all of the people who will be involved. IoT security is likely to require incident response to be more of a group effort than an IT function. Your response plan will likely need to include legal, human resources and public relations, but it may also involve plant managers, receptionists and operations personnel. Your incident response plan must account for all of the different people who will be involved. Clearly define their roles and set expectations for each of them.
IoT offers many benefits, but connected devices also increase risks. Connected devices are seldom under your physical control. Users are not likely to be any more security-conscious than they have already demonstrated. Furthermore, BYOD and similar trends can dramatically increase the categories and numbers of devices you must protect. Perhaps the most important thing to remember is that you cannot prevent all attacks; you can only prepare to respond to them.
Rishi Bhargava is the co-founder and vice president of marketing at Demisto.