Blindsided by the IoT?

An FBI official tells the Boston Fed’s cybersecurity conference that knowing about the Internet of Things and adapting to it are very different things

The Internet of Things (IoT), software-defined networks (SDN), cloud-based services and network virtualization (NV) don’t sound like emerging technologies. They have all been around for more than a decade – that’s multiple generations in the high-tech world.

But according to Dr. James Burrell, deputy assistant director at the FBI, they are indeed still emerging. Burrell told an audience at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference that, “what really matters is the rate of adoption and the rate of adaption within organizations. That impacts the risk calculus.”

And he said while everybody is very much aware of the IoT, they are likely not ready, at the adoption or adaption level, for the Internet of Everything (IoE).

Burrell, one of seven speakers at the one-day event, added that this is not just coming from a government official. He cited John Chambers, former CEO of Cisco, who has said the IoE, “will be more impactful in the next five to 10 years than the entire Internet has been to date.”


Technology brings opportunities with it, of course, he said, but the “amazing rate” of advancement in online technology makes it difficult for organizations, “to align the risks and opportunities of technology.”

To do so, he said, will require, “a paradigm shift in thinking.” And that shift has a long way to go to reach critical mass.

The world of designing apps and software technology is, “almost like 20 years ago, with people doing it in their basements and garages,” he said.

“And security is not their No. 1 concern – the demands of consumers is. You can say you won’t buy what they’re making, but your employees and your customers are. You’re going to be forced to deal with it.”

Burrell said when smartphones and BYOD became common a decade ago, businesses were quick to see the opportunities it offered, “but they didn’t understand the security of the technology. And that’s nothing compared to what the IoT is going to do to you if you’re not prepared.”

The billions of devices that make up the IoT – expected to reach 21 billion or more within the next four years – “are not standardized, like mobile devices,” he said. “And the issue is not that somebody knows the temperature of your (smart) refrigerator. It’s that it is a vector – a way to get into your network.”

And he said the price of tools for cyber criminals keeps getting cheaper. “They can get open-source software to override your door locks for zero – nothing,” he said.

The cloud is equally transformative and risky. “I have to convince everyone that the cloud is not just a way to do things faster,” he said. “It’s a game changer. You’ll be able to do things you’ve never been able to do before, but unauthorized cloud use by employees, especially in the storage arena, is a huge risk to your organization.”

Added to that is a lack of fundamental security awareness, even at the IT level, within organizations. He referred to one, unnamed, large company that he said, “had all the best tools, but had them on default configurations, so they got breached.”

Burrell offered a number of recommendations to keep current with risk management. One is to keep current with academic research. “There are thousands of articles,” he said. “It’s worth having one of your people look at the research for finding risk.”

Another is to use the NICE (National Initiative for Cybersecurity Education) framework for things like improving attack detection in the cloud.

Yet another is to use his agency – the FBI – for malware analysis. “We have an auto-analysis and repository system, which can get you a response in two minutes,” he said. “We get trending data that goes on our classified side.

“If you use us, you might not have to hire forensics people, which could cost you $60,000 or more,” he said.

The key, he said, is to try to maintain some control over hardware and software, and then vet the apps used on it. “That’s the way to a more secure environment,” he said.


Stories by Taylor Armerding
