A single hacked IoT device may not be much cause for alarm – yet. But when such devices are incorporated into a vast botnet such as Mirai (Japanese for “the future”), they can become part of large-scale network attacks reaching right into people’s living rooms, home offices, and even giant corporations.
Consider some of Gartner’s recent predictions when it comes to technology and security:
- Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.
- By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.
- By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, an increase from less than 30% in 2016.
- By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk.
- By 2018, 25% of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls.
There are ways programmers, businesses and individuals can get ahead of these predictions. It is vital to recognise that changing an enterprise’s architecture by incorporating IoT will increase its exposure to threats. Enterprises should assign business ownership of IoT security, focus on vulnerable or unpatchable IoT devices, and increase IoT-focused budgets. Companies will also need enterprise-wide data security governance. Once gaps are identified, they will be easier to close. Even the purchase of cyber insurance may be critical.
Of course, there are already security protocols in place. Oracle, which purchased Java from Sun Microsystems, for instance, regularly offers critical patch updates (CPUs) for multiple security vulnerabilities. Oracle states on its website, however, that there are periodic reports of attempts to maliciously exploit vulnerabilities for which it has already released fixes. In some instances, attackers have reportedly succeeded because the targeted customers had failed to apply these specific patches. The responsibility rests more than ever on the consumer and programmer to check that all CPUs are applied.
In its most recent version, Java security technology includes a large set of Application Programming Interfaces (APIs), tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols were developed to protect the privacy and integrity of data while it is transferred across a network. TLS, and its predecessor SSL, support many different methods for exchanging keys, encrypting data, and authenticating message integrity. The connection is private because symmetric cryptography is used to encrypt the transmitted data; through the TLS handshake protocol, the keys for that encryption are created specifically for the connection, negotiated secretly between client and server at the start of a session. Public-key cryptography is used to authenticate the communicating parties. A message integrity check using a message authentication code ensures that any change to the data in transit is detected. Another TLS property, available only with the correct configuration, is forward secrecy, which ensures that if a party’s long-term keys are disclosed later they cannot be used to decrypt past communications. In Java, the Java Secure Socket Extension (JSSE) provides these protocols and enables secure internet communications.
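As an added illustration of the JSSE configuration just described (example code, not from the original article or from Oracle), this client restricts a JSSE socket to TLS 1.2/1.3 and to forward-secret cipher suites, and turns on hostname verification, which a raw `SSLSocket` does not perform by default. It assumes Java 11 or later and uses `example.com` on port 443 as a placeholder host.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ForwardSecretClient {

    // Keep only suites with an ephemeral key exchange: all TLS 1.3 suites
    // (TLS_AES_*, TLS_CHACHA20_*) and the ECDHE suites of TLS 1.2. Static
    // RSA key transport (TLS_RSA_WITH_*) is dropped: if the server's private
    // key leaked later, every recorded session that used it could be decrypted.
    static String[] forwardSecretSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")
                    || suite.startsWith("TLS_ECDHE_")) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[0]);
    }

    static SSLSocket connect(String host, int port)
            throws IOException, GeneralSecurityException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        // Refuse SSLv3, TLS 1.0 and TLS 1.1 outright.
        socket.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        socket.setEnabledCipherSuites(forwardSecretSuites(socket.getSupportedCipherSuites()));
        // The default trust manager validates the certificate chain but does not
        // check that the certificate is for `host`; endpoint identification does.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on any failure
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        try (SSLSocket s = connect(host, 443)) {
            System.out.println("protocol: " + s.getSession().getProtocol());
            System.out.println("suite:    " + s.getSession().getCipherSuite());
        }
    }
}
```

If the negotiated suite printed is not a TLS 1.3 suite or a `TLS_ECDHE_*` suite, the server is not offering forward secrecy for this connection.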
The APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. This is relevant across a multiplicity of industries. For example, PokerStars uses TLS to protect the integrity of the data flowing through its systems. It cannot be denied that now, more than ever, data, and the protection of data, remains an overwhelming priority. Companies must compete not only on their offering, but also on their ability to steadfastly protect the privacy and details of their clients.