Billions of Internet of Things (IoT) devices are already in use, and according to Wikipedia more than 50% of major new business processes and systems will include an IoT component by 2020, which will increase the number of connected devices to 30 billion. The prediction also indicates that the global market value of the Internet of Things is expected to reach $7.1 trillion by 2020. It is therefore inevitable that the IoT will be one of the major targets of criminals.

Efforts are underway to mitigate the security vulnerabilities of IoT. The Internet of Things Security Foundation (IoTSF), which was launched on 23 September 2015 with a founding board drawn from technology providers and telecommunications companies, is one good example. The foundation was launched with a mission to secure the IoT by promoting knowledge and best practice.

In addition to minimizing the problems that emerge with the technology, securing IoT will also be a good source of income. Big companies have already noticed this and started to invest in it. According to Wikipedia, the overall IoT security market would grow at a 27.9% rate during 2016–2022.

The efforts of researchers and information security specialists to educate consumers are playing a great role in raising public awareness of the vulnerability of IoT. Research papers indicate that consumer awareness is somewhat significant. Intel Security recently conducted a survey which revealed that users have high expectations for smart technology: 77% believe that smart home devices will be as universal as smartphones by 2025, but the vast majority, 92%, are concerned about the privacy and security issues that come with them.

A list of twelve security tips for both consumers and businesses of IoT devices, provided in 2016 by a global information services company, Fingersh of Experiana, is one of the efforts to educate consumers.
The security tips include ensuring that products are from reputable companies, that providers of IoT products have clear privacy policies, and that access to these systems is always closely guarded; being aware that data from any smart device may make its way to uncontrolled third parties; requiring more than just credentials for access to systems in order to prevent unauthorized access; and so on.

Regardless of all these best efforts, breaches will happen, as there will always be vulnerabilities to some degree. One of the main factors that makes security assessment of IoT systems challenging is the complexity of IoT devices and the limited storage and processing capability they have. These small capacities and capabilities are at odds with existing cryptography principles. To secure devices and networks, applying security intelligence to detect and mitigate vulnerabilities or issues is not enough. Predicting and proactively protecting against potential security threats plays a key role in the overall security process of the Internet of Things. Some of the approaches used to predict security issues are threat modeling, applying monitoring tools, and applying artificial intelligence to adjust security strategies.

Therefore, authentication and authorization of IoT devices, and applying updates and patches to the hardware and software that run them, are highly recommended, if not mandatory, in order to benefit from IoT technology with minimum risk to security and privacy. Applying updates and patches regularly is only the first step; the next challenge is to secure the communication between the IoT devices and cloud services (systems) or applications, as it is made up of device sensors and applications.
For example, a shipment tracking system with many software components uses smart algorithms to help the sensors and devices communicate and ensure the work is done safely and securely.

It is recommended to secure the IoT device's data in transit with Transport Layer Security (TLS), as it provides encrypted communication to prevent interference and creates trust between server and client. This is done by the server certifying the client's validity and sometimes even validating client-specific certificates.

IoT data is accessed and managed using web, cloud, and applications, so these need to be secured in order to make IoT secure. Therefore, as the number of IoT consumers is increasing fast and they use the service on a daily basis, all categories of companies that have a direct or indirect relation to IoT devices should consider all the directly and indirectly related devices, as all of these things work together.

Regardless of the efforts to mitigate information security attacks, almost all sectors and systems have been hacked; sales machines, heating and cooling systems, rail transit, and commercial aircraft are some good examples. This clearly indicates that securing connected devices is not yet successful. Encryption has been one of the tools to secure connected devices, but more needs to be done.

Considering the complexity of today's attacks and the fast growth in the use of connected devices, five steps are recommended to make IoT secure. Managing security at every level of IoT is the first step to take. Hospitals are a good example: almost all the devices and systems used to monitor patients are connected to a network, but only a few have some kind of security implemented on them. Each and every device and layer of technology needs some level of security implemented.

The second step is to protect the identity of objects and users. Twenty years ago, nobody thought that security would be an issue to the extent it is today.
Unfortunately, technology is making consumers more and more vulnerable in line with the benefits it is providing them. Firewalls are no longer enough to protect against or mitigate an attack; next-generation technology needs to be built with identity protection embedded in it.

According to the Open Web Application Security Project (OWASP), a worldwide non-profit organization, passwords are becoming the targets of attacks as more and more attackers use weak passwords, poor credentials and insecure password recovery mechanisms to launch an attack. Therefore, as a third step, eliminating the use of a password and incorporating it with identity seems a timely issue.

The fourth step is to implement multifactor authentication. Insufficient authentication is common in organizations nowadays, which might expose interfaces to external users. As the password will be eliminated, implementation of multifactor authentication will definitely make the network stronger. A smart card with a provisioned digital certificate is a good example.

The last step is identity protection. With the introduction of cloud-based services, certificates from many vendors are available. So the main emphasis should be on identity and not the gateways, as a digital certificate cannot be copied.

In addition to the efforts underway, more needs to be done to strengthen the security of the IoT. This can be accomplished by conducting in-depth research and deeper discussions among leading experts, engineers, IoT device manufacturers, and IoT security companies.
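
The TLS recommendation earlier in this article, with certificates identifying both the cloud service and the device, can be checked in code. The following is an added example, not part of the original article: it builds a device-side and a server-side TLS context with Python's standard `ssl` module and audits them against a weak configuration. The function names and the optional certificate file paths are illustrative assumptions.

```python
import ssl

def device_client_context(ca_file=None, cert_file=None, key_file=None):
    """Context for an IoT device connecting to its cloud service."""
    # create_default_context() enables certificate and hostname verification.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:  # device identity certificate, presented for mutual TLS
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def cloud_server_context(ca_file=None, cert_file=None, key_file=None):
    """Context for the cloud endpoint that only accepts known devices."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Server-side default is CERT_NONE; require a valid client certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def weak_device_context():
    """Constructed counter-example: encrypts traffic but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def audit_context(ctx, role):
    """Return a list of findings for a context used as 'device' or 'server'."""
    findings = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "device" and not ctx.check_hostname:
        findings.append("server hostname not checked")
    return findings

if __name__ == "__main__":
    for name, ctx, role in [
        ("hardened device", device_client_context(), "device"),
        ("hardened server", cloud_server_context(), "server"),
        ("weak device", weak_device_context(), "device"),
    ]:
        print(name, "->", audit_context(ctx, role) or "ok")
```

In a deployment, `ca_file` on the server side would point at the CA that issues device certificates, so that only provisioned devices complete the handshake.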