Is the FTC Jumping the Gun on IoT Security?

For months, the security community has been waving a red flag about how the nascent Internet of Things could become a cybercriminal’s paradise. Last week, those admonitions were given some credence when the Federal Trade Commission recommended that the makers of IoT gadgets adopt some “best practices” to protect consumers from potential violations of their privacy and security.

In its report, the agency noted that the IoT is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars, household appliances and other applications.

Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits, the report added. However, it also warned that connected devices raise numerous privacy and security concerns that could undermine consumer confidence.

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in a statement.

“We believe,” she continued, “that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

Best Practices

The best practices recommended by the commission include:

  • Building security into devices at the outset, rather than as an afterthought in the design process
  • Training employees about the importance of security, and ensuring that security is managed at an appropriate level in the organization
  • Ensuring that when outside service providers are hired, those providers are capable of maintaining reasonable security, and providing reasonable oversight of the providers
  • Adopting a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk
  • Implementing measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network
  • Monitoring connected devices throughout their expected life cycle and, where feasible, providing security patches to cover known risks

Superficial Analysis

The commission’s recommendations stem from a workshop it held on the IoT in November, as well as public comments submitted to the agency. While the best practices are mere suggestions without the force of law, critics have already started condemning the move as a backdoor attempt to regulate the IoT.

“At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” TechFreedom President Berin Szoka said in a statement.

“Since 2010,” he added, “we’ve seen a radical change. The purpose of FTC workshop reports is no longer to produce a better understanding of complex consumer protection issues. Instead, the chairman and a small number of FTC staffers now seek to use workshop reports to put the agency’s institutional weight behind their own agenda, which is driven more by a neo-Naderite ideology than rigorous analysis.”

Geoffrey Manne, executive director of the International Center for Law & Economics, also found the commission’s analysis of the IoT superficial.

“The Internet of Things is a nascent and fast-evolving area,” he said in a statement. “To make specific recommendations on the basis of little more than staff impressions of cherry-picked comments about theoretical harms from a one-day workshop — without undertaking any real analysis of any meaningful data — amounts to regulatory malpractice.”

Raising Awareness

Others, however, praised the commission’s actions as a temperate approach to what could become an expansive attack surface for Net bandits.

“You don’t want to take the approach that the sky is falling,” said Eset senior researcher Cameron Camp. “You want to educate and talk about the network risks without fear mongering.”

Most consumers and organizations aren’t aware of the risks IoT devices pose to them. “There’s a tendency for people to think of them as toys and not network-connected computers,” Camp told TechNewsWorld. “If they’re compromised, they can be used to attack other things on a network.”

Through its best practices, the FTC is helping to get that message out, Camp noted. Moreover, he added, “They’ve added legitimacy to the conversation.”

“For the FTC to say, ‘This is something real, something we need to think about, something we need to do well as an industry and something consumers need to understand’ legitimizes the question, which is great.”

Stalking Shadow IT

Programs like Dropbox and Salesforce have attracted many happy corporate users — to the chagrin of many IT departments. Those programs are part of something called Shadow IT, and because they can be repositories for sensitive corporate information outside the control of IT, they’re seen as a threat to data security.

“None of the existing perimeter security tools have any visibility into what employees are doing inside applications like Salesforce or Google Apps or Box,” explained Adallom vice president for marketing Tal Klein.

“Even if you have the best security software in the world,” he told TechNewsWorld, “the minute a user logs into a SaaS [Software as a Service] application over an outside network, the company is unable to protect its data inside those applications in an effective manner.”

What the Adallom and FireEye solution does is give an organization visibility into the SaaS application — either through the app’s APIs or through a proxy — as well as identify any threats lurking in the app.

While Adallom and FireEye are market leaders now, that lead may be short-lived. “We expect the market to build up over the next year or so as more and more companies adopt cloud applications like Salesforce and Google Apps,” Klein said.

Better With Age

Java will be turning 20 this year, and it appears to have come a long way from the days when it was so riddled with vulnerabilities that security experts and some computer makers were recommending that users stop using it.

A recent analysis by Coverity of eight million lines of open source code in 100 of the top Java projects found only three defects per 1,000 lines of code, which is higher than C/C++’s one defect per thousand, but still pretty darn good.

“One thing we’ve seen in the last couple of years is Java adding additional safe programming techniques to avoid runtime errors completely,” explained Coverity director of product management James Croall.

“It’s ironic because these advancements in Java make our life at Coverity more challenging,” he told TechNewsWorld. “Because Java is becoming safer, that means we have to look harder for defects.”

Breach Diary

  • Jan. 26. Hacker group known as Lizard Squad defaces Malaysian Airlines website and vows to release data stolen from the site. Airline denies any data was taken from its computers.
  • Jan. 26. LexisNexis Risk Solutions releases annual True Cost of Fraud report that includes finding that every US$100 of mobile payment fraud cost merchants $334 in 2014, up from $283 in 2013.
  • Jan. 26. ISO 27001 publishes infographic that includes finding that data breach incidents increased 27.5 percent, from 614 in 2013 to 783 in 2014.
  • Jan. 26. Former CIA employee Jeffrey Sterling convicted of violating U.S. Espionage Act.
  • Jan. 27. U.S. District Court Judge in St. Louis caps at $500,000 the amount Schnuck Markets must pay processing companies due to data breach affecting supermarket chain from December 2012 to March 2013.
  • Jan. 27. House Committee on Commerce, Manufacturing and Information holds public hearing on “What Are the Elements of Sound Data Breach Legislation?”
  • Jan. 27. SailPoint releases survey that includes finding that one in seven employees would sell their corporate password for as little as $150.
  • Jan. 28. Google states it fought to lift all gag orders relating to WikiLeaks from January 2011 to 2014, when it was given permission to notify three journalists working for WikiLeaks that their emails and other data were sought by the U.S. government.
  • Jan. 29. Reps. Joe Barton (R-Texas) and Bobby Rush (D-Ill.) file bill authorizing Federal Trade Commission to set nationwide data security standards for companies handling sensitive data, such as full names, Social Security numbers, ID information and credit card information.
  • Jan. 30. Verizon Wireless offers customers opt-out option for targeted advertising program that uses perpetual tracking “supercookies.”

Upcoming Security Events

  • Feb. 3. Data Privacy & Protection Day Town Hall. Bryan Cave LLP, 1290 Avenue of the Americas, 35th Floor, New York City. Registration: morning town hall and breakfast, $20; afternoon workshop, $275.
  • Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
  • Feb. 5. Data Privacy & Protection Day Town Hall. Holland & Knight LLP Conference Center, 800 17th Street N.W., Washington, D.C. Registration: morning town hall and breakfast, $20; afternoon workshop, $200.
  • Feb. 6-7. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 7-8. #Disastertech Hackathon. Ernest N. Morial Convention Center, New Orleans. Registration: free, but limited to 50.
  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Open sessions pass: $25; conference pass: $165; SecureWorld plus training: $545.
  • Feb. 12. President Obama’s New Personal Data Notification & Protection Act: Overview, Analysis, and Challenges. 3 p.m. ET. webinar sponsored by ID Experts. Free with registration.
  • Feb. 17. Cyber Threat Spotlight: Social Domains–Fraud’s New Frontier. 1 p.m. ET. BrandProtect webinar. Free with registration.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 19. Secure Because Math: Understanding Machine Learning-Based Security Products. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown, 5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Md. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

1 Comment

  • IoT presents a mix of opportunities and risks (after all, it creates a much broader landscape with numerous potential entry points). And, by nature, this seamless network will play host to an abundance of potentially valuable data. Bottom line is that IT needs to evolve its security approach and continue to educate the user base on the best practices.

    Peter Fretty, IDG blogger working on behalf of Cisco
