If you think our security sitch is bad now, wait till you get a load of the internet of things

There seems to be news of a new massive security breach every day — the latest being the eBay mess. The good news is that because of these snafus, people are starting to get that bad browsing behavior and non-updated software on their smartphones, tablets and PCs can lead to problems.

But there’s a rash of shiny new devices connecting to the internet that are also vulnerable to remote attack, and that requires a new way to think about security — and this will be a topic at the upcoming Structure show in San Francisco June 18-19. And then there is an array of less glamorous connected things that predate the IoT hype cycle, and that most people don’t even think about as being vulnerable. Your printer, for example, could be a disaster waiting to happen, said Patrick Gilmore, CTO of Boston-based data center provider Markley Group (and former network architect at Akamai).

At MIT’s CIO Symposium on Wednesday, Gilmore asked a roomful of IT professionals: “How many of you would be upset if every document you ever printed was read by someone you didn’t intend to see it?” It’s safe to say 100 percent of that room would be unhappy about that.

When people build printer cards, which have IP addresses, “they’re not thinking about stack overflow or checking to make sure that the person sending the print command is the person that should be sending that command. These devices need to be secured but are not even considered in most CIOs’ security plans,” Gilmore said.

Broad connectivity, more data = higher stakes

So more data is getting generated and collected by more devices. And to complicate matters, the lines between hacktivists, state-sponsored hackers and industrial spies are disappearing. Consider a scenario where your top competitor could, with the right help, read every document your CEO or CFO or general counsel ever printed. Scary, no?

Joseph Hadzima, senior lecturer with the Martin Trust Center for MIT Entrepreneurship, who moderated a security and privacy panel, painted a scary world where baby monitors get hacked and cars are remotely commandeered. The stakes have certainly changed but the tools used till now to secure our stuff have been overmatched for some time. What does it say when Symantec, an anti-virus company, admits that anti-virus is dead?

Mark Morrison, SVP and Chief Information Security Officer for State Street, agreed with Gilmore that two-factor authentication is table stakes now. But companies need to go further.

Morrison wants to just nuke passwords altogether. “They’re a complete waste of time,” he said. For one thing, they need to be 14 to 16 characters long to be even marginally useful, but at that point people end up writing them down on stickies, which defeats the whole purpose.

Enterprises need to proactively monitor threats and make sure their infrastructure evolves accordingly. The message out of MIT was that no one can stop every attack, but companies can make it less worthwhile, harder and more expensive for bad guys to attempt attacks in the first place. And they need to be acutely aware that a layered security solution has to cover non-traditional gizmos that are connected to the network.

Yes, the printer too.