5 Steps to Keep Networks Secure in an IoT World

Morey Haber, Chief Technology Officer
July 20th, 2016

As IoT devices become more commonplace, there is a need to ensure that they do not represent an unnecessary security risk to standard business operations. Unfortunately, it has already been proven that many of these devices are insecure by design, have unresolvable flaws, and can be leveraged to compromise an entire organization. In this blog I will review five steps every business should take today to keep its network secure, and offer some recommendations to adopt today.

5 Steps to Keep Your Network Secure

1) Segment networks

Using basic capabilities in modern network routers and switches, all IoT devices should be networked using separate wireless networks and VLANs. All communications from IoT networks to critical servers, databases, and workstations that should not communicate directly with the devices should be explicitly blocked. This helps ensure that if an IoT device is compromised, it cannot directly be leveraged to steal critical information. If possible, all communications from IoT networks to the Internet and other trusted networks should be monitored to identify any anomalous behavior.

2) Change all passwords

Almost all IoT devices ship with default passwords for initial configuration. End users should change all default usernames AND passwords on these devices, use complex passwords, and consider changing them on a regular basis.

3) Update firmware

Make sure that you maintain the latest firmware and security patches on all IoT devices to mitigate any emerging threats and identified vulnerabilities that could be leveraged against the devices.

4) Don’t place the device directly on the Internet

Never place IoT devices of any type directly on the Internet with public IP addresses. It is just a matter of time before they will be compromised or subject to a DDoS attack. IoT devices are based on very simple networking technology and are not robust enough to withstand all the potentially malicious IP traffic on the Internet.

5) Prevent shadow IT with discovery

Shadow IT is another buzzword for rogue devices and unsanctioned assets. Make sure any IoT devices placed on your network are approved and follow the steps above. Shadow IT based on IoT could easily violate many of your security policies and introduce a threat. Standard network discovery tools can find these rogue devices and help place them under proper management.
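
Steps 1, 4 and 5 can be checked together against the output of a discovery scan. The following is an added example, not code from the original post: the subnets, MAC addresses and inventory rows are constructed, and the policy names (IOT_SUBNETS, CRITICAL_SUBNETS, APPROVED_MACS) are assumptions to be replaced with your own values.

```python
import ipaddress

# Assumed site policy (hypothetical values constructed for this example).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IOT_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]       # dedicated IoT VLAN
CRITICAL_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]  # servers, databases
APPROVED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:04"}

# Constructed discovery-scan output: (mac, ip, device_type).
# 203.0.113.9 is a documentation address standing in for a public IP.
DISCOVERED = [
    ("00:11:22:aa:bb:01", "10.50.0.21", "camera"),
    ("00:11:22:aa:bb:02", "10.10.0.40", "thermostat"),
    ("00:11:22:aa:bb:03", "10.50.0.77", "smart-tv"),
    ("00:11:22:aa:bb:04", "203.0.113.9", "dvr"),
]

def in_any(ip, networks):
    return any(ip in net for net in networks)

def audit(devices):
    """Return {mac: [findings]} for every device that violates the policy."""
    report = {}
    for mac, ip_text, _kind in devices:
        ip = ipaddress.ip_address(ip_text)
        findings = []
        if mac.lower() not in APPROVED_MACS:
            findings.append("unapproved device (step 5)")
        if not in_any(ip, RFC1918):
            findings.append("public IP address (step 4)")
        elif not in_any(ip, IOT_SUBNETS):
            findings.append("outside IoT segment (step 1)")
        if in_any(ip, CRITICAL_SUBNETS):
            findings.append("shares subnet with critical systems (step 1)")
        if findings:
            report[mac] = findings
    return report

if __name__ == "__main__":
    for mac, findings in audit(DISCOVERED).items():
        print(mac, "->", "; ".join(findings))
```

A MAC allow-list identifies unknown assets but does not authenticate them, so treat a clean result as an inventory check rather than proof that a device is genuine.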

3 Recommendations for Today

For any organization planning to introduce IoT, I would strongly suggest considering these three recommendations:

1) Demand a vulnerability SLA

Request from the manufacturer a service level agreement for patching critical vulnerabilities once they are identified. This will help you ensure IoT devices selected for your organization will stand up to regulatory scrutiny and patch compliance initiatives. In addition, make sure these questions are asked during an RFP or procurement process to ensure the vendor has the proper maturity for managing risks.

2) Perform security updates

Document a process and ensure all IoT devices can be patched in a timely manner if a flaw is found, without extensive disruption to the business. Some devices are very difficult to patch and update, and managing them one at a time may carry hidden labor costs.

3) Ensure role-based access

Ensure that any security model present within these devices is flexible enough to be integrated into Active Directory or a RADIUS server. As a long-term project, all credentialed access to these devices should be centrally managed and properly organized within existing identity and access management solutions. If the devices cannot be integrated, they may present a new risk through rogue accounts and unmanaged identities.

Taking these relatively simple steps today can prevent a host of security risks later. For more information on how you can better secure your endpoints, contact us today!

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.