As IoT devices become more commonplace, there is a need to ensure that they do not represent an unnecessary security risk to standard business operations. Unfortunately, it has already been proven that many of these devices are insecure by design, have unresolvable flaws, and can be leveraged to compromise an entire organization. In this blog I will review five steps every business should take today to keep its network secure, and offer some recommendations to act on today.
5 Steps to Keep Your Network Secure
1) Segment networks
Using basic capabilities in modern network routers and switches, all IoT devices should be networked using separate wireless networks and VLANs. All communications from IoT networks should be explicitly blocked from critical servers, databases, and workstations that should not communicate directly with the devices. This helps ensure that if an IoT device is compromised, it cannot directly be leveraged to steal critical information. If possible, all communications from IoT networks to the Internet and to other trusted networks should be monitored to identify any anomalous behavior.
2) Change all passwords
Almost all IoT devices ship with default passwords for initial configuration. End users should change all usernames AND passwords on these devices to complex passwords and consider changing them on a regular and periodic basis.
3) Update firmware
Make sure that you maintain the latest firmware and security patches on all IoT devices to mitigate any emerging threats and identified vulnerabilities that could be leveraged against the devices.
4) Don’t place the device directly on the Internet
Never place IoT devices of any type directly on the Internet with public IP addresses. It is just a matter of time before they will be compromised or subjected to a DDoS attack. IoT devices are based on very simple networking technology and are not robust enough to withstand all the potentially malicious IP traffic on the Internet.
5) Prevent shadow IT with discovery
Shadow IT is another buzzword for rogue devices and unsanctioned assets. Make sure any IoT devices placed on your network are approved and follow the steps above. Shadow IT based on IoT could easily violate many of your security policies and introduce a threat. Standard network discovery tools can find these rogue devices and help place them under proper management.
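The checks in steps 1, 4 and 5 can be run against the output of a discovery scan. The following is an added example, not part of the original post: the subnets, MAC addresses, scan results and firewall rules are all constructed for illustration, and the function names are hypothetical.

```python
import ipaddress as ip

# All values are constructed for illustration; substitute your own addressing plan.
IOT_NETS = [ip.ip_network("10.20.0.0/24")]        # dedicated IoT VLAN
CRITICAL_NETS = [ip.ip_network("10.1.0.0/24")]    # servers and databases
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed discovery-scan output: (MAC, IP address).
DISCOVERED = [
    ("00:11:22:33:44:01", "10.20.0.15"),   # approved, on the IoT VLAN
    ("00:11:22:33:44:02", "10.1.0.40"),    # approved, but on the server network
    ("00:11:22:33:44:03", "203.0.113.9"),  # documentation range standing in for a public IP
    ("00:11:22:33:44:99", "10.20.0.77"),   # not in the approved inventory
]
# Constructed firewall allow rules: (source network, destination network).
ALLOW_RULES = [
    ("10.20.0.0/24", "0.0.0.0/0"),    # IoT to anywhere, which includes the servers
    ("10.30.0.0/24", "10.1.0.0/24"),  # workstations to servers, not an IoT path
]

def audit_devices(discovered):
    """Return {mac: [findings]} for devices that break steps 1, 4 or 5."""
    findings = {}
    for mac, raw_ip in discovered:
        addr, issues = ip.ip_address(raw_ip), []
        if mac.lower() not in APPROVED_MACS:
            issues.append("unapproved device")
        if not any(addr in net for net in RFC1918):
            issues.append("public IP address")
        elif not any(addr in net for net in IOT_NETS):
            issues.append("outside IoT segment")
        if issues:
            findings[mac] = issues
    return findings

def risky_allow_rules(rules):
    """Return allow rules whose source overlaps an IoT net and destination a critical net."""
    def hits(cidr, nets):
        return any(ip.ip_network(cidr).overlaps(n) for n in nets)
    return [(s, d) for s, d in rules if hits(s, IOT_NETS) and hits(d, CRITICAL_NETS)]

if __name__ == "__main__":
    for mac, issues in audit_devices(DISCOVERED).items():
        print(mac, "->", ", ".join(issues))
    for rule in risky_allow_rules(ALLOW_RULES):
        print("allow rule lets IoT reach critical network:", rule)
```

The rule check looks only at allow rules and does not model rule ordering or earlier deny rules, so treat each hit as a prompt to review the actual policy. A device with a private address can still be exposed through port forwarding, so the address check is one signal and not proof that a device is unreachable from the Internet.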
3 Recommendations for Today
For any organization planning on introducing IoT, I would strongly urge you to consider these three recommendations:
1) Demand a vulnerability SLA
Request from the manufacturer a service level agreement for patching critical vulnerabilities once they are identified. This will help you ensure IoT devices selected for your organization will stand up to regulatory scrutiny and patch compliance initiatives. In addition, make sure these questions are asked during an RFP or procurement process to ensure the vendor has the proper maturity for managing risks.
2) Perform security updates
Document a process to identify vulnerabilities and ensure all IoT devices can be patched in a timely manner, and without extensive disruption to the business, if a flaw is found. Some devices are very difficult to patch and update, and may carry hidden labor costs when they must be managed one at a time.
3) Ensure role-based access
Any security model present within these devices should be flexible enough to be integrated into Active Directory or a RADIUS server. As a long-term project, all credentialed access to these devices should be centrally managed and properly organized within existing identity and access management solutions. If the devices cannot be integrated this way, they may present a new risk through rogue accounts and unmanaged identities.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust