Those devices hidden in your closet CAN hurt you

Dec 11, 2015 | 5 mins
Internet of Things, Internet Security, Malware

If you take a quick look at the closets and storage rooms in your organization, you will likely find various networked devices that have been installed, and probably forgotten.

I recently took over responsibility for IT at my church, an urban congregation with around 500 members, just finishing its first year in a new facility. Most of their core network gear is, as with most other smaller organizations, stuck in a closet which is also used for storage. Recently, I surveyed the equipment in that closet, which by appearance did not amount to much. After a more detailed review, the closet actually contained eight networked devices, including three Internet gateways, a firewall, a managed network switch, an access point, and some miscellaneous equipment. 

I also used NMAP to survey the building, and found numerous other networked devices, including the usual mix of printers/copiers, access points, and digital signage displays. Overall, this relatively small church with a staff of 12 had over 40 networked devices, not counting PCs. There was of course no inventory of all of the devices in use. 

In my experience working with customers in the business world, the situation is much the same, with gear in one or more closets, and scattered throughout the organization. The items usually are installed gradually over time, and company personnel quickly lose track of what is connected. 

This ad hoc approach to network management is an issue for various reasons, not the least of which is the possibility of vulnerabilities in the devices exposing the organization to attack. Network devices have in the past been the focus of attacks, but that has been expanding of late, given the advent of what the industry refers to generically as the Internet of Things (IoT). This term refers to all equipment, other than core network gear, that connects to a network. 

Some years ago, DuPont used the slogan “better living through chemistry.” In today’s world, a key slogan seems to be “better living through IoT.” We are told that connecting anything and everything to the network will make our lives happier and better. The potential exposure is bad enough by itself, and made worse because such devices are often user installed without the knowledge or consent of the IT function. 

The increased presence of IoT will likely benefit all of us in some way, and will help fuel business growth for some time. A recent study published by George Mason University projected that the economic impact of IoT would be between $2.7 trillion and $6.2 trillion per year by 2025. I do not dispute the value of IoT in the business world, or at home. My issue with networked devices in general is the assumption that they can be installed and forgotten. 

In fact, any of these networked devices can become a gateway for unauthorized network access, or loss of privacy, if not monitored and maintained. We get warnings about new vulnerabilities, and the firmware releases that fix them, almost daily. These range from major issues with core network equipment, such as the Arris cable modem back doors just discovered, to privacy issues at home, like the hacking of toy company Vtech, exposing the chats by kids, as well as their pictures, to public view.

So, how do you address the problem of such devices, and their vulnerabilities, creeping into the network without being managed?  Here are some thoughts: 

Discover what you have

In the likely event that you have unknown network devices, there is no perfect substitute for a physical survey of the equipment you can see. This can be somewhat impractical for a large building, and can miss items that are well hidden. To help, there are tools, such as NMAP mentioned above, which can survey your network, and in many cases identify the devices connected. I recommend that both approaches be used.

Track your devices

Once you know what devices are connected, you need to maintain a list, including model number, address and location. This can be as simple as creating a spreadsheet. For larger and more complex organizations, a variety of tracking tools exist, including functionality built into the venerable Spiceworks.

Restrict device connections

One of the challenges related to IoT is the fact that any user can connect a device themselves, which you may not realize until you recheck your network survey. Short of guards at the doors, there is no easy solution for this problem. One possible approach is to use your DHCP server, which issues addresses to devices on a network, to restrict addresses to known devices, based on the MAC address. With this approach, an unauthorized device connected to the network will not function without intervention by the network manager.
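The three steps above (survey, inventory, restrict) fit together in one small script. The example below is an added illustration, not code from the article or from any vendor: it parses the XML that `nmap -sn -oX` writes, compares the live hosts against a spreadsheet-style inventory keyed on MAC address, reports anything not on the list (or on the list but not answering), and renders ISC dhcpd `host` reservations with `deny unknown-clients` so unregistered MACs get no lease. The inventory rows, the scan XML, the MAC addresses and the vendor names are all constructed for the example; nmap only reports MACs when scanning from the same LAN segment with sufficient privileges.

```python
"""Reconcile an nmap -oX scan against a device inventory and emit ISC dhcpd
reservations for the known devices.  Added illustration: the XML, the
inventory rows and every MAC/vendor value below are constructed."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed inventory in the spreadsheet shape the article suggests
# (model, address, location) plus the MAC that DHCP will key on.
INVENTORY_CSV = """mac,ip,model,location
00:11:22:aa:bb:01,192.168.1.1,Example-GW-1000,network closet
00:11:22:aa:bb:02,192.168.1.2,Example-SW-24,network closet
00:11:22:aa:bb:03,192.168.1.20,Example-MFP-500,front office
"""

# Constructed nmap XML in the shape `nmap -sn -oX scan.xml 192.168.1.0/24`
# produces: one <host> per probed address, with <status> and <address> children.
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="ExampleNet"/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.20" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:03" addrtype="mac" vendor="ExampleNet"/>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.77" addrtype="ipv4"/>
<address addr="DE:AD:BE:EF:00:42" addrtype="mac" vendor="Unknown Display Co"/>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.99" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def norm_mac(mac):
    """Normalise MAC spelling so inventory and scan values compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(csv_text):
    """Return {mac: row} from the inventory CSV."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def parse_nmap_xml(xml_text):
    """Return [{'ip', 'mac', 'vendor'}] for every host nmap reported as up."""
    seen = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not answer
        entry = {"ip": None, "mac": None, "vendor": ""}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = norm_mac(addr.get("addr"))
                entry["vendor"] = addr.get("vendor", "")
        seen.append(entry)
    return seen


def reconcile(scan, inventory):
    """Split live hosts into known/unknown by MAC, and list inventory MACs
    that did not answer.  'unknown' is what a survey recheck should surface."""
    known, unknown = [], []
    for h in scan:
        (known if h["mac"] in inventory else unknown).append(h)
    seen_macs = {h["mac"] for h in scan}
    missing = sorted(m for m in inventory if m not in seen_macs)
    return known, unknown, missing


def render_dhcpd(inventory, subnet="192.168.1.0", netmask="255.255.255.0"):
    """Emit an ISC dhcpd subnet block that only leases to reserved MACs."""
    lines = [f"subnet {subnet} netmask {netmask} {{",
             "    deny unknown-clients;  # no lease for a MAC without a host entry"]
    for mac, row in sorted(inventory.items()):
        lines.append(f"    host dev-{mac.replace(':', '')} {{")
        lines.append(f"        hardware ethernet {mac};")
        lines.append(f"        fixed-address {row['ip']};  # {row['model']}, {row['location']}")
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    known, unknown, missing = reconcile(parse_nmap_xml(SCAN_XML), inv)
    for h in unknown:
        print(f"UNKNOWN  {h['ip']}  {h['mac']}  ({h['vendor']})")
    for mac in missing:
        print(f"MISSING  {mac}  {inv[mac]['model']} at {inv[mac]['location']}")
    print(render_dhcpd(inv))
```

Run it after each survey and the UNKNOWN lines are the devices someone plugged in without telling you; the MISSING lines are inventory entries to go and check. The rendered dhcpd block is only as good as the inventory it is generated from, and MAC reservations stop casual connections rather than a deliberate MAC change, so they complement rather than replace the physical survey.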

Keep up with firmware and vulnerabilities

Probably the single most difficult aspect of network device management is keeping up with firmware versions and vulnerabilities. This is manageable for one or two devices, but when you have many devices, this can be a major consumer of time. Some devices can be set to upgrade their firmware automatically, which unfortunately has disadvantages as well. While monitoring each vendor’s website for issues can be useful, vendors are often not the first to report issues. Independent sources, such as US CERT and Security Tracker, provide information for a broad range of products, which you can check against your inventory.
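Checking advisories against the inventory is mechanical once the inventory carries vendor, model and firmware version, and the one place it goes wrong is version comparison (string order puts 2.10.0 before 2.9.1). The script below is an added example, not code from the article or from US CERT or Security Tracker: it loads a constructed inventory, matches a constructed advisory list by vendor and model, and flags devices whose firmware is below the version the advisory says fixes the issue. Advisory ids, product names and versions are all made up; a real feed would be matched on its own product identifiers rather than free-text names.

```python
"""Match an advisory list against a device inventory by firmware version.
Added illustration: the inventory rows, the advisories, the ids and the
version numbers below are constructed, not from any real feed or product."""
import csv
import io
import re

INVENTORY_CSV = """model,vendor,firmware,ip,location
Example-GW-1000,ExampleNet,2.1.4,192.168.1.1,network closet
Example-SW-24,ExampleNet,1.0.9,192.168.1.2,network closet
Example-MFP-500,PrintCo,3.2.0,192.168.1.20,front office
"""

# Constructed advisories in the shape an independent feed would give you:
# which product, which version closes the issue, a one-line summary.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "vendor": "ExampleNet", "model": "Example-GW-1000",
     "fixed_in": "2.1.5", "summary": "remote management interface bypass"},
    {"id": "ADV-EXAMPLE-002", "vendor": "ExampleNet", "model": "Example-SW-24",
     "fixed_in": "1.0.9", "summary": "SNMP default community string"},
    {"id": "ADV-EXAMPLE-003", "vendor": "PrintCo", "model": "Example-MFP-900",
     "fixed_in": "4.0.0", "summary": "unauthenticated job retrieval"},
]


def version_key(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically per
    component instead of as strings.  Letter suffixes ('2.1.4b') are dropped,
    so such builds compare equal to their base release."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_below_fix(firmware, fixed_in):
    """True when the running firmware is older than the fixing release."""
    return version_key(firmware) < version_key(fixed_in)


def load_inventory(csv_text):
    """Return the inventory rows as a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def match_advisories(rows, advisories):
    """Return (advisory id, ip, running firmware, fixing version) for every
    device whose vendor and model match an advisory and whose firmware is
    below the fix.  Devices already at or past the fix are not reported."""
    hits = []
    for row in rows:
        for adv in advisories:
            same_product = (row["vendor"].lower() == adv["vendor"].lower()
                            and row["model"].lower() == adv["model"].lower())
            if same_product and is_below_fix(row["firmware"], adv["fixed_in"]):
                hits.append((adv["id"], row["ip"], row["firmware"], adv["fixed_in"]))
    return hits


if __name__ == "__main__":
    for adv_id, ip, running, fixed in match_advisories(load_inventory(INVENTORY_CSV), ADVISORIES):
        print(f"{adv_id}: {ip} runs {running}, fixed in {fixed}")
```

With the constructed data only the gateway is reported: the switch already runs the fixing release, and the printer model in the third advisory is not one you own. Keeping the inventory's firmware column current is the whole game; the script cannot tell you about a device it does not know about, which is why the survey comes first.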

Bottom line — if you don’t track and maintain your hidden devices, the likelihood of you experiencing a security incident increases daily. As the saying goes, pay me now, or pay me later.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.