Missing the mark on IoT security

RSA 2017 is well and truly behind us now, but the conference theme du jour has dominated headlines for the past year or two: “Internet of Things (IoT) devices are the biggest security threat, and there’s nothing you can do!”

Well, almost nothing. Since the vast majority of talks at RSA (and most other conferences these days) is related to how to solve the IoT problem, there’s a lot of proposed solutions from a lot of different sources. Of course, if you ask any security tools vendor these days, they’ll also tell you that they’ve got the one-size-fits-all solution to solve your IoT woes. It’s the same marketing angle we’ve heard for every other security threat that’s dominated headlines in the last several years.

But for all the emphasis on trying to solve the problem directly by arguing about how to build a more secure refrigerator, there’s plenty that can be done now with all the security tools most organizations already have in place to protect their environment.

Let’s step back for a moment, though. What’s really the problem with IoT devices? These lightweight devices are typically running tiny operating systems that are stripped down to provide basic connectivity and management features. So, the current consensus is that they’re not inherently secure, there’s no access control, encryption or other basic security features, and so, they’re going to give up everything and there’s nothing anyone can do about it. And while I would agree with the assessment, I’m not yet convinced that the last part is true.

Sure, these devices aren’t built with security in mind, but, their risk is primarily in providing additional points of entry for an attacker to gain access to your network. Which, if you think about it, is no different than where we stand today, with the only difference being the volume of attackable devices we may have on our networks.

The problem isn’t new (ask any network admin what they’re doing about rogue wireless access points of other random devices getting connected to their network), but it does add an increased scope that many may not be prepared to handle. Look at any article on current threats and exploits, and you’ll most likely see that they’re targeting old vulnerabilities that have been around for ages. The problem isn’t new, but we’re not resolving those older problems today while we spend time and resources fixating on the “new” problems.

So what are you doing to secure endpoints in your environment today? Aside from endpoint protections software, of course, the same security protocols you’re leveraging today will help protect your critical assets against an IoT device becoming compromising. Consider things like:

• Network segregation – Internal firewalls and access control lists (ACL) will help isolate your critical areas from those which are not as critical. If you’re implementing IoT devices, isolate those networks from being able to reach your data servers or other mission critical infrastructure.
• Protect administrator accounts – Hackers commonly break into workstations and other endpoints as a staging ground to launch more attacks. Usually, they’re after administrator credentials which can net them access to other systems. IoT devices can be used to stage some of these attacks, so be sure to change the passwords of any administrator credentials on a regular basis, limit the number of those accounts in use, and limit where these credentials can be used from.
• Patch everything – Patching systems and applications limits the number of exploits and vulnerabilities that an attacker can use to break into other areas of your network from a compromised IoT device. It’s a long-established best practice, but many organizations are still not patching comprehensively. Doing so will minimize your attack surface from any asset, including IoT devices.
• Monitor your network – SIEM tools and other behavioral analysis programs are becoming increasingly advanced and can monitor for a wide range of anomalous use. Most organizations already have these systems in place, and it should be trivial to add rules or monitoring criteria to alert if an IoT device does anything other than communicate to its appropriate central control point. This doesn’t require special plug-ins or IoT-specific tools, as these devices still use standard network protocols to do their job.

Hit the mark with your comment on our Facebook page.