The introduction of connected devices is complicating an already incredibly complex security environment for infosec professionals. In just two decades, the enterprise has gone from a controlled scenario of one device per user to a situation in which users may have five or more devices connected to sensitive systems and applications. As the IoT becomes more popular it will soon be impossible to quantify just how many internet-enabled, vulnerable points exist within an organization.
In this environment it’s essential that security be a top consideration. Seemingly every day a new story appears about a company falling victim to a data breach, the ramifications of which can be crippling to the business. Most recently, KrebsOnSecurity was hit by a massive distributed denial-of-service (DDoS) attack that’s been reported to be the largest in history. Reports state that the botnet used in the attack consisted of IoT devices such as webcams and routers that are exposed to the internet and protected with default or weak credentials. Although the attack was not successful, it still raises the importance of network security and password security.
So what should companies be mindful of when it comes to securing the IoT? There is a laundry list of considerations, but the most critical can be summarized below:
- Ease of Access. Being connected to the Internet means smart devices are an open portal for exploitation. This is a fairly obvious statement when you think about “traditional” IT systems but less readily apparent when applied to other areas. Do you review the security of appliances in the company kitchen, for example, with the same approach you take to your IT servers? If not—and you have connected appliances— then it’s time to start. By the very nature of their Internet connection, these appliances can be a dangerous and easily accessible tool in the hands of the wrong person.
- Multiple Attack Pathways. The above underscores that more devices on the network represent a significant increase in attack surface. Would-be hackers have new ways to gain entry into the enterprise, meaning companies must respond in kind with new security layers and controls to ensure data protection. The physical equivalent of this can be found in many office buildings today. Trusted employees are able to quickly gain access to the unmanned doors that exist within the building by swiping their badge—which logs a record of their access. Visitors are directed to the building’s central security desk, which then vets them against various criteria and supplies temporary access to the requested floor. Just as this approach prevents unauthorized physical access, controlling the access to connected devices at a single point of ingress/egress is essential to shoring up IoT security.
- Ownership. Another key IoT security concern centers around ownership and control. Who is responsible for maintaining and patching the various technologies? As mentioned above, a number of these devices are often overlooked because they fall outside of IT’s traditional purview. As such, many times companies are unaware this responsibility lies with them, leading to a scenario in which the device ends up on a vulnerability database and is quickly exploited. In other instances, updates might be maintained by a vendor or another third party who has access to the company’s system. If this access is unsecured or if the vendor has access to more systems than they need, this can quickly become a security nightmare.
We can only expect the number of connected devices and access points on corporate networks to increase dramatically in the years ahead. As companies evaluate these technologies, it’s critical that security not be overlooked. While it’s impossible to protect against all of the vulnerabilities introduced by the IoT, the considerations outlined above can go a long way in preventing a potential breach.