Moving into the fourth quarter of the year is an excellent time to take inventory of your accomplishments — and your IoT. With many devices being PnP (plug-and-play) ready, their (ideally) seamless integration into your personal and/or business life may inadvertently cause oversights in both security and resource management.
In this article, we will discuss a few items you might not have checked in on recently, some examples of vulnerabilities IoT brings, and simple methods to maintain or improve your security once these devices are integrated. The vast majority of these recommendations will apply to both personal and business use, with a few additional callouts to business-specific considerations.
Before we dive into the “how” and “why,” let’s define the “what” by covering a few essential terms:
There is little doubt that the state of cybersecurity is under a constant barrage of criticism and gloom. Between bad press affecting the very livelihood of businesses and misanthropic attitudes toward technology in general, we can forget about the inclusiveness that this same technology brings. Innovations like adaptive gaming controllers and/or software that level the field for persons with disabilities are arguably among the best executions of the vision of improving life. If you do not agree, you are invited to witness a child seeing colors, hearing, being able to play a game, or communicating with loved ones more readily for the first time in their life. Actually, you are invited to witness this in general; it will undoubtedly brighten your day and outlook.
Yet, these same marvels of human creation often appear to be developed with security as an afterthought. This is not a sentiment meant to disparage our innovators. The internet is still the wild west, and we need to recognize that suddenly instituting proper security on all levels is no easy task, for many reasons. Slowing down development to incorporate and test security can not only interfere with the scope of a project and its time to market, but may also wreak havoc on the creative genius that brings new IoT devices to life at all.
Unfortunately, until our DevSecOps discussions and pipelines feel as natural as putting on a seatbelt before driving down the road, threat actors will take advantage of security flaws inadvertently served up on a platter. We do not have to search far or wide to find real-world examples of IoT gone wrong. Certainly we have all heard reports of compromise involving:
The consequences of a successful compromise are no secret by now. Spyware, ransomware, and data exfiltration/manipulation/destruction services unfortunately have active markets, and their vendors operate under varying degrees of perceived morality and tactics. Even our healthcare providers are not exempt from attack, and alarmingly, are increasingly targeted. Fax machines, printers, and workstations are notoriously harvested for PII, but further, IoMT devices as unassuming as IV pumps are landing on exploitation radars as well.
The basic truth is that IoT devices are often simple-purpose devices and do not possess the kind of built-in security that something so integrated in our personal and business networks should have. Much ado could also be made about the apps they include for our convenience, which leave alarming gaps in security. In fact, simple-purpose apps in general (for example, the recently disclosed WiFi Mouse App RCE exploit) can quickly ruin the integrity of any otherwise secure network. With compromises as far-reaching as the aptly named Ripple20, no industry or use case seems immune.
The list highlighting potential security failures for IoT devices includes but is not limited to:
The implications of the list by itself are worrying enough, and when any element of that list potentially applies to every IoT device you may interact with daily (or that is continuously connected to the network), the task of security may seem daunting. Consider the following common or increasingly common potential targets beyond basic networking devices (servers, routers, and access points):
With great integration comes great responsibility. For the 18th year running, October is declared to be Cybersecurity Awareness Month. This year’s theme as promoted by CISA and the NCA is “See Yourself in Cyber”. One consideration that this campaign highlights is that every individual has a role in contributing to their security online by, as CISA puts it, making “smart decisions whether on the job, at home or at school – now and in the future.”
Taking action as a smart decision maker can occur in a variety of ways. Consider the following recommendations:
Note that many will update themselves regularly, but not all. For those applications and devices that do not automatically update, locating and bookmarking vendor websites will streamline keeping current with critical patches and firmware updates. Remember, do not use a third-party website for this. Take it a step further by setting a calendar reminder to periodically check these, a simple task that could save you a headache down the road.
This could be as simple as identifying the device, the OS, version, and the IP/MAC addresses. This simple act will greatly improve monitoring of your network in a variety of ways, which is covered more in depth here. Regulations on businesses for security controls should be followed per official documentation.
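As an added illustration (not code from the original article), the sketch below reconciles such an inventory against what is actually seen on the network. The device names, addresses and the `ip neigh show`-style sample are constructed for the example.

```python
import csv
import io
import re

# Constructed inventory holding the fields the article suggests recording.
INVENTORY_CSV = """device,os,version,ip,mac
Living room camera,Vendor Linux,2.4.1,192.168.1.20,AA:BB:CC:00:00:01
Office printer,Vendor RTOS,5.0.3,192.168.1.30,AA:BB:CC:00:00:02
Smart thermostat,Vendor Linux,1.9.0,192.168.1.40,AA:BB:CC:00:00:03
"""

# Constructed sample in the format of Linux `ip neigh show` output.
NEIGH_SAMPLE = """192.168.1.20 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.35 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.50 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) (\S+)$")

def load_inventory(text):
    """Return {lower-cased MAC: row} from the inventory CSV."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}

def parse_neighbors(text):
    """Return {MAC: IP} for entries that resolved to a link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3) != "FAILED":
            seen[m.group(2).lower()] = m.group(1)
    return seen

def reconcile(inventory, seen):
    """Flag unknown devices, inventoried devices on a new IP, and absent ones."""
    unknown = sorted((mac, ip) for mac, ip in seen.items() if mac not in inventory)
    moved = sorted((inventory[mac]["device"], inventory[mac]["ip"], ip)
                   for mac, ip in seen.items()
                   if mac in inventory and inventory[mac]["ip"] != ip)
    missing = sorted(row["device"] for mac, row in inventory.items() if mac not in seen)
    return {"unknown": unknown, "moved": moved, "missing": missing}

if __name__ == "__main__":
    report = reconcile(load_inventory(INVENTORY_CSV), parse_neighbors(NEIGH_SAMPLE))
    for kind, items in report.items():
        print(kind, items)
```

Devices reported as missing are candidates for a decommissioning review rather than proof that a device is gone, since a neighbor table only reflects recent traffic.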
Organizations are encouraged to enroll in security- and response-focused services like those provided by an MDR business, which use powerful security tools (like SentinelOne) to institute endpoint protection for regular monitoring of managed (and to a degree, unmanaged) devices.
Promptly and properly removing deprecated or unused devices (and applicable accounts) from any network access will help keep your network secure. Ensure that those devices are properly wiped of your data when they are no longer used.
Beyond Geo-IP blocking (which essentially only deters bots and script kiddies), review ACLs and consider allowing connections from bastion hosts only. This ensures that access to these devices is ONLY allowed through specified internal hosts and users.
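One way to carry out that ACL review, shown as an added example rather than anything from the original article: the script flags permit rules that reach the IoT segment from any source wider than a bastion host. The addressing, the bastion address and the simplified rule format are assumptions made for the illustration.

```python
import ipaddress

# Assumed addressing for illustration: an IoT segment and one bastion host.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
BASTIONS = [ipaddress.ip_network("10.0.5.10/32")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed ACL in a simplified "action source destination port" form.
ACL_SAMPLE = """
permit 10.0.5.10/32 10.20.0.0/24 22
permit 10.0.0.0/16 10.20.0.15/32 443
permit 0.0.0.0/0 10.20.0.30/32 80
permit 10.0.5.10/32 10.30.0.0/24 22
deny 0.0.0.0/0 10.20.0.0/24 any
"""

def parse_acl(text):
    """Return (rule number, action, source net, destination net, port) tuples."""
    rules = []
    lines = [line for line in text.splitlines() if line.strip()]
    for num, line in enumerate(lines, start=1):
        action, src, dst, port = line.split()
        rules.append((num, action, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), port))
    return rules

def non_bastion_permits(rules):
    """Permit rules reaching the IoT segment from anything wider than a bastion.

    Shadowing by earlier rules is not modelled; every permit is reviewed.
    """
    findings = []
    for num, action, src, dst, port in rules:
        if action == "permit" and dst.overlaps(IOT_NET):
            if not any(src.subnet_of(b) for b in BASTIONS):
                findings.append((num, str(src), str(dst), port))
    return findings

def has_default_deny(rules):
    """True if a rule denies every source and port to the whole IoT segment."""
    return any(action == "deny" and src == ANY and port == "any"
               and IOT_NET.subnet_of(dst)
               for num, action, src, dst, port in rules)

if __name__ == "__main__":
    acl = parse_acl(ACL_SAMPLE)
    for finding in non_bastion_permits(acl):
        print("review rule", finding)
    print("default deny present:", has_default_deny(acl))
```

Rule 2 is flagged even though its source range contains the bastion, because the range also admits every other host in it.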
MFA is a critical piece of internet and password security. Enable it. Require it.
No cybersecurity recommendation article is complete without specific reference to consulting NIST resources. Their IoT Program offers standards and guidance relevant across industry, agency, and consumer integrations. Further, an older but still relevant NIST publication dives into incorporating IoT as a safe and responsible member of your household.
The heart and soul of technology is about easing the burden surrounding tasks and communication. Peacetime innovations such as IoT-capable devices should be celebrated as we safely integrate them into our lives, not shrouded in fear or met with repugnance. It will take some time for the hurdles of security integration in IoT development to be overcome, and devices, as well as access to them, will always need to be carefully managed. In that spirit, we would like to leave you with some additional quick wins for security that go a long way. Let us all truly see our place in cyber no matter our industry, role, or experience. We wish you a happy and informative Cybersecurity Month 2022!