By Nathan Wenzler
Tue | Jun 20, 2017 | 4:25 AM PDT

I attend a lot of security conferences every year. Probably more than I wish to admit.

Attending so many events gives me an opportunity to sit through a number of talks given by industry executives and luminaries. Since the vast majority of talks at security conferences are related to how to solve today’s Internet of Things (IoT) problem, I’ve also seen a lot of proposed solutions coming from many different sources.

Of course, if you ask any security tools vendor, they’ll also tell you that they’ve got the one-size-fits-all solution to solve your IoT griefs. It’s the same marketing angle we’ve heard for every other security threat that’s dominated headlines in the past few years.

But for all the emphasis on trying to solve the problem directly by arguing about how to build a more secure refrigerator, there’s plenty that can be done now with all the security tools most organizations already have in place to protect their environment.

So…what’s really the problem with IoT devices?

These lightweight devices typically run tiny operating systems that are stripped down to provide basic connectivity and management features. The current consensus is that they’re not inherently secure, that they have no access control, encryption or other basic security features, and that they’re therefore going to give up everything and there’s nothing anyone can do about it. While I would agree with the assessment, I’m not yet convinced that the last part is accurate.

Yes, these devices aren’t typically manufactured with security in mind, but their risk is primarily in providing additional points of entry for an attacker to gain access to your network. That is no different from where we stand today, with the only difference being the volume of attackable devices we may have on our networks.

The problem isn’t new; however, it does add an increased scope that many may not be prepared to handle. Look at any article on current threats and exploits, and you’ll most likely see that they’re targeting old vulnerabilities that have been around for ages. The issue is that we’re not resolving those older problems today, but instead, we’re spending time and resources fixating on the “new” problems.

Let’s solve this by getting back to basics and resolving the long-standing issues that already exist in our environments. Aside from endpoint protection software, the same security protocols you’re leveraging today will help protect your critical assets against an IoT device becoming compromised. Consider things such as:

  • Network segregation – Internal firewalls and access control lists (ACLs) will help isolate your critical areas from those which are not as critical. If you’re implementing IoT devices, isolate those networks from being able to reach your data servers or other mission-critical infrastructure.
  • Protect administrator accounts – Hackers commonly break into workstations and other endpoints as a staging ground to launch more attacks. Usually, they’re after administrator credentials which can net them access to other systems. IoT devices can be used to stage some of these attacks, so be sure to change the passwords of any administrator credentials on a regular basis, limit the number of those accounts in use, and limit where these credentials can be used from.
  • Patch everything – Patching systems and applications limits the number of exploits and vulnerabilities that an attacker can use to break into other areas of your network from a compromised IoT device. It’s a long-established best practice, but many organizations are still not patching comprehensively. Doing so will minimize your attack surface from any asset, including IoT devices.
  • Monitor your network – SIEM tools and other behavioral analysis programs are becoming increasingly advanced and can monitor for a wide range of anomalous use. Most organizations already have these systems in place, and it should be trivial to add rules or monitoring criteria to alert if an IoT device does anything other than communicate with its appropriate central control point. This doesn’t require special plug-ins or IoT-specific tools, as these devices still use standard network protocols to do their job.
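
The monitoring rule from the last bullet, sketched as an added example that is not part of the original article: every flow sourced from the IoT network is checked against a per-device baseline, and anything other than traffic to that device's control point raises an alert. The subnet, addresses, ports and flow-record format are constructed assumptions for illustration.

```python
import ipaddress

# Assumed (constructed) environment: IoT VLAN and each device's allowed control point.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {
    "10.50.0.11": {("10.20.0.5", 8883)},   # sensor -> MQTT broker over TLS
    "10.50.0.20": {("10.20.0.9", 443)},    # camera -> video management server
}
INFRA = {("10.50.0.1", 53), ("10.50.0.1", 123)}  # DNS/NTP on the VLAN gateway

# Constructed flow records, one per line: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2017-06-20T04:25:01Z 10.50.0.11 10.20.0.5 8883 tcp
2017-06-20T04:25:02Z 10.50.0.11 10.50.0.1 53 udp
2017-06-20T04:25:07Z 10.50.0.20 10.20.0.9 443 tcp
2017-06-20T04:26:13Z 10.50.0.20 10.10.0.15 445 tcp
2017-06-20T04:26:14Z 10.50.0.11 10.50.0.20 23 tcp
2017-06-20T04:26:40Z 10.50.0.77 10.20.0.5 8883 tcp
2017-06-20T04:27:02Z 10.10.0.15 10.20.0.5 443 tcp
"""

def find_alerts(flow_text):
    """Return (timestamp, src, dst, dport, reason) for every IoT flow off its baseline."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdecimal():
            continue  # skip records that do not parse
        ts, src, dst, dport, _proto = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if src_ip not in IOT_NET:
            continue  # only IoT-sourced traffic is evaluated here
        target = (dst, int(dport))
        if src not in ALLOWED:
            reason = "unknown device on IoT VLAN"
        elif target in ALLOWED[src] or target in INFRA:
            continue  # expected traffic: control point, DNS or NTP
        elif dst_ip in IOT_NET:
            reason = "device-to-device traffic inside IoT VLAN"
        else:
            reason = "destination is not the device's control point"
        alerts.append((ts, src, dst, int(dport), reason))
    return alerts

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_FLOWS), sep="\n")
```

In a SIEM the same logic becomes a correlation rule over firewall or NetFlow logs, with the baseline table maintained alongside the device inventory.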

Solving the IoT problem doesn’t require new, expensive or overly complex solutions, despite what vendors may tell you. The tools and techniques are already in hand and available in almost every organization out there. We just need to focus on those fundamental security controls to build a stronger platform of security everywhere, protecting us not just from those older, outstanding issues, but also keeping us secure when IoT devices, or whatever the next technological trend is, come along.
