A Guide To Addressing Corporate IoT Security

Uploaded on 2018-06-27 in TECHNOLOGY-Key Areas-Internet of Things, NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

The benefits of the Internet of Things are potentially great and can be achieved with less risk of harm by following these steps. The Internet of Things (IoT) promises benefits for companies, including rich supplies of data that can help them more effectively serve their customers. There’s also a lot to be worried about.

Because so many devices, products, assets, vehicles, buildings, etc. will be connected, there is a possibility that hackers and other cyber-criminals will try to exploit weaknesses.

“In IoT ecosystems, where myriad device types, applications and people are linked via a variety of connectivity mechanisms, the attack vector or surface is potentially limitless,” says Laura DiDio, principal analyst at research and consulting firm ITIC.

“Any point in the network, from the network edge/perimeter to corporate servers and main line-of-business applications to an end-user device to the transmission mechanisms [is] vulnerable to attack. Any and all of these points can be exploited.”

As a result, IoT security ranks as a big concern for many companies. Research firm 451 Research recently conducted an online survey of more than 600 IT decision-makers worldwide and found that 55% rated IoT security as their top priority when asked to rank which technologies or processes their organisations considered for existing or planned IoT initiatives. The very nature of IoT makes it particularly challenging to protect against attacks, the report says.

What can enterprises do to strengthen the security of their IoT environments? Here are some suggested best practices from industry experts.

Identify, track, and manage Endpoint Devices
Without knowing which devices are connected and tracking their activity, ensuring security of these endpoints is difficult if not impossible.

“This is a critical area,” says Ruggero Contu, research director at Gartner Inc. “One key concern for enterprises is to gain full visibility of smart connected devices. This is a requirement to do with both operational and security aspects.”

For some organizations, “this discovery and identification is about asset management and less about security,” says Robert Westervelt, research director of the Data Security Practice at International Data Corp. (IDC).

“This is the area that network access control and orchestration vendors are positioning their products to address, with the added component of secure connectivity and monitoring for signs of potential threats.”

Companies should take a thorough inventory of everything on the IoT network and search for forgotten devices that may contain back doors or open ports, DiDio says.

Patch and remediate Security Flaws as they’re discovered
Patching is one of the foundational concepts of good IT security hygiene, says John Pironti, president of consulting firm IP Architects and an expert on IoT.

“If a security-related patch exists for an IoT device, that is the vendors acknowledgement of a weakness in their devices and the patch is the remediation,” Pironti says. “Once the patch is available, the accountability for the issue transfers from the vendor to the organisation using the device.”

It might make sense to use vulnerability and configuration management, and this would be provided in some cases by vulnerability-scanner products, Westervelt says. Then do the patching and remediation. “Configuration management may be an even bigger issue opening weaknesses than patching for some enterprises,” he says.

It’s important to remember that IoT patch management is often difficult, Contu says. “This is why it is important to do a full asset-discovery to identify where organisations are potentially vulnerable,” he says. “There is as a result the need to seek out alternative measures and models to apply security, given that patching is not always possible.” Monitoring network traffic is one way to compensate for the inability to apply patches, Contu says.

Prioritise Security of the most valuable IoT Infrastructure.

Not all data in the IoT world is created equal. “It is important to take a risk-based approach to IoT security to ensure high-value assets are addressed first to try and protect them based on their value and importance to the organisation that is using them,” Pironti says.

In the case of IoT devices, an organisation might have to contend with exponentially more devices then it did with traditional IT gear, Pironti says. “It is often not realistic to believe that all of these devices can be patched in short periods of time,” he says.
Pen Test IoT hardware and software before deploying

If hiring a service provider or consulting firm to handle this, be specific about what type of penetration testing is needed.

“The pen testers I speak to do network penetration tests along with ensuring the integrity of network segmentations,” Westervelt says. “Some environments will require an assessment of their wireless infrastructure. I believe application penetration testing is a slightly lower priority within IoT for now, with exception for certain use cases.”

Penetration testing should be part of a broader risk assessment program, Contu says. “We expect an increasing demand for security certification [related to] these activities,” he says.

If an actual IoT-related attack occurs, be ready to act immediately. “Construct a security response plan and issue guidance and governance around it,” DiDio says. “Put together a chain of responsibility and command in the event of a successful penetration.”

Know how IoT interacts with data to ID anomalies, protect Personal Information
You might want to focus on secure sensor-data collection and aggregation. This could require both cyber security and physical anti-tampering capabilities, depending on where the device will be deployed and the device’s risk profile.

“It may require hardware and/or software encryption, depending on the sensitivity of the data being collected, and PKI (public key infrastructure) to validate device, sensors and other components,” Westervelt says.

“Other IoT devices like point-of-sale systems may require whitelisting, operating-system restrictions and possibly anti-malware, depending on the device functionality.”

Don’t Use Default Security Settings
In some cases, organisations will choose security settings according to their unique security posture.

“If a network security appliance is being implemented in a critical juncture, some organisations may choose to deploy it in passive mode only,” Westervelt says. 

“Remember that with industrial processes, where we are seeing IoT sensors and devices being deployed, there may be no tolerance for false positives. Blocking something important could cause an explosion or even trigger a shutdown of industrial machinery, which can be extremely costly.”

Changing the security settings can also apply to the actual devices connected via IoT. For example, there’s been a distributed denial-of-service attack that arose from the compromise of millions of video cameras configured with default settings.

Provide Secure Remote Access
Remote-access weaknesses have long been a favorite target of attackers, and within IoT a lot of organisations are looking for ways to provide contractors with remote access to certain devices, Westervelt says.

“Organisations must ensure that any solution that provides remote access is properly configured when implemented, and other mechanisms are in place to monitor, grant and revoke remote access,” Westervelt says “In some high-risk scenarios, if remote access software is being considered, it should be thoroughly checked for vulnerabilities.”

Segment Networks to enable Secure Devices Communication 
Segmenting IoT devices within networks enable organisations to limit their impact if they are found to be acting maliciously, Pironti says.

“Once malicious behavior is identified from an IoT device, it can be isolated from communicating with other devices on the network until they can be investigated and the situation remediated,” he says.

When segmenting IoT devices, it is important to implement an inspection element or layer between the IoT network segment and other network segments to create a common inspection point, Pironti says. At this point, decisions can be made about what kinds of traffic can pass between networks, as well as a meaningful and focused inspection of traffic. This allows organisations to direct inspection activities at specific traffic types and behaviors that are typical to the IoT devices instead of trying to account for all traffic types, Pironti says.

Remember People and Policies
IoT is not just about securing devices and networks. It’s also crucial to consider the human element in securing the IoT ecosystem, DiDio says.

“Security is 50 percent devices and protection, tracking and authentication mechanisms and 50 percent the responsibility of the humans who administer and oversee the IoT ecosystem,” she says. 

“It is imperative that all stakeholders from the C-level executives to the IT departments, security administrators, and the end users themselves must fully participate in defending and securing the IoT ecosystem from attacks.”

In addition, review and update the existing corporate computer security policy and procedures. “If the company policy is more than a year old, it’s outdated and needs revision to account for IoT deployments,” DiDio says. 

“Make sure that the corporate computer security policy and procedures clearly specify and articulate the penalties for first, second and third infractions. These may include everything from warnings for a first-time offense up to termination for repeat offenses.”

NetworkWorld

You Might Also Read: 

Fraud And The Internet of Things:

The IoT Will Bring Cyberwar Close To Home:


 

 

« Former UK Spy Boss Say Russia Is 'live testing' Cyber-Attacks
13 Ways Cyber Criminals Spread Malware »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jones Day

Jones Day

Jones Day is an international law firm based in the United States. Practice areas include Cybersecurity, Privacy & Data Protection.

Advenica

Advenica

Advenica develops, manufactures and sells innovative cybersecurity solutions for encryption and secure information exchange.

Global Forum on Cyber Expertise (GFCE)

Global Forum on Cyber Expertise (GFCE)

GFCE is a global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building.

Silicon:SAFE

Silicon:SAFE

Silicon:SAFE develops impenetrable hardware solutions that prevent bulk data theft during a cyber-attack.

APT Search

APT Search

APT Search is a recruitment company specialising within the Legal Technology, Cybersecurity and Privacy sectors.

CNS Group

CNS Group

CNS Group provides industry leading cyber security though managed security services, penetration testing, consulting and compliance.

Mayhem

Mayhem

Mayhem, by ForAllSecure, is a developer-first application and API security testing solution.

PurpleSynapz

PurpleSynapz

PurpleSynapz provides hyper-realistic Cyber Security Training with a modern curriculum and Cyber Range.

Mindsight

Mindsight

Mindsight is a technology consulting firm with expertise from cybersecurity to cloud, disaster recovery to infrastructure, and collaboration to contact center.

StackHawk

StackHawk

StackHawk is built to help dev teams ship secure code. Find and fix bugs early before they become vulnerabilities in production.

Squad

Squad

Squad provides leading expertise to ensure protection against the most complex cyber threats. Combining the best practices of DevOps and Cybersecurity, we are committed to create a secured cyber space

Cyral

Cyral

Easily observe, control, and protect your data endpoints in a cloud and DevOps-first world. Discover Data Mesh Security with Cyral.

ExchangeDefender

ExchangeDefender

ExchangeDefender provides cybersecurity services that secures your company email and data, and guarantees 24/7 email access.

Solvo

Solvo

Solvo enables security teams and other stakeholders to automatically uncover, prioritize, mitigate and remediate cloud infrastructure access risks.

Winslow Technology Group (WTG)

Winslow Technology Group (WTG)

Winslow Technology Group is a leading provider of IT Solutions, Managed Services, and Cybersecurity Services dedicated to providing exceptional business outcomes for our customers since 2003.

Jitterbit

Jitterbit

Jitterbit integrates critical business processes and enables application development to deliver the experiences and insights needed by enterprises of all sizes to accelerate their digital journey.