A Guide To Addressing Corporate IoT Security

The benefits of the Internet of Things are potentially great and can be achieved with less risk of harm by following these steps. The Internet of Things (IoT) promises benefits for companies, including rich supplies of data that can help them more effectively serve their customers. There’s also a lot to be worried about.

Because so many devices, products, assets, vehicles, buildings, etc. will be connected, there is a possibility that hackers and other cyber-criminals will try to exploit weaknesses.

“In IoT ecosystems, where myriad device types, applications and people are linked via a variety of connectivity mechanisms, the attack vector or surface is potentially limitless,” says Laura DiDio, principal analyst at research and consulting firm ITIC.

“Any point in the network, from the network edge/perimeter to corporate servers and main line-of-business applications to an end-user device to the transmission mechanisms [is] vulnerable to attack. Any and all of these points can be exploited.”

As a result, IoT security ranks as a big concern for many companies. Research firm 451 Research recently conducted an online survey of more than 600 IT decision-makers worldwide and found that 55% rated IoT security as their top priority when asked to rank which technologies or processes their organisations considered for existing or planned IoT initiatives. The very nature of IoT makes it particularly challenging to protect against attacks, the report says.

What can enterprises do to strengthen the security of their IoT environments? Here are some suggested best practices from industry experts.

Identify, track, and manage Endpoint Devices
Without knowing which devices are connected and tracking their activity, ensuring security of these endpoints is difficult if not impossible.

“This is a critical area,” says Ruggero Contu, research director at Gartner Inc. “One key concern for enterprises is to gain full visibility of smart connected devices. This is a requirement to do with both operational and security aspects.”

For some organizations, “this discovery and identification is about asset management and less about security,” says Robert Westervelt, research director of the Data Security Practice at International Data Corp. (IDC).

“This is the area that network access control and orchestration vendors are positioning their products to address, with the added component of secure connectivity and monitoring for signs of potential threats.”

Companies should take a thorough inventory of everything on the IoT network and search for forgotten devices that may contain back doors or open ports, DiDio says.

Patch and remediate Security Flaws as they’re discovered
Patching is one of the foundational concepts of good IT security hygiene, says John Pironti, president of consulting firm IP Architects and an expert on IoT.

“If a security-related patch exists for an IoT device, that is the vendors acknowledgement of a weakness in their devices and the patch is the remediation,” Pironti says. “Once the patch is available, the accountability for the issue transfers from the vendor to the organisation using the device.”

It might make sense to use vulnerability and configuration management, and this would be provided in some cases by vulnerability-scanner products, Westervelt says. Then do the patching and remediation. “Configuration management may be an even bigger issue opening weaknesses than patching for some enterprises,” he says.

It’s important to remember that IoT patch management is often difficult, Contu says. “This is why it is important to do a full asset-discovery to identify where organisations are potentially vulnerable,” he says. “There is as a result the need to seek out alternative measures and models to apply security, given that patching is not always possible.” Monitoring network traffic is one way to compensate for the inability to apply patches, Contu says.

Prioritise Security of the most valuable IoT Infrastructure.

Not all data in the IoT world is created equal. “It is important to take a risk-based approach to IoT security to ensure high-value assets are addressed first to try and protect them based on their value and importance to the organisation that is using them,” Pironti says.

In the case of IoT devices, an organisation might have to contend with exponentially more devices then it did with traditional IT gear, Pironti says. “It is often not realistic to believe that all of these devices can be patched in short periods of time,” he says.
Pen Test IoT hardware and software before deploying

If hiring a service provider or consulting firm to handle this, be specific about what type of penetration testing is needed.

“The pen testers I speak to do network penetration tests along with ensuring the integrity of network segmentations,” Westervelt says. “Some environments will require an assessment of their wireless infrastructure. I believe application penetration testing is a slightly lower priority within IoT for now, with exception for certain use cases.”

Penetration testing should be part of a broader risk assessment program, Contu says. “We expect an increasing demand for security certification [related to] these activities,” he says.

If an actual IoT-related attack occurs, be ready to act immediately. “Construct a security response plan and issue guidance and governance around it,” DiDio says. “Put together a chain of responsibility and command in the event of a successful penetration.”

Know how IoT interacts with data to ID anomalies, protect Personal Information
You might want to focus on secure sensor-data collection and aggregation. This could require both cyber security and physical anti-tampering capabilities, depending on where the device will be deployed and the device’s risk profile.

“It may require hardware and/or software encryption, depending on the sensitivity of the data being collected, and PKI (public key infrastructure) to validate device, sensors and other components,” Westervelt says.

“Other IoT devices like point-of-sale systems may require whitelisting, operating-system restrictions and possibly anti-malware, depending on the device functionality.”

Don’t Use Default Security Settings
In some cases, organisations will choose security settings according to their unique security posture.

“If a network security appliance is being implemented in a critical juncture, some organisations may choose to deploy it in passive mode only,” Westervelt says. 

“Remember that with industrial processes, where we are seeing IoT sensors and devices being deployed, there may be no tolerance for false positives. Blocking something important could cause an explosion or even trigger a shutdown of industrial machinery, which can be extremely costly.”

Changing the security settings can also apply to the actual devices connected via IoT. For example, there’s been a distributed denial-of-service attack that arose from the compromise of millions of video cameras configured with default settings.

Provide Secure Remote Access
Remote-access weaknesses have long been a favorite target of attackers, and within IoT a lot of organisations are looking for ways to provide contractors with remote access to certain devices, Westervelt says.

“Organisations must ensure that any solution that provides remote access is properly configured when implemented, and other mechanisms are in place to monitor, grant and revoke remote access,” Westervelt says “In some high-risk scenarios, if remote access software is being considered, it should be thoroughly checked for vulnerabilities.”

Segment Networks to enable Secure Devices Communication 
Segmenting IoT devices within networks enable organisations to limit their impact if they are found to be acting maliciously, Pironti says.

“Once malicious behavior is identified from an IoT device, it can be isolated from communicating with other devices on the network until they can be investigated and the situation remediated,” he says.

When segmenting IoT devices, it is important to implement an inspection element or layer between the IoT network segment and other network segments to create a common inspection point, Pironti says. At this point, decisions can be made about what kinds of traffic can pass between networks, as well as a meaningful and focused inspection of traffic. This allows organisations to direct inspection activities at specific traffic types and behaviors that are typical to the IoT devices instead of trying to account for all traffic types, Pironti says.

Remember People and Policies
IoT is not just about securing devices and networks. It’s also crucial to consider the human element in securing the IoT ecosystem, DiDio says.

“Security is 50 percent devices and protection, tracking and authentication mechanisms and 50 percent the responsibility of the humans who administer and oversee the IoT ecosystem,” she says. 

“It is imperative that all stakeholders from the C-level executives to the IT departments, security administrators, and the end users themselves must fully participate in defending and securing the IoT ecosystem from attacks.”

In addition, review and update the existing corporate computer security policy and procedures. “If the company policy is more than a year old, it’s outdated and needs revision to account for IoT deployments,” DiDio says. 

“Make sure that the corporate computer security policy and procedures clearly specify and articulate the penalties for first, second and third infractions. These may include everything from warnings for a first-time offense up to termination for repeat offenses.”

NetworkWorld

You Might Also Read: 

Fraud And The Internet of Things:

The IoT Will Bring Cyberwar Close To Home:


 

 

« Former UK Spy Boss Say Russia Is 'live testing' Cyber-Attacks
13 Ways Cyber Criminals Spread Malware »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Surrey Centre for Cyber Security (SCCS)

Surrey Centre for Cyber Security (SCCS)

The Centre focuses on three main research directions - Privacy and Data Protection, Secure Communications, and Human-Centred Security.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

Dubex

Dubex

Dubex is Denmark's leading business-oriented IT security specialist.

Parsons

Parsons

Parsons has developed a converged security offering that combines cybersecurity, integrated network solutions, and critical infrastructure protection.

SureVine

SureVine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

Corrata

Corrata

Corrata is an award-winning provider of mobile security and data control solutions for enterprises.

CipherBlade

CipherBlade

CipherBlade specializes in blockchain forensics, data science and transaction tracking.

SimSpace

SimSpace

SimSpace is the visionary yet practical platform for measuring how your security system responds under actual, sustained attack.

Curtail

Curtail

Curtail keeps businesses running by using live traffic analysis to identify defects before software goes live, and detect and isolate security threats before they impact systems.

Start Left™ Security

Start Left™ Security

Start Left™ Security's Tauruseer Platform is the patented data-driven security posture management solution that provides a complete life cycle approach for proactive security in one place. 

Cynalytica

Cynalytica

Cynalytica deliver pioneering cybersecurity and machine analytics technologies that help protect critical infrastructure, securely enable Industry 4.0 and help accelerate digital transformation.

Green Radar

Green Radar

Green Radar is a next generation cybersecurity company which combines technologies and services together to deliver Threat Detection for Emails and Deep Threat Analytics and Response.

Davinsi Labs

Davinsi Labs

Davinsi Labs helps companies achieve Digital Service Excellence with specialized Security Intelligence and Service Intelligence solutions.

Willyama Services

Willyama Services

Willyama Services is a certified Information Technology and Cybersecurity professional services business providing services to government and private sector clients.

Lodestone

Lodestone

Lodestone partners with clients to help them mitigate business and reputational risk, through our human-based, approach to cyber security, digital forensics and incident response.

AuthenticID

AuthenticID

Our mission at AuthenticID is to combat fraud worldwide and help businesses protect their enterprise and valuable data assets.