Gadget security requires renewed embrace of policies, authentication

Network administrators must increasingly contend with the challenges fueled by gadget security within their operations.

Like it or not, an increasing number of network administrators are going to have to deal with internet of things, or IoT, devices in the workplace. While they may not be smartwatches or dog-activity monitors, there's a good chance the new television in the conference room or the refrigerator in the break room will have embedded smart technology.

Not concerned about gadget security yet? You should be. October's IoT-leveraged distributed denial-of-service (DDoS) attack notwithstanding, Gartner predicted that, by 2020, more than 25% of identified attacks in enterprises will involve IoT devices. IoT thermostats have already been used to breach a facility, and these same devices have been shown to be vulnerable to ransomware. If that is not bad enough, research by ForeScout Technologies Inc. found nearly 75% of enterprises either don't have protection methods for their IoT devices, or they are not aware of what IoT devices are being used. Here are five steps you can use to reduce the risk of IoT devices on your network.

Develop and revise policy

The first place to build a gadget security framework is policy. It's imperative to have proper security policies for IoT devices before they are allowed access to your corporate network. Your existing security policies are the best place to start. Hopefully, they will suffice, or may only need minor modifications. These policies should be written from a deny-all standpoint: the policy identifies the potential risk and the level of protection that is required before the IoT product or device is allowed.

With IoT, the difficulty is that management, end users and asset owners may see these devices as benign or harmless. You'll need to be able to quantify the risk. This will require that you understand what kind of access the device needs and what type of data it's transferring. As an example, some IoT refrigerators don't properly validate Secure Sockets Layer certificates. The result is that an attacker could mount a man-in-the-middle attack against these devices. Data exfiltration and remote access are real concerns.

Restrict access

Next, you will want to consider IoT access. There are entire websites, such as Shodan, that are designed for the sole purpose of searching for and finding IoT devices. IoT devices should have no direct access to the internet. Violating this rule opens you up to an attack that is a matter of when, not if.

IoT devices should be segmented and placed on separate networks or virtual LANs. Practice the principle of least privilege. IoT devices should be explicitly denied access to critical resources, databases and servers that don't need to communicate with these devices. The idea is that even if the IoT device is breached, it cannot be used as a pivot point to gain access to other resources.
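
The segmentation rules above can be spot-checked against a firewall rule set. The following is an added example, not part of the original article: the addressing plan, the rule list and the function names are constructed for illustration, and the checker assumes a top-down, first-match ACL with an implicit deny.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the article).
IOT_VLAN = ip_network("10.50.0.0/24")
CRITICAL = {"db": ip_network("10.10.20.0/24"),
            "servers": ip_network("10.10.30.0/24")}
INTERNET_PROBE = "203.0.113.10"  # TEST-NET-3 documentation address

# Constructed ACL: (action, source, destination, port); port None = any port.
WEAK_ACL = [
    ("permit", "10.50.0.0/24", "10.50.1.10/32", 443),   # IoT -> update proxy
    ("deny",   "10.50.0.0/24", "10.10.20.0/24", None),  # IoT -> databases
    ("permit", "10.50.0.0/24", "0.0.0.0/0",     443),   # too broad: any HTTPS
    ("deny",   "0.0.0.0/0",    "0.0.0.0/0",     None),  # explicit default deny
]
# Hardened form: drop the broad egress rule, keep the update proxy path.
HARDENED_ACL = WEAK_ACL[:2] + WEAK_ACL[3:]


def decide(acl, src, dst, port):
    """Return the action of the first matching rule; deny if none match."""
    for action, rule_src, rule_dst, rule_port in acl:
        if (ip_address(src) in ip_network(rule_src)
                and ip_address(dst) in ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "deny"


def audit(acl, ports=(22, 23, 80, 443)):
    """Probe one sample host per zone and list flows that break the policy."""
    iot_host = str(next(IOT_VLAN.hosts()))
    probes = {name: str(next(net.hosts())) for name, net in CRITICAL.items()}
    probes["internet"] = INTERNET_PROBE
    findings = []
    for name, dst in probes.items():
        for port in ports:
            if decide(acl, iot_host, dst, port) == "permit":
                findings.append(f"iot->{name}:{port}")
            # Inbound exposure: the internet must never reach the IoT VLAN.
            if name == "internet" and decide(acl, dst, iot_host, port) == "permit":
                findings.append(f"internet->iot:{port}")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_ACL))
    print("hardened:", audit(HARDENED_ACL))
```

The broad HTTPS rule in the weak list shows how a single "allow web traffic" entry gives the IoT VLAN both direct internet egress and a path to the server subnet, even though the database subnet is explicitly denied.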

Use strong authentication

Another real concern is how the IoT device handles authentication. While it may be convenient to have a default username and password of admin admin, you know this must be changed. The Mirai botnet used default credentials against IoT devices to launch the first DDoS attack on Brian Krebs' website in early October, and the malware made a repeat appearance to underpin the DDoS attack against Dyn on Oct. 21, which paralyzed popular websites and organizations. Passwords for IoT devices should fall under the same policy as other credentials and be changed on a periodic basis. Passwords should be complex, and there should be no default authentication allowed.

Verify updates and patches

It's also important to keep these devices up to date by applying patches and updates. Understand how the IoT device manufacturer handles this process. The manufacturer must not only provide updates and patches, but these should be digitally signed to confirm the software author and guarantee the code has not been altered or corrupted. Patches should only be accepted from authenticated sources. The last thing you need is for someone to be able to spoof the update process with malicious code. 

Train your employees

Finally, there is training. This component of gadget security is often overlooked: employees must be provided training on policies. Employees must have knowledge of these policies and understand their purpose. There should also be an enforcement mechanism in the policy. What's the penalty for placing rogue IoT or shadow IT devices on the network? This occurs when employees circumvent policy and use unapproved IoT devices. The way to reduce this threat is to train employees on policy and let them know you are there to help them figure out ways to do things right when placing IoT on the corporate network.

Securing IoT devices is a big job, but it is similar in many ways to BYOD and cloud computing in that the policy framework most likely already exists. What's needed is to follow a methodology that reduces risk, isolates the device and keeps the IoT device patched and up to date. Technology is going to continue to change, and networking professionals must be ready to adapt. Support an open-to-consideration policy for IoT devices and help by providing guidance for proper deployment and management of approved devices.

This was last published in November 2016
