IoT Security 101

The COVID-19 pandemic left its indelible mark across our society. Our work, recreation, healthcare, and even grocery shopping became remote, digital, and reliant on the internet. The eruption of new apps and Internet of Things (IoT) devices proved a tempting target for cyber attackers; that brought security issues new and old to the fore.

IoT Devices are Everywhere

IoT device use was expanding even before the pandemic, with almost 4.8 billion devices. The overwhelming load that the pandemic created with the need for virtual education, telehealth, video conferencing, remote facility monitoring, and other services only expanded this number. These devices are estimated to account for nearly 30% of all endpoints in existence today.

While IoT devices made life bearable during lockdowns and boosted business continuity in the face of a once-in-a-lifetime global plague, the downside is that they are easy targets. Over half of them are vulnerable to medium or high severity cyberattacks. These devices are often-overlooked vulnerabilities lurking on your network, waiting to be exploited by attackers who will capitalize on them and pivot to bigger targets once inside your systems.

BOYD. It’s an IoT Party

Bring Your Own Device – or BYOD – might sound like a call back to your college years with a slightly different spelling. Still, it’s a trend that has saved many organizations, from colleges to companies, thousands in infrastructure and operations costs. Devices such as tablets and smartphones keep employees connected throughout the workday, simplify remote work, facilitate travel, and offer a way for employees to be more productive with their time. However, tablets and smartphones aren’t the only IoT lurking in the office.

IoT in Business Processes 

IoT is ubiquitous in business environments. Its presence in the last few years has only become more prevalent, with increases in spending from $215 billion in 2015 to $832 billion in 2020, according to PwC. These devices integrate into business processes managing security and operations. Organizational uses range from badge checking and monitoring to automatically lighting or controlling HVAC settings. This automation saves businesses money and reduces the cost of day-to-day operations.

The Threat in IoT

IoT devices generate and transmit data regularly in the course of their functions, but this means that each of these connections is yet another target for cybercriminals. A recent report by threat intelligence team Unit 42 discovered that over half of all IoT devices are vulnerable to acute cybersecurity attacks. “We see lateral movements originating from successful phishing attacks targeting IoT systems on the same network and exploiting vulnerabilities remotely. 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.”

In a rush to market, device manufacturers often overlook or fail to test for hardware and software security design flaws due to a laser focus on delivering the newest, cutting-edge functionality at the lowest cost.

So how can you protect yourself and your organization from IoT device vulnerability without crippling efficiency?

Is There A Way to Secure IoT?

Implementing some basic steps to manage IoT devices on your network can significantly improve your security posture as an organization.

Identify IoT Devices

Managing IoT in your organization requires first identifying and locating where these devices are on the network. Network administrators can use scanning tools like network monitoring software and vulnerability scanners to detect and map what devices are currently connected to the network. This not only helps to identify IoT devices that are attached but may also uncover Shadow IT. Knowing what technologies are on your network is the first step toward protecting it.

Use Google Password Hygiene

Enforced strong password policies for IoT devices raises the challenge level for attackers and removes an easy target. Just because an IoT device comes with a poor default password does not mean it has to stay that way. Change the default password to one that is more complex and difficult to guess. Consider periodically rotating passwords. This prevents the password from being re-used or reduces the length of usefulness if shared. Implementing strong password policies already commonly in use throughout the industry and is an excellent first step in IoT security.

Limit Access

Once IoT devices have been identified, their overall access to the network needs to be limited. This doesn’t necessarily mean removing all network access; it might simply mean trimming access down to the least privilege. By only giving the access necessary for the device to perform its intended function, you reduce the scope of any potential damage should an attack occur. Access can be limited in a couple of ways. One method is to use network rules that restrict what other systems the device can communicate with and what ports it can use.

Another way to limit access is by creating a virtual local area network (VLAN) that the devices can access. Instead of limiting access on a device-by-device basis, the VLAN can have rules set to regulate communication that passes through it, allowing for easier overall management. It also makes it harder for IoT devices to be targeted by attackers. In the event they are, it reduces the scope of potential damage.

Scan & Monitor

Integrating your IoT devices into your threat prevention and detection process is crucial in securing your network. Vulnerability scanners allow you to detect current weaknesses in your devices, such as configuration issues and known code vulnerabilities. Remediating these issues early on will help make it more challenging for attackers.

The other half of this equation is to monitor your IoT devices for suspicious activity continuously. Overseeing their operations and alerting your team of unusual behavior allows them to respond to incidents and eradicate them from the system quickly. Early detection allows for identifying threats early in the attack chain so they can be stopped well before disrupting operational productivity.

Next Steps

IoT devices are not going away; we expect to see a continued proliferation of these devices as technology advances. But that doesn’t mean you’re saddled with the risk. IoT device security benefits from the initial proactive measures we’ve discussed above, but there are many other measures available to organizations wishing to take their IoT security beyond the basics.

With IoT, vulnerability scanning offers another way for your organization to stay one step ahead of attackers by identifying IoT devices and assessing them for vulnerabilities before the attackers do. 

For more information on how a vulnerability assessment can protect against IoT device risks without crippling efficiency, check out beSECURE.