5 Steps to Secure Your Network for the Internet of Things
IT departments in businesses small and large have been forced to deal with two major influxes of unexpected attack vectors in the past decade.
First, there was BYOD, the Bring Your Own Device trend, where users began to bring in their own laptops and smartphones and use them to connect to the corporate network and reach sensitive data and servers. Without corporate security controls, many of those devices were already compromised or easily compromised, carried malware onto the network, and led to significant data breaches.
Now, there is the Internet of Things, a broad movement by manufacturers of all types of devices and tools to add networking and data features to the most innocuous of objects, from refrigerators to thermostats.
Typically, these devices come with little technical documentation and few built-in security controls. The interfaces they expose can be obscure and their capabilities sometimes unexpected. For IT departments already under siege, the IoT may seem like the final wave.
But there are five steps that any IT department can take to help manage the security threat the IoT represents.
Build Internal Awareness
Although user education has long been one of the great windmill-tilting exercises of IT security, there is some evidence that after a generation of constant reminders about passwords and device security, the average user is starting to become more sophisticated about data protection.
Now, the message needs to change: users need to be made aware that their space heater, the office coffee pot, or the smart refrigerator can also become a point of compromise for their computers. Ensure that they know not to simply plug in a new device or hand over the corporate Wi-Fi key without having a conversation with IT about it first.
The insidious part of IoT devices is that they join your internal network easily and seamlessly, without users fully realizing that they have just put their new smartwatch on the same network segment as your corporate trade secrets. A compromised device quietly sniffing or relaying traffic on that segment may be all but undetectable.
Encrypt Internal Traffic
IT departments must begin to think more seriously about encrypting internal network traffic, not just data going outside the firewall. Internal end-to-end encryption is not easy to roll out, but it may be the only way to protect data from monitoring by a device you did not know was listening. Putting IoT devices on their own VLAN, away from workstations and servers, limits what a compromised device can see in the first place.
Default Denial at the Firewall
Although this is a best practice for many other reasons, it is a good idea to revisit your firewall rules to ensure that traffic heading out into the world is denied by default.
It is not an easy policy to implement, because every open port and stateful packet inspection rule has to be examined and justified, but since the whole purpose of most IoT devices is to talk to the Internet, the firewall is the last place where you can stop them.
In most cases these connections are innocuous, and once the endpoint has been identified it can be added to the ruleset without issue. It is the illicit traffic that needs to be stopped, and a default deny rule will do it, provided that denied connections are logged so that new legitimate endpoints can be spotted and reviewed rather than silently breaking a device.
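The workflow above, as an added example that is not part of the original article: a constructed allowlist of justified endpoints for a hypothetical IoT VLAN (10.20.0.0/24, with destinations drawn from the RFC 5737 documentation ranges), a triage step that sorts observed egress flows into allowed and denied-for-review, and a renderer that turns the same allowlist into an nftables ruleset whose forward chain is default drop with logging on the deny path. All addresses, hostnames and reasons are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical IoT VLAN; everything below is constructed for the example.
IOT_SEGMENT = ip_network("10.20.0.0/24")

# Each justified opening: destination network, protocol, port, and the reason
# recorded when the endpoint was identified. Anything not listed is dropped and logged.
ALLOWLIST = [
    (ip_network("198.51.100.10/32"), "tcp", 443, "thermostat vendor cloud"),
    (ip_network("198.51.100.0/24"), "udp", 123, "vendor NTP pool"),
    (ip_network("10.20.0.1/32"), "udp", 53, "internal DNS resolver"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_allowed(flow):
    """Return the recorded justification for a permitted flow, or None if default deny applies."""
    if ip_address(flow.src) not in IOT_SEGMENT:
        return None  # policy only covers the IoT segment; nothing else is justified here
    dst = ip_address(flow.dst)
    for net, proto, port, reason in ALLOWLIST:
        if dst in net and flow.proto == proto and flow.dport == port:
            return reason
    return None


def triage(flows):
    """Split observed flows into (allowed, denied_for_review)."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f) else denied).append(f)
    return allowed, denied


def nft_ruleset():
    """Render the allowlist as an nftables ruleset: default-drop forward chain,
    established traffic accepted, IoT segment jumped to its own chain that logs and drops."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {IOT_SEGMENT} jump iot_egress",
        "  }",
        "  chain iot_egress {",
    ]
    for net, proto, port, reason in ALLOWLIST:
        lines.append(f'    ip daddr {net} {proto} dport {port} accept comment "{reason}"')
    lines += [
        '    log prefix "iot-egress-denied " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Constructed sample of egress seen from the IoT segment (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "198.51.100.10", "tcp", 443),  # thermostat phoning home: allowed
    Flow("10.20.0.15", "198.51.100.20", "udp", 123),  # NTP: allowed
    Flow("10.20.0.30", "10.20.0.1", "udp", 53),       # internal DNS: allowed
    Flow("10.20.0.22", "203.0.113.77", "tcp", 1883),  # MQTT to an unknown broker: denied
    Flow("10.20.0.22", "10.10.0.5", "tcp", 445),      # SMB toward the corporate LAN: denied
]

if __name__ == "__main__":
    ok, review = triage(SAMPLE_FLOWS)
    for f in review:
        print(f"review: {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print(nft_ruleset())
```

The denied list is the review queue: a flow that turns out to be legitimate gets a new ALLOWLIST entry with its reason, the ruleset is regenerated, and the log prefix makes the same decisions visible on the firewall itself. On a firewall that also forwards traffic for other segments, the `policy drop` on the base chain applies to them too, which is the point of the article's recommendation, but it means their justified openings need rules as well.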
Ensure Consistent Updates
Like most other software, IoT firmware has holes, and they are often found and fixed by the manufacturer before anyone exploits them. The problem is typically the lag between when the fix is issued and when you install it. A worse problem is the device whose manufacturer never issues a fix at all: many IoT products ship with no update mechanism, or fall out of support within a few years of purchase.
If you allow IoT devices inside your security perimeter, make sure that they are set to receive regular patches and updates from their manufacturer, and treat a device that cannot be updated as one that does not belong inside the perimeter.
Create an Internal IoT Platform
Device manufacturers themselves are well aware of the security concerns coming along with the Internet of Things, and some of them are engaging in proactive approaches to help IT departments secure their systems.
Platforms such as Google's Brillo or Qualcomm's AllJoyn are industry efforts to create a common set of protocols and systems for integrating, securing, and managing IoT devices in your network. (Both have since moved on: Brillo was folded into Android Things, which Google later discontinued, and AllJoyn's AllSeen Alliance merged into the Open Connectivity Foundation, so check the current status of any platform before standardizing on it.)
Although such platforms do nothing for devices that do not support them, setting a standard and encouraging or mandating its use is one way for IT departments to integrate the beneficial aspects of IoT devices while still managing the security risks.
Like BYOD, IoT is a trend that is not going to go away anytime soon. IT departments will be forced to manage the threat proactively, or be left to clean up the mess at the end.