Securing IoT devices is an important but often overlooked aspect of enterprise security. IoT devices can seem innocent, but some have severe security issues that can offer a quick and easy entry point for attackers into a network. If not properly secured, an attacker can quickly move laterally from an IoT device and spread throughout an environment. Ensuring that IoT devices are robustly secured is critical to any organization.
IoT Security Issues
IoT devices are often overlooked in traditional enterprise networks and aren’t always considered in older security plans. Additionally, IoT devices aren’t always built with best security practices in mind, and don’t always receive regular security updates from the vendor. That said, IoT devices can become easy targets for compromise, and used to pivot into a network to compromise traditional assets like workstations and servers. A great example is the recent headline about attackers breaking into a smart thermostat in a casino’s fish tank, and using the compromised IoT device to spread laterally and exfiltrate over 10GB of the casino’s database records.
IoT devices aren’t just limited to doorbells and voice assistants. Many consumer and enterprise devices are having IoT functionality added to them, and these devices need to be identified and protected as they are installed. In 2020 almost every organization has some kind of IoT device in their environment, whether they know it or not. Here’s a list of “non-traditional” IoT devices that are often overlooked:
- Smart TVs
- HVAC Units
- Security Cameras
- Kitchen appliances (e.g. refrigerators, coffee machines, etc.)
- Video Conferencing Solutions
- Employee devices (e.g. smart watches)
Securing IoT Devices
There are a number of ways to secure IoT devices, but the four most effective ways are to:
- Audit existing IoT devices,
- Assess risk when purchasing new devices,
- Isolate IoT devices from the rest of the network,
- Ensure that IoT devices are kept up to date.
Audit Existing IoT Devices
The first step to securing IoT devices is to perform an audit to identify and record all devices currently in the environment. Since IoT devices aren’t typically registered to a domain or other inventory system, a device discovery solution is recommended to sweep the environment and find all devices present. For each device, record physical and network location, device manufacturer and model number, relevant serial numbers, software versions, and any other relevant information to create an inventory of all IoT devices. This can be used to create device profiles and is useful for identifying potential security issues, as well as aiding in manual updating of firmware if needed. Once a complete inventory is taken, evaluate the security risk of each device based on network exposure, last updated firmware date, known security vulnerabilities, and other organization-relevant risk factors of the device. If there are security concerns for a device, consider removing the device or replacing it with a newer or more secure alternative.
Assess Risk Before Purchase
Evaluating the risk of an IoT device before purchase can save your organization from headaches and potential security issues down the road. When considering a device, determine the reliability and reputation of the manufacturer, and the length and level of support for past devices. This can serve as an indicator of how well a manufacturer is likely to support devices with security patches and updates in the future, which is a critical aspect of IoT security. Additionally, try to find third party security research on the device to ensure that manufacture claims about security are accurate. Make sure to consider privacy and surveillance risks of devices – especially if they have a camera or microphones. When you purchase new IoT devices, do not forget to add device to the IoT inventory.
Isolate IoT Devices from Network
Isolating IoT devices from the rest of your network is one of the best things you can do to prevent a threat actor from moving laterally into the rest of your network if they compromise an IoT device. Creating an isolated IoT network segment with separate wireless networks and IoT VLANs is the best way to reduce the network exposure of IoT devices and isolate IoT network traffic from other systems. Follow the principle of least privilege when creating access and firewall rules, making sure that the IoT segment is as locked down as possible while still maintaining functionality. Since most IoT devices cannot accept traditional endpoint security and logging solutions, monitor the IoT network traffic to detect abnormal activity that could indicate a breach. IoT breaches can be hard to detect, so implementing network monitoring is crucial for stopping an attacker before they can move laterally.
Keep IoT Devices Up to Date
Some IoT devices do not have the capability to automatically download and install software updates and security patches, so manual security patches are sometimes required. Regularly review the IoT inventory and look for updates or security patcher for the vender, and check for any newly discovered vulnerabilities of the device. Make sure to update any security controls if there are feature updates for IoT Devices, as they may require additional services. If no recent updates have been issued for a device or the manufacturer has stopped supporting the device, you may want to investigate replacing it with a newer device still in support.
Ensuring IoT devices are properly secured is critical to protecting your organization from cyber threats, and an essential part of any infosec program. As your trusted end-to-end security provider, NuHarbor is ready to bring your security to the next level. If you need a gap assessment, security program review, or just want to speak with an expert, get in touch with us today!
by: Hayley Froio
Information Assurance Team Member at NuHarbor Security
Follow us on Social Media for more information: