We as humans like patterns. We like trends, labels and buzzwords. We like to fit our problems into a category that can be easily solved by one answer and when this can’t be done, the labels by which we categorize our problems become more and more complex. The Internet of Things (IoT) is nothing new. It’s something that’s been around ever since computers were first connected to each other and as the space evolved, networked devices, phones, servers – anything you connect to the network – all became a part of the Internet of Things. In its simplest form, IoT is just another connected device and while a new buzzword has emerged to define it, it is no different from a network as it was many years ago.
What has changed?
So, if IoT is something we have been trying to secure since the 1960s, why has no utopian technology taken the helm to protect our networks? Ultimately, the functionality of the devices that are connected has drastically progressed as well as the tasks they are meant to carry out. While in the past it was computers that had the ability to be programmed or changed to carry different functions – whether it be a web application or some type of financial application – today devices and hardware are now carrying out more specific functions, more targeted and simpler tasks.
What’s the risk?
From a security perspective, we also tend to look at IoT in the wrong way. With every new device, we assume the technology will be vulnerable with a very high risk of compromise. The reality is that most IoT devices have a very low risk individually, but their functionality is what leaves them susceptible. Is it a data processor? Is it a data collector? Is it a data correlator? The device’s actual role in the network needs to be vetted to understand the risk posed. Here are 3 questions you should ask when evaluating the risk of an IoT device:
- Is it something that could potentially attack the network? An availability attack!
- Is it something that could have data poisoning? In other words, could the data that it is generating be manipulated? An integrity attack!
- Is it providing an access point for an attacker to gain entry to the network? A confidentiality attack!
By changing how we define IoT devices to focus on functionality, we can begin to conduct better risk assessments and better understand how malicious actors may abuse any security gaps to their advantage.
How can you secure IoT?
At the ground level, securing IoT must first come with holding manufacturers to a minimum standard of security by design. Governments and industries are responsible for defining these standards, whereas manufacturers in turn must be held accountable for ensuring the devices include security best practices and endorse customers who enable and use them. Simple measures include ensuring default passwords are not used, data is encrypted at rest and in transit, as well as ensuring that security patches and updates get installed as soon as possible. It must also be clear when selling such devices how long the manufacturer will support security updates, a standard that governments must push for. Incentivizing consumers to use security by giving discounts, etc., is another effective way to add an additional layer of defense.
Many organizations are spending blindly on IoT devices as suppliers do not make it clear what security features are available and they mostly focus on ease of use, sacrificing security by design. Regulations are surely coming and will likely force vendors to display, inform or even go as far as ensuring security best practices are easy to enable and use. For organizations, the best way to protect and secure IoT devices is to enable strong privileged access management controls that change passwords regularly and enhance security controls to ensure only authorized users can access and configure them.
5 Tips for users
The consumer is the last line of defense when it comes to the security of an IoT device. At a time when many employees are working from home IoT security has become more critical and important. Here are some good standards to abide by when engaging with the online realm:
- Turn on the security features and use them. The biggest issue with IoT is that most devices by default have security turned off in favor of ease of use, along with default credentials that never get changed, which creates the perfect playground for cybercriminals to take advantage of an IoT devices’ lack of cybersecurity.
- Keep IoT devices, such as a Ring device, on a separate Wi-Fi network and use a password management solution to ensure that you change default or weak passwords by selecting complex system generated passwords for your Ring Accounts.
- Use Two or Multi-Factor Authentication for the Administrator access to the device.
- Read the instructions and understand what security features are available.
- Turn the device off when it is not being used – if it is completely powered off it cannot be hacked or abused.
About the author
Joseph Carson is a cyber security professional with more than 25 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Thycotic. He is an active member of the cyber security community and a Certified Information Systems Security Professional (CISSP). Carson is a cybersecurity adviser to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.
Shiv has over 8 years experience working on Internet of Things and an avid user of Drones