In a recent article on Dark Reading, it was revealed that millions of IoT devices were exposed to a peer-to-peer (P2P) vulnerability. Given how widespread IoT devices are, and how device adoption will continue in organizations, it is important to understand the nature of these devices and how organizations can prevent these vulnerabilities from becoming backdoors into the corporate network. Specifically, let’s take a look at how businesses can protect themselves from P2P and IoT vulnerabilities.
With global IoT product adoption continuing to grow, many organizations are trying to tackle the challenge of allowing these devices in while maintaining a strong security posture for the business. How businesses do this varies, but there is some good news for IoT aficionados who hope to deploy some new tech to make their jobs easier.
IoT devices are dangerous! Now, I know what you are thinking, “Justin, IoT devices provide convenience and make many mundane parts of life so much more interesting.” Consider, however, that many of the IoT devices on the market are designed with little care or interest in security. So, what should be considered before you bring a shiny new IoT device onto your network? Let’s explore.
IoT checklist—what to consider before you deploy
IoT devices are among the most vulnerable devices that can be deployed on a network. They are usually put on the network as trusted devices, are rarely updated—if updates are even an option for the device—and are built to be deployed quickly, so security is often an afterthought. Because of this, IoT devices are extremely vulnerable to attack, and malicious actors love when IT professionals deploy them on corporate networks. After a short period, the devices remain without updates, and hackers exploit known vulnerabilities.
Because these devices are on the network, often with full access to many or all shared resources, the hackers begin their assault. The IoT devices have become the proverbial Trojan Horse, and the IT team has walked it right into the network.
When you are looking for a connected device that will solve a problem—let’s say connected locks that allow employees to use an app to gain access to a part of the building—you need to be certain of a few things. Namely, you need to understand whether the devices are capable of firmware and software updates. Should a vulnerability be exposed, you need to have a way to update devices. Talk about the irony of your connected locks being the key to your entire network. Additionally, you must understand the security built into the devices. Are all communications over a secure TLS channel? Does that encryption use industry standards with appropriate key sizes? While some of this information will be difficult to understand before purchase, it is certainly something you can find out by deploying a test device in a lab and observing the communications it makes. This is an important step to understanding whether deploying the device is relatively safe or whether the device will become that Trojan horse.
Okay, you now know how bad IoT devices are, and you understand that malicious actors will use these devices as much as possible to wreak havoc on your network. You also understand some of the security features built into the devices, and you want to deploy the device on the network. Now what?
IoT devices still should not be trusted. They need to be in isolation as much as possible, with only critical connections allowed. Additionally, they need to be monitored. Network traffic analytics is the best first step to understanding what these devices are doing, and when a device is compromised, it provides an effective way to find where hackers are trying to gain access. Network traffic analytics allows for scoring and monitoring of these devices at all times. According to Barracuda Networks, “IoT products should be scored constantly, and their security posture be published in the same way as motor vehicle safety ratings are, to enable businesses and consumers to make informed decisions when choosing products.”
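As an added illustration (not from the original article or any vendor's product), the Python sketch below audits flow records from a lab capture against an allowlist of critical connections and reports, per device, anything that is cleartext, unapproved, or reaching into the corporate network. The addresses, ports, policy, and sample flows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow export from a lab capture (not real traffic).
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
10.50.0.11,203.0.113.10,tcp,443,18432
10.50.0.11,203.0.113.10,tcp,80,2210
10.50.0.12,10.10.4.25,tcp,445,90112
10.50.0.12,203.0.113.10,tcp,443,7344
10.50.0.13,198.51.100.77,udp,32100,51200
10.50.0.11,10.50.0.1,udp,53,412
"""

IOT_NET = ip_network("10.50.0.0/24")   # assumed isolated IoT segment
CORP_NET = ip_network("10.0.0.0/8")    # assumed internal address space
# Assumed "critical connections only" policy: (destination, proto, port).
ALLOWED = [
    (ip_network("203.0.113.10/32"), "tcp", 443),  # vendor cloud over TLS
    (ip_network("10.50.0.1/32"), "udp", 53),      # segment DNS resolver
]
# Ports that normally carry FTP, Telnet, HTTP and MQTT without TLS.
# A port number is only a heuristic; confirm TLS in a packet capture.
CLEARTEXT_PORTS = {21, 23, 80, 1883}

def audit_flows(flow_csv):
    """Return {device_ip: [finding, ...]} for flows that break the policy."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        proto, port = row["proto"], int(row["dport"])
        if src not in IOT_NET:
            continue  # only flows initiated by IoT devices are audited
        if any(dst in net and proto == p and port == pt for net, p, pt in ALLOWED):
            continue  # matches an approved critical connection
        target = f"{dst} {proto}/{port}"
        if dst in CORP_NET and dst not in IOT_NET:
            findings[str(src)].append(f"lateral: reaches corporate host {target}")
        elif port in CLEARTEXT_PORTS:
            findings[str(src)].append(f"cleartext: {target}")
        else:
            findings[str(src)].append(f"unapproved: {target}")
    return dict(findings)

if __name__ == "__main__":
    for device, issues in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(device, len(issues), issues)
```

The number of findings per device can serve as a simple running score for the monitoring described above.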
To fully understand what your IoT devices are doing on your network, download a free trial of Scrutinizer today.