Nowadays, most people own some type of “smart” device – from smart watches to smart cars to smartphones. These revolutionary technologies encompass the next wave of “Internet of Things,” and signal the future attack surface. Like anything new, we need to understand what Internet of Things (IoT) is and how we can utilize it in a secure manner.
What is IoT?
IoT describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. By using low-cost computing, the cloud, big data, analytics, and more, physical things have the capability to collect and share data with minimal human intervention. This hyperconnected world allows digital systems to record, monitor, and adjust each interaction between connected objects. It can be thought of as a cooperation where the physical world meets the digital world. It’s easy to imagine that this can be quite convenient in many ways, but it also comes with cybersecurity risk. There are more than 14 billion IoT devices currently in use, and experts forecast the number will grow to 22 billion by 2025. How does this affect businesses? Who might be listening in from your office printer or smart light bulb?
Risks of Implementing IoT
Everything connected to the internet is vulnerable to a cyberattack, and IoT products are no exception. Our hope is that you’ll give these devices security attention just as you do computers. The most consequential risks of IoT environments include the following:
- Inability to discover all IoT devices. IoT tools and practices must be able to discover and configure the other IoT devices in the environment. Undiscovered devices are unmanaged devices, and they can give bad actors an attack vector into the network. In other words, IT leaders and admins must be able to discover and control all devices on the network.
- Weak or absent access control. IoT security depends on proper authentication and authorization on each device. It is important to configure each IoT device for least privilege. This means that devices will be able to access only the network resources that are essential to perform their task. In addition, adopt strong passwords and enable network encryption for every IoT device to reinforce other security measures.
- Ignored or overlooked device updates. IoT devices can require periodic patching of their internal software or firmware. These devices can become vulnerable to intrusion or hacking if those updates are ignored. Consider an update protocol when designing an IoT environment.
- Poor or weak network security. IoT deployments can add numerous devices to a Local Area Network. Each new device carries the risk of a potential access point of intrusion for attackers. Organizations with an IoT ecosystem often implement additional network-wide security measures, including intrusion detection and prevention systems, tightly controlled firewalls, and comprehensive anti-malware tools. Segmenting the IoT network from the rest of the IT network is another practice organizations may opt to implement.
- Lack of security policies or processes. Any proper network security must have policies and processes in place. These combine documentation, used for configuration guidelines and rapid reporting, with the tools and practices used to configure, monitor, and enforce device security across the network.
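The first risk in the list, undiscovered devices, can be checked by comparing what a Linux gateway has actually seen on the segment with the asset inventory. The script below is an added example, not part of the original article: it parses `ip neigh show` output and reports devices that are on the network but not in the inventory. The sample neighbor table, the inventory and all names in it are constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output (not captured from a real network).
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.10.23 dev eth0 lladdr a4:cf:12:0b:9e:01 STALE
192.168.10.40 dev eth0 lladdr dc:a6:32:7f:10:02 DELAY
192.168.10.77 dev eth0  FAILED
192.168.10.88 dev eth0  INCOMPLETE
fe80::a6cf:12ff:fe0b:9e01 dev eth0 lladdr a4:cf:12:0b:9e:01 STALE
"""

# Constructed inventory of managed devices; MAC notation varies as it does in real records.
INVENTORY = {
    "00-11-22-33-44-55": "office router",
    "A4:CF:12:0B:9E:01": "lobby printer",
    "3c71.bf00.0003": "badge reader",
}

NEIGH_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>\S+)")

def normalize_mac(mac):
    """Reduce any common MAC notation to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neighbors(text):
    """Return {mac: sorted addresses} for entries that resolved to a MAC."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED / INCOMPLETE entries carry no lladdr
        seen.setdefault(normalize_mac(m["mac"]), set()).add(m["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items()}

def audit(neigh_text, inventory):
    """Return (unmanaged devices seen on the wire, inventory names not seen)."""
    managed = {normalize_mac(mac): name for mac, name in inventory.items()}
    seen = parse_neighbors(neigh_text)
    unmanaged = {mac: ips for mac, ips in seen.items() if mac not in managed}
    missing = sorted(name for mac, name in managed.items() if mac not in seen)
    return unmanaged, missing

if __name__ == "__main__":
    unmanaged, missing = audit(SAMPLE_NEIGH, INVENTORY)
    print("On the network but not in inventory:", unmanaged)
    print("In inventory but not seen:", missing)
```

The neighbor table only covers devices the gateway has exchanged traffic with on its own layer-2 segment, so a full inventory check also needs DHCP leases or switch data from the other segments.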
IoT Security Best Practices
It’s often the case that IoT devices are too convenient, efficient, or innovative to avoid. If you are using any number of IoT devices in your personal or professional ecosystem, there are certain best practices you can implement to protect yourself:
- Always change default router settings
- Pick a strong password
- Don’t use Universal Plug and Play (UPnP), which allows devices on the same network to automatically discover and communicate with each other.
- Keep software and firmware updated
- Implement a zero trust model
Cowbell’s Risk Engineering department offers its policyholders assistance with their IoT devices. We care about helping each and every policyholder with continuous risk improvement. Our policyholders can set up a meeting with one of our dedicated risk engineers and receive assistance with securing their IoT devices and implementing security best practices. Please feel free to reach us at [email protected].