Securing the Internet of Things
Some steps businesses can take to better secure their own organization as well as their customers and employees
The Internet of Things (IoT) is the practice of taking devices, such as vehicles, building automation and industrial technology and integrating them with electronics and software that allow them to be networked for remote control and the exchange of data. Essentially these are small, but very capable computers.
In the last few years, IoT has grown exponentially. According to Gartner Research, there are 6.4 billion IoT devices in use worldwide, a number estimated to exceed 13.5 billion by 2020.
As with any hot technology, companies have been racing to enter the market. Unfortunately, security is often being overlooked during this gold rush. Certain key security requirements, such as access control, vulnerability/patch management and security monitoring, are non-existent in many of these IoT devices. There also are privacy concerns with what personal data may be collected, transmitted and stored without proper controls.
This introduces a number of security concerns and risks, such as personal data leakage/theft/misuse, malware infection allowing the device to be used as an attack platform and, most concerning, the potential to disrupt critical infrastructure where IoT is deployed, such as in telecom, power and water treatment facilities. As such, these devices are being increasingly targeted by threat actors such as cybercriminals, nation states and hacktivists.
While securing IoT devices is one of the toughest challenges the cybersecurity industry faces today, there are steps businesses can take to better secure their own organization as well as their customers, employees and other key stakeholders.
• The holidays mean more things in the Internet of Things: The first thing to be aware of is that there will most likely be a number of IoT devices at your organization after the holidays. This is the time of year many people get new smart phones, tablets and other devices (toys, drones, web-connected watches, etc.) to play with. The holidays can be a great time to remind employees of bring-your-own-device policies or to institute those policies for the first time.
• Beware of ransomware and phishing: One of the most common ways devices become compromised is via phishing campaigns, which are fake emails that look legitimate. Click the wrong link, and your account could be at risk, opening up the possibility of outsiders accessing your other accounts.
Today, we are seeing more and more instances of ransomware — a type of malicious software that encrypts the victim’s data until a ransom is paid to the attacker — that typically are delivered via phishing emails. Pay extra attention during the holidays, as new devices you may receive or give as gifts may not have proper security measures. Make sure to install proper security measures — anti-virus software and strong passwords, for example — on those shiny holiday devices before using them to read email or browse the web.
The best way to deal with phishing and malware is to educate your employees on how to identify suspicious emails before opening them. An email that appears to be from your bank but asks for account information online should be treated as suspect. The same goes for emails that look to be from law enforcement, political campaigns or even loved ones. If you get an email that looks like it is from someone you know but isn’t written in their normal tone and asks for personal or financial info, the easiest thing to do is make a phone call or send a text message to that person to confirm they actually sent it.
• What to do if you’ve been infected: It can be difficult to know when your device has been infected with malware. If you suspect you are a victim, the easiest route to remove it is a factory reset. Just beware that a factory reset can result in the loss of information and settings.
Often, hackers go after weak points as a way to gain access to more devices. A home router, for example, is often an individual’s only form of defense. If that router were to be compromised, the attacker could access other devices using that connection. If a smartphone, for example, were then compromised and brought into an office setting, further damage could be done.
Treat security around every device with a password – video game consoles, phones, routers, television accessories, tablets – seriously. It may seem innocuous, but a compromised web-connected thermostat can lead to much larger problems.
Many manufacturers now provide remote update capabilities to account for emerging security threats. Apply updates when available and if you have the option, have them set to apply automatically.
IoT is intimidating, even for security professionals. There are billions of internet-connected devices, all of them with varying stages of security safeguards, waiting for hackers to manipulate. But, as with many security practices, it all starts on an individual level. Beginning with the steps outlined above, we can all play our part in being safer in a more connected world.
Thomas DeFelice of Optiv Security is based in Wilton.