10/26/2017
10:30 AM
Naresh Persaud

A Checklist for Securing the Internet of Things

IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.

Hollywood is known for portraying outlandish scenarios. This past summer, The Fate of the Furious depicted scenes in which a cybercriminal controlled thousands of connected cars from an aircraft to create a massive vehicle pile-up on the streets of New York City. While many of the foreboding scenes we see on the big screen will probably never come to life, the number of breaches associated with connected devices is on the rise.

From connected cars to smartphones, some sort of smart device or application links nearly every aspect of modern society. According to Gartner, there will be 8.4 billion connected "things" in use in 2017. Another study from PricewaterhouseCoopers found that more than half of enterprise leaders are not investing in an Internet of Things (IoT) security strategy.

Increasingly, company leaders are seeing the possibilities that IoT provides. A McKinsey report from July found that 92% of executives believe that the IoT will have a positive impact on business over the next three years. Still, many companies are struggling to fully embrace the IoT, in part due to security concerns.

In September 2016, a Mirai botnet launched one of the largest and most disruptive distributed denial-of-service attacks in history, which stalled service to popular websites such as Netflix. As more IoT devices are added each day, more connections are created, and bad actors gain more ways to exploit vulnerabilities.

And policymakers have recognized these risks. Recently, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill takes steps toward enforcing stricter cybersecurity regulation for connected devices the government purchases. Similar steps to ensure the security of devices and applications should be taken by private sector enterprises.

Securing the IoT begins with identity management. Every new connected device has an identity that must be authenticated and authorized to protect the security of the device and the networks it touches.

Here's a checklist for securing IoT:

1. Manage the Device Life Cycle
A company would never knowingly give a previous employee access to current corporate data. Likewise, a company should never allow a device to stay on its network after access is no longer needed.

Throughout the life cycle of every device, enterprise IT security teams must manage not only who has access to the device but also what actions the device is allowed to perform at what time. When the device is no longer necessary, the connection should be terminated.

2. Monitor Behavior
When it comes to connected devices, it isn't always clear when a device is compromised. Today, nearly all employees have their smartphones with them at work. These personal devices are often unsecured and could become vulnerable due to malicious applications.

Using risk and behavior analytics, the enterprise can accurately and efficiently monitor how IoT devices are behaving in order to identify whether the device has deviated from its normal limits. Any deviation can promptly signal a compromised device.

We can learn from how the credit card industry addresses fraudulent activity across accounts. Once a transaction is deemed out of the ordinary compared with the customer's general spending habits, the credit card company restricts access to the card. This entire process is based on behavioral analytics that determine the amount of risk associated with abnormal behaviors.
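The monitoring approach described above can be sketched as a per-device baseline that scores each new observation and restricts the device once the risk is high enough. This is an added example, not code from the article; the device names, traffic figures, the 3-sigma limit and the 50-point scoring are constructed assumptions.

```python
import statistics

# Constructed traffic history per device: (bytes_sent, destination).
HISTORY = {
    "camera-01": [(1200, "10.0.0.5"), (1100, "10.0.0.5"), (1300, "10.0.0.5"),
                  (1250, "10.0.0.5"), (1150, "10.0.0.5")],
    "thermostat-02": [(300, "10.0.0.9"), (310, "10.0.0.9"), (290, "10.0.0.9"),
                      (305, "10.0.0.9"), (295, "10.0.0.9")],
}
SEVERITY = ["allow", "review", "quarantine"]


class DeviceBaseline:
    """Normal traffic volume and destinations learned for one device."""

    def __init__(self, history):
        volumes = [sent for sent, _ in history]
        self.mean = statistics.mean(volumes)
        self.stdev = statistics.pstdev(volumes) or 1.0  # guard constant traffic
        self.destinations = {dest for _, dest in history}

    def risk(self, sent, dest):
        """Score one observation: 50 points per deviation (assumed weighting)."""
        score = 0
        if abs(sent - self.mean) / self.stdev > 3:  # volume outside normal limits
            score += 50
        if dest not in self.destinations:           # never-seen destination
            score += 50
        return score


def evaluate(baselines, events):
    """Return the worst verdict per device over a batch of observations."""
    verdicts = {}
    for device_id, sent, dest in events:
        base = baselines.get(device_id)
        # A device with no baseline is unknown to us: treat it as maximum risk.
        score = 100 if base is None else base.risk(sent, dest)
        verdict = SEVERITY[min(score // 50, 2)]
        worst = verdicts.get(device_id, "allow")
        verdicts[device_id] = max(worst, verdict, key=SEVERITY.index)
    return verdicts
```

A single deviation only raises a review, while two together (or an unknown device) trigger quarantine, mirroring how a card issuer restricts access once the risk passes a threshold.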

3. Authorize Device-User Interaction
The nature of IoT devices encourages interaction between devices and users and between the devices themselves. But each of these interactions must be authorized. This means that security teams must be able to authorize not only which users have access to certain devices, but also authorize the actions those devices are facilitating.

4. Authenticate Device Connections
When your family connects to your Wi-Fi router at home, every person uses the same password credentials to gain access. Under this premise, the network believes that every login is the same user.

When it comes to IoT devices, an automated authentication process must be in place to verify a unique identity for each device. In this past year's Mirai botnet attack, default credentials were used to compromise the network and gain access. If security teams can't distinguish between devices based on their identity, then they can't accurately address threats and mitigate risks.
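One way to give every device its own verifiable identity, and to end that identity when the device leaves the network as item 1 requires, is a registry of per-device keys with challenge-response authentication. This is an added example, not code from the article; the class, function names, device IDs and the sample default-password list are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample of factory-default secrets that must never be enrolled.
FACTORY_DEFAULTS = {b"admin", b"password", b"12345"}


def device_response(device_id, key, nonce):
    """Device side: prove possession of the key without sending it."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class DeviceRegistry:
    """Server side: one unique key per device, removed at end of life."""

    def __init__(self):
        self.keys = {}     # device_id -> unique secret key
        self.pending = {}  # device_id -> outstanding single-use nonce

    def enroll(self, device_id, key=None):
        key = secrets.token_bytes(32) if key is None else key
        if key in FACTORY_DEFAULTS or len(key) < 16:
            raise ValueError("default or weak credential rejected")
        if key in self.keys.values():
            raise ValueError("credential already belongs to another device")
        self.keys[device_id] = key
        return key

    def decommission(self, device_id):
        # Life-cycle end: the identity can no longer authenticate.
        self.keys.pop(device_id, None)
        self.pending.pop(device_id, None)

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self.pending.pop(device_id, None)  # each nonce is used once
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = device_response(device_id, key, nonce)
        return hmac.compare_digest(expected, response)
```

Because each key maps to exactly one device, a failed or anomalous login can be traced to, and revoked for, that device alone.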

5. Govern User Permissions
Similar to human access, we need the ability to revoke device access and control the level of risk associated with any given device. This is done by controlling the levels of permissions that authorize users to access connected devices.

Governing user permissions is not a one-step process. Enterprises must be able to govern permissions in real time for security and legal purposes. The use of street cameras across the US has sparked a series of lawsuits over the security of the personally identifiable information that is stored in the camera's data. As IoT devices become more widely used, there will be an increased need for governance to ensure private information doesn't get into the hands of the wrong people.

With Gartner estimating that there could be 50 billion connected devices in existence by 2020, our approach to device security must evolve. Approaching IoT with identity in mind will make our connected world — and your enterprise — a safer place to be.


With more than 15 years of experience in security and identity management across roles in engineering and architecture, Naresh Persaud is responsible for CA Technologies' security products. As a solution architect, Naresh has devoted much of his career to following the ...

Comments
Dr.T,
User Rank: Ninja
10/28/2017 | 4:49:10 PM
Encryption
If I can add one more item to the list, I would say use encryption on data in transit and at rest wherever possible.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:47:18 PM
Re: Wonderful Checklist
I agree with this. A list ready to use, great article and very useful.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:45:51 PM
Re: IoT Security
The "managing IoT lifecycle" requirement to delete associated user accounts: I would say this would be quite important; most unused / inactivated accounts are the main risk to the devices.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:42:45 PM
Re: IoT Security
Device-user interaction authentication: This is like Google Home recognizing different voices and responding based on that.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:40:56 PM
Security in IoT
We are actually late securing IoT devices. This is like starting the internet without considering security and then trying to secure it with patches.
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:59:29 AM
Wonderful Checklist
Thanks for this great checklist which I really need.
jdmcgo,
User Rank: Apprentice
10/26/2017 | 11:46:45 AM
IoT Security
Great read. I'd be interested to hear some recommendations for device-user interaction authentication as well as device authentication. I'd also add to the "managing IoT lifecycle" the requirement to delete associated user accounts. Insider attacks are made even easier when employee accounts are not deactivated. 