Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/6/2017
10:30 AM
Robert Clyde
Robert Clyde
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Workplace IoT Puts Companies on Notice for Smarter Security

Blacklisting every "thing" in sight and banning connections to the corporate network may sound tempting, but it's not a realistic strategy.

The security threats posed by the proliferation of Internet of Things (IoT) devices are top of mind for security practitioners, and with good reason.

Gartner projects 8.4 billion connected things will be in use this year, and that includes far too many devices with vulnerabilities that are a recipe for disaster. IoT devices should have secure passwords that can automatically be updated with the most current patches. Too often, though, that is not the case. In the rush to market, devices are manufactured and shipped with easy-to-guess passwords and outdated operating systems, making devices such as webcams, surveillance cameras, and baby monitors relatively easy targets for attackers.

But it's not just at home where IoT devices can invite disaster. IoT security risks often play out in the workplace. We are a gadget-loving society, especially the younger generations, so it's no surprise to see that employees expect to take their smart watches, fitness devices, and other connected devices to work. Consequently, in ISACA's State of Cyber Security 2017 research, only 13% of respondents indicated their enterprise is unconcerned with IoT in the workplace.

Given the understandable unease, employers may be tempted to take a knee-jerk approach and ban employees from using their connected devices in the workplace, similar to what they did when people started taking smartphones to work. But organizations should avoid that inclination and instead focus on providing clear instructions for how employees can safely and appropriately use their devices in a way that does not put the organization at risk. Otherwise, current and prospective employees may look for a friendlier workplace to take their devices — and their talents.

Putting a sound IoT policy in place — with emphasis on separate network segments for employee-owned devices — is a far better alternative. The policy should address issues such as whether devices will be allowed to connect to the Internet and how to handle devices capable of recording sound or video. If connections to the Internet are allowed, devices should be funneled to a guest or other network segment that is not connected to the corporate network. That way, if those devices are infected or tampered with, they do not spread the infection to the internal network. A monitoring component is also necessary to ensure that unapproved devices are blocked.

There are, however, some connected devices that legitimately rely upon connections to the internal enterprise network — think medical devices at hospitals or clinics that are storing critical data in an internal storage area on the network. These devices should be connected to the enterprise network, but without Internet connectivity that could enable external attacks. Whenever possible, such devices should be locked down so that only trusted apps approved by IT are installed on them.

Organizations committed to sound IoT security also must factor in employee training. If a smart TV is purchased for a conference room, does it need to be connected to the Internet? Should the microphone be turned on? Are staff members allowed to take photos of whiteboards, and if so, to whom could that data eventually be accessible? Most employers would struggle with those answers — and likely not even have thought to ask the questions, underscoring the need for training.

These dynamics are only going to become more pronounced in the foreseeable future. We're still much closer to the beginning than the end of the attack cycle leveraging IoT devices. But as valid as the security concerns are — and I hear them all the time from my colleagues in the industry — blacklisting everything in sight and banning connected devices from the workplace is not a realistic approach.

Instead, having sound policies in place, making effective use of network segmentation, and monitoring the corporate network diligently will position organizations to operate securely, without alienating their workforce.

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Robert Clyde, CISM, NACD Board Leadership Fellow, is vice-chair of ISACA's board of directors and is managing director of Clyde Consulting LLC, which provides board and executive advisory services to cybersecurity software companies. He is the executive chair of the board of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.