IoT
10/26/2017
10:30 AM
Naresh Persaud
Commentary

A Checklist for Securing the Internet of Things

IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.

Hollywood is known for portraying outlandish scenarios. This past summer, The Fate of the Furious depicted scenes in which a cybercriminal controlled thousands of connected cars from an aircraft to create a massive vehicle pile-up on the streets of New York City. While many of the foreboding scenes we see on the big screen will probably never come to life, the number of breaches associated with connected devices is on the rise.

From connected cars to smartphones, some sort of smart device or application links nearly every aspect of modern society. According to Gartner, there will be 8.4 billion connected "things" in use in 2017. Another study from PricewaterhouseCoopers found that more than half of enterprise leaders are not investing in an Internet of Things (IoT) security strategy.

Increasingly, company leaders are seeing the possibilities that IoT provides. A McKinsey report from July found that 92% of executives believe that the IoT will have a positive impact on business over the next three years. Still, many companies are struggling to fully embrace the IoT, in part due to security concerns.

In September 2016, a Mirai botnet launched one of the largest and most disruptive distributed denial-of-service attacks in history, stalling service to popular websites such as Netflix. With more IoT devices being added each day, there are more ways to connect and more ways for bad actors to exploit vulnerabilities.

And policymakers have recognized these risks. Recently, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill takes steps toward enforcing stricter cybersecurity regulation for connected devices the government purchases. Similar steps to ensure the security of devices and applications should be taken by private sector enterprises.

Securing the IoT begins with identity management. Every new connected device has an identity that must be authenticated and authorized to protect the security of the device and the networks it touches.

Here's a checklist for securing IoT:

1. Manage the Device Life Cycle
A company would never knowingly give a previous employee access to current corporate data. Likewise, a company should never allow a device to stay on its network after access is no longer needed.

Throughout the life cycle of every device, enterprise IT security teams must manage not only who has access to the device but also what actions the device is allowed to perform at what time. When the device is no longer necessary, the connection should be terminated.

2. Monitor Behavior
When it comes to connected devices, it isn't always clear when a device is compromised. Today, nearly all employees have their smartphones with them at work. These personal devices are often unsecured and could become vulnerable due to malicious applications.

Using risk and behavior analytics, the enterprise can accurately and efficiently monitor how IoT devices are behaving in order to identify whether the device has deviated from its normal limits. Any deviation can promptly signal a compromised device.

We can learn from how the credit card industry addresses fraudulent activity across accounts. Once a transaction is deemed out of the ordinary relative to the customer's general spending habits, the credit card company restricts access to the card. This entire process is based on behavioral analytics that are used to determine the amount of risk associated with abnormal behaviors.
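The monitoring described in this item, as an added example that is not part of the original article: each device gets a baseline of traffic volume and known destinations, and any deviation restricts the device in the same way a card issuer restricts a card. The device names, hosts, byte counts and the 4-sigma limit are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed telemetry, one tuple per minute: (device_id, destination, bytes_out).
BASELINE = (
    [("cam-01", "nvr.corp.example", b) for b in (5100, 4900, 5050, 5000, 4950, 5020)]
    + [("hvac-07", "bms.corp.example", b) for b in (300, 310, 295, 305, 290, 300)]
)
LIVE = [
    ("cam-01", "nvr.corp.example", 5080),   # within normal limits
    ("hvac-07", "bms.corp.example", 9000),  # volume far above baseline
    ("cam-01", "203.0.113.50", 5000),       # destination never seen before
]

class BehaviorMonitor:
    def __init__(self, sigma_limit=4.0):
        self.sigma_limit = sigma_limit
        self.volumes = defaultdict(list)      # device -> baseline byte counts
        self.destinations = defaultdict(set)  # device -> known peers
        self.restricted = set()               # devices cut off pending review

    def learn(self, events):
        for device, dest, nbytes in events:
            self.volumes[device].append(nbytes)
            self.destinations[device].add(dest)

    def check(self, device, dest, nbytes):
        """Return the reasons an event deviates; restrict the device if any."""
        history = self.volumes.get(device, [])
        if len(history) < 2:
            reasons = ["no baseline"]  # unknown devices are treated as risky
        else:
            reasons = []
            mean = statistics.mean(history)
            spread = statistics.stdev(history) or 1.0  # avoid a zero-width band
            if abs(nbytes - mean) > self.sigma_limit * spread:
                reasons.append("volume")
            if dest not in self.destinations[device]:
                reasons.append("new destination")
        if reasons:
            self.restricted.add(device)
        return reasons

def run_demo():
    monitor = BehaviorMonitor()
    monitor.learn(BASELINE)
    results = [(dev, monitor.check(dev, dest, n)) for dev, dest, n in LIVE]
    return results, monitor.restricted
```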

3. Authorize Device-User Interaction
The nature of IoT devices encourages interaction between devices and users and between the devices themselves. But each of these interactions must be authorized. This means that security teams must be able to authorize not only which users have access to certain devices, but also the actions those devices are facilitating.

4. Authenticate Device Connections
When your family connects to your Wi-Fi router at home, every person uses the same password credentials to gain access. Under this premise, the network believes that every login is the same user.

When it comes to IoT devices, an automated authentication process must be in place to verify a unique identity for each device. In this past year's Mirai botnet attack, default credentials were used to compromise the network and gain access. If security teams can't distinguish between devices based on their identity, then they can't accurately address threats and mitigate risks.

5. Govern User Permissions
Similar to human access, we need the ability to revoke device access and control the level of risk associated with any given device. This is done by controlling the levels of permissions that authorize users to access connected devices.

Governing user permissions is not a one-step process. Enterprises must be able to govern permissions in real time for security and legal purposes. The use of street cameras across the US has sparked a series of lawsuits over the security of the personally identifiable information that is stored in the camera's data. As IoT devices become more widely used, there will be an increased need for governance to ensure private information doesn't get into the hands of the wrong people.
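One way to tie the identity-related checklist items together (life cycle, authorization, per-device authentication, revocation), shown as an added example that is not code from the article or from any product. `DeviceRegistry`, `sign`, the HMAC challenge-response scheme and the hour-based policy are hypothetical choices made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

def sign(key, nonce, action):
    # Device side: prove possession of the key for this challenge and action.
    return hmac.new(key, nonce + action.encode(), hashlib.sha256).digest()

class DeviceRegistry:
    """Hypothetical registry: one key and one policy per device identity."""

    def __init__(self):
        self._devices = {}
        self._pending = {}  # device_id -> outstanding one-time challenge

    def enroll(self, device_id, allowed_actions, active_hours):
        # Unique random key per device, never a shared or default credential.
        key = secrets.token_bytes(32)
        self._devices[device_id] = {"key": key, "actions": set(allowed_actions),
                                    "hours": active_hours, "active": True}
        return key  # assumed to reach the device over a trusted channel

    def decommission(self, device_id):
        # End of life cycle: keep the record for audit, refuse all access.
        self._devices[device_id]["active"] = False

    def challenge(self, device_id):
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def authorize(self, device_id, tag, action, when=None):
        """Return (allowed, reason) for one signed request from a device."""
        when = when or datetime.now()
        dev = self._devices.get(device_id)
        nonce = self._pending.pop(device_id, None)  # single use: blocks replay
        if dev is None or nonce is None:
            return False, "unknown device or no challenge"
        if not dev["active"]:
            return False, "decommissioned"
        if not hmac.compare_digest(sign(dev["key"], nonce, action), tag):
            return False, "bad credential"
        if action not in dev["actions"]:
            return False, "action not permitted"
        start, end = dev["hours"]
        if not start <= when.hour < end:
            return False, "outside permitted hours"
        return True, "ok"
```

Because every device holds its own key, a failed or revoked credential identifies exactly one device, which is what lets the registry cut off that device without touching the rest.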

With Gartner estimating that there could be 50 billion connected devices in existence by 2020, our approach to device security must evolve. Approaching IoT with identity in mind will make our connected world — and your enterprise — a safer place to be.


With more than 15 years of experience in security and identity management across roles in engineering and architecture, Naresh Persaud is responsible for CA Technologies' security products. As a solution architect, Naresh has devoted much of his career to following the ...
Comments
Dr.T,
User Rank: Ninja
10/28/2017 | 4:49:10 PM
Encryption
If I can add one more item to the list, I would say use encryption on data in transit and at rest wherever possible.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:47:18 PM
Re: Wonderful Checklist
I agree with this. A list ready to use, great article and very useful.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:45:51 PM
Re: IoT Security
"the 'managing IoT lifecycle' the requirement to delete associated user accounts": I would say this would be quite important; most unused / inactivated accounts are the main risk to the devices.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:42:45 PM
Re: IoT Security
"device-user interaction authentication": This is like Google Home recognizing different voices and responding based on that.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:40:56 PM
Security in IoT
We are actually late securing IoT devices. This is like starting the internet without considering security and then trying to secure it with patches.
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:59:29 AM
Wonderful Checklist
Thanks for this great checklist which I really need.
jdmcgo,
User Rank: Apprentice
10/26/2017 | 11:46:45 AM
IoT Security
Great read. I'd be interested to hear some recommendations for device-user interaction authentication as well as device authentication. I'd also add to the "managing IoT lifecycle" the requirement to delete associated user accounts. Insider attacks are made even easier when employee accounts are not deactivated. 