Dark Reading is part of the Informa Tech Division of Informa PLC


IoT
10/26/2017
10:30 AM
Naresh Persaud
Commentary

A Checklist for Securing the Internet of Things

IoT devices promise endless benefits, but they also come with serious security issues. Use this checklist to make sure your company stays safe.

Hollywood is known for portraying outlandish scenarios. This past summer, The Fate of the Furious depicted scenes in which a cybercriminal controlled thousands of connected cars from an aircraft to create a massive vehicle pile-up on the streets of New York City. While many of the foreboding scenes we see on the big screen will probably never come to life, the number of breaches associated with connected devices is on the rise.

From connected cars to smartphones, some sort of smart device or application links nearly every aspect of modern society. According to Gartner, there will be 8.4 billion connected "things" in use in 2017. Another study from PricewaterhouseCoopers found that more than half of enterprise leaders are not investing in an Internet of Things (IoT) security strategy.

Increasingly, company leaders are seeing the possibilities that IoT provides. A McKinsey report from July found that 92% of executives believe that the IoT will have a positive impact on business over the next three years. Still, many companies are struggling to fully embrace the IoT, in part due to security concerns.

In September 2016, a Mirai botnet launched one of the largest and most disruptive distributed denial-of-service attacks in history, which stalled service to popular websites such as Netflix. With more IoT devices being added each day, more ways to connect are being created, and with them more ways for bad actors to exploit vulnerabilities.

And policymakers have recognized these risks. Recently, the U.S. Senate introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill takes steps toward enforcing stricter cybersecurity regulation for connected devices the government purchases. Similar steps to ensure the security of devices and applications should be taken by private sector enterprises.

Securing the IoT begins with identity management. Every new connected device has an identity that must be authenticated and authorized to protect the security of the device and the networks it touches.

Here's a checklist for securing IoT:

1. Manage the Device Life Cycle
A company would never knowingly give a previous employee access to current corporate data. Likewise, a company should never allow a device to stay on its network after access is no longer needed.

Throughout the life cycle of every device, enterprise IT security teams must manage not only who has access to the device but also what actions the device is allowed to perform at what time. When the device is no longer necessary, the connection should be terminated.

2. Monitor Behavior
When it comes to connected devices, it isn't always clear when a device is compromised. Today, nearly all employees have their smartphones with them at work. These personal devices are often unsecured and could become vulnerable due to malicious applications.

Using risk and behavior analytics, the enterprise can accurately and efficiently monitor how IoT devices are behaving in order to identify whether the device has deviated from its normal limits. Any deviation can promptly signal a compromised device.

We can learn from how the credit card industry addresses fraudulent activity across accounts. Once a transaction is deemed out of the ordinary relative to the customer's general spending habits, the credit card company restricts access to the card. This entire process is based on behavioral analytics that are used to determine the amount of risk associated with abnormal behaviors.
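A minimal sketch of that card-fraud model applied to device telemetry, added here as an illustration and not taken from the article or any product: each device gets a baseline of destinations and traffic volume, and an event outside it is restricted. Device names, hostnames, thresholds and the telemetry rows are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (device_id, destination, bytes_sent_in_interval).
HISTORY = [
    ("cam-01", "nvr.corp.example", 5200), ("cam-01", "nvr.corp.example", 4900),
    ("cam-01", "nvr.corp.example", 5100), ("cam-01", "ntp.corp.example", 90),
    ("hvac-07", "bms.corp.example", 300), ("hvac-07", "bms.corp.example", 320),
    ("hvac-07", "bms.corp.example", 310),
]

def build_baseline(history):
    """Per device: known destinations with (mean, stdev) of bytes sent to each."""
    samples = defaultdict(lambda: defaultdict(list))
    for device, dest, sent in history:
        samples[device][dest].append(sent)
    return {
        device: {dest: (mean(v), pstdev(v)) for dest, v in dests.items()}
        for device, dests in samples.items()
    }

def deviations(event, baseline, z_limit=3.0, min_sigma=50.0):
    """Return the reasons an event falls outside the device's normal limits."""
    device, dest, sent = event
    profile = baseline.get(device)
    if profile is None:
        return ["device has no baseline (unknown or unmanaged)"]
    if dest not in profile:
        return [f"new destination {dest}"]
    mu, sigma = profile[dest]
    sigma = max(sigma, min_sigma)  # floor so a very steady device is not flagged on noise
    if abs(sent - mu) / sigma > z_limit:
        return [f"volume {sent} B far from normal {mu:.0f} B"]
    return []

def decide(event, baseline):
    """Mirror the card-fraud model: restrict on deviation, allow otherwise."""
    reasons = deviations(event, baseline)
    return ("restrict" if reasons else "allow", reasons)
```

A device with no baseline at all is treated as a deviation, so unmanaged hardware that appears on the network is restricted by default.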

3. Authorize Device-User Interaction
The nature of IoT devices encourages interaction between devices and users and between the devices themselves. But each of these interactions must be authorized. This means that security teams must be able to authorize not only which users have access to certain devices, but also authorize the actions those devices are facilitating.

4. Authenticate Device Connections
When your family connects to your Wi-Fi router at home, every person uses the same password credentials to gain access. Under this premise, the network believes that every login is the same user.

When it comes to IoT devices, an automated authentication process must be in place to verify a unique identity for each device. In this past year's Mirai botnet attack, default credentials were used to compromise the network and gain access. If security teams can't distinguish between devices based on their identity, then they can't accurately address threats and mitigate risks.

5. Govern User Permissions
Similar to human access, we need the ability to revoke device access and control the level of risk associated with any given device. This is done by controlling the levels of permissions that authorize users to access connected devices.

Governing user permissions is not a one-step process. Enterprises must be able to govern permissions in real time for security and legal purposes. The use of street cameras across the US has sparked a series of lawsuits over the security of the personally identifiable information that is stored in the camera's data. As IoT devices become more widely used, there will be an increased need for governance to ensure private information doesn't get into the hands of the wrong people.
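The identity-centred items of the checklist (life cycle, authorized actions, per-device authentication, revocable permissions) can be shown in one sketch, added here as an illustration and not taken from the article or any vendor product. It assumes a per-device symmetric key with an HMAC challenge-response standing in for whatever credential a real deployment uses (for example client certificates); the `Registry` class, device IDs and action names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Device:
    key: bytes                  # unique per-device secret, never a shared default
    allowed_actions: frozenset  # what this device may do (checklist items 3 and 5)
    active: bool = True         # life-cycle state (checklist item 1)

def sign(key: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Registry:
    def __init__(self):
        self.devices = {}   # device_id -> Device
        self.pending = {}   # device_id -> outstanding single-use nonce

    def enroll(self, device_id, actions):
        key = secrets.token_bytes(32)
        self.devices[device_id] = Device(key, frozenset(actions))
        return key          # provisioned to the device once, at onboarding

    def retire(self, device_id):
        self.devices[device_id].active = False
        self.pending.pop(device_id, None)

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def request(self, device_id, response, action):
        """Allow only an active, authenticated device performing a permitted action."""
        nonce = self.pending.pop(device_id, None)  # consumed even on failure: no replay
        dev = self.devices.get(device_id)
        if nonce is None or dev is None or not dev.active:
            return False
        if not hmac.compare_digest(sign(dev.key, nonce), response):
            return False
        return action in dev.allowed_actions
```

Because each device holds its own key, one device's credential does not authenticate as another, and retiring a device cuts off its access without touching the rest of the fleet.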

With Gartner estimating that there could be 50 billion connected devices in existence by 2020, our approach to device security must evolve. Approaching IoT with identity in mind will make our connected world — and your enterprise — a safer place to be.


With more than 15 years of experience in security and identity management across roles in engineering and architecture, Naresh Persaud is responsible for CA Technologies' security products. As a solution architect, Naresh has devoted much of his career to following the ...
Comments
Dr.T,
User Rank: Ninja
10/28/2017 | 4:49:10 PM
Encryption
If I can add one more item to the list, I would say use encryption on data in transit and at rest wherever possible.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:47:18 PM
Re: Wonderful Checklist
I agree with this. A list ready to use, great article and very useful.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:45:51 PM
Re: IoT Security
The "managing IoT lifecycle" requirement to delete associated user accounts: I would say this would be quite important; most unused / inactivated accounts are the main risk to the devices.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:42:45 PM
Re: IoT Security
Device-user interaction authentication: this is like Google Home recognizing different voices and responding based on that.
Dr.T,
User Rank: Ninja
10/28/2017 | 4:40:56 PM
Security in IoT
We are actually late securing IoT devices. This is like starting the internet without considering security and then trying to secure it with patches.
Mr Phen375,
User Rank: Apprentice
10/28/2017 | 1:59:29 AM
Wonderful Checklist
Thanks for this great checklist which I really need.
jdmcgo,
User Rank: Apprentice
10/26/2017 | 11:46:45 AM
IoT Security
Great read. I'd be interested to hear some recommendations for device-user interaction authentication as well as device authentication. I'd also add to the "managing IoT lifecycle" the requirement to delete associated user accounts. Insider attacks are made even easier when employee accounts are not deactivated. 