Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

12/10/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

FBI's Portland Office Spies IoT Education Opportunity

The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.

The Federal Bureau of Investigation’s office in Portland, Oregon has started an effort that it calls "Tech Tuesday" to disseminate actionable security advice to users. Last weekit got around to the Internet of Things (IoT).

The FBI concentrated its advice on limiting an IoT device's access to the Internet router that it uses, since an attacker can leverage the unimpeded path to the enterprise network that can be provided by a WiFi router for malicious activity. As far as the router itself goes, they strongly -- and wisely -- advise changing the router's factory administrative settings from the default passwords. The new passwords should be strong enough to protect the router as well.

However, the network itself needs to be secured. As Portland put it, "Keep your most private, sensitive data on a separate system from your other IoT devices."

Many unsophisticated users will think that this means two separate routers will be needed to establish the two differing networks. That approach will indeed work, but there is a better one.

"Micro-segmentation" has been around in WiFi routers for a while. It enables a router's admin to create a virtual network (VLAN) which will act as different network than the primary one; even if they are resident on the same physical router. The enterprise could isolate other network-using devices with this technique such as printers, which have been hijacked in much the same way as a router can be.

Router maker Ubiquiti has blogged about the specific steps needed to create such a VLAN. First, the VLAN is created and ID'd. A Gateway/Subnet tag is then selected for it. Establishing a DHCP service map between the ports on the router and the IP of connected clients is the next task.

Activate the VLAN with all the choices that have made by assigning it a port on the router.

The last major step is to block traffic from the new VLAN to other networks. This is done by changing the firewall of the router. It is necessary to create a new rule for the firewall that includes the identity of the network that you wish blocked from communication with the other. If done right, all traffic from all other networks to the new network is allowed, but no traffic is allowed to be initiated from the new IoT VLAN to the sensitive network that is connected.

The FBI's Oregon office is trying to bring security to users, and for that it should be commended. But the simple format that it uses in this effort may need more detail about things that can be done, and where users should go to get them done.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33600
PUBLISHED: 2021-09-28
A denial-of-service (DoS) vulnerability was discovered in the web user interface of F-Secure Internet Gatekeeper. The vulnerability occurs because of an attacker can trigger assertion via malformed HTTP packet to web interface. An unauthenticated attacker could exploit this vulnerability by sending ...
CVE-2021-33601
PUBLISHED: 2021-09-28
A vulnerability was discovered in the web user interface of F-Secure Internet Gatekeeper. An authenticated user can modify settings through the web user interface in a way that could lead to an arbitrary code execution on the F-Secure Internet Gatekeeper server.
CVE-2021-36165
PUBLISHED: 2021-09-28
RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.
CVE-2020-20691
PUBLISHED: 2021-09-27
An issue in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via bypassing the file extension filter and uploading crafted HTML files.
CVE-2020-20692
PUBLISHED: 2021-09-27
GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php.