Cybersecurity Awareness Month: 10 Tips for Better IoT Security
October is National Cybersecurity Awareness Month, and this year’s focus takes on a big topic in cybersecurity: securing the Internet of Things (IoT). Each week this month, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) will emphasize the maxim, “If You Connect It, Protect It.” You can learn more about the campaign here.
Why should you care? From temperature sensors in food storage containers to retail kiosks, from safety monitoring devices to interactive digital advertising experiences, IoT has become integral to the modern enterprise and a catalyst for business growth. Even with the current economic uncertainty, spending on IoT technologies is still expected to rise by 8.2% in 2020 according to a recent report by IDC. Two big drivers of the increasing investment in IoT is its ability to enable efficiencies and automate manual tasks — a major plus for the bottom line.
Your company is already using the Internet of Things, and will almost certainly be supporting more IoT devices in the future. As you create or continue your IoT security plan, keep these ten tips in mind.
10 Top Tips for IoT Security
- Device Inventory: The foundation of IoT security is knowing what devices are in use. Ensure that all IoT devices are added to your asset inventory before they go online, and make sure they are documented and added to network monitoring systems just like any other online host. Scan the network regularly in order to ensure all authorized devices are on the networks where they are supposed to be and to identify and remove unauthorized devices.
- Change Default Passwords: Default login credentials for IoT devices are easy to find online. Once an attacker has fingerprinted a device in a scan, accessing the network is trivial if the default username and password are still set. Make changing default passwords a standard part of configuring any new IoT device.
- Protect Credentials: Credentials for IoT devices, including the ones used for any cloud administration portals, should be subject to the same uniqueness, password strength and password changing requirements your business has in place. If a device supports authentication via SSH key, make sure to follow best practices for securing cryptographic keys, just as for any that are used by more traditional systems.
- Network Segmentation: Network design and segmentation can help shrink the attack surface when using IoT devices. Keep IoT devices on networks designated specifically for such devices, and off of networks designed for items like workstations, laptops, or servers. That way, if an attacker is able to compromise an IoT device, it will be more difficult for them to pivot from that device to another device that contains, or can easily access, sensitive internal data. On the other hand, it also makes it less likely for an IoT device to be compromised if it’s not on the same network as workstations that may get infected with malware due to user error or lack of vigilance.
- Updates and Patching: Outdated firmware can lead to serious security issues. For example, medical devices based on unsupported versions of Windows have led to an uptick in the Conficker worm, a virus that is over a decade old. Applying software updates on IoT devices can be more complex than it is on more traditional endpoints, and some IoT devices do not expose a way to update it at all. Consider the availability and ease of patching while evaluating and selecting IoT devices, and document how to patch those devices so IT and security teams can respond in a timely manner if either business needs or security issues demand an update.
- Data Security: In order to accurately assess how much risk a device actually introduces, know what data an IoT device accesses, stores, and transmits. Consider what data a device needs in order to function, and be wary if a device demands more data than it needs to accomplish the necessary business purposes, especially if that data it needs to store or transmit is sensitive.
- Encryption of Data In Transit: A recent study found that 98% of IoT device traffic is unencrypted, raising serious questions about the security of the data they transmit. When assessing and selecting IoT devices, consider built-in capabilities to use up-to-date encryption protocols.
- Penetration Testing: Penetration testing matters both before adding an IoT device to the network and while it is connected. Working with a knowledgeable IoT penetration tester to test the security of a device before adding it to the network helps you make an accurate assessment of the risk of connecting that device. Including IoT devices in ongoing security assessments also allows you to learn whether it is vulnerable to newly discovered vulnerabilities or attack techniques.
- Network Monitoring: Botnets, such as Mirai, target IoT devices specifically. For security monitoring purposes, make sure to know the baseline traffic to expect from individual IoT devices on the network. With this information, it becomes easier to identify unexpected traffic and to connect it to either botnet infections or other unauthorized activity from an IoT device.
- Physical Security: In addition to software security and data security, also consider the physical security of an IoT device. Choose devices with strong tamper resistance and tamper logging features. Also, ensure that your security team is actively tracking IoT devices for signs of tampering or of connecting unexpected or unauthorized USB drives or other devices to the authorized IoT devices.
With these top tips in mind, you can start asking the right questions and making the right plans to secure your IoT infrastructure.
To learn more about the depth of experience the Security Compass penetration testing team has with Internet of Things technologies, download our datasheet. If you have questions about your IoT security posture or want to know even more about how our team can support you, contact us.