Stronger IoT Device Security Starts With Passwords, Patching

Over the last year, SpiderLabs has seen an “exponential” increase in the amount of requests for its security testing services when it comes to looking for and helping remedy IoT-related vulnerabilities, according to Ed Williams, who serves as director of the elite security team for managed security services firm Trustwave.

What keeps Williams up at night, he said, is just how simple it is to gain access to connected devices – simply because, for instance, a user didn’t change a default password on the device. It’s to the point where it’s almost trivial for a sophisticated hacker to compromise a single device and use that as a launching pad into a complex enterprise environment, according to Williams.

“What we see is a rush to market in terms of IoT. People are getting things out on the market and then saying, ‘we should think about security,’” Williams said. “They aren’t baking security in from level zero.”

And that doesn’t only include the device makers themselves – but also enterprises in which they were purchased and deployed. It’s something made clear by a recent survey commissioned by Trustwave, based in Chicago, and conducted by industry analyst firm Osterman Research.

More than 80 percent of the 137 surveyed, who were knowledgeable and/or responsible for IoT security at their organizations, reported that they are currently or will be using IoT technology by the end of 2018, according to the report “Internet of Things Cybersecurity Readiness.” Yet only 28 percent consider their IoT security strategy to be “very important” to the organization, and more than one-third of those surveyed believe IoT device security is only “somewhat” or “not” important.

The report’s authors attribute these responses to a lack of maturity of IoT implementations themselves. A little less than half of the survey respondents indicated they either wouldn’t or didn’t know whether they would increase IoT deployments. With that lack of a business case established, it may be that security for IoT has been relegated to a much lower priority than it should be, the authors concluded.

In turn, uncertainty over security itself may be a limiting factor in further deepening IoT deployments.

“The combination of a low emphasis placed on IoT security, the sizeable proportion of organizations in which security incidents have already occurred and the perception that future security incidents are a virtual certainty leaves decision makers with little confidence that they can defend against IoT-related security incidents,” the report’s authors wrote.

However, there are concrete steps both device makers and implementing organizations can take to secure devices and deployments, Williams said.

“It’s all about the basics,” Williams said. “Security of IoT is everybody’s responsibility.”

The first thing is to fully understand what the project is and what it’s trying to do, build the threat model around that, and build a secure development life cycle, he said.

For enterprises implementing IoT devices, once they are installed, change the default passwords to unique, complex passwords, Williams said. New guidance on passwords issued by the National Institute of Standards and Technology (NIST) last year – which recommend reusing a strong password rather than changing a password frequently – is helpful, Williams said.

Trustwave also recommends implementing an agile methodology for quickly patching IoT vulnerabilities to ensure any attacks leveraging flawed devices are prevented or minimized. In turn, organizations should perform continual and proactive threat hunting to search for advanced persistent threats that may have crept into the network via vulnerable IoT devices, according to the report. Trustwave also recommends restricting partner access to the network where it’s practical to minimize the potential for IoT threats.

Once the deployments are in house, managed security services can regularly scan the devices and fix issues – crucial because CIOs may not even know IoT devices exist in their enterprise environments and are connected to enterprise networks, according to Williams.

“Security shouldn’t be a barrier, it should be an enabler,” Williams said.