10 Ways to Support IoT Device Security in the Enterprise

IoT is creating a massive attack surface in the enterprise. To combat the problem, the Online Trust Alliance releases these IoT device security guidelines.
  • Written by Brian Buntz
  • 17th April 2018

Casual IoT is infiltrating office buildings and businesses everywhere. Smart TVs, wearables, smart speakers, connected printers and even consumer-grade security cameras are now deployed in the enterprise.

In the plus column, such devices are easy to set up and deploy. And in the negative column, they tend to be easy to hack.

They also open up new vistas for hackers. There’s the case of hackers who sought to steal data from a Las Vegas casino by way of a connected aquarium. And then there is the teenager who hacked 150,000 printers last year.

As the numbers of connected devices continue to expand, the problem could go from bad to worse. To help improve the sorry state of IoT device security, the nonprofit Online Trust Alliance has released a series of 10 guidelines designed to address the threat facing nearly any type of organization.

Here, we summarize the 10 guidelines while including feedback from Jeff Wilbur, director of the Online Trust Alliance.

1. Put IoT Devices on Their Own Firewalled and Monitored Network.

When it comes to connecting consumer-grade IoT devices in the enterprise, you need to take a proactive approach. “You want to have them segmented away and behind a firewall,” Wilbur said. “You can block incoming traffic to it so people can’t attack from the inside and you can control and monitor it closely.”

2. Updating Your Passwords Is a Must. Using Multi-Factor Authentication Is Also Helpful. 

While using strong passwords is a standard piece of advice for internet security, there is some debate out there on what a strong password is. “I don’t know if I have a definitive answer, but the trend seems to be towards using longer passphrases that might be easier for you to remember but difficult to guess,” Wilbur said. “The shorter it is, the easier it is to crack.”  

Oh, and don’t think just because you changed an “s” to a “$” or an “l” to a “1” in your passwords that you will be safe. “Because those substitutions are obvious, that would be pretty easy for an attacker to use those in a dictionary attack,” Wilbur said.

Multifactor authentication can be a relatively easy way to up the security of many IoT devices with a user interface, but it isn’t always possible. 
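The point above about obvious substitutions can be turned into a password-policy check. The sketch below is an added example, not code from the Online Trust Alliance or the article; the wordlist, the substitution table and the 12-character minimum are assumptions chosen for illustration.

```python
import re
from itertools import product

# Constructed sample wordlist; a real check would load a large common-password list.
WORDLIST = {"password", "letmein", "welcome", "silver", "dragon"}

# Obvious substitutions; "1" is ambiguous, so both readings are tried.
SUBS = {"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
        "3": "e", "7": "t", "!": "i", "1": "li"}

MIN_LENGTH = 12  # assumed policy value, not a figure from the article


def readings(candidate):
    """Plain-letter readings of a candidate with obvious substitutions undone."""
    lowered = candidate.lower()
    # Trailing digits/symbols ("2018!") are another predictable decoration.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    found = set()
    for form in {lowered, stripped}:
        if form.count("1") > 8:      # keep the number of combinations bounded
            continue
        options = [SUBS.get(ch, ch) for ch in form]
        found.update("".join(combo) for combo in product(*options))
    return found


def assess(candidate):
    """Return the reasons a candidate should be rejected (empty list = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if readings(candidate) & WORDLIST:
        reasons.append("dictionary word once obvious substitutions are undone")
    return reasons


if __name__ == "__main__":
    for pw in ["Pa$$w0rd", "$i1ver2018!", "copper kettle drifts north 47"]:
        print(f"{pw!r}: {assess(pw) or 'ok'}")
```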

3. Shut Down Functionality When It’s Unneeded

One of the most primal security strategies is to shrink your attack surface down as much as possible. But the question becomes: how far are you prepared to take it? “Are you going to solder a plug into a USB port? Some organizations actually do that kind of thing,” Wilbur said.

But you don’t necessarily have to get a soldering iron out to reduce your attack surface. “Smart TVs, if all you are doing is using them as a display, don’t need to be connected to anything,” Wilbur said. “Taking them offline reduces the attack surface.”

4. Check to See if Physical Access Allows Intrusion

Related to the above point, it helps to understand how your attack surface differs when a hacker is remote versus when they are physically in the office. A number of connected devices are vulnerable after a hard reset. If you have any such devices, consider locking them away when possible.

Here, enterprise professionals must determine their risk tolerance. “How likely is someone in a conference room going to launch an attack?” Wilbur asked. “You have to at least proactively think about how far to take it instead of hanging a smart TV on the wall and never thinking about it again, without realizing what you have just done.”

5. Watch Out for Automatic Wi-Fi Connections

A fair number of consumer-grade IoT devices are designed to detect Wi-Fi and just attach themselves to any network they might find — which may be an SSID that isn’t password protected. “You want a secured Wi-Fi network; not an open one,” Wilbur said. “You want your data to be encrypted.”

6. Block Incoming Traffic When Possible. When Not, Watch Out for Open Ports

Many IoT devices ship with open ports to support management functions rather than standard functionality available via a user interface. Even some passwords permit telnet access with only an IP address.

Again, the point here is to reduce your attack surface as much as feasibly possible. That might mean completely blocking all incoming traffic with a firewall. But in other cases, that will mean keeping open only the TCP and UDP ports you need. Some IoT devices may have custom open ports that are not standard. “There are all of these unique software ports that may be available, and it may differ by device,” Wilbur said. “You may not know they are even there.”
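One way to find ports you "may not know are even there" is to compare what a scan of the IoT segment reports against the ports each device is supposed to expose. The following is an added example, not part of the guidelines or the article; the addresses, the allowlist and the scan records are constructed, and the one-record-per-line format is an assumed export format.

```python
# Constructed allowlist: the only inbound ports each inventoried device needs.
ALLOWED = {
    "10.20.0.11": {("tcp", 443)},                # lobby smart TV
    "10.20.0.15": {("tcp", 443), ("tcp", 631)},  # printer: HTTPS admin, IPP
}

# Constructed scan export, one "host proto port state" record per line.
SCAN = """\
10.20.0.11 tcp 443 open
10.20.0.11 tcp 8009 open
10.20.0.11 tcp 22 filtered
10.20.0.15 tcp 631 open
10.20.0.15 tcp 23 open
10.20.0.15 udp 161 open
10.20.0.19 tcp 554 open
"""

# Well-known cleartext services worth calling out by name.
CLEARTEXT = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 80): "http"}


def audit(scan_text, allowed):
    """Return (host, proto, port, reason) for every open port not on the allowlist."""
    findings = []
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "open" or not fields[2].isdigit():
            continue  # skip closed/filtered ports and malformed records
        host, key = fields[0], (fields[1], int(fields[2]))
        if host not in allowed:
            reason = "device not in inventory"
        elif key in allowed[host]:
            continue
        elif key in CLEARTEXT:
            reason = f"unneeded cleartext service ({CLEARTEXT[key]})"
        else:
            reason = "open port not on allowlist"
        findings.append((host, key[0], key[1], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SCAN, ALLOWED):
        print(*finding)
```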

7. Make Encryption a Default

It may not always be feasible to encrypt data for some time-sensitive enterprise applications, but for most consumer-grade IoT devices, it is possible to ensure data is never sent as clear text. When it isn’t possible to encrypt, organizations should use a VPN or other means of masking their data.

8. Do Your Research When Using Back-End Services or Apps for IoT Devices

Avoid using any web service without knowing something about it. Organizations like the Online Trust Alliance look at best practices to gauge online trust of companies that are internet- and IoT-connected. “There are a number of tools where you can assess the security of web services that might be connected to your IoT devices,” Wilbur said. Such tools check whether a web service has, say, a good configuration for its TLS / SSL connections, uses trusted protocols or has a sound site configuration. “There are free tools out there that we regularly reference. One is by Qualys and one is by High Tech Bridge,” Wilbur said.

Mobile apps are a little bit trickier. “There are not a lot of tools out there,” Wilbur acknowledged. “High Tech Bridge has a mobile app tool now that looks at the security and privacy of mobile apps — for Android and Apple.” But overall, there is not as much information on the security and privacy of mobile apps.

9. Update Your Firmware and Software

This advice is some of the most important on the list. If an IoT device can’t be updated, it probably shouldn’t be in your enterprise.

While most well-known consumer-facing IoT devices do support updates, inexpensive security cameras are one of the worst offenders in this regard. They often use off-the-shelf software stacks with known vulnerabilities, use hard-coded passwords and lack support for updates.

While some updates can be automated, firmware updates tend to be a manual affair.

10. Follow the Life Cycle of IoT Devices and Discard When Necessary

If a maker of, say, an IoT device suddenly goes out of business, it may be necessary to get rid of their product. In some cases, the device will still work but just won’t be patchable, which brings us back to the prior point. But in other cases, the defunct manufacturer — or a manufacturer who kills off a product line — will brick the devices it no longer makes, rendering them useless.

“This list is meant to be chronological, from when you install it to its life cycle,” Wilbur concluded. “But if I had to pick a top couple: it would be to change default passwords, which many devices have, and to keep your software updated.”
