
Security continues to be one of the biggest IoT hurdles.

10 Ways to Support IoT Device Security in the Enterprise

IoT is creating a massive attack surface in the enterprise. To combat the problem, the Online Trust Alliance releases these IoT device security guidelines.
  • Written by Brian Buntz
  • 16th April 2018

Casual IoT is infiltrating office buildings and businesses everywhere. Smart TVs, wearables, smart speakers, connected printers and even consumer-grade security cameras are now deployed in the enterprise.

In the plus column, such devices are easy to set up and deploy. And in the negative column, they tend to be easy to hack.

They also open up new vistas for hackers. There’s the case of hackers who sought to steal data from a Las Vegas casino by way of a connected aquarium. And then there is the teenager who hacked 150,000 printers last year.

As the number of connected devices continues to expand, the problem could go from bad to worse. To help improve the sorry state of IoT device security, the nonprofit Online Trust Alliance has released a series of 10 guidelines designed to address the threat facing nearly any type of organization.

Here, we summarize the 10 guidelines while including feedback from Jeff Wilbur, director of the Online Trust Alliance.

1. Put IoT Devices on Their Own Firewalled and Monitored Network.

When it comes to connecting consumer-grade IoT devices in the enterprise, you need to take a proactive approach. “You want to have them segmented away and behind a firewall,” Wilbur said. “You can block incoming traffic to it so people can’t attack from the inside and you can control and monitor it closely.”

2. Updating Your Passwords Is a Must. Using Multi-Factor Authentication Is Also Helpful. 

While using strong passwords is a standard piece of advice for internet security, there is some debate out there on what a strong password is. “I don’t know if I have a definitive answer, but the trend seems to be towards using longer passphrases that might be easier for you to remember but difficult to guess,” Wilbur said. “The shorter it is, the easier it is to crack.”  

Oh, and don’t think just because you changed an “s” to a “$” or an “l” to a “1” in your passwords that you will be safe. “Because those substitutions are obvious, that would be pretty easy for an attacker to use those in a dictionary attack,” Wilbur said.

Multifactor authentication can be a relatively easy way to up the security of many IoT devices with a user interface, but it isn’t always possible. 
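To illustrate why swapping an “s” for a “$” adds so little, here is an added example (not from the Online Trust Alliance guidelines) of a password-policy check that undoes the obvious substitutions before comparing against a word list. The word list, the 16-character minimum and the function names are assumptions made for the sketch.

```python
import re

# Constructed sample word list; a real check would load a large
# list of common and breached passwords.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "sunshine"}

# Obvious character substitutions mapped back to letters.
# "1" is ambiguous (l or i), so both readings are tried.
BASE = {"$": "s", "5": "s", "0": "o", "3": "e",
        "4": "a", "@": "a", "7": "t", "!": "i"}
TABLES = [str.maketrans({**BASE, "1": "l"}),
          str.maketrans({**BASE, "1": "i"})]

MIN_LENGTH = 16  # assumed policy value favouring passphrases


def variants(candidate: str) -> set[str]:
    """Return the plain-letter forms a dictionary attack would try."""
    lowered = candidate.lower()
    # Trailing digits and symbols ("Password1!") are padding, not strength.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return {s.translate(t) for s in (lowered, stripped) for t in TABLES}


def assess(candidate: str) -> list[str]:
    """Return the reasons a candidate is weak; empty list means it passed."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if variants(candidate) & COMMON_WORDS:
        reasons.append("dictionary word after undoing substitutions")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: two disguised dictionary words, one passphrase.
    for pw in ("pa$$w0rd1", "Pa$$w0rd1234567890", "maple kettle orbit lantern"):
        print(f"{pw!r}: {assess(pw) or 'ok'}")
```

The second candidate clears the length requirement and is still rejected, because padding a disguised dictionary word does not change what it is.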

3. Shut Down Functionality When It’s Unneeded

One of the most basic security strategies is to shrink your attack surface as much as possible. But the question becomes: How far are you prepared to take it? “Are you going to solder a plug into a USB port? Some organizations actually do that kind of thing,” Wilbur said.

But you don’t necessarily have to get a soldering iron out to reduce your attack surface. “Smart TVs, if all you are doing is using them as a display, don’t need to be connected to anything,” Wilbur said. “Taking them offline reduces the attack surface.”

4. Check to See if Physical Access Allows Intrusion

Related to the above point, it is helpful to understand how your attack surface differs when an attacker is remote versus when they are physically in the office. A number of connected devices are vulnerable after a hard reset. If you have any such devices, consider locking them away when possible.

Here, enterprise professionals must determine their risk tolerance. “How likely is someone in a conference room going to launch an attack?” Wilbur asked. “You have to at least proactively think about how far to take it instead of hanging a smart TV on the wall and never thinking about it again, without realizing what you have just done.”

5. Watch Out for Automatic Wi-Fi Connections

A fair number of consumer-grade IoT devices are designed to detect Wi-Fi and just attach themselves to any network they might find — which may be an SSID that isn’t password protected. “You want a secured Wi-Fi network; not an open one,” Wilbur said. “You want your data to be encrypted.”

6. Block Incoming Traffic When Possible. When Not, Watch Out for Open Ports

Many IoT devices ship with open ports to support management functions rather than standard functionality available via a user interface. Even some passwords permit telnet access with only an IP address.

Again, the point here is to reduce your attack surface as much as is feasible. That might mean blocking all incoming traffic with a firewall. In other cases, it will mean keeping open only the TCP and UDP ports you need. Some IoT devices may have custom open ports that are not standard. “There are all of these unique software ports that may be available, and it may differ by device,” Wilbur said. “You may not know they are even there.”
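One way to keep track of which ports are open on your own IoT segment is to compare scan results against a per-device allow-list. The following is an added example, not part of the guidelines; the device names, the scan export format and the allow-list are all constructed for illustration.

```python
# Constructed scan export of your own IoT segment: "<device> <proto>/<port>".
SCAN = """\
lobby-tv tcp/8008
lobby-tv tcp/23
printer-3f tcp/631
printer-3f udp/161
cam-dock tcp/554
cam-dock tcp/37777
badge-kiosk tcp/443
"""

# Assumed allow-list: the only ports each inventoried device needs.
ALLOWED = {
    "lobby-tv": set(),                # used purely as a display
    "printer-3f": {("tcp", 631)},
    "cam-dock": {("tcp", 554)},
}
# Ports commonly used by cleartext management protocols.
CLEARTEXT_MGMT = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("tcp", 80): "http"}


def parse(scan_text):
    """Yield (device, proto, port) from '<device> <proto>/<port>' lines."""
    for n, line in enumerate(scan_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            device, service = line.split()
            proto, port = service.split("/")
            port = int(port)
            if proto not in ("tcp", "udp") or not 0 < port < 65536:
                raise ValueError
        except ValueError:
            raise ValueError(f"line {n}: bad entry {line!r}") from None
        yield device, proto, port


def audit(scan_text, allowed):
    """Return (device, service, reason) for every port that should be closed."""
    findings = []
    for device, proto, port in parse(scan_text):
        if device not in allowed:
            reason = "device not in inventory"
        elif (proto, port) in allowed[device]:
            continue
        elif (proto, port) in CLEARTEXT_MGMT:
            reason = f"cleartext management ({CLEARTEXT_MGMT[(proto, port)]})"
        else:
            reason = "port not on allow-list"
        findings.append((device, f"{proto}/{port}", reason))
    return findings
```

The non-standard port on the camera dock and the device missing from the inventory are the cases Wilbur describes: ports and devices you may not know are there.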

7. Make Encryption a Default

It may not always be feasible to encrypt data for some time-sensitive enterprise applications, but for most consumer-grade IoT devices, it is possible to ensure data is never sent as clear text. When it isn’t possible to encrypt, organizations should use a VPN or other means of masking their data.

8. Do Your Research When Using Back-End Services or Apps for IoT Devices

Avoid using any web service without knowing something about it. Organizations like the Online Trust Alliance look at best practices to gauge online trust of companies that are internet- and IoT-connected. “There are a number of tools where you can assess the security of web services that might be connected to your IoT devices,” Wilbur said. Such tools check whether a web service has, say, a good configuration for its TLS/SSL connections, whether it uses trusted protocols and whether its site configuration is sound. “There are free tools out there that we regularly reference. One is by Qualys and one is by High Tech Bridge,” Wilbur said.

Mobile apps are a little bit trickier. “There are not a lot of tools out there,” Wilbur acknowledged. “High Tech Bridge has a mobile app tool now that looks at the security and privacy of mobile apps — for Android and Apple.” But overall, there is not as much information on the security and privacy of mobile apps.

9. Update Your Firmware and Software

This advice is some of the most important on the list. If an IoT device can’t be updated, it probably shouldn’t be in your enterprise.

While most well-known consumer-facing IoT devices do support updates, inexpensive security cameras are one of the worst offenders in this regard. They often use off-the-shelf software stacks with known vulnerabilities, use hard-coded passwords and lack support for updates.

While some updates can be automated, firmware updates tend to be a manual affair.

10. Follow the Life Cycle of IoT Devices and Discard When Necessary

If a maker of, say, an IoT device suddenly goes out of business, it may be necessary to get rid of their product. In some cases, the device will still work but just won’t be patchable, which brings us back to the prior point. But in other cases, the defunct manufacturer — or a manufacturer who kills off a product line — will brick the devices it no longer makes, rendering them useless.

“This list is meant to be chronological, from when you install it to its life cycle,” Wilbur concluded. “But if I had to pick a top couple: it would be to change default passwords, which many devices have, and to keep your software updated.”
