by Paul Roberts

Tips to improve IoT security on your network

Feb 09, 2018 | 7 mins
Internet of Things | Security

As internet of things devices proliferate, it's more important to discover how many and what kind are on your network and figure out how to make them secure. Here's how.


Judging by all the media attention that The Internet of Things (or IoT) gets these days, you would think that the world was firmly in the grip of a physical and digital transformation. The truth, though, is that we all are still in the early days of the IoT.

The analyst firm Gartner, for example, puts the number of Internet connected “things” at just 8.4 billion in 2017 – counting both consumer and business applications. That’s a big number, yes, but a much smaller number than the “50 billion devices” or “hundreds of billions of devices” figures that get bandied about in the press.

Of course, the fact that the full promise of the Internet of Things awaits in the distant future, or that there are billions of connected devices rather than tens or hundreds of billions of them, doesn’t change the reality for you, which is that the Internet of Things already poses a security threat to your organization.

Where does the networking professional worried about Internet of Things based threats start? Here are a few thoughts to consider as you plan your organization’s response:

Know your Known Knowns

The first step in any network security program is to understand and assess the IT assets that you are responsible for securing. This is as true today as it was 30 years ago. And today – as in the past – the biggest challenge that networking professionals face is understanding what is on their network and how it is being used and possibly abused.

To do this, it is sometimes helpful to use the Pentagon’s nomenclature around war planning, thinking in terms of known knowns, known unknowns, and unknown unknowns.

Known knowns are the things you know you know, as former Defense Secretary Donald Rumsfeld put it. They include all your traditional assets: laptops, desktops, servers (including development and test servers), as well as smart phones and tablets. They also include peripheral devices like multifunction printers, photocopiers and so on.

To really know your known knowns, however, you need to see past the obvious and interrogate each of those IT assets to make sure you’ve accounted for any features and functions that could undermine your network security. Furthermore, you need to develop the means of bringing those devices under management.

With smart phones, for example, mobile device management platforms have long been a means of extending control and management to those devices by enforcing patch levels, banning “jailbroken” devices and limiting app store choice. Given the spate of malicious applications showing up on platforms like Google Play, if you’re not paying attention to the security posture of your employees’ and contractors’ mobile phones, you’re taking a big risk.

Less scrutinized are peripherals like multifunction printer/copier/fax machines. These sit quietly in the corner, but sport full featured operating systems and, often, their own wireless hotspot and a capacious hard drive. Is your networking group aware of the hot spot’s existence? Is it disabled or enabled? If it is enabled, is it secured and are you monitoring access to the device along with other network activity? Is the data that is stored on the peripheral encrypted? What data is on it, and who has been accessing it? (Malware authors often use multifunction peripherals as staging areas for malware or stolen data they wish to exfiltrate.)

Have you set policies that limit what other network assets the printer can talk to? Have you made access to the printer part of your broader network access control (NAC) scheme to make sure it isn’t a jumping off point for an unauthorized or non-compliant device? Finally, if it is disabled, do you have the ability to identify if it suddenly is enabled and by whom?  These are the kinds of questions you should be asking not just of printer/copiers, but of each known device in your environment.

Meet your Known Unknowns

Once you have a good handle on known knowns and feel confident you’ve accounted for their various features and capabilities, you’re ready to move on to the thornier issue of your known unknowns. These are – again using Mr. Rumsfeld’s definition – the things that are on your network that you know that you do not know.

These days, the known unknown category is a big one and rich in what many people think of as Internet of Things devices. Known unknowns are a big and growing presence on enterprise networks, accounting for as much as 40% of the devices connected to a network at any time, by one estimate.

Where to look? Consider the IP-enabled cameras monitoring your office, the kind that the Mirai and Reaper botnets infected. How about the flat screen smart TV deployed by your sales team that has CNN on all day? Do those show up on a list of your IT assets under management? If not, they should. That smart TV, after all, runs an operating system – probably a form of Linux that has to be patched and updated. It has onboard storage, supports wireless connections like Bluetooth and sports external ports like USB. It probably supports a variety of third-party applications as well. In short: that smart TV is a computer that looks kind of funny. But looking funny is no excuse for ignoring it.

Consumer devices brought into your organization by employees may be part of this group as well. Have your executives deployed Amazon Echoes in their offices? Do employees have printers, smart picture frames, desk lamps, fish tanks or wearables with wireless or network interfaces and embedded web servers on their desks?

Consider also third-party systems that are managed by external entities like contractors or your building management firm. Physical security and environmental systems like door badging and HVAC, even elevators and escalators, are typically managed from a traditional workstation running a consumer operating system these days. Often, that workstation has also been configured for remote access to simplify troubleshooting and management. Where is that thing? What is it running? Has it been patched and – critically – who has been connecting to it? Is there any way to get from it to your network? If you don’t think that’s anything you should be bothered with, talk to the folks at Target Stores, whose 2013 breach began with credentials stolen from an HVAC contractor.

Accounting for known unknowns isn’t easy: many run embedded operating systems that aren’t likely to show up on network scans looking for traditional IT assets. Others may only communicate using 802.11 Wi-Fi, Bluetooth, Zigbee or other wireless protocols and never touch your wired network at all. But more than ever, these devices constitute a risk to your overall enterprise security, so accounting for them is a must. (Note: This doesn’t even broach the subject of industrial control, SCADA and other specialized systems used in operational environments. That’s a whole different issue.)

Fortunately, there is a small and growing list of tools to help you identify known unknowns and pull them into the known knowns camp. In the last five years, a number of startups have started to offer tools that can sniff out devices communicating using Bluetooth, radio frequency (RF), Zigbee and a range of other, common wireless protocols used by Internet of Things devices.  (I’m not mentioning vendors names, but you can Google them easily enough.) Using one of these platforms to audit your environment will likely turn up a slew of devices and maybe even “shadow networks” of devices you didn’t know about.

Once you have a handle on what is out there, the hard work begins. You need tools that can fingerprint and assess the security posture of each device (OS, patch level, access, network activity). For each device you’ve identified – and especially those that were unauthorized – you should consider what function it is serving and how business critical that function is. (Protip: webcam of the office ficus – not mission critical.) Can the device be easily supported by your team with endpoint security (unlikely) or at the very least patching, access control and activity monitoring over the long term? Devices that can’t or won’t play nice with your existing security infrastructure like firewalls, IDS and network access control should be seriously considered for removal from the network or tightly constrained.
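The two steps above – sniffing out what is actually on the wire, then sorting it into known knowns and known unknowns and triaging each one – boil down to reconciling scan results against your asset register. The script below is an added example, not code from the article or from any of the vendor tools it alludes to. It reads a constructed scan listing (IP, MAC, open TCP ports), guesses a vendor from the MAC’s OUI prefix using a hypothetical OUI table, classifies the device from its port profile, checks whether the MAC appears in a constructed asset register, and scores the risk, treating an unmanaged device with a remote-administration port exposed as the worst case. Vendor names, OUI prefixes, port profiles and register entries are all assumptions made for illustration.

```python
"""Reconcile observed network devices against an asset register.

Added example, not the article's code. The OUI table, port profiles, scan
records and asset register are constructed for illustration; a real run
would take them from your scanner, the IEEE OUI registry and your CMDB.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed OUI table: first three octets of a MAC -> hypothetical vendor.
OUI_VENDORS: Dict[str, str] = {
    "a4:11:62": "CamCo (IP cameras)",
    "00:17:c8": "PrintCo (MFPs)",
    "d8:3a:dd": "ScreenCo (smart TVs)",
    "3c:2e:f9": "DeskCo (laptops)",
    "b0:99:28": "HvacCo (building controls)",
}

# Port-profile heuristics (assumed): first profile fully present wins.
PORT_PROFILES = [
    ({9100, 631}, "printer/MFP"),      # JetDirect + IPP
    ({554, 80}, "ip-camera"),          # RTSP + embedded web UI
    ({8008, 8009}, "smart-tv"),        # cast/companion ports
    ({502}, "building-controls"),      # Modbus/TCP
    ({22, 3389}, "workstation"),       # SSH + RDP
]

# Ports that hand an attacker a foothold if reachable on an unmanaged box.
REMOTE_ADMIN_PORTS = {23, 3389, 5800, 5900}


@dataclass
class Observation:
    ip: str
    mac: str
    ports: Set[int]


@dataclass
class Finding:
    ip: str
    mac: str
    vendor: str
    device_class: str
    status: str  # "known known" or "known unknown"
    risk: str    # "low", "medium" or "high"


def parse_scan(text: str) -> List[Observation]:
    """Parse constructed 'ip mac port,port,...' lines, one host per line."""
    observations = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, ports = line.split()
        observations.append(
            Observation(ip, mac.lower(), {int(p) for p in ports.split(",") if p}))
    return observations


def vendor_for(mac: str) -> str:
    """Look the OUI prefix up in the (constructed) vendor table."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")


def classify(ports: Set[int]) -> str:
    """Guess the device class from which port profile is fully present."""
    for profile, name in PORT_PROFILES:
        if profile <= ports:
            return name
    return "unclassified"


def reconcile(observations: List[Observation],
              register: Dict[str, str]) -> List[Finding]:
    """Mark each observed host as a known known or known unknown and score it."""
    findings = []
    for o in observations:
        known = o.mac in register
        exposed = o.ports & REMOTE_ADMIN_PORTS
        if not known and exposed:
            risk = "high"        # unmanaged and remotely administrable
        elif not known or exposed:
            risk = "medium"
        else:
            risk = "low"
        findings.append(Finding(o.ip, o.mac, vendor_for(o.mac), classify(o.ports),
                                "known known" if known else "known unknown", risk))
    return findings


def known_unknowns(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.status == "known unknown"]


# Constructed scan output; replace with your scanner's export.
SAMPLE_SCAN = """
# ip         mac                open tcp ports
10.0.5.10  3c:2e:f9:00:00:01  22,3389
10.0.5.20  00:17:c8:00:00:02  80,443,631,9100
10.0.5.30  a4:11:62:00:00:03  23,80,554
10.0.5.31  a4:11:62:00:00:04  80,554
10.0.5.40  d8:3a:dd:00:00:05  8008,8009
10.0.5.50  b0:99:28:00:00:06  502,3389
"""

# Constructed asset register keyed by MAC: only the laptop and MFP are managed.
ASSET_REGISTER = {
    "3c:2e:f9:00:00:01": "laptop, finance",
    "00:17:c8:00:00:02": "MFP, 3rd floor",
}

if __name__ == "__main__":
    for f in reconcile(parse_scan(SAMPLE_SCAN), ASSET_REGISTER):
        print(f"{f.ip:<11} {f.status:<14} {f.risk:<7} {f.device_class:<18} {f.vendor}")
```

Run against the constructed data, the two managed devices come out as known knowns while the cameras, the TV and the building-controls host are known unknowns; the camera with telnet open and the controls host with RDP exposed score high. MAC-based matching is deliberately simple: it misses devices that only talk Bluetooth or Zigbee (which is why the wireless-sniffing tools above exist) and can be fooled by MAC randomization, so treat the output as a starting list for the triage questions, not as proof of coverage.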

Paul Roberts (@paulfroberts) is the Editor in Chief of The Security Ledger