Just in time for Black Friday and Cyber Monday, the FBI in Portland issued a warning to consumers about the dangers of smart TVs, along with some tips on how to secure them. This may be a wake up call to think about something that hasn't gotten much attention since Mirai took out East Coast internet - IOTs in the corporate environment and making sure they stay secure.
It's Important To Care
No matter how good the segmentation, infected IOTs put malicious actors one step closer to sensitive data, and IOTs inside the network are a gold mine for lateral spread. Whatever network they run on, infected IOTs can be used for launching attacks on others, costly cryptomining, or generally as a platform for other illegal activities. In the kinetic world, compromised IOTs can equate to compromised physical security, and in the worst examples may cause illness or even death (think: refrigerators, medical equipment, etc).
Treat IOTs Like Any Other Computing Device
The first step in protecting IOT devices is to identify them. Scan known networks and search periodically for rogue devices that may have been inadvertently (or maliciously) connected to corporate wired or wireless networks. Scanning won't capture everything though, and many scanners will fingerprint underlying operating systems without actually identifying the correct device type.
When first enumerating devices, remember that many of them may be managed by a facilities department with little or no involvement from IT. Keep track of discovered IOTs in an asset database, with information about their physical location and who is responsible for maintaining them. Record hardware and software versions along with end of life dates. Track whether or not the devices can be accessed remotely and if they need to communicate to any cloud-based services.
Here are some examples of IOTs commonly found in corporate environments:
- Alarm systems
- Badge and biometric readers
- Factory machinery and industrial devices
- Refrigerators, coffee machines, and televisions in break rooms
- Security cameras
- Smart panels, UPS and other power related systems
- Thermostats, heating and cooling systems
- Wireless access points (corporate and guest access)
Policies and Guidelines
As with anything else, ensure there are policies and guidelines governing the use of IOTs. Policies should mandate that all IOTs be registered in an asset database, are accessible only by authorized users, receive frequent patching, are included in security monitoring, and exist only in dedicated, segmented networks. They should also prohibit the use of IOTs that have reached end of life and are no longer supported by the manufacturers.
Additionally, policies should govern the use of personal devices and IOTs that may be connected to managed Wi-Fi services and guest access.
Include IOTs in standard access policies and ensure, at a minimum, that passwords are changed periodically and that default passwords are never used. Prohibit credential reuse, and mandate the use of more advanced authentication systems for devices that support it. Access to IOTs should follow the same request and approval model as other devices and applications, and access revocation should be included in the user termination process.
Scanning and Patching
Include IOTs in standard vulnerability scanning and patching programs, with published SLAs for updating. Although scanners may not correctly identify many types of devices, they can be very helpful in pointing out outdated operating systems, vulnerable web services and open ports sometimes found on IOTs. These can be brought to the attention of manufacturers and mitigated until fully remediated.
Monitoring outbound traffic from IOTs is one of the most effective ways to identify devices that are infected with malware.
For devices that support it, and where it makes sense, ingest log data into SIEM and UEBA systems. Logs can also be obtained from some underlying cloud services that support IOTs. This is especially important for sensitive devices, like security cameras and alarm systems that are remotely accessible.
IOT security remains relatively weak and proper segmentation is fundamental to protecting the entirety of the network. Afford IOTs their own firewalled segments and limit Internet access to an as-needed basis.
IOT manufacturers continue to deliver products with security as an afterthought, rarely designing with security in mind and releasing updates just as infrequently. To avoid the next media event, researchers will need to focus on finding vulnerabilities and bringing them to light. Customers, in turn, will need to demand more attention to security and privacy from manufacturers. The landscape will only change when they are held accountable.