IoT: making mountains out of microprocessors
Simon McNamee, security researcher at the SANS Institute, on how businesses can secure their IoT platforms
The internet of things is here to stay. It is estimated that there are approximately eight billion IoT devices connected to the internet, and this number is set to continue to grow at an alarming rate. Applying the same rules to IoT devices that you use with any other connected device will usually result in a considerable reduction in the risk they present to you and your networks. None of the following controls is particularly complex; in fact, most require very little effort to implement.
Maintain a register of devices
All devices connected to the network should be logged and, where possible, assessed to determine the level of access they should have. A proper understanding of which devices are connected to your network is a prerequisite for proper security, and any new or unknown devices should trigger an alert.
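As an added illustration (not part of the original article), the register check can be automated by comparing devices seen on the network against the register and alerting on anything unknown. The register layout, the "ip mac" observation format, the approved-subnet field and all addresses below are constructed assumptions.

```python
"""Compare devices seen on the network against a device register."""
import ipaddress

# Constructed register: MAC -> (description, subnet the device is approved for)
REGISTER = {
    "00:11:22:33:44:55": ("lobby thermostat", "10.20.0.0/24"),
    "00:11:22:33:44:66": ("warehouse camera", "10.20.0.0/24"),
    "00:11:22:33:44:77": ("meeting room display", "10.20.0.0/24"),
    "00:11:22:33:44:88": ("label printer", "10.20.0.0/24"),
}

# Constructed observations in "ip mac" form, e.g. exported from a DHCP or ARP table
OBSERVED = """\
10.20.0.14 00:11:22:33:44:55
10.20.0.15 00-11-22-33-44-66
10.10.0.9  00:11:22:33:44:77
10.20.0.31 02:AB:CD:EF:00:01
"""

def normalise_mac(mac):
    """Lower-case, colon-separated form so register lookups are consistent."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(register, observed_text):
    """Return (alerts, missing): alerts are (kind, mac, ip) tuples,
    missing lists registered devices that were not observed."""
    known = {normalise_mac(m): v for m, v in register.items()}
    alerts, seen = [], set()
    for line in observed_text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        mac = normalise_mac(mac)
        seen.add(mac)
        if mac not in known:
            alerts.append(("unknown-device", mac, ip))
        elif ipaddress.ip_address(ip) not in ipaddress.ip_network(known[mac][1]):
            alerts.append(("wrong-network", mac, ip))
    return alerts, sorted(set(known) - seen)

if __name__ == "__main__":
    alerts, missing = audit(REGISTER, OBSERVED)
    for kind, mac, ip in alerts:
        print(f"ALERT {kind}: {mac} at {ip}")
    print("registered but not seen:", missing)
```

A MAC address can be changed by the device that presents it, so a match here is an inventory signal rather than proof of identity.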
Create a separate network
Most businesses already provide separate networks for guest devices, where access to sensitive resources is restricted, and this should be extended to cover IoT devices. Whether IoT devices are given their own network or added to an untrusted guest network, their access to other resources should be restricted to those explicitly needed for them to function.
Patch where possible
Ideally, all devices should be kept up to date and all available patches applied. This is particularly important for IoT devices given their uncanny ability to be installed and promptly forgotten. Vendors will regularly release updates, and you should periodically check each device manufacturer’s website for updates or security bulletins. Where possible, automatic updates should be enabled on your devices.
Change default passwords
The majority of IoT devices have exceptionally weak passwords set by default, and while it's tempting to point the finger at vendors, ensuring a sufficiently secure password is our responsibility too. The best advice here is much the same as for passwords everywhere: use a password manager and make sure all devices have a unique password.
Keep track of your data
Until IoT devices mature and security becomes a proper focus for vendors, the best advice is to remember that "IoT devices" are in reality simply tiny computers, and they should be secured and monitored just like any other device connected to your networks.