IoT: making mountains out of microprocessors

Simon McNamee, security researcher at the SANS Institute, on how businesses can secure their IoT platforms

SANS Institute, IoT, Connected device, Security

The internet of things is here to stay. It is estimated that there are approximately eight billion IoT devices connected to the internet, and this number is set to continue to grow at an alarming rate. Applying the same rules to IoT devices that you use with any other connected device will usually result in a considerable reduction in the risk they present to you and your networks. None of the following controls is particularly complex; in fact, most require very little effort to implement.

Maintain a register of devices

All devices connected to the network should be logged and, where possible, assessed to determine the level of access they should have. A proper understanding of which devices are connected to your network is a prerequisite for proper security, and any new or unknown devices should trigger an alert.

Create a separate network

Most businesses already provide separate networks for guest devices, where access to sensitive resources is restricted, and this should be extended to cover IoT devices. Whether IoT devices are given their own network or added to an untrusted guest network, their access to other resources should be restricted to those explicitly needed for them to function.
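The register check and the network separation described in the two sections above can be audited together. The following is an added example, not part of the original article: it assumes the register is a simple MAC-to-network mapping and that observed devices come from DHCP leases in the dnsmasq lease-file layout; all addresses, names and the `audit` helper are constructed for illustration.

```python
import ipaddress

# Constructed register: MAC -> (description, network the device is allowed on).
REGISTER = {
    "02:00:00:00:10:01": ("lobby camera", "10.20.0.0/24"),
    "02:00:00:00:10:02": ("meeting room display", "10.20.0.0/24"),
    "02:00:00:00:20:01": ("finance laptop", "10.10.0.0/24"),
}

# Constructed DHCP leases, one per line: expiry-epoch MAC IP hostname client-id
LEASES = """\
1767225600 02:00:00:00:10:01 10.20.0.15 cam-lobby *
1767225600 02:00:00:00:10:02 10.10.0.77 display-mr1 *
1767225600 02:00:00:00:99:99 10.20.0.42 * *
1767225600 02:00:00:00:20:01 10.10.0.23 fin-lt-01 01:02:00:00:00:20:01
"""

def parse_leases(text):
    """Yield (mac, ip, hostname) from lease lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        yield fields[1].lower(), ip, fields[3]

def audit(register, lease_text):
    """Return (alert_type, mac, ip, detail) for every device that is not in
    the register or that holds an address outside its assigned network."""
    alerts = []
    for mac, ip, hostname in parse_leases(lease_text):
        entry = register.get(mac)
        if entry is None:
            alerts.append(("unknown-device", mac, str(ip), f"hostname={hostname}"))
            continue
        description, allowed = entry
        if ip not in ipaddress.ip_network(allowed):
            alerts.append(("wrong-network", mac, str(ip),
                           f"{description} belongs on {allowed}"))
    return alerts

if __name__ == "__main__":
    for alert in audit(REGISTER, LEASES):
        print(*alert, sep="  ")
```

A MAC address can be changed by the device that presents it, so a match against the register is an inventory signal rather than proof of identity.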

Patch where possible

Ideally, all devices should be kept up to date and all available patches applied. This is particularly important for IoT devices given their uncanny ability to be installed and promptly forgotten. Vendors will regularly release updates, and you should periodically check each device manufacturer’s website for updates or security bulletins. Where possible, automatic updates should be enabled on your devices.

Change default passwords

The majority of IoT devices have exceptionally weak passwords set by default, and while it's tempting to point the finger at vendors, ensuring a sufficiently secure password is our responsibility too. The best advice here is much the same as for passwords everywhere: use a password manager and make sure all devices have a unique password.

Keep track of your data

Many IoT devices rely on cloud services to function. However, the fact that they are always connected and sending data outside of your network presents two obvious issues. If the network goes down, they will be unable to function. More concerning is the possibility that sensitive data could be making its way out of your network without your knowledge. Make sure you have read the privacy policy associated with your device, especially around data retention, usage, and encryption.

Until IoT devices mature and security becomes a proper focus for vendors, the best advice is to remember that "IoT devices" are simply tiny computers, and they should be secured and monitored just like any other device connected to your networks.
