CISOs have to worry about securing two kinds of IoT devices: Enterprise-grade they buy, which likely have security controls; and consumer-grade devices purchased by the company or brought in by staff.
These devices can include smart TVs, thermostats, smart speakers, fitness trackers, video cameras for recording podcasts and anything else that isn’t a PC or a router but connects to the network — and therefore are just as much a possible source of vulnerabilities as anything else.
To help infosec pros deal with these devices the Online Trust Alliance on Tuesday issued a best practices checklist.
“Underpinning this list are several core concepts,” says the alliance (now part of the Internet Society). “Enterprises should: be proactive and fully consider the possible
risks introduced by these devices; understand that IoT devices are likely more vulnerable than traditional IT devices; educate users on IoT device risks, and strike a balance between controlling IoT devices versus creating “shadow IoT.”
Here’s the list:
–Just as in guest networks, place IoT devices on a separate, firewalled, monitored network;
–Update all passwords (local and remote, if different) to strong passwords and use multi-factor authentication where possible. Do not use products with hard-coded passwords. Closely govern permissions for devices, delegating access only when necessary;
–Turn off any functionality that’s not needed. This includes cameras, microphones or even connectivity itself (e.g., if a smart TV is merely for display, not connectivity). You may have to block/cover ports, cameras and microphones;
–Verify that physical access does not allow intrusion (e.g., by simple restart, easily accessible hardware port or default password);
–Don’t allow (or severely restrict) automatic connections via WiFi or other means. This will restrict the ability of other devices to connect and infiltrate an IoT device;
–If incoming traffic is not blocked, check for open software ports that may allow remote control and configure or restrict them;
–Enable encryption whenever possible. Better yet, consider buying only devices that support encryption. Otherwise, consider using a VPN or other means to limit data
exposure;
–Research the security and privacy characteristics of the controlling apps and back-end services. Do not use devices that rely on services with poor security and privacy;
–Keep firmware and software updated (via automatic updates or monthly checks). Do not use products that cannot be updated;
–Closely follow the lifecycle of the devices so that they can be removed from service when they are no longer updatable or secure.
“The consequences of ignoring these new devices range from annoying to board-level critical,” the OTA says in a blog. “Intruders might be able to access these devices and pull off some mischief like changing channels or flipping things on and off. But they might also be able to monitor audio, video or data generated by these devices. In extreme cases they may be able to use that access and surveillance to hop over to critical systems on the network, ultimately gaining access to important data – just ask the Las Vegas casino that lost 10 GB of information to a site in Finland via a hacked smart fish tank last year.”