A remedial approach to destructive IoT hacks

As of this year, there are more than 10 billion active IoT devices all over the world, many of which are deployed in enterprises.

Keeping those devices secure is of the utmost importance, lest they be a way in for attackers, so it’s imperative that organizations institute IoT security practices that remediate vulnerabilities and better protect the network – by identifying and securing every “thing”. The main challenge lies in the fact that most companies aren’t aware of the spread of devices connected to its network.

Find and fix every “thing”

Executives often greatly underestimate how much of their network is made up of IoT devices––putting the number at about 1 percent. However, it’s typically 20 percent or higher. In fact, IBM X-Force recently estimated that devices make up 43 percent of the access points on the average organization’s network.

One reason for this discrepancy is that devices are often being deployed without IT department knowledge or approval, as they are often owned and managed by other teams (e.g., facilities management or physical security teams).

It’s critical for companies to get a handle on device inventory now. Device discovery and inventory are the first step in basic security hygiene – but is often harder than expected. Many discovery solutions provide little more information than MAC and IP addresses or use signals that knock over existing devices.

What’s needed is enriched data that allows for security teams to act. With greater awareness and complete visibility into every connected device, organizations can create a full inventory of IoT devices with all the information required to maintain them.

According to a recent Positive Technologies report, 15% of IoT devices owners continue to use default passwords. This report also found that just five sets of usernames and passwords gave them access to a great number of IoT devices, including IP cameras, routers, DVRs, and smart washing machines. Default passwords allow attackers to take over IoT devices as easy access points into the network. From there, they can use these credentials to move laterally, escalate privileges and eventually gain access to an organization’s most critical and sensitive assets.

Many organizations turn to segmentation, a legacy approach to IoT device security, quarantining devices on a separate network and keeping insecure devices away from anything important, but this is no longer enough. Even when on their own, limited segments, insecure devices can still pose a threat through additional vector exposures, such as VLAN hopping malware and other entry techniques.

Segmentation is a temporary solution, but inoculation and remediation technologies fix problems rather than triaging them – ensuring that IoT devices are compliant with the same policies traditional endpoints are expected to meet for optimal security.

The average timeframe for applying vulnerability patches and rotating credentials is seven years, making them the softest targets on the network today. Policy-driven password rotation and implementation of security patches and updates will keep data protected and prevent malicious actors, like Mirai botnet, from opening the back door.

Automation for security

Automating security is critical to scaling IoT technologies without the need to scale headcount to secure them. To keep up with manual inventory, patching and credential management of just one device it takes 4 man-hours per year. If an organization has 10,000 devices, that nets out to 40,000 man-hours per year to keep those devices secure. This is an impossible number of working hours unless the business has a staff of 20 dedicated to the cause.

To continuously secure the thousands, or even tens of thousands, of devices on an organization’s networks, automation is necessary. With the mass scale of IoT devices and the opportunities to strike in every office and facility, automated identification, and inventory of each device so that security teams can understand how it communicates with other devices, systems and applications, and which people have access to it is crucial.

Once identified, automation technology allows for policy compliance and enforcement by patching firmware and updating passwords, defending your IoT as thoroughly as your other endpoints. On top of that, implementing a centralized IoT security tool lets organizations enforce consistent security, better manage IoT devices across their lifecycles and reduce IoT risk.

Organizations invest billions each year on securing desktops, servers, and cloud networks, but by ignoring IoT security their network is vulnerable to attacks. As the attack surface continues to grow, it is now more crucial than ever to install improved IoT security to defend enterprises against cyberattacks and bad actors.