A little over a week ago, I wrote a blog post about the security of Internet of Things (IoT) devices, especially when giving them as gifts this Holiday Season. In today's blog, we are going to add onto that and talk about IoT security from the standpoint of business entities.

There is of course a lot more at risk here, especially if an organization is large and has employees located in different geographic locations throughout the world. So, here is a quick checklist as to how you, as a CISO, head of an IT Security team, or even a business owner, can do a Risk Assessment:

1) Take stock:
By this I mean conduct an inventory of all your digital and physical assets. Then, rank them according to their degree of vulnerability, using a categorical scale, such as 1-10. In this case, one would indicate least vulnerable, and ten would be the most vulnerable. Anything in between would be an increasing level of vulnerability, or decreasing, depending upon how you look at it (such as 2-9, or 9-2, respectively). Then, out of all those assets, not only identify the ones that are most vulnerable, but also confirm which of those are of an IoT nature. Then, decide upon the appropriate controls, and deploy them. Or, if you already have an existing set of controls, you and your IT Security team need to produce a plan of action to upgrade them to decrease the level of vulnerability as much as possible. It is important to note that if you have both legacy and recent systems, trying to determine the right set of controls could be more difficult. In this case, your best bet would be to consult with an MSP or an MSSP to work this out for you.

2) Power Consumption:
Because of their level of interconnectivity, IoT devices are known to be extremely hungry for both processing and consumption power. Therefore, if you do make use of a Vulnerability Scanner, or even carry out Penetration Testing, make sure that whatever you use is "lightweight" in design. That way, it will not put an extra burden on the resources that are powering the IoT devices, and you will still be able to pinpoint any weaknesses or gaps accurately.

3) Updates:
Just like a Security Policy, having a reliable Software Update Policy is just as important, if not more so. This is the one area where most businesses fail, and as a result, they become the victim of a security breach. Thus, it is important to create a regular schedule for checking for the latest updates that come out from the vendors that you work with, and to decide upon a good time (preferably after business hours) at which they should be deployed. But there is one very important caveat to remember here: there could be times when even these patches and updates have flaws in them. Therefore, it is important to evaluate them in a sandboxed environment first, before installing them into production.

4) Access:
Obviously, you want to limit access to those end users who need to have entrance into your IoT devices. One of the best ways to do this is to implement Multifactor Authentication, also known as "MFA" for short. This is where you deploy at least three or more different authenticating mechanisms to fully identify the person who wants to gain access. In this case, try to eliminate using passwords altogether, and use something that is much more robust, such as an RSA token or a Smart Card, in conjunction with Fingerprint Recognition and/or Iris Recognition.

5) Attack Surface:
As a business owner or a CISO, it might be very tempting to connect as many IoT devices together as possible, because the thinking here is that this will increase productivity and offer seamless communications. While there might be some truth to this, the bottom line is that with all this interconnectivity, you are simply expanding the attack surface for the Cyberattacker. Through just one point of entry, a malicious payload can be easily deployed and have a cascading effect upon your entire IT and Network Infrastructure. The moral of the story is to connect only what absolutely needs to be connected, and to always keep track of whether you are adding more, unneeded connections. This can be easily done by using the various Heat Maps in Microsoft Azure.
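
To make the attack surface point concrete, here is an added example (not from the original post, and not tied to any Azure feature) that compares observed device connections against the ones documented as required, and measures how far a compromise could spread from a single entry point. The device names and links are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data: device names and links are illustrative only.
REQUIRED = {  # links the business has documented as necessary
    ("badge-reader", "access-server"),
    ("hvac-sensor", "building-gateway"),
    ("building-gateway", "access-server"),
}
OBSERVED = REQUIRED | {  # links actually seen on the network
    ("smart-tv", "building-gateway"),
    ("smart-tv", "file-server"),
    ("access-server", "file-server"),
}

def norm(links):
    """Treat links as undirected: (a, b) and (b, a) are the same connection."""
    return {tuple(sorted(link)) for link in links}

def unneeded_links(observed, required):
    """Observed connections that nobody documented as required."""
    return sorted(norm(observed) - norm(required))

def blast_radius(links, entry):
    """Devices reachable from one entry point (breadth-first search)."""
    adj = {}
    for a, b in norm(links):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {entry})

def audit(observed, required):
    """Per device: (reach today, reach if only required links remained)."""
    devices = {d for link in norm(observed) for d in link}
    return {d: (len(blast_radius(observed, d)), len(blast_radius(required, d)))
            for d in sorted(devices)}

if __name__ == "__main__":
    print("Unneeded links:", unneeded_links(OBSERVED, REQUIRED))
    for dev, (now, after) in audit(OBSERVED, REQUIRED).items():
        print(f"{dev:18} reach now={now}  after cleanup={after}")
```

In this sample, the three undocumented links are what let a compromised smart TV reach every other device; with only the required links in place it reaches none.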

My Thoughts on This:
Well, there you have it: a quick list of what you can do to mitigate risks to your IoT devices, and to fill in those gaps and weaknesses that you discover. This all requires a 24 X 7 X 365 watch, and although this might seem impossible to do from the outset, you can automate much of this, especially by making use of a DIEM based platform.