9 Ways to make IoT devices more secure
Devices must be more secure if IoT is to reach its full potential. The good news is that security policies and procedures can protect enterprise infrastructure, harden IoT configurations, and make the network smarter and more defensible. Here's where to start.
New devices are being plugged into the Internet of Things (IoT) at a rapid pace. While IoT is expected to offer many benefits, adding insecure devices to an enterprise network can have serious consequences. The good news is that security policies and procedures can protect enterprise infrastructure, harden IoT configurations, and make the network smarter and more defensible.
Research indicates that most systems are not compromised through sophisticated or device-specific vulnerabilities, but rather because of a lack of basic security controls. While at-risk devices have some things in common—they use TCP/IP protocols and Internet-based software—they cover a wide spectrum of price, application, and purpose. The category includes typical IT gear such as smartphones, tablets, sensor equipment, and control systems, as well as video cameras, network printers, industrial controls, and medical equipment.
Just how big of a problem is it? According to a recent poll by 451 Research, security is the No. 1 impediment to IoT—and for good reason. Weak links in an enterprise’s security posture from insecure devices are broad-ranging and difficult to pin down. For example, supply chains have many vulnerabilities and attack surfaces. There are also many protocols and standards to support, minimal over-the-network software security, complex security architectures, malware-riddled devices, and few incentives for vendors to develop and deploy device updates after the initial sale. Not to mention, just finding and cataloging every device is nearly impossible.
If IoT is to reach its full potential—and if enterprises are to benefit—devices must be more secure. The recommendations below are from various sources, including the Broadband Internet Technical Advisory Group (BITAG) and the Cloud Security Alliance. Some of the advice can be implemented today, but other recommendations will take time, especially around product design improvement.
1. Secure and centralize the access logs of IoT devices
Preventing devices from connecting to the network without IT’s knowledge is one of the first lines of defense. IT managers maintain centralized access logs of networks under their control. They know what’s attached to the network and who logs in to what, when, and for how long. Unfortunately, the process hasn’t scaled to address the volume of IoT devices coming online, which has enabled hackers to enslave insecure devices into botnets to launch distributed denial-of-service (DDoS) attacks. The consequences can be considerable. Thousands of vulnerable routers, IP cameras, and digital video recorders became infected with the Mirai malware and were then used to take down major websites. Mirai spreads to vulnerable devices by continuously scanning the Internet for IoT systems that are protected by factory default or hard-coded usernames and passwords. Experts suggest that the malware can be wiped by rebooting the device, but constant scanning for vulnerable systems almost ensures devices are re-infected. Only changing the default password protects them from rapid re-infection. And in this instance, because few enterprises kept centralized access logs of vulnerable devices, IT security managers didn’t know they were compromised.
Bottom line: Centralize access logs, and train security teams to recognize attack and alert patterns that use IoT endpoints. DDoS attacks sourced from vulnerable IoT devices are expected to increase, meaning endpoint protection systems that can recognize such threats should become standard.
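As an added example (not from the article or any source it cites), the following Python script runs three checks over a constructed, centralized access log in a made-up syslog-style format: a device that is not in the inventory, a successful login with a factory-default account name from outside an assumed management subnet, and one source touching several devices over Telnet within a short window, the scanning pattern described above. The inventory, subnet, account names, and thresholds are assumptions.

```python
"""Detection checks over centralized IoT access logs.

Added example with a constructed log format and sample lines; the inventory,
management subnet, account names and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style line format used throughout this example:
#   <ISO timestamp> <device> <service>: login user=<name> src=<ip> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<service>\w+): login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

INVENTORY = {"cam-lobby-01", "cam-dock-02", "dvr-sec-01", "printer-3f"}  # assumed asset list
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")          # assumed admin subnet
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user"}  # factory account names (assumed)
SCAN_DEVICE_THRESHOLD = 3   # distinct devices one source may probe before alerting
SCAN_WINDOW_SEC = 600

# Constructed sample log: one outside host sweeps Telnet across four devices and gets
# into the DVR with a default account; an unlisted thermostat appears on the network.
SAMPLE_LOG = """\
2017-03-02T10:15:01Z cam-lobby-01 telnetd: login user=root src=203.0.113.45 result=FAIL
2017-03-02T10:15:03Z cam-dock-02 telnetd: login user=root src=203.0.113.45 result=FAIL
2017-03-02T10:15:04Z dvr-sec-01 telnetd: login user=admin src=203.0.113.45 result=OK
2017-03-02T10:15:09Z printer-3f telnetd: login user=admin src=203.0.113.45 result=FAIL
2017-03-02T10:20:00Z dvr-sec-01 httpd: login user=jsmith src=10.10.0.12 result=OK
2017-03-02T10:21:30Z thermostat-9 httpd: login user=admin src=10.10.0.12 result=OK
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Return a list of (alert_kind, subject, detail) tuples for the log text."""
    alerts = []
    telnet_attempts = defaultdict(list)   # src ip -> [(timestamp, device)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # 1. A device that IT does not know about is answering logins.
        if rec["device"] not in INVENTORY:
            alerts.append(("unknown-device", rec["device"], rec["src"]))
        # 2. A factory-default account logged in successfully from outside the admin subnet.
        outside = ipaddress.ip_address(rec["src"]) not in MGMT_NET
        if rec["result"] == "OK" and rec["user"] in DEFAULT_ACCOUNTS and outside:
            alerts.append(("default-account-login", rec["device"], rec["src"]))
        if rec["service"] == "telnetd":
            telnet_attempts[rec["src"]].append((rec["ts"], rec["device"]))
    # 3. One source touching many devices over Telnet within the window: credential scanning.
    for src, events in telnet_attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {dev for ts, dev in events[i:]
                         if (ts - start).total_seconds() <= SCAN_WINDOW_SEC}
            if len(in_window) >= SCAN_DEVICE_THRESHOLD:
                alerts.append(("telnet-scan", src, sorted(in_window)))
                break
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"{kind:22} {subject:16} {detail}")
```

Feeding real syslog output would only require adjusting `LINE_RE` to the device's actual message format.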
2. Use encrypted protocols to secure communications
Encryption practices of IoT devices are inferior and insecure. Few devices use encrypted communications as part of their initial configuration. Rather, most use ordinary web protocols that communicate across the Internet in plain text, which makes them easy targets for hackers observing network traffic to identify weaknesses. At the very least, all web traffic should use HTTPS, Transport Layer Security (TLS), Secure File Transfer Protocol (SFTP), DNS Security Extensions (DNSSEC), and other secure protocols for communications with management stations and across the Internet. In addition, devices that connect to mobile apps or other remote gateways should use encrypted protocols and should encrypt data stored on flash storage. One reason to encrypt data is to ensure that malware hasn’t infected the device.
Bottom line: Choose devices that employ encryption, and use it.
3. Create more effective and secure password policies
Most network infrastructure requires the administrator’s default password to be changed when first accessed. However, most devices, such as home routers, network printers, and sensors, lack strong authentication and access controls. The Mirai botnet could be constructed because the default settings of many digital video recorders and IP cameras were never changed. Moreover, multifactor authentication—using a mechanism beyond a simple password to log in, such as an SMS code sent to a cell phone—is a rarity in the IoT world. In fact, some IoT devices don’t require any authentication at all: a user can navigate with a web browser to the device’s IP address and control its configuration and operation.
To demonstrate the possible insecurities, software engineer Leo Linsky wrote what he called an “anti-worm” worm that hacks into IoT devices using default credentials and then changes the passwords to something stronger. While this is just an academic proof of concept published on GitHub, it is worth reviewing.
Bottom line: Change default passwords to strong, unique ones, and use single sign-on tools to manage and limit access. Educate end users on best practices for home network routers and modems, especially if laptops and tablets move from home to office networks.
4. Implement restrictive network communications policies, and set up virtual LANs
It's important to understand the difference between restrictive and permissive network communications. For example, there is a difference between a PC that shares its entire hard drive with everyone and a web server that allows only a few authorized users to view its content. Unlike most restricted web servers, the assumption with IoT devices—such as temperature sensors—is that they are permissive: they can and should communicate with just about any user and any device by default. This permissive communication is part of their design; vendors want them to participate on networks and share their data with a variety of tools and software programs. Unfortunately, permissiveness is what makes these devices inherently insecure and vulnerable to all sorts of exploits. Instead, restrictive network communications, such as built-in firewall rules or more careful user or application authentication, should be implemented. Devices should not be reachable through standard TCP/IP services such as Telnet or FTP, and users should not assume that the devices sit behind enterprise firewalls that will prevent communications across the network or out to the Internet.
Bottom line: One way to provide better security is to isolate sensors and other permissive devices on a separate virtual LAN. This setup prevents a hacker from observing the totality of network traffic if one sensor is compromised, or using it to launch attacks across the entire enterprise.
5. Understand that device firmware can be insecure
Identifying how firmware on connected devices is updated is a priority. For example, look at the network-attached printers still running original factory-installed firmware versions. Unlike Windows or Mac endpoints, sensors and printers don’t have the ability to enable automatic updates, and device manufacturers aren’t forthcoming when it comes to updates.
Some firmware is easily compromised because updates can be applied without any user authentication. Firmware can also be riddled with vulnerabilities. A case in point: security researchers at Carnegie Mellon University’s CyLab downloaded close to 2,000 home router firmware images and tested them. Some 43 percent were vulnerable to simple attacks, and many had back doors that make hacking easier. One bright spot in this area is Factom, a security software vendor that proposes to authenticate IoT devices to prevent spoofing and ensure data integrity by leveraging blockchain technology. Others should follow its lead.
Bottom line: Purchase devices that have secure firmware update policies when possible. In addition, educate users on how to secure home routers.
6. Improve failover design
Devices should function when Internet connectivity is lost or disrupted. However, few IoT devices are designed to cope with failures such as loss of Internet connectivity or data disconnections. Failover design is especially important for IoT devices that involve user safety, such as door lock mechanisms, video monitoring, and environmental monitors and alarms. These devices should have manual overrides or special functions for disconnected operation.
Bottom line: IT should include failover design as part of the decision process. Vendors must step up and address the problem.
7. Design explicitly for privacy and security
Few IoT device vendors consider security a feature or incorporate it into the design lifecycle. As a result, most devices fail to offer privacy policies or incorporate privacy-by-design principles. (This is also true of many standard computer hardware and software vendors.) In addition, distinguishing between the roles of supplier, OEM, customer, and partner is getting harder, making enforcement of security best practices difficult. As a result, some devices might have inserted malware, outdated software, bugs, or other vulnerabilities due to lack of proper testing or quality controls.
Bottom line: Security and user privacy of the entire IoT supply chain need improvement. Vendors must design explicitly for privacy and security, especially when a device is sold with an accompanying online service contract that locks customers in for extended periods of time. Vendors should also provide obvious links to privacy policies from websites.
8. Create an industry-backed program for “Secure IoT Device” labeling
There is currently no industry standards program for IoT security. BITAG’s "Internet of Things (IoT) Security and Privacy Recommendations" report suggests, “An industry-backed set of best practices seems to be the most pragmatic means of balancing the innovation in IoT against the security challenges associated with the fluid nature of cybersecurity, and avoiding the checklist mentality that can occur with certification processes.” It goes on to list a collection of industry groups, such as the W3C, the U.S. Federal Trade Commission, and the Online Trust Alliance, that have stakes in the IoT industry. Unfortunately, none of these organizations focus primarily on IoT.
Bottom line: The IoT device industry should consider the creation of an industry-backed program under which a "Secure IoT Device" logo or notation could appear on IoT retail packaging, similar to how the Wi-Fi Alliance operates.
9. Create bug bounty programs and vulnerability reporting systems
Vendor support for IoT devices is limited, especially when flaws are discovered. IoT devices are often missing features such as power reset buttons or even on/off switches found in typical IT products. Manufacturers may skip these features to simplify the product and reduce cost, but doing so can make products vulnerable to remote control exploits. Unfortunately, companies have few places to turn to. Few IoT vendors have implemented the support programs that the enterprise world takes for granted, such as customer alerts when a device is no longer sold, links to prior versions, and contact information.
Bottom line: Vendors must create ways for companies and users to get answers, including bug bounty programs, vulnerability reporting systems, support contacts, and escalation procedures.
NEW March 2017 Blog: Aruba Atmosphere 2017, Nashville, TN Recap Parts 1 and 2
Check out our March Blog series
February 2017 Blog: Many Organizations Will Find HPE/Aruba Networks IAP Solution Just Right
When it comes to wireless solutions for small and medium size organizations, the story of Goldilocks and the Three Bears serves as a great analogy. In the adorable children’s story, Goldilocks samples one bed too hard, one too soft, one porridge too hot, one too cold, until she finds the offerings that are perfect for her.
integraONE Acquires Quatro Systems, Inc. of Horsham, PA
2/16/2017, Allentown, PA: integraONE, the area’s leading technology provider, is pleased to announce its recent acquisition of Quatro Systems, Inc. of Horsham, PA. The resulting partnership with Quatro Systems enables integraONE to offer its broad spectrum of information technology solutions to an even wider range of clients, adding the Philadelphia metro region to its geographic service area.
This is the third acquisition by integraONE, which previously acquired Classic Networking, Inc. of Mechanicsburg, PA in 2010 and 7 Layer Solutions, Inc. of Saxonburg, PA in 2012.
The acquisition comes nearly twenty-seven years after integraONE’s inception. Founded June 1, 1990 as Integra Business Center, Inc. (dba integraONE), the company provides networking infrastructure, data center, server, and storage solutions, security technologies, cloud solutions, unified communications, and its own managed services solution, FusionONE. The company is a trusted technology partner for medium-size to enterprise level financial, commercial, educational, governmental, and healthcare organizations throughout the Mid-Atlantic region.
“integraONE is a company that continually evolves to offer the best technologies available to meet the unique needs of our clients. This acquisition allows us to further expand our geographic reach into the Philadelphia metro region and to offer a local physical presence for our clients at this new Horsham office. Quatro Systems’ staff and resources will be a great addition to the integraONE team and we are excited about this growth opportunity,” said Marty Andrefski, President, integraONE.
Established in 1989, Quatro Systems, Inc. is a Managed Services Provider and Systems Integrator. For the past 28 years, Quatro has been a full-service leader in providing technology solutions, strategy, consulting, and IT infrastructure support services to companies of all sizes, from small and medium businesses to large organizations, in the Mid-Atlantic region.
“We are excited to join forces with integraONE and to offer our legacy clients an even greater array of technology solutions and products. integraONE is a well-respected company and we are proud to join their team,” said Jim Chebin, CEO, Quatro Systems, Inc.
“Combining our existing managed services skillset with integraONE’s extensive technical expertise and product offerings will be a win-win for our clients. We are pleased to join the integraONE organization and are excited about what the future holds,” said Mike Kazakevich, President, Quatro Systems, Inc.
Founded in 1990, integraONE provides clients throughout the Mid-Atlantic with a full range of technology solutions around the following core competencies: Security Technologies, Network Infrastructure, Data Center/Server/Storage solutions, Cloud Services, Unified Communications, and FusionONE Managed Services. integraONE is headquartered in Allentown, PA with satellite offices near Harrisburg, Pittsburgh, and now Philadelphia, PA.
integraONE maintains strategic alliances with industry leading technology providers including HPE, HPE/Aruba, HP, Inc., Cisco and Cisco Meraki, FireEye, APC, Axis, Barracuda, Bradford, Brocade, Lenovo, Fortinet, Kaspersky, Lightspeed Systems, Microsoft, ForeScout, Trend Micro, Cylance, iBoss, Symantec/BlueCoat, StorageCraft, Veeam, Concerto and more.
Top 10 Concerns for CTO and IT Leaders in 2017
Security, staff retention, and training will continue to plague IT leaders, but the convergence of disruptive technologies such as IoT, the cloud, and AI brings a new set of worries.
There is a palpable feeling of uncertainty within central IT departments. Digital disruption is sparing no industry, and IT is still adapting to its more complex role in the enterprise, so there is plenty to be anxious about.
To get a jump on the year ahead, we asked several CTOs, CIOs, and IT leaders about what keeps them and their colleagues awake at night. The top issues—including perennials such as security, staffing, and skills training—should come as no surprise. The good news is that shining a light on these challenges is the first step toward overcoming them.
Here are the 10 most common central IT concerns for 2017, directly from the mouths of IT pros. This was an unscientific poll, and responses aren't ranked in any specific order, but the list represents the issues that were most frequently and vehemently mentioned.
NEW! FusionONE Managed Services Brochure
Get our latest FusionONE Managed service brochure.
NEW! January 2017 Blog: How to Combat the Biggest Cyber Threats of Last Year in 2017
In our article last month, we covered two of the top cyber threats of 2016: ransomware and Business Email Compromise (BEC). With the amount of money involved in these attacks, these cybercrimes will most certainly continue to plague organizations throughout the coming year. Although ransomware can be initiated through drive-by downloads from Internet sites, email is still the predominant delivery system for both of these cyber menaces. Whether it is to capture user credentials or to deliver malware through an embedded link, cyber criminals target your email system each and every day. It is the gateway into your network that involves the highest degree of human receptiveness, which makes it a key point of vulnerability.
Protecting What May be Your Weakest Link
The first line of defense against these threats is an effective email security system. Today’s leading email security solutions, such as the Barracuda Email Security Gateway, offer far more than spam filtering: they provide coverage against a multitude of threats, including inbound malware, spam, phishing, and denial-of-service attacks. These solutions offer additional features as well, such as email encryption to protect the integrity of messages and spooling in case your email server goes down for any length of time. With the proliferation of mobile computing, companies such as Barracuda now offer their email security solutions as SaaS as well, so that threats are eliminated before they even touch the network. IT leaders are also recognizing that their company’s email is one of the weakest links in their security coverage, and many organizations are supplementing the default protection provided by services such as Office 365 with an added layer. Solutions such as the Barracuda Email Security Service are designed to complement cloud-based email services and provide a greater defensive shield.
Protecting from BEC Threats
Although email security solutions like those offered by Barracuda are extremely effective at combating most threats today, the unfortunate fact is that no solution is totally foolproof against all attacks. A case in point is BEC threats which involve taking advantage of internal email procedures as was discussed last month.
These types of attacks can be easily thwarted by a multi-channel verification policy for large wire transfers. More and more IT departments, for instance, are requiring multi-factor authentication for company email and remote access, such as a username and password complemented by a text-message PIN, security question, security token, or fingerprint. In the case of large wire transfers, the CEO should have to confirm the wire request with a phone call from a specific phone number. As an added measure, the CEO would have to verbally state a rotating password. This is the same concept the military uses to confirm strike orders on a submarine or at a missile base. These measures may not be convenient, but they can save a company from embarrassing devastation. Similarly, any change to a vendor’s profile or payment location should be verified by a secondary sign-off from multiple company personnel.
A common ploy in these attacks involves typosquatting, also known as URL hijacking. One way to prevent it is a regular training program for all employee positions in the finance department. Employees can be trained to examine the “From” name and address and confirm that they are the real name and address of the CEO or whichever account is requesting the transfer. The “Reply-To” name should be confirmed as well. Staff members can also be trained to forward the request in order to respond to it rather than simply replying, so that the employee must manually insert the CEO’s address from the contact list in the email application.
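As an added example (not from the blog or any product it mentions), this Python function applies the header checks described above to a constructed wire-transfer request: it flags a display name that matches an executive but an address that does not, a sender domain within a small edit distance of the corporate domain (the typosquatting case), and a Reply-To that differs from the From address. The corporate domain and executive directory are assumptions.

```python
"""Header checks for a suspected BEC wire-transfer request.

Added example; the message, corporate domain and executive directory are
constructed assumptions, not data from any real incident.
"""
from email import message_from_bytes
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                 # assumed company domain
EXECUTIVES = {"ceo@example.com": "Pat Morgan"}   # assumed address -> display name

# Constructed message: the display name is the CEO's, but the address sits on a
# lookalike domain and the Reply-To points somewhere else again.
RAW_MESSAGE = b"""\
From: Pat Morgan <pat.morgan@examp1e.com>
Reply-To: pat.morgan@mail-example-secure.net
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=us-ascii

Please wire the attached invoice today and confirm by reply.
"""


def edit_distance(a, b):
    """Levenshtein distance; a small distance between domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted=CORPORATE_DOMAIN, max_distance=2):
    """True when the domain is not the trusted one but differs from it by only a few edits."""
    return domain != trusted and edit_distance(domain, trusted) <= max_distance


def check_headers(raw):
    """Return the list of findings for a raw RFC 822 message (empty if nothing is suspicious)."""
    msg = message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. Display name claims to be an executive, but the address is not theirs.
    if from_name in EXECUTIVES.values() and from_addr.lower() not in EXECUTIVES:
        findings.append("display-name-spoof")
    # 2. Sender domain is a near-miss of the corporate domain.
    if is_lookalike(domain_of(from_addr)):
        findings.append("lookalike-domain")
    # 3. A reply would go to a different address than the apparent sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")
    return findings


if __name__ == "__main__":
    print(check_headers(RAW_MESSAGE))
```

The same checks can run inside a mail-gateway rule or a finance-team mailbox filter, which is where the manual "examine From and Reply-To" training gets its automated backstop.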
Layered Protection Against Ransomware
An international study showed that 40 percent of all enterprises experienced a ransomware attack in 2016. Of these victims, more than a third endured a financial loss and 20 percent had to stop business completely. As we discussed in our blog of July 2016, the one thing you can do to protect your organization from sustained damage from ransomware is an effective backup solution.
A simple security measure that prevents ransomware from establishing a foothold in your network in the first place is to create a Software Restriction Policy (SRP) through Windows Group Policy. By configuring a rule set for all executables within the two folders mentioned, as well as any subfolders within them, you prevent these malware strains from taking root and thus from encrypting your data. If your computer isn’t domain-joined, you can still implement an SRP on any professional edition of Windows 10, 8, or 7 through Local Security Policy. Files can be specified for an SRP in a number of ways, such as by their hash, but in this case a path rule is the most effective. Once you create the policy, make a rule using “New Path Rule” for the folders, as shown below.
Modern threats today are highly sophisticated, making detection difficult. What’s more, thanks to financial incentives and malware distribution channels, 2017 is sure to be another year of combatting smart cyber threats such as these.
Fortinet 2017 Cybersecurity Predictions-Accountability Takes the Stage
With the growth and pervasiveness of online devices and digital tools, we reached a critical tipping point in 2016. The need for accountability at multiple levels is urgent and real and affects us all. If something isn’t done, there is a real risk of disrupting the emerging Digital Economy.
Even in recent weeks, IoT devices were hijacked to shut down a huge section of the Internet. Stolen documents were used in an attempt to influence the US presidential election. Ransomware began to reach epidemic proportions, including high value targeted ransom cases. These and similar attacks have had sweeping impacts beyond their victims.
The rise of the digital economy is not just changing how organizations conduct business. The effects of this “fourth industrial revolution” are much more pervasive, and the speed of change is unprecedented. Slamming the brakes on a global economy in such a transition could be devastating. Vendors, governments, and consumers driving this change need to step up and be accountable for making sure that doesn’t happen. Cybersecurity is a strategic decision in all of these scenarios. It won’t be easy.
Preparing for a black swan cyber event
January 2017 Financier Worldwide Magazine
There can be little doubt that cyber breaches are becoming more frequent and cyber criminals are becoming more sophisticated in their techniques. From malware to reconnaissance attacks, and from DoS/DDoS attacks to phishing campaigns, cyber criminals are becoming bolder and more determined by the day.
Unfortunately, they are also finding more success. We need only look at the breaches endured by companies such as Target, Sony and Yahoo to see that cyber crime is prevalent. Indeed, in some circles, arguably, it has become normalised. Society in general is now accustomed to seeing news stories of successful cyber attacks across a variety of countries and sectors.
In light of the snowball effect of cyber criminality, it is imperative that individuals, companies, industries and governments do not accept cyber breaches as merely part of their day-to-day operations. To defeat cyber criminals, hacktivists and their ilk, it is vital that organisations double down on cyber security provisions and do all they can to protect themselves against a breach. For too long, companies have adopted an ‘it will never happen to us’ approach to cyber security, yet there is a strong chance that a breach will happen, or has already happened. Many companies are susceptible and suffer a breach without even realising that it has occurred.
Why You Need In-Store Wi-Fi In 2017
In 2017, offering your customers a Wi-Fi connection is no longer considered a luxury; it’s a necessity. Here are three important things to consider.
Customers expect a seamless experience when shopping in your store. These days that means that offering a Wi-Fi connection is a necessity. Indeed, Wi-Fi is one of the easiest services retailers can offer to ensure a positive shopping experience for their customers.
According to research conducted by JWire, about 80 percent of customers feel that an in-store Wi-Fi connection would influence their purchase decisions. In other words, customers would be more willing to purchase from a store that provides a Wi-Fi connection.
An in-store Wi-Fi connection does not just offer internet access to users. It also enhances customer shopping experience by allowing them to browse products, place an order, and make payments through their mobile devices. This creates a positive shopping experience that increases the chance of repeat customers.
There are three important things home furnishings retailers should consider when upgrading or installing an in-store Wi-Fi solution.
Customize the network
The key to serving tech-savvy consumers, and meeting the influx of applications and devices into your network, depends on how you optimize your retail network.
When implementing a network, you must take into account the context of users (their devices, location, privileges, the applications used and duration of time). Consider investing in wireless hotspot equipment that provides enhanced features through which you can accomplish these tasks.
Traditional access points and routers lack features essential for setting up Wi-Fi in retail settings. Wi-Fi hotspot equipment comes with features that limit bandwidth usage, optimize roaming and cellular handoff, and offer a captive portal that requires users to accept Terms of Service (TOS).