I used to love the old Space Invaders arcade game - waves of enemy attackers came in faster and faster while you tried to defend your base. With experience you could learn their tactics and get pretty adept at stopping them. For today’s enterprise IT staff, consumer-grade IoT devices must certainly feel like those space invaders of old.
There’s good news and bad news about these new creatures in the enterprise. The good news is that they don’t start with mal-intent and can be profiled well enough to confine their activity. The bad news is that they’re coming in waves, often slipping in under the radar, and the consequences can be much bigger than getting blasted and placing a few more quarters in the slot.
To help enterprise IT staff deal with this new wave we released “The Enterprise IoT Security Checklist: Best Practices for Securing Consumer-Grade IoT in the Enterprise” today, outlining best practices for securing consumer-grade IoT in the enterprise. The Checklist includes ten actions, based roughly in chronological order from purchase, through installation, to ongoing support, meant to raise awareness of the common vulnerabilities presented by these devices and how to address them.
Many of these devices show up without much fanfare – smart TVs in conference rooms, smart speakers in conference rooms or at employees' desks, fitness trackers connected to smartphones that may then access the corporate network, and networked printers with age-old software vulnerabilities.
The consequences of ignoring these new devices range from annoying to board-level critical. Intruders might be able to access these devices and pull off some mischief like changing channels or flipping things on and off. But they might also be able to monitor audio, video or data generated by these devices. In extreme cases, they may be able to use that access and surveillance to hop over to critical systems on the network, ultimately gaining access to important data – just ask the Las Vegas casino that lost 10 GB of information to a site in Finland via a hacked smart fish tank last year. Finally, these devices can be recruited to form an army to attack others on the network or the Internet a la the Mirai botnet attack.
The checklist walks through practical steps to minimize the attack surface created by these devices and the impact if they were to be compromised, but the high-level approach is to give them their own isolated network, lock down “open doors” such as default passwords, old software, open software ports, automatic connectivity and audio/video inputs, and enable encryption where possible. And the attention doesn’t stop at just the devices themselves – the controlling applications and backend services also need to be well understood to reduce risk.
Ideally, IT staff can set a policy that allows these devices to be reasonably incorporated into the enterprise without restricting use so much that it prompts “shadow IoT” efforts by employees. For more comprehensive guidelines on security, privacy and lifecycle best practices for consumer-grade IoT products, see OTA’s IoT Trust Framework.
Despite the alarms, ultimately the news is good – with proper attention you can reign in the risks associated with these new invaders and keep your base of operation safe.