Four Steps To Reduce or Get-Your-Arms-Around IoT Risk

https://go.device42.com/network-discovery


In the independent study by Ponemon Institute:

The Internet of Things (IoT) is an open door to RISK: 82% of respondents predict unsecured IoT devices will likely cause a data breach in their organization. 80% say such a breach could be catastrophic.

SolarWinds breach: “one mobile device and 4000 lines of code”.

https://www.signal-digital.com/signal/july_2020/MobilePagedArticle.action?articleId=1598670&lm=1619797985000#articleId1598670

A Cybersecurity SOFT TARGET – The largest percentage of incidents are IoT, and they are expected to double due to 5G bandwidth increases.

Traditional/current security tools are designed to protect the network devices, i.e., servers, operating systems and configuration states, with controls driving software patching and security updates.

IoT devices are not capable of encryption or of answering queries for their configuration or software versions, and current systems see them only as an IP address. There could be 200,000 devices on a large network and as many as 1,000 even on a small network, and they are not included in any current cybersecurity controls or security updates.

“On a positive note, the simplicity of these devices can be used to Cybersecurity Strategy advantage. A behavioral analysis technique developed for securing factory floor computers is being repurposed to fill in the blanks. Instead of asking the IoT device for the needed security control data, this technique monitors the IoT device’s communications. Critical information is extracted directly from the conversation through ‘deep packet inspection’. This passive monitoring technique, coupled with a broader program of repair and segmentation, can be used to bring IoT risk under control.”

The first step in minimizing IoT risk is to scan the network’s exterior for systems that are unexpectedly open to the Internet. Accidental misconfigurations and insider attacks will cause weak IoT devices to become visible from the Internet.

Additionally, and more importantly, legacy building automation systems that were installed in the last 20 years may have been directly connected to the Internet to permit easy access for remote monitoring. These systems can remain in service for decades, accumulating vulnerabilities and escaping security policy upgrades because they are not considered part of the computing infrastructure. External scans can be used to find these holes.

The second step, segmenting the network, exploits the fact that IoT devices have a limited range of functions with a small number of communication partners. A security camera should capture video and route it to video processing/recording devices. That is all it does. It should not be whispering sweet nothings to the accounting server. If it does, there probably is an infection present.

It is important that organizations group similar devices, and those that communicate with each other, on common segments.

Third, once network segments have been established, organizations need to migrate existing IoT devices to their proper locations. Because the owners of IoT devices are not easily determined through automated processes, a social engineering process can be used to obtain the data needed.

Fourth, staff would create a series of network segments to be used by consumer electronics. This segment would be open for anybody wishing to connect to it, so employees would not be tempted to hide their devices.

The last step of the process is for organizations to monitor for attacks. Behavioral analysis watches the usual behavior of a device during a training period. It builds a model that describes who communicates with the IoT device and how they usually interact with each other. Since IoT devices have a limited range of functionality when they are operating correctly, anomalous behavior is readily identified. Because the IoT devices are concentrated onto specific network segments, the effort required to monitor the lot is much less than if they remained distributed across the network.
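A sketch of the behavioral baseline described above, as an added example that is not part of the original article: it learns each device's communication partners during a training period and then flags flows that fall outside that model. The flow tuple layout, the IP addresses and the training cutoff are constructed assumptions.

```python
from collections import defaultdict

TRAINING_END = 1000  # assumed cutoff: flows before this timestamp build the baseline

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, protocol)
FLOWS = [
    (10,   "10.20.0.11", "10.20.0.50", 554, "tcp"),  # camera -> video recorder
    (400,  "10.20.0.11", "10.20.0.50", 554, "tcp"),
    (420,  "10.20.0.11", "10.20.0.1",  123, "udp"),  # camera -> time server
    (500,  "10.20.0.12", "10.20.0.50", 554, "tcp"),
    (1200, "10.20.0.11", "10.20.0.50", 554, "tcp"),  # matches the baseline
    (1300, "10.20.0.11", "10.30.0.7",  445, "tcp"),  # camera -> accounting server
    (1400, "10.20.0.12", "10.20.0.50", 22,  "tcp"),  # known partner, new service
    (1500, "10.20.0.13", "10.20.0.50", 554, "tcp"),  # device absent during training
]

def build_baseline(flows, training_end):
    """Map each device to the (peer, port, protocol) tuples seen during training."""
    baseline = defaultdict(set)
    for ts, src, dst, port, proto in flows:
        if ts < training_end:
            baseline[src].add((dst, port, proto))
    return baseline

def find_anomalies(flows, baseline, training_end):
    """Return post-training flows that deviate from the learned model."""
    alerts = []
    for ts, src, dst, port, proto in flows:
        if ts < training_end:
            continue
        known = baseline.get(src)
        if known is None:
            reason = "unknown-device"   # never observed in the training period
        elif (dst, port, proto) in known:
            continue                    # usual behavior, no alert
        elif any(peer == dst for peer, _, _ in known):
            reason = "new-service"      # usual partner, unusual port or protocol
        else:
            reason = "new-peer"         # partner outside the learned set
        alerts.append((ts, src, dst, port, reason))
    return alerts

if __name__ == "__main__":
    model = build_baseline(FLOWS, TRAINING_END)
    for alert in find_anomalies(FLOWS, model, TRAINING_END):
        print(alert)
```

Because the devices sit on dedicated segments, the flow records for this check can come from a single monitoring point per segment.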

ON HIRING:

First Staff/Personnel Augmentation for Cybersecurity Experience:

Using a passive asset inventory discovery tool to identify assets when network mapping.

