IoT risk management and security don’t seem to get the attention they deserve until there’s a data breach. KnowBe4’s James McQuiggan discusses the often-overlooked cyber risk associated with using IoT devices and what organizations can do to protect themselves.
Thinking back a few weeks ago to a family movie I watched, I remember how it told the story of a lion cub that ventures out and discovers an elephant graveyard. To the lion cub, it seems exciting, and he wants to check it out. However, his father already warned him, telling him to stay away from the graveyard because it’s where the dangerous hyenas live. The young lion cub and his friend decide to explore it anyway and are soon surrounded by hyenas. Spoiler alert, the father leaps in at the last second to scare the hyenas off, and the lions head home. The IT administrator of an organization, in this case, is the father, and the young lion cub represents the IoT systems that connect to the network.
Like the cub, IoT devices are young, curious and lacking security features, which makes the risk of attack more significant. Organizations nonetheless continue to add IoT devices to their infrastructure, and each one increases their exposure and attack risk unless a robust risk management program exists to isolate and secure the devices.
Consider how many IoT devices you have in your home (if you have a device that connects to the internet or your home network that doesn’t have a monitor or keyboard attached to it, it is most likely an IoT device). Your security cameras, baby monitors, lightbulbs, video-capable doorbells, smart TVs, smartwatches, thermostats, refrigerator and voice-activated speakers with personal assistants (Siri, Alexa, Google) are some IoT devices found in the home.
What about the IoT devices utilized in businesses?
Hopefully, Alexa is not utilized in the workplace, let alone remotely at home within earshot of people's workspaces. With a significant share of the workforce now working from home and keeping all of their IoT devices on the same network as their office laptops, the risk of cyberattacks is significantly higher. IT departments cannot monitor your home network, which makes this environment an IT admin's worst nightmare. It's as if the lion cub has ventured past the badlands and is stuck there for the foreseeable future.
Rush to Market
IoT risk management and security do not always appear to be at the forefront of most companies' priorities until there is a data breach resulting from a compromised product. Only then does securing it become a high-level focus: budgets are approved, resources are provided and the necessary security features are added to the product. The race to get a product to market always seems to matter more than the energy and resources allocated to adequately securing the IoT device from the beginning.
IoT developers should build products that aren't shipped with default passwords and that prompt users to change default configurations on first use. Utilizing a secure development life cycle (SDLC), where the information security department is involved from the beginning and security review is a development gate, produces a more secure product. Building in the proper security features reduces the risk the device carries; otherwise, that risk is transferred to the organization that deploys it, whose members must then take steps to secure it themselves.
There are occasions where a vendor does utilize a strong SDLC and still discovers a vulnerability in the product. In most cases a fix is provided, but it still falls to the owner to mitigate the risk until the patch can be applied. The patch may also go unapplied because of availability concerns or problems implementing the fix, leaving the organization with further exposure and risk to mitigate. From another perspective, how many organizations have IoT devices with known vulnerabilities and an available patch, but no change control program that covers those devices?
Here’s something cybersecurity professionals not working as a CEO or CISO may struggle to understand, as explained by the owner of a cybersecurity consulting company: Your upper manager or C-suite officer accepts a lot more risk than what the cybersecurity expert thinks should be taken on.
It's not unusual for a security professional to deliver a security risk management presentation to upper management, requesting that specific features, programs or policies be implemented to protect a product or an internal system. When presenting to upper management, remember that for them it's not about security. It's about risk and how much of it is acceptable, and that amount is going to be a lot greater than we security professionals are willing to accept.
Your security is only as good as the weakest element in your organization's risk management program; a chain is only as strong as its weakest link. The same applies to your risk management programs for suppliers, vendors and IoT devices.
Organizations that make a product will work to get it to market quickly and accept some risk to do so. C-suite management and board members take on more risk than CISOs feel they should, and security professionals often feel budgeting is a game of Russian roulette: the programs they are funded for versus the ones they actually want completed.
IoT plays out the same risk scenario with products that lack the security features the security industry wants them to have, so mitigating measures are needed to secure the devices after the fact. It's challenging to secure an organization when the weakest link is an IoT device that has been accepted by the business and approved by upper management.
Compliance and IoT Can Be Tricky
Many compliance requirements may be too difficult or even impossible to meet with an IoT device. For example, a vulnerability assessment of a product might be able to document its open ports, but might not be effective at detecting the vulnerabilities behind them, since scanners rarely have signatures or authenticated checks for embedded firmware (and aggressive active scans can crash fragile embedded devices). If an organization runs an active scanning tool, it might document a list of all IoT assets. However, in most cases it's a challenge to track current servers and end systems, let alone IoT devices that might connect to and disconnect from the network every day.
Another issue is the requirement to install anti-malware software on every device connected to the network. Because IoT devices don't run the ubiquitous Windows operating system, and typically run a stripped-down embedded system that no endpoint agent supports, meeting this requirement is quite tricky. Finally, when it comes to identity and access management, IoT devices are typically delivered with a single user account or hard-coded credentials, and are configured locally over a wireless network or through Bluetooth. Compliance requirements for access focus on individual user accounts and hardened passwords. Many IoT devices are not capable of, or designed for, that type of granular control, which makes network access by external threats a more significant risk.
Actions to Take Now
With the increase in use of IoT devices, there are recommended tasks and configurations to help reduce the risk of an IoT compromise. First, developers should ensure products aren't shipped with default passwords and that users are prompted to change default configurations upon first use. This removes the easiest route in for attackers: default credentials are publicly known and readily available through open source intelligence (OSINT).
Within the organization, where the IT or information security departments need to protect and secure the network, the concept of compartmentalization or isolated networks can significantly reduce not only the IoT device’s access to the network, but also its exposure to the outside world. Isolating devices behind a firewall and restricting the access to the necessary ports and services limits exposure by limiting communication to only what is essential.
Maintain a dedicated inventory of every IoT device connected to the network, use it to track available updates for each device, and apply those updates as early as possible to minimize both the impact on availability and the window of exposure for the environment.
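The following is an added example, not KnowBe4's or the author's code, showing what the three actions above look like when written down: an inventory of IoT devices, an automated check for factory default credentials and out-of-date firmware, and a generated nftables allow-list that isolates the IoT VLAN behind the firewall so the office LAN can only reach each device on the ports it genuinely needs. The device records, credentials, version numbers, the default-password list and the interface names (lan0, vlan20) are all constructed assumptions for the example.

```python
"""IoT inventory review and segmentation policy generator.

Added example for this article; it is not KnowBe4's or the author's code.
All device records, credentials and version numbers below are constructed
sample data, and the interface names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Factory default credential pairs, the kind attackers harvest via OSINT.
# Constructed list for the example; a real program would load a
# vendor-specific default-password list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}


@dataclass
class IoTDevice:
    name: str
    ip: str
    firmware: str          # installed version, dotted numeric
    latest_firmware: str   # vendor's current release, from the maintained catalog
    username: str
    password: str
    required_ports: list   # TCP ports the office LAN genuinely needs to reach
    last_seen: date        # last time the device answered on the network


def version_tuple(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def needs_update(dev: IoTDevice) -> bool:
    return version_tuple(dev.firmware) < version_tuple(dev.latest_firmware)


def uses_default_credentials(dev: IoTDevice) -> bool:
    return (dev.username, dev.password) in KNOWN_DEFAULTS


def assess(devices, today: date, stale_days: int = 30) -> dict:
    """Return a list of findings per device name (empty list = no issues).

    'today' is passed in rather than read from the clock so the report is
    reproducible; devices silent longer than stale_days are flagged because
    an unseen device cannot be patched or verified."""
    findings = {}
    for d in devices:
        issues = []
        if uses_default_credentials(d):
            issues.append("default credentials")
        if needs_update(d):
            issues.append(f"firmware {d.firmware} < {d.latest_firmware}")
        idle = (today - d.last_seen).days
        if idle > stale_days:
            issues.append(f"not seen for {idle} days")
        findings[d.name] = issues
    return findings


def nftables_rules(devices, lan_iface: str = "lan0", iot_iface: str = "vlan20") -> str:
    """Render an nftables forward-chain allow-list for an isolated IoT VLAN.

    The default policy is drop, so IoT devices cannot initiate anything across
    the firewall; the LAN may reach each device only on its listed ports, and
    replies flow back through conntrack. Interface names are assumptions."""
    lines = [
        "table inet iot_segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for d in devices:
        if not d.required_ports:
            continue  # nothing needs to reach this device; the drop policy applies
        ports = ", ".join(str(p) for p in sorted(d.required_ports))
        lines.append(
            f'        iifname "{lan_iface}" oifname "{iot_iface}" '
            f"ip daddr {d.ip} tcp dport {{ {ports} }} accept"
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed inventory, as a spreadsheet or GRC tool might export it.
INVENTORY = [
    IoTDevice("lobby-camera", "10.20.0.11", "2.4.1", "2.4.3",
              "admin", "admin", [443, 554], date(2024, 3, 20)),
    IoTDevice("hvac-thermostat", "10.20.0.12", "1.9.0", "1.9.0",
              "ops", "Vq7!pRk2#mL9", [443], date(2024, 3, 31)),
    IoTDevice("conference-tv", "10.20.0.13", "5.0.2", "5.1.0",
              "svc_tv", "Xu4$tWn8@hB3", [8080], date(2024, 2, 1)),
]
REPORT_DATE = date(2024, 4, 1)  # fixed date so the sample report is reproducible

if __name__ == "__main__":
    for name, issues in assess(INVENTORY, REPORT_DATE).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
    print(nftables_rules(INVENTORY))
```

Running the script lists the lobby camera with default credentials and stale firmware, the conference TV with stale firmware and a 60-day absence, and the thermostat as clean, then prints a ruleset that can be loaded with `nft -f`. Versions are compared as integer tuples, because comparing "10.0.0" to "9.9.9" as strings would wrongly report the newer firmware as older.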
Risk Management Tools for IoT Devices
Several tools are available to mitigate and manage risk for IoT devices. Essentially, every organization should have policies, processes and documentation covering all of its IoT devices, and a governance, risk and compliance (GRC) program to support compliance, risk mitigation and a repository for those policies and procedures. A spreadsheet can serve to track the policies and link to the policy and procedure documentation, but a GRC application frees up resources and increases productivity: it tracks policies, procedures, evidence and other documentation against the compliance requirements of one or more sets of standards at once, eliminating duplicate work.
IT departments will always need to wrangle those lion cubs. Still, if an organization provides the proper tools, resources and funding, it can support a more robust compliance culture. These actions significantly reduce the risk of exploitation and compliance violations, and with them the loss of reputation and of the thing a profitable organization values most: revenue.