Infosec pros have spent the past decade fighting a rising tide of both more users and more devices connecting to enterprise resources while at the same time trying to decrease the attack surface -- that is, trying to shut down as many points of access as possible. Much of this is usually attempted by first inventorying connections, consolidating network systems and targeted servers, building portals to cut down on remote access, and advanced correlation of security events by a central security element.
Introducing IoT devices into the mix is like adding an unknown number of new doors to a building where the 100 existing doors are barely controlled. In 20 years, we’ve gone from one device per user to four or five devices per user, and face a future where we won’t have a handle on how many internet-enabled, exploitable points of entry even exist in our environment.
At the very least, just auditing and taking inventory of these devices will be a monumental task, which also happens to be the first step to securing them. Below are three security implications to keep in mind when dealing with increased IoT device accessibility on your network:
Devices increase the attack surface
The one way to mitigate this is to think about how a huge midtown office building handles entrants. They may have many unmanned doors, but they funnel traffic to a central desk or hallway where trusted people are permitted to ‘badge in’ and those not trusted need to be vetted, verified, approved and then badged. Handling other types of access is not dissimilar; using a central, brokered connection to at least service requests from outside the attack surface allows an enterprise to layer controls at a single point of ingress/egress.
Dumb enough to ignore but just smart enough to be dangerous
A lot of attention has been given to “smart” toasters as some kind of IoT poster child, but in essence, that is part of the problem. The “things” that are being connected are in many instances fire-and-forget in their simplicity, or are built-in features and tools that we may not even know are there. This leads to a mindset of just ignoring these “dumb” devices without paying attention to the fact that these devices, while inherently dumb, are connected to the biggest party-line ever made: the internet. As part of that, they are exactly as smart as whoever chooses to access or exploit them.
It’s your ‘Thing’… But who ‘owns’ it?
This leads to the third concern—who actually “owns” or controls, the IoT device you’re living with? If you even realize it is there, are you maintaining it? Hopefully someone is, because without patching and maintenance it will be guaranteed to show up on a vulnerability database in short order and be exploited immediately after. If it is being maintained, who is accessing that device? Maybe you do know, but even if you do, what is the security posture like at that remote vendor? Going back to the previous point, you’re only as safe as whoever has access to your enterprise. Scary thought. But again, following some good access hygiene, such as using that brokered connection mentioned previously, goes a long ways to controlling the Who, What, Where, When and How of access to your IoT systems.
The number of connected devices and access points on your network will almost certainly increase drastically in coming years. What steps are you taking to prevent potential breaches due to IoT devices? Let us know your thoughts in the comments below.