How to Secure Vulnerable IoT Devices in the Workplace
by Rick Collette on May 24, 2022 3:40:04 PM
The Internet of Things (IoT) is growing so rapidly that information security professionals struggle to keep up with its security. Managed and unmanaged devices that connect at the workplace without being secured carry real risk. As IoT usage increases, so does the risk of cyberattacks: partially secured devices remain vulnerable to attack and to significant data breaches, and Bring Your Own Device (BYOD) has led to inevitable data leaks. The growth of unmanaged devices and shadow IT network traffic from a workforce returning on-premises after the pandemic also contributes to the exponential increase of the attack surface. It is therefore necessary to analyze the risks of leaving IoT-connected devices unsecured.
This article will shed light on the IoT attack surface, significant risks associated with unsecured connected devices, and some best practices to mitigate these risks.
IoT attack surface
With teams focused on securing IT endpoints and servers, the growing number of unsecured IoT devices on the network makes them an appealing ingress vector for cyberattacks and a rich target environment. The surfaces listed below can lead to data leaks or cyberattacks if they are not appropriately secured. Once an initial breach occurs, malicious payloads can spread laterally across the network and compromise multiple systems.
1. Devices
Devices carry vulnerabilities in their physical and web interfaces, memory, network services, and firmware. Outdated components and insecure default settings give an attacker a way into the system.
2. Applications and software
Many applications carry significant risk, and many web applications do not adequately protect sensitive data. This data can be credit card information, personally identifiable information, patient data, or intellectual property.
3. Communication channels
Threats can also originate from the channels that connect IoT devices. Attacks on these channels pose a severe threat to the system and leave the network surface unstable.
Risks of not securing IoT devices as they are connected
1. Data Theft
Data theft is a risk associated with employees using their own devices for work. Letting employees use their own devices at work opens an opportunity for cybercriminals to reach your organization's data.
Employees use the same device for personal applications. If, for instance, a personal account is hacked, it can eventually expose corporate data and confidential business information.
2. Legal Liabilities
Customers expect the information they share with an organization to be protected. A security breach compromises the reputation of the business, particularly for a Managed Services Provider (MSP). Suppose an employee-owned device becomes the ingress vector of a data breach and confidential information is lost. In that case, the organization might face severe consequences such as litigation and damage to the brand. The cost of a data breach results in revenue loss and can put smaller organizations out of business.
3. Access to confidential data
If your devices are not secured as they connect, bad actors can gain access to your users' confidential data. Employees are likely to connect their devices to the internet in many places. Take the example of a hospital where someone connects a Raspberry Pi to scan the network and loses data to bad actors.
4. AI-Based Attacks
AI-based attacks have been in the wild since 2007, and they are becoming more prominent as the IoT ecosystem develops. As AI advances, attackers become more proficient at exploiting the technology and are developing AI-based tools that are faster and more efficient than humans at conducting a cyberattack.
Therefore, it is necessary to level up AI in your organization so that you can compete with these threat actors and protect your business from a successful security breach. AI vs AI in cybersecurity is already here.
5. Malware
Malware can be present on an employee's device. Employees use their devices to download many files and applications for personal use, such as PDFs, mobile games, and tools. For example, an employee downloads a game that either has vulnerabilities or purposefully contains malicious code. Whenever the employee connects the device to the corporate network, or even worse, an operational technology network, those networks can become compromised too.
6. Default and weak passwords
IoT devices are also at risk if they authenticate with weak passwords or if the factory passwords are never changed. One weak password is all it takes to access your organization's information. If employees do not follow the organization's password management policies, the result can be data exfiltration and loss.
How to secure vulnerable IoT devices?
Clearly, there are serious risks associated with unsecured IoT devices. But there are specific best practices to prevent data breaches where IoT is the ingress point.
- Discover, identify, and classify ALL your network-connected devices to properly assess your network security posture and risk.
- Actively monitor for critical data leaks. You can do this with security controls that offer advanced machine learning and by analyzing logs.
- You should set up automatic alerts to be quickly notified of sensitive data leaks.
- Adopt zero trust in your organization to help you secure your devices; move away from the implicit trust model that relies only on location in the network to authorize access.
- Check regularly for firmware patches and updates. Patch printers and other managed devices under your control.
- Improve Wi-Fi security by enabling the router firewall and the WPA2 security protocol. Use a strong password for Wi-Fi access.
- Implement identity-based microsegmentation and least privilege access, and do not rely only on traditional network segmentation methods. Create and enforce policies for all unmanaged devices (for example, allow them to communicate only with the internet and not laterally across the network, or deny all their traffic).
The Zero Trust Model
The zero trust model is a framework organizations use to authenticate, authorize, and continuously verify the identity of all users, devices, and applications before granting them access to any resource in the network. Although it’s been around for over a decade, it was very difficult to operationalize until very recently. As of 2022, the U.S. Federal Government is embracing the model and encouraging the private sector to follow suit, as it is a proven framework that considerably reduces the attack surface and likelihood of successful breaches.
As technology rapidly evolves and IoT security improves, the way threat actors attack also adapts. It is practically impossible to fully eliminate the risk of an initial breach of the network perimeter. However, you can always minimize the risk as much as possible by reducing the attack surface to the minimum, as well as the blast radius of a breach. By preventing lateral movement of malicious network traffic through identity-based microsegmentation and least privilege access control, you guarantee that breaches are contained, detected, and remediated faster. Analyze the risks of IoT in the workplace and follow proper best practices to reduce the likelihood of a successful data breach. A successful breach is one that manages to exfiltrate, encrypt or destroy data beyond the compromised device. Attacking a single vulnerable IoT device should not compromise the whole network and business operations.
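The following is an added example, not code from the article or from Elisity, showing what the best practices above (classify every device, then enforce identity-based least-privilege policy for unmanaged devices) look like when applied to flow records: unmanaged or unknown devices may only reach the internet, managed devices may only use explicitly allowed role-to-role ports, and every denied internal flow is surfaced as a lateral-movement attempt to contain the blast radius. The inventory, roles, addresses and log lines are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: the output of the "discover, identify, classify" step.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DEVICES = {
    "10.0.1.10": ("managed", "printer"),
    "10.0.1.20": ("managed", "workstation"),
    "10.0.2.5": ("unmanaged", "byod-phone"),
    "10.0.2.9": ("unmanaged", "raspberry-pi"),
}
# Least-privilege allow list keyed by (source role, destination role) -> ports.
# Nothing is trusted merely for being inside the network; unlisted pairs are denied.
ALLOW = {("workstation", "printer"): {631, 9100}}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def decide(src, dst, port):
    """Return (verdict, reason) for one flow under the identity-based policy."""
    src_class, src_role = DEVICES.get(src, ("unknown", None))
    dst_class, dst_role = DEVICES.get(dst, ("unknown", None))
    if not is_internal(dst):
        # Unmanaged devices may reach the internet but nothing on the network.
        return "allow", "internet egress"
    if src_class != "managed":
        return "deny", "lateral: %s source" % src_class
    if dst_class != "managed":
        return "deny", "lateral: %s destination" % dst_class
    if port in ALLOW.get((src_role, dst_role), set()):
        return "allow", "policy %s->%s" % (src_role, dst_role)
    return "deny", "lateral: no policy for %s->%s:%d" % (src_role, dst_role, port)

# Constructed flow records: "<timestamp> <src> <dst> <dst_port>".
SAMPLE_FLOWS = """\
2022-05-24T10:00:01 10.0.1.20 10.0.1.10 9100
2022-05-24T10:00:02 10.0.2.9 10.0.1.10 9100
2022-05-24T10:00:03 10.0.2.9 203.0.113.5 443
2022-05-24T10:00:04 10.0.1.10 10.0.1.20 445
"""

def audit(lines):
    """Run the policy over flow records; return the denied (lateral) attempts."""
    findings = []
    for line in lines:
        ts, src, dst, port = line.split()
        verdict, reason = decide(src, dst, int(port))
        if verdict == "deny":
            findings.append((ts, src, dst, int(port), reason))
    return findings
```

Calling `audit(SAMPLE_FLOWS.splitlines())` flags the unmanaged Raspberry Pi reaching for the printer and the printer reaching a workstation on port 445, while the phone's internet egress and the allowed workstation-to-printer print job pass.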
Elisity delivers frictionless, centrally managed zero trust access security to effectively and efficiently protect corporate data and critical assets from malicious lateral movement across the network. Cognitive Trust is Elisity’s cloud-native and cloud-delivered solution for identity-based segmentation and least privilege access of users, applications, and devices (managed and unmanaged), on-prem and in the cloud. The solution enables organizations to quickly gain visibility into network assets and traffic flows, and begin building policies to protect the most critical enterprise assets. Elisity is backed by Two Bear Capital, AllegisCyber Capital, and Atlantic Bridge.