I know it's a weird question to ask, after all how dangerous can a wi-fi enabled thermometer be? Don't own a thermometer? Okay, how about a toy car with a mobile app that acts as a remote? Not into toy cars? What if I told you that IoT kettles existed and that you could boil water anytime from anywhere in your home or office with a simple swipe of your phone? And if none of these catch your attention, there are literally thousands more devices that may just suit your technological needs.
But as the tile suggests, this isn't a bad 1980s Steven King movie where inanimate objects come to life to attack their owners, it's more like its 2020 where inanimate objects come to life to attack their owners. Okay, maybe not truly attack, but here's the reality.
For every toy, kettle, video camera, bulb, door sensor, and more, everyone of these devices comes with its own inherent security flaw—most commonly simple architecture and functionality that is completely devoid of any built-in security protocols. Why? Because most of these devices can be categorized as “dumb," meaning they have no operating system (at least not in the terms we think of), nor do they particularly need one. They are single-function items that connect to a wi-fi or Bluetooth signal and do one job.
So, now we know that Steven King is alive and well in our homes and offices, what do we do? First, it's all about policies. For any organization, knowing that IoT devices will inevitably show up in the workplace is the first step in ensuring better security. Along with that realization, creating policies that detail the types of devices allowed, what devices can and cannot do, and detailing how they will be dealt with sets the stage on multiple security fronts.
Front number one: education. If a policy is created and distributed appropriately, people will know immediately what is considered acceptable IoT and what is not. This means that in most cases risk is mitigated by default as people simply won't introduce unsanctioned IoT devices into the workplace, and in the case of a device that is not allowed but is introduced, adequate steps can be taken to shut it down and remove the device.
Front number two: welcome to the IT department. Ensuring that IT has policies and processes in place to choose proper IoT devices for actual work-related endeavors is also another very good way to mitigate breaches from unsecured devices. This usually translates to IoT devices such as door sensors, HVAC sensors and thermostats, cameras, and more—all of the things that any IT and facility operations department would be installing for daily tasks. A good example, what if ACME IoT Inc. made the perfect door sensors that would connect to the network, but that particular manufacturer was not on the approved IoT manufacturer list? This means that the potentially poor reputation of ACME IoT Inc. due to past security issues would be avoided altogether.
Front number three: policy leads to proper monitoring. In the case of any and all IoT devices, monitoring the network for any improper or anomalous activity is paramount. For instance, we've all heard the stories of certain mobile apps being nefarious in nature: either accessing information that they shouldn't be, or even speaking through connections to potentially unsecured servers. Many times these apps are associated with personal IoT devices that can be leveraged by cyber criminals to gain access to data.
More so, even the aforementioned facility operations devices such as sensors or cameras can lead to so-called back doors. By continually monitoring those devices, any anomalous activity can be identified immediately and dealt with appropriately before anything bad happens.
In 2020 and beyond, we know IoT is everywhere—it makes our collective lives easier, safer, and more enjoyable. And, it's not like IoT is going anywhere. So, instead I suggest that everyone embrace IoT all while simultaneously being aware of its risks, its security limitations, and how to mitigate issues that could arise. As the saying goes, luck favors the prepared. If you're prepared to be breached, then you won't be breached.
November 24, 2020 | Vanessa Howard
Virtual, Traditional, or Hybrid EOC What do you need to achieve?
An emergency operation centre (EOC) should enable people to respond to and plan the recovery from an emergency as effectively as possible. This is true of a brick and mortar EOC, a virtual EOC, and of a hybrid model. While there are...
Calian Cyber Security White Paper - Data and its importance to endpoint security