RSA Hot Topic — IoT Security and Managing Unknown Devices
As one might expect, this year’s RSA security conference is buzzing with Internet-of-Things (IoT) security and related presentations, products, and demonstrations. With dozens of vendors and workshops focused on securing and managing unknown devices, IoT security is certainly a hot topic for 2018 and beyond.
From discussions about government’s role in mandating security for IoT products to the hands-on car hacking village, there are interesting IoT topics for just about everyone attending.
For many here at the show, the most important theme surrounding IoT security centers around how to adequately secure their company’s networks are given the plethora of unknown devices that are connecting to them. Employees, partners, contractors, service providers, visitors, and even strangers are constantly adding and connecting new and unknown devices.
Countless IoT Devices Connecting to Corporate Networks
The number of Internet-connected devices within an average enterprise has grown exponentially over the last few years. Rapid mobility and IoT growth have led to an astonishing number of endpoints that organizations must manage and secure. Experts anticipate this trend to grow significantly during the foreseeable future. Gartner predicts more than 20 billion connected things will be in use by 2020. That’s up from 11 billion in 2017.
IT and security departments are often surprised at the number and type of gadgets that are outside their ownership and control, but connecting to the corporate networks. Here are a few examples of what they are finding:
- Employee-owned devices: Mobile phones of course, but also smart watches, health and fitness gear, and smart speakers
- Presentation and communication equipment: Smart TVs, speakers, smart tables, and interactive whiteboards
- Building controls: Smart thermostats, lighting controls, light bulbs, window coverings, air purifiers, landscape sprinklers, batteries, wall plugs, and switches
- Services: Internet-connected vending machines, refrigerators, coffee makers, ovens, and more
- Security systems: Smart cameras, door locks, doorbells, motion sensors, and alarms
- Safety devices: Internet-connected fire sprinklers, emergency exits, smoke, and carbon monoxide detectors
- Business operations: Employee and asset monitors and locators, product inventory tracking, industrial controls, and countless other smart devices
Policies, Processes, and Technologies for Managing IoT Devices
For CISOs and their staff, there are no magic bullets for safeguarding their organization from countless IoT vulnerabilities. But there are a number of steps an organization can take to reduce the risks. Here are a few ideas that security experts have discussed at the RSA conference this year.
- Identify all devices on your networks: Most security and IT departments don’t know how many devices are on their networks. According to a recent Forrester study, 82% of organizations are unable to identify all of the devices connected to their network. Fortunately, there are many products on the market to do that—enabling enterprises to easily take this first important step.
- Establish policies to automatically disconnect unmanaged devices: Organizations should consider disconnecting devices that are unknown to IT. While this won’t be feasible in all situations, doing so will draw a very visible line that should not be crossed.
- Change default passwords and settings: Attempting access via default credentials is one of the first things hackers will try to do. Strangely, this simple security precaution is often ignored.
- Restricting IoT devices to separate networks: Having an isolated network for unknown and unmanaged devices will dramatically reduce the risks. The good news is that it’s relatively easy and inexpensive to do.
- Upgrade network monitoring tools: While many organizations have fundamental network monitoring in place, the IoT explosion demands raising the bar. Visibility and analysis of all IoT traffic is critical, so is machine learning and broad file-type analysis. Network perimeter controls are essential, but organizations must also detect malware and other threats that bypass those controls and are already present inside the organization. For more information, see Detecting Malware that Walks Into Your Network.
- Monitor and assess the security of newly discovered devices: Quality, advanced products, and technologies should assess new devices for vulnerabilities. These tools can establish a baseline of normal behavior, and identify subsequent anomalous behavior that could be malicious.
- Updating and patching: Not all IoT devices are capable of performing updates and patches, but for those that are, organizations must implement policies and procedures to make sure it’s done.
- Restrict network connections: To prevent IoT devices from accessing sites they’re not supposed to access, only allow them to download updates and nothing else.
- Effective security training: Thoroughly instruct your employees, contractors, and business partners regarding policies that govern the connection between personal and IoT devices. While some argue the merits and effectiveness of security training, virtually everyone agrees that it still needs to be done.
Hope for A Secure IoT Future
As discussed in Why Enterprises Should Care about IoT Malware, it’s very evident that the IoT will continue to gain an even greater presence in our networks and lives, and that securing it is one of the major issues the global tech community must address.
We are only at the beginning of this war. However, from the discussions here at RSA, it’s clear that a lot of very bright people are working hard to win this conflict.
Will we be able to harness this evolving technology that will no doubt revolutionize the world? Let us hope so.