Implementing zero trust with the Internet of Things (IoT)

Taking a zero-trust approach to security is pretty much the standard by which organizations are measured these days. It means no user can be on the network without being authenticated and continuously validated. 

We think of users as people. But users can also be things. And these internet-facing things – Internet of Things (IoT) devices – can be as much of a cyber security issue as people. Actually, they can be more of a security issue. 

The dangers of enterprise IoT

Organizations rely on IoT devices to help them stay operational on a day-to-day basis. There are plenty of devices that keep a business running, including security cameras, printers, smart TVs, conference room equipment, kitchen equipment, and environmental sensors. These might include thermostats, smoke detectors, and ventilation systems alongside smart locks and room entry management systems.


All of these use software to complete tasks and share data with other devices, inside or outside the network. Their communication is typically automated, machine to machine, and doesn’t involve a human. It may never be monitored in any way that’s meaningful in a security-conscious sense.

Normally, we’d consider many of these devices the domain of the facilities team rather than the IT team, and outside the scope of the enterprise network that needs protecting. It’s one of the many considerations when it comes to assessing IoT security risks.

“Consider older facilities,” says Abel Archundia, managing director of global advisory and life sciences at ISTARI. “They may create or manage sensitive data yet likely have air conditioning units or cameras installed years ago in the same network. And most of these systems have no protocol to upgrade operating systems in IoT devices. The worst thing is that they’re not very complex or hard to crack.”

Each of the devices attached to an organization’s network presents a danger, John Linford, Security & OTTF Forum Director at the Open Group, explains.

“Devices inevitably have vulnerabilities through their connection to a network,” he tells ITPro. “With the growing use of IoT devices, a business’s attack surface expands as attacks can originate from the channels that connect IoT devices.”

Poor security from the outset

It’s a key problem that poor security is a feature of many of these IoT devices right from the outset – and they don’t have to be particularly old to feature poor security. Right out of the box, they can come with default passwords that aren’t changed on installation, and can have a poor level of commitment to firmware updating and patching. They may lack a regular update schedule or a commitment to patch whenever a fault is found, or they may have only a short period of support before dropping out of the support regime completely.

“[An IoT device can] lack support for modern, secure controls like two-factor authentication (2FA), and logging and monitoring of device access and network traffic,” Matt Lewis, commercial research director at NCC Group, tells ITPro.

“They often lack an interface – such as a screen to provide notifications about possible new software updates. And they are regularly overlooked as they appear as black boxes performing a function and are presumed to be fine if operational.

“For many IoT devices, updating their firmware can require physical access, which can be difficult for, say, IP cameras mounted high on fences or gates.”

Why you can’t trust any IoT device

There’s a strongly held view that it simply isn’t possible to trust any IoT device, even if it’s equipped with automatic security updating. “As a former CIO, my guidance is that preparation is the best defense,” Archundia tells ITPro.

IoT devices are often just too much of a risk; they’re too much of a soft entry point into the organization to overlook. It’s best to assume each device is a hole in an enterprise’s defenses. Perhaps each device won’t be a hole at all times, but some may be for at least some of the time. So long as the hole isn’t plugged, it can be found and exploited.


That’s actually fine in a zero trust environment, because zero trust assumes every single act, by a human or a device, could be malicious. The system, therefore, monitors and checks everything on the basis that a successful attack is always a possibility.

Linford adds it’s possible to limit the scope of an attack administered through IoT in a zero trust environment. “Because zero trust focuses on continuously verifying and placing security as close to each asset as possible, a cyber attack need not have far-reaching consequences in the organization,” he says. “By relying on techniques such as secured zones, the organization can effectively limit the blast radius of an attack, ensuring that a successful attack will have limited benefits for the threat agent.”

Still, the devices themselves merit plenty of attention on an individual basis. Lewis advocates a robust asset management process in which organizations take steps to track every single asset as much as possible. “[This includes] subscribing to notifications from all of their tech vendors about any new software updates, and ensuring a documented process is followed to install any updates or security fixes in a timely manner. This should all be done as a periodic routine, rather than, say, a once-a-year activity.”

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.