Taking a zero-trust approach to security is pretty much the standard by which organizations are measured these days. It means no user can be on the network without being authenticated and continuously validated.
We think of users as people. But users can also be things. And these internet-facing things – Internet of Things (IoT) devices – can be as much of a cyber security issue as people. Actually, they can be more of a security issue.
The dangers of enterprise IoT
Organizations rely on IoT devices to help them keep operational on a day-to-day basis. There are plenty of devices that keep a business running including security cameras, printers, smart TVs, conference room equipment, kitchen equipment, and environmental sensors. These might include thermostats, smoke detectors, and ventilation systems alongside smart locks and room entry management systems.
READ MORE
The UK's IoT proposals are riddled with 'astonishing' gaps
All of these use software to complete tasks and share data with other devices, inside or outside the network. Their communication is typically automated, machine to machine, and doesn’t involve a human. It may never be monitored in any way that’s meaningful in a security-conscious sense.
Normally, we’d consider many of these devices as the domain of the facilities team rather than the IT team, and outside the scope of the enterprise network that needs protecting. It’s one of the many considerations when it comes to assessing IoT security risks.
“Consider older facilities,” says Abel Archundia, managing director, of global advisory and life sciences at ISTARI. “They may create or manage sensitive data yet likely have air conditioning units or cameras installed years ago in the same network. And most of these systems have no protocol to upgrade operating systems in IoT devices. The worst thing is that they’re not very complex or hard to crack.”
Each of the devices attached to an organization’s network presents a danger, John Linford, Security & OTTF Forum Director at the Open Group explains.
“Devices inevitably have vulnerabilities through their connection to a network,” he tells ITPro. “With the growing use of IoT devices, a business’s attack surface expands as attacks can originate from the channels that connect IoT devices.”
Poor security from the outset
It’s a key problem that poor security is a feature of many of these IoT devices right from the outset – and they don’t have to be particularly old to feature poor security. Right out of the box, they can come with default passwords that aren’t changed on installation, and can have a poor level of commitment to firmware updating and patching. They either lack a regular schedule, a commitment to patch whenever a fault is found or have a short period of support before dropping out of the support regime completely.
“[An IoT device can] lack support for modern, secure controls like two-factor authentication (2FA), and logging and monitoring of device access and network traffic,” Matt Lewis, commercial research director at NCC Group, tells ITPro.
“They often lack an interface – such as a screen to provide notifications about possible new software updates. And they are regularly overlooked as they appear as black boxes performing a function and are presumed to be fine if operational.
“For many IoT devices, updating their firmware can require physical access, which can be difficult for say IP cameras mounted high on fences or gates.”
Why you can’t trust any IoT device
There’s a strongly held view that it simply isn’t possible to trust any IoT device, even if it’s equipped with automatic security updating. “As a former CIO, my guidance is that preparation is the best defense,” Archundia tells ITPro.
IoT devices are often just too much of a risk; they’re too much of a soft entry point into the organization to overlook them. It’s best to assume each device is a hole in an enterprise’s defenses. Perhaps each device won’t be a hole at all times, but some may be for at least some of the times. So long as the hole isn’t plugged, it can be found and exploited.
READ MORE
That’s actually fine in a zero trust environment, because it assumes every single act, by a human or a device, could be malicious. The system, therefore, monitors and checks everything on the basis that a successful attack is always a possibility.
Linford adds it’s possible to limit the scope of an attack administered through IoT in a zero trust environment. “Because zero trust focuses on continuously verifying and placing security as close to each asset as possible, a cyber attack need not have far-reaching consequences in the organization,” he says. “By relying on techniques such as secured zones, the organization can effectively limit the blast radius of an attack, ensuring that a successful attack will have limited benefits for the threat agent.”
Still, the devices themselves merit plenty of attention on an individual basis. Lewis advocates a robust asset management process in which organizations take steps to track every single asset as much as possible. “[This includes] subscribing to notifications from all of their tech vendors about any new software updates, and ensuring a documented process is followed to install any updates or security fixes in a timely manner. This should all be done as a periodic routine, rather than say a once a year activity”.
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Zero trust gains momentum amid growing network visibility challengesNews Organizations are looking to automation, orchestration, and risk mitigation as key security priorities
-
Billions of IoT devices will need to be secured in the next four years – zero trust could be the key to success
News Researchers have warned more than 28 billion IoT devices will need to be secured by 2028 as attacks on connected devices surge.
-
Cognizant and Zscaler expand partnership to launch new AI-powered zero trust security toolsNews The pair’s expanded partnership aims to help customers simplify their security setups while tackling evolving cyber threats
-
The evolution of SASE and its importance in zero trustSupported Content SASE has been an increasingly important security framework for five years – but integrating zero trust is crucial to its success
-
Why siloed thinking could be undermining your zero trust strategy
Advertisement Feature Despite the majority of businesses now moving towards a zero trust strategy, a siloed view of security means many are unable to fully embrace everything the technology has to offer
-
Ten ways a zero trust architecture protects against ransomwarewhitepaper The most effective strategy for ransomware protection
-
The state of zero trust transformation, 2023whitepaper From prevention to enablement: Leveraging the full potential of zero trust for the highly mobile and cloud-centric enterprise
-
A brief history of zero trustwhitepaper The cybersecurity game changer, from concept to cornerstone
