By Josh Wyatt, global executive services director, Optiv Security
When we think about securing the internet of things (IoT), the conversation usually turns to the sensational – ranging from industrial controllers being compromised to bring down critical infrastructure, to automobile cruise control systems being hacked, to last year’s “holiday nightmare” security story where researchers found that the cuddly Furby Connect’s insecure Bluetooth connection could easily be co-opted by strangers who want to have nefarious conversations with children.
These sensational security stories actually share a common theme with less visible, but more profound, IoT risks: IoT devices are usually deployed with little (if any) thought given to security, because time-to-market trumps security every time. And, because IoT devices tend to have limited processing power, they can’t accommodate an after-market security layer (Furby firewall?), which makes them extremely difficult to secure once they are deployed.
The IoT devices found in your typical office environment tend to fall into that “less sensational but more profound” category of IoT security. In fact, many people may not even think of printers, scanners and even smart watches worn by employees as IoT risks – but they are a legitimate concern. As are wireless keyboards and mice, TVs, refrigerators, smart home devices, office routers, thermostats, ClickShare systems, conference phones, coffee machines, kiosks, projectors, and smart signage. It’s easy to overlook how many IoT devices are in today’s typical office environment, but if any are connected to the company network, they are potential points of vulnerability.
As such, enterprises should implement policies and procedures that minimize the potential security risk created by IoT devices. These can be broken down into three steps: Governance, Contracting, and Device Testing and Approval.
Step 1: Governance
Organizations should integrate IoT governance into their IT governance, risk and compliance (GRC) programs. A key part of establishing governance is to define what IoT means for the organization: a common misstep is to put governance in place without fully understanding the IoT landscape. So, for example, a manufacturer might establish governance around industrial controllers and other operations technology but neglect networked printers and other connected office devices.
One approach to establishing governance is to categorize IoT devices by their role: those that improve customer experience, those that improve employee experience (where most connected office products would fall), and those that deliver a competitive advantage. This type of categorization enables security pros to prioritize these devices based on their business value, so IoT security is prioritized by relative risk to the organization, rather than taking “secure everything equally” approach. Another way to evaluate IoT devices is by how they communicate. Those that are IP-based and network accessible tend to fall into traditional processes within a security policy, while ZigBee and Bluetooth-enabled devices may introduce previously unseen challenges for the organization.
At a minimum, governance should include the following:
· An active and current inventory of devices, which includes information on vendor, version, firmware/application versions, business owners, remediation owners and purpose.
· Assignment of clear roles and responsibilities for managing IoT security. This should include defining who is responsible for identifying, testing, and deploying patches and configurations, as well as who is responsible for evaluating vendors, testing devices and approving device deployment.
Step 2: Contracting
A key component to partnering with an office equipment vendor is clearly defining roles and responsibilities for both parties. If a new vulnerability is discovered in a printer, for example, the vendor should be contractually obligated to assist in the remediation of that vulnerability. If possible, negotiations and vendor selection should include a discussion around this responsibility.
Another way to hold vendor partners accountable is to have a clause in the contract that says you will only deploy and utilize that vendor’s products if they meet usability requirements. Usability requirements can be captured in a simple document that includes definitions and a “secure implementation” clause that says you do not have to pay for the system if it is not patched and up to date.
Step 3: Device Testing and Approval
Many office products and other IoT devices fall neatly into the category of “third-party risk.” As such, organizations should validate that these products are secure and vulnerability free and that the vendor itself follows secure practices. A good way to accomplish this validation is to implement a product testing requirement for any IoT devices that are currently deployed or will be deployed in the future.
Penetration tests are the most effective and direct approach to doing this. They will identify vulnerabilities in the products and show the potential impact the device might have on the environment. This second part is a critical component to the penetration test – understanding whether or not vulnerabilities are actually exploitable. Any test that does not include this component will not be terribly useful, because the purpose of the test is not just to identify vulnerabilities; it is to understand how an adversary may exploit the vulnerability to move laterally across the network.
Unfortunately, there is no single capability or tool that can be used to secure all of the office devices mentioned earlier. However, the foundational aspects of security should still apply to most of them, including:
- No default or weak credentials. The rules an organization uses with conventional computing systems should also apply to the use of IoT devices.
- Network segmentation. There is no reason why a coffee maker should be able to “touch” a server or workstation. By definition, a ClickShare or other wireless presentation system needs to touch a workstation, but there are controls that can be put in place to do so securely.
- Patch and configuration management. As part of the governance guidelines, someone needs to hold responsibility for patching and remediation of identified vulnerabilities and configuration weakness. Ideally, the vendor will accept responsibility for these functions with at least some of the IoT technologies.
- Asset Management. Understanding the complete roster of IoT devices and the people who hold responsibility over them is critical to having an effective IoT security program. It is impossible to remediate vulnerabilities or respond to incidents for devices that have no defined business or remediation owners.
- Threat Management. This term can be defined in many ways, but in the context of IoT, it should be threat-intelligence-driven offensive testing, response and remediation. A threat management program should be more than the typical “once a year” penetration test. It should be driven by threat intelligence (that is, new vulnerabilities and exploits discovered in IoT devices), with penetration testers adopting the perspective and likely techniques of potential enemies, not just reporting the results of vulnerability scans. This approach will ensure that actual enemies will not be able to exploit IoT devices for broader network access.
Putting it all together, to secure today’s smart office products, security pros should understand and define IoT for their organization, develop effective governance, and use the “enemy perspective” approach to threat management to identify weaknesses. By taking these steps, organizations can not only safely adopt IoT devices in the workplace; they can also develop sound security habits that can be transferred across the rest of the organization.