Secur-IoT-y: what's with the 'o'?

Security for Enterprise Internet of Things (IoT) is the latest concern for the paranoid security practitioners amongst us. However, the Verizon Data Breach report barely has a mention of IoT threats. So, should we be all that worried? Are IoT devices in the enterprise all that different from the other devices we need to secure within our business? To answer these questions, it's important to first consider the various threats that IoT devices might bring to enterprises. 

Enterprise IoT devices could be used:

  • As an entry or exit vector to an enterprise's perimeter
  • To transmit sensitive data out from an enterprise to a cybercriminal's own personal cloud
  • As part of a botnet to launch attacks 

Is there anything new in those threats compared to those on, say, unpatched workstations, or servers with unnecessary ports open and passwords left at their defaults? Well, not really.

But IoT devices are different from other network-enabled devices in the enterprise: central management of IoT devices (for inventory and patches) is almost nonexistent, and they cannot be secured by add-on software like AV. That said, we have always had unmanageable zones among enterprise assets – BYOD, guest Wi-Fi, the ‘red’ zone, the honeypot network, the ‘dev’ network, and so on. Such networks have been secured by following the recommendations learned in any ‘Security Hygiene 101’ course: segment the network, control user access, build walls with the right amount of fire, and enforce basic enterprise security controls (inventory, password policy, patch management, credential control, and so on). Every few years, though, new security challenges arise that call for more advanced controls.

Consider these security scenarios:

  • Internet-connected printers that scan and email (oh my!) documents and have a large memory cache.
    The potential threat(s): Files may not be kept under any user access control on the data drives of the devices, and it might be possible to email a file to any personal account, not just business accounts.
  • IoT devices that not only connect to the cloud for updates and configuration but store data in the cloud and provide access to it via apps (think cameras) that are only password controlled.
    The potential threat(s): Anyone holding the password can log in to the device via the cloud, leaving the device's data (like live camera feeds) one compromised or bad password away from prying eyes.
  • Amazon Alexa for enterprise, which can schedule meetings and dial into conference calls because it has access to enterprise calendars (and any attachments within), and can tell you your flight status because it has access to your Concur profile [2].
    The potential threat(s): The possibilities for exploiting a technology like this to breach an organization are expansive. Aside from using such a device to take over other connected devices and export sensitive information, cybercriminals could get more creative and launch hybrid attacks, such as using a user's personal information about their travel plans to carry out highly targeted spear-phishing, credential phishing, or malware attacks.

These are not really ‘Things’ that connect to the internet, though – they are IT assets, as they have access to potentially sensitive corporate data. The business process for defining how corporate data is stored in these assets (or their respective clouds), and how such data is accessed from outside the perimeter, is the same process that should be followed when adding any other enterprise asset that can hold sensitive data. The process needs to be defined and enforced with security controls. However, the probable lack of central management capability presents unique difficulties, and this constraint should be at the forefront of the buying process; the justification “the camera was so cheap online …” won't fly later if there are issues. When adding IoT devices to the network, think of the management, security and data storage aspects before buying. The ‘Security Hygiene 201’ principles (least privilege access, know thy network by monitoring it, buy from those you trust) now apply to these devices as they do to any IT asset holding corporate data.

What then is the ‘o' in SecurIoTy?

There is an ‘o’, and it's not about enterprise security but rather about attacker mentality. Every smart security team knows that, despite all the equipment, effort and resources put into the security posture, breaches still happen, and the final trick is to reduce the dwell time of an attack. If an attacker is somehow inside the enterprise network, what are the easy targets for stealing data or causing havoc? Remember those internet-connected printers with documents in memory, and the cameras with live feeds. Those are easy and natural targets in a well-protected enterprise network, once you are inside the perimeter.

With the onslaught of these types of connected devices, enterprise security teams must step up to the ‘Security Hygiene 301’ level and bolster their SecurIoTy posture to detect an attack: deploy customized and adaptive decoys of enterprise IoT in the network, and spread breadcrumbs across the network to lure and direct an attacker to those decoys.
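As an added illustration (not code from the original post), here is a minimal decoy ‘IoT printer’ of the kind described above: it listens like a printer's raw-print port, and because no legitimate client has any reason to talk to a decoy, every connection becomes an alert, graded by whether the visitor actually spoke printer job language. The port, the PJL heuristic and the simulated visitor are assumptions made for the example.

```python
import socket
import threading
from datetime import datetime, timezone

def classify(src_ip, payload):
    """Alert record for one touch of the decoy. Nothing legitimate ever uses a
    decoy, so any contact is suspicious; PJL commands start with '@PJL', so a
    payload containing it shows the visitor deliberately spoke to a printer."""
    if b"@PJL" in payload.upper():
        sev, reason = "high", "printer job language sent to decoy"
    elif payload:
        sev, reason = "medium", "unexpected data sent to decoy"
    else:
        sev, reason = "low", "bare connect (likely a port scan)"
    return {"ts": datetime.now(timezone.utc).isoformat(), "src": src_ip,
            "severity": sev, "reason": reason, "bytes": len(payload)}

class DecoyPrinter:
    """Fake raw-print listener. A deployed decoy would sit on the usual printer
    port 9100 (assumed); port 0 lets the OS pick a free one for this example."""
    def __init__(self, host="127.0.0.1", port=0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self.alerts, self._lock = [], threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()
    def _serve(self):
        while True:
            conn, addr = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()
    def _handle(self, conn, addr):
        conn.settimeout(2.0)
        data = b""
        try:
            while len(data) < 4096 and (chunk := conn.recv(1024)):
                data += chunk
        except socket.timeout:
            pass
        with self._lock:  # in a deployment this record is shipped to the SIEM
            self.alerts.append(classify(addr[0], data))
        conn.close()  # closed only after the alert exists, so EOF at the peer means "recorded"

def simulate_visit(decoy, payload=b""):
    """Constructed stand-in for a client reaching the decoy; returns the alerts so far."""
    with socket.create_connection(("127.0.0.1", decoy.port), timeout=5.0) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # EOF tells the decoy the visitor is done
        s.recv(1)  # returns b"" once the decoy has recorded the alert and closed
    return list(decoy.alerts)
```

The breadcrumbs the text mentions are what steer a visitor to such a listener; the listener's only job is to make that visit loud.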

So yes, there is something to the ‘o’ in SecurIoTy – it is the opportunity to detect attacks by building an active defense that lures, detects and defends. Other than that, it all seems like plain vanilla enterprise security – if done the right way.