The Internet of Things (IoT) is expanding rapidly — as are the security and privacy risks associated with it. One recent study suggests that nearly 20 percent of organizations have already suffered distributed denial of service (DDoS) attacks by IoT botnets. Gartner analysts say security concerns are inhibiting growth of the IoT.
Given the enormous business and economic potential of the IoT, organizations can’t afford to stay on the sidelines waiting for some manufacturer or industry consortium to develop better security. There are a number of measures you can take to protect your business while taking advantage of the IoT’s many possibilities.
The consistent application of security best practices within a multilayered security environment can help most organizations deflect attacks. IoT devices themselves are often the most vulnerable element because they usually weren’t designed with security in mind. Many times, they are also connected the business network. That makes them inviting targets for botnet enslavement or gateways to access sensitive data.
One way to improve device security is by updating the embedded device firmware. In many cases, you can register devices with the manufacturer to receive automated firmware updates. Many IoT devices also come with default universal passwords — those should be updated to strong, unique passwords before ever plugging in the device, especially when you are connecting them to a business network.
Since bot infections are typically spread via malware, you must make sure that antivirus and antimalware solutions are up to date. Also, apply current patches for both business and personal devices as well as all operating systems. Check regularly for new updates.
A next-generation firewall will include basic tools for botnet detection, prevention and removal and can improve network segmentation. These tools include intrusion detection systems, rootkit detection packages and network sniffers. Some may include specialized programs that can interrupt the link to the command-and-control server that delivers instructions to the bot. Utilizing a firewall to create segmentation can allow isolation of IoT devices and limit communications to other segments of the network only to what is necessary for business purposes.
IoT security challenges go beyond bot-enslaved devices, however. Because many IoT projects use Wi-Fi to connect devices to the network, the wireless network requires its own security strategy. This requires a comprehensive framework covering all aspects of the wireless infrastructure, from the radio frequency layer all the way to the application layer.
Organizations must put tools in place that check for rogue devices entering the airspace, attacks on wireless links, and unauthorized users attempting to access the network. Also, use secure password practices for wireless routers, and consider using MAC address filtering to limit the devices able to access your network.
It’s also a good idea to disable the Universal Plug and Play (UPnP) on your router. UPnP is a set of protocols that permits devices to be plugged into a network and automatically know about each other. Attackers routinely exploit UPnP weaknesses for all sorts of malicious behavior, including DDoS attacks, malware distribution, click fraud and credit card theft.
Organizations will soon be able to upgrade their wireless network with a much stronger Wi-Fi security standard. The WPA3 protocol features a new handshake protocol and stronger encryption, and addresses connectivity challenges specific to IoT implementations. For instance, WPA3 supports Opportunistic Wireless Encryption (OWE), an existing standard that encrypts every connection between a device and an access point with a unique key, without the need for additional credentials. Even if hackers manage to intercept data packets, they won’t be able to decrypt the master key.
The Internet of Things promises to bring exciting efficiencies to all manner of industries, but malicious actors will continue to find ways to uncover and exploit vulnerabilities. While manufacturers and security vendors must bear some of the responsibility for securing the IoT, all organizations must employ tough security measures to counter potential attacks. To learn more about boosting your IoT security, give us a call.