DDoS attacks are hardly the only way attackers pit IoT against the enterprise. Cyber miscreants compromise IoT to unlock treasure troves of PII, which grants them ammunition to easily gather passwords for accounts at businesses, government agencies inside the military. Because many connected devices mean many passwords, criminal hackers also crack IoT at home and at work to cull countless device credentials. They test these passphrases on enterprise systems, assuming that people repeat the same word jumbles on every system they access.
Since the holiday shopping season, consumers have been speaking very personal commands into their exciting new IoT devices such as Alexa, Google Home Amazon Echo, says Elliott Abraham, CISSP Senior Security Architects, ADAPTURE. These commands, which reference musical selections, shopping habits, and preferences for news items tell a great deal about a person, adds Abraham.
Attackers hacking these devices use this information in social engineering campaigns and very targeted spear-phishing to get you to log in to bogus sites or otherwise reveal the access credentials you may well use across many sites and systems, including your employer’s, explains Abraham.
Because people reuse passwords everywhere, data crooks also exploit IoT by compromising device passwords that they then try on accounts in more valuable locations and systems, says Dr. John Michener, chief scientist, Casaba Security.
Whatever the IoT abuses that concern you, WindowsITPro provides expert fixes.
Solutions to IoT initiated intrusions
No matter how attackers gather PII, you can keep them from seeing any benefit by acquiring your best technical, policy, and employee training defenses against social engineering and spear phishing. Technically, implement thorough patch management, spam filters, anti-virus, anti-malware behavior-based security tools. Filter content at a gateway device and encrypt sensitive data and remote connections. Get a hacker who is neck-deep in state-of-the-art techniques to pen test your network and every entry point in it on a regular basis. Use network monitoring that doesn’t drown you in alerts over false positives.
Changes in operating system platforms hold promise for defeating social engineering and phishing, according to Dr. Michener. “For example, the move to app-like isolation such as the use of Microsoft container technology on Windows platforms will provide a reasonable level of incremental protection for users who inadvertently follow links and view documents,” says Dr. Michener.
Enterprises should develop security policies that fully address social engineering and spear phishing from before the moment criminal hackers initiate these techniques through every stage of an attack and beyond. With the existence of IoT, the Dark Web dwell time, the cyber kill chain does not expose every element that requires an associated security policy item.
Security policies also present challenges. If for example, as a security policy, organizations configured their environments so that employees had to use public accounts for browsing and externally-sourced email and had to use internal accounts for internal usage (with a strong filter between the two environments), phishing compromises would be much less effective, according to Dr. Michener. But the enterprise is unlikely to deploy this widely to most workers because it impacts workplace routines, explains Dr. Michener.
The enterprise should create an employee security education program and accurately measure its effectiveness over time. Change program elements or the whole program if it’s not working. Take a positive, inclusive approach that rewards employee success in security matters.
According to Abraham, the enterprise should train employees in a manner that will strengthen “the human firewall” by making security a part of company culture, using screensavers that rotate security messages to get the word out, and using “message of the day” screens when accessing company systems to enforce acceptable use policies. The business must train employees on Identity Awareness and protecting PII, use quarterly phishing awareness campaigns that send carefully crafted emails to users to test the effectiveness of security training, and use Training and Awareness systems to make learning about security topics fun and informative while incentivizing the employees to complete the training, says Abraham.
Keep attackers from getting and getting far with IoT passwords
To keep attackers from exploiting IoT passwords, enforce strict policies that prevent password reuse. Keep an accurate inventory of connected devices on your network and deploy a proven approach to detecting when new devices come online, says Abraham. “Network Access Control (NAC) is a great way to keep rogue IoT devices from connecting to your network,” says Abraham.
IoT devices should operate within appropriate zones, and access only allowed sites, according to Abraham. “For example, most reasonable network administrators might find it strange to see an IP address associated with their conference room phones connecting to Dropbox. Visibility and vigilance are key; know what you have and enforce policies of connectivity,” insists Abraham. Make this part of the policy and enforce it technically.
Test IoT devices before deploying them to production. “Enterprises should create an air gap network that is physically isolated from unsecured networks and mimics the existing production infrastructure,” says Kevin Kelly, CEO, LGS. Do vulnerability analysis of IoT devices on this second network to maintain security, find holes in the network and devices, and determine whether and how you can deploy each connected device, according to Kelly.
To deploy IoT to production more securely, the enterprise should nest these inside isolated VLANs, use proper firewall rules, and configure each device correctly, says Michener.