A Day in the Life of an IT Pro: Hacked off with IoT

Friends, Romans, fellow IT Pros, lend me your ears. It’s time to talk about the Internet of Things (IoT). Now, I know the topic of connected fridges and the like is often covered, but amid the cacophony of excited consumers is a warning – the impact of IoT on enterprise security could be monumental.

Earlier this year, I was fortunate enough to attend CeBIT, where I witnessed a demonstration by security researchers who showed just how easy it was for them to hack a Bluetooth-enabled “personal massager” (I won’t elaborate further). The demonstration initially brought a ripple of amusement, before the researchers pointed out that by using the same techniques, hackers could actually infiltrate the backend of the connected product and attack the manufacturer. The giggles soon stopped.   

While the IoT is something to be excited about for consumers and businesses alike, the buzz and economic potential of IoT is resulting in vendors rushing their products to market, relegating security concerns to an afterthought. Poorly conceived and executed IoT devices now pose a real threat to enterprise security, so what can we – the IT pros – do about it?

Best laid plans

Strategy is vital when implementing secure IoT because, to borrow that old phrase, failing to prepare is preparing to fail. If there is even a slim chance that your organization may one day turn to IoT technology, policies and procedures should be put in place immediately, long before the first device gets through the door.

Now, putting a strategy in place is time-consuming and offers up a variety of hurdles, from office politics to obtaining management buy-in and dealing with a great many queries from people throughout the organization. However, the hard graft is worth it, as a well-considered strategy is often the difference between being breached and being protected.

First, your corporate policy for IoT devices must have a detailed, clearly defined framework. In a policy that covers all devices beyond smartphones, tablets, laptops and watches that connect to networks, I’d recommend that an organization demands its IoT vendors commit to some pretty strict rules.

These should include certifying the security of their device, publishing changes in advance of each new version of its OS, and informing customers when they are changing the choice of hardware components and sub-components for future production runs of said device.

The framework should also specify that corporate adopters must agree to budget for both funds and staff, allowing for ongoing testing of the vendor’s hardware and software updates, including security reviews as part of the adoption cycle.

Stop rolling your eyes. Yes, this may strike some as over-cautious, and yes, it may result in a few headaches – from higher cost of ownership of the devices, to friction among management and IT pros; and we already have enough on our plates. Yet by avoiding this level of strategic thinking we are asking for a serious amount of trouble, and it’s always better to be safe than sorry with IT security.

Let’s talk tactics

After the strategy comes the tactics, with IT pros having to assess the IoT devices already within their organization. With strategy tackling the long-term, it’s time to look at the action you can take right now to manage the devices already within reach.

First, turn to a NetFlow analyser – a tool which you should already have access to. While NetFlow may be more commonly associated with figuring out where bandwidth usage is going, it can also expose the transfers of data between two specific endpoints via the same port and protocol within an organization. By tracking these “conversations” you can easily identify IoT behavior and monitor the sites which are being connected to your organization, all using a tool that you likely already have.

Next, you need an IP address management (IPAM) tool. The IPAM (a useful tool, regardless of IoT) does what it says on the tin – it identifies and manages IP addresses. This is particularly useful for IoT devices as they take up a huge number of IP addresses, while many have MAC addresses that group together under the umbrella of a single vendor. As a result, the IPAM will allow you to automatically locate and report upon IoT devices while it carries out its usual tasks.

The third and final weapon in your war against IoT hacks is deep packet inspection (DPI), an interface in the middle of IoT traffic that captures and analyses packets, identifying the source and destination IP, port and protocol. This information can help categorize the packet, whether it’s potentially malicious, a business application or something else entirely, and is an extremely useful tool when keeping tabs on IoT traffic.
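The NetFlow and IPAM steps above can be combined in a few lines. The following is an added example, not code from the article or from any particular product: it groups IPAM leases by MAC vendor prefix to find likely IoT clusters, then sums flow records into per-device “conversations” and lists those outside an agreed allowlist. All addresses, prefixes, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; every address and prefix below is made up.
LEASES = [  # (ip, mac) rows as an IPAM/DHCP export might list them
    ("10.0.20.11", "02:aa:bb:10:00:01"),
    ("10.0.20.12", "02-AA-BB-10-00-02"),
    ("10.0.20.13", "02:AA:BB:10:00:03"),
    ("10.0.5.40", "02:11:22:5c:00:09"),
]
APPROVED_OUIS = {"02:11:22"}  # prefixes of managed laptops (assumed)
FLOWS = [  # (src, dst, dst_port, proto, bytes) simplified flow records
    ("10.0.20.11", "203.0.113.7", 8883, "tcp", 1200),
    ("10.0.20.11", "203.0.113.7", 8883, "tcp", 900),
    ("10.0.20.13", "198.51.100.9", 23, "tcp", 64000),
    ("10.0.5.40", "203.0.113.50", 443, "tcp", 5000),
]
ALLOWED_DESTS = {("203.0.113.7", 8883)}  # vendor endpoint agreed in policy (assumed)

def oui(mac):
    """Normalise a MAC and return its vendor prefix (first three octets)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def candidate_iot(leases, approved=APPROVED_OUIS, min_cluster=3):
    """IPs whose MACs cluster under one unapproved vendor prefix."""
    groups = defaultdict(list)
    for ip, mac in leases:
        groups[oui(mac)].append(ip)
    return {p: sorted(ips) for p, ips in groups.items()
            if p not in approved and len(ips) >= min_cluster}

def conversations(flows, device_ips):
    """Sum flows into (src, dst, port, proto) -> (flow count, bytes)."""
    totals = {}
    for src, dst, port, proto, nbytes in flows:
        if src in device_ips:
            key = (src, dst, port, proto)
            count, total = totals.get(key, (0, 0))
            totals[key] = (count + 1, total + nbytes)
    return totals

def off_policy(convs, allowed=ALLOWED_DESTS):
    """Conversations whose destination and port are not on the allowlist."""
    return sorted(k for k in convs if (k[1], k[2]) not in allowed)

if __name__ == "__main__":
    ips = {ip for group in candidate_iot(LEASES).values() for ip in group}
    print(off_policy(conversations(FLOWS, ips)))
```

The cluster threshold and the allowlist are the two values to tune; a real deployment would feed in the analyser’s exported flow records and the IPAM’s lease table in place of the inline samples.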

What now?

The proliferation of IoT devices was always going to have an impact on organizations’ security. Any chinks in your business’ armor are ready to be exposed by any number of devices, from cars to children’s toys, with each seemingly benign object now a potential Trojan horse for hackers.

So, before we roll our eyes at yet another mention of IoT and those damned connected fridges, bear in mind the impact it could have on your organization if you fail to properly prepare. Through strategic and tactical thinking, IT pros can avoid being swept away by this new wave of innovation and instead capitalize on its opportunities.
