A questionable understanding of the term, and of what the technology actually does, can leave organizations exposed.

As the IT press tells us with monotonous regularity, the Internet of Things (IoT) is a global cyber security disaster – people might even be able to hack our electric kettle and gain access to our networks. As Ken Munro, security pen tester and presenter of the video in the previous link, puts it: “Unfortunately, security and the Internet of Things aren’t often found in the same place”. It feels like we security professionals need to care a lot about IoT, then.

Let’s back up for a moment and ask ourselves: what does IoT actually mean? IBM has a great definition, calling it “a network of physical devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity that allows them to collect and share data”.

IoT Creep into Organizations

Now, when we think of IoT, most of us are thinking of hardware like “smart home” kit – cameras, video doorbells, Wi-Fi-connected refrigerators and so on. We all know that IoT creeps into many businesses as “shadow IT” – kit that has been bought and installed by users without the knowledge of the IT team (or, in the most frightening cases, after the IT team has expressly refused to entertain the idea of installing it). The question is, do we need to care about this type of equipment?

In some ways, no. If we’ve secured our private networks properly (and, perhaps surprisingly, many of us do: 802.1X authentication on the wired switch ports and on the corporate WLAN, with anything that fails it dropped or parked in a quarantine VLAN), it shouldn’t be possible to connect a new device to either the cabled Ethernet network or the wireless LAN without IT configuring the infrastructure to allow it in, or at least becoming aware of its existence. One therefore finds that “shadow IT” equipment is often languishing on the “guest” Wi-Fi network, which can’t see the private network at all. That means a successful attacker can only really move around the non-critical, almost sandbox-like, public-facing network and not see the company’s crown jewels. It holds only as long as the guest network really is isolated, though: the rule between guest and private should be deny-all, and it is worth confirming that it still is rather than assuming it.

There are two problems, though. First, even if the kit isn’t on your private network, it’s in your private premises. All this stuff is sitting on desks, pinned to ceilings and walls, and can hear (if it has a microphone) and see (if it has a camera) what’s going on. Intruders no longer have to sneak past your security guards to look around the building – they just have to find a way into your guest Wi-Fi (and I bet you’ve never done a scan and seen how badly your Wi-Fi network signals leak out through the walls and windows of the office, into the car park and over the back fence). A walk around the outside of the building with a laptop or phone running a Wi-Fi scanner, noting where your SSIDs are still usable, is a cheap afternoon’s work and usually a sobering one.

Problem two with IoT comes not just with “shadow IT” but even with kit that is formally sanctioned and supported by the IT team. On the face of it you probably have a reasonable level of security by putting everything behind a NAT firewall so people can’t just make an inbound connection to it from the internet. In the vast majority of cases, though, you manage IoT kit via a portal on the vendor’s web site – that is, out there on the internet. How do you connect to the individual devices? Easy: the management portal can’t connect inbound, so all the devices make an outbound connection to the portal. Typically the device keeps that session open (usually TLS on port 443, so it looks like any other web traffic) and the portal sends its commands back down it, which means your inbound firewall rules never get a say. And where there’s a connection, there’s a way to do something bad with it.

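Both of the points above, that unknown kit ought to be visible to IT and that sanctioned kit quietly holds an outbound channel to its vendor’s portal, can be checked from the same data: the firewall’s egress log. The script below is an added example written for this article, not the author’s code or any vendor’s tool. The log format, the device inventory and the addresses in it are constructed (RFC 5737 documentation ranges), so the parser will need adapting to whatever your firewall actually emits. It groups outbound sessions per device and destination, flags the ones that recur at a regular interval (the phone-home pattern), and rates each finding by whether the device is in the inventory and which VLAN it sits on.

```python
"""Spot devices that beacon to a cloud portal, and tell sanctioned kit from shadow IT.

Added example for this article, not the author's or any vendor's code. The log
format, inventory and addresses below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: MAC -> (name, VLAN it is supposed to live on).
# Anything not listed here is treated as unmanaged.
INVENTORY = {
    "b0:09:d3:aa:bb:01": ("hvac-controller-1", "ot"),
    "00:1a:2b:3c:4d:5e": ("laptop-finance-03", "corp"),
}

# Constructed firewall egress log, one line per permitted outbound session:
#   <iso-timestamp> <src-mac> <src-ip> vlan=<vlan> -> <dst-ip>:<port> bytes_out=<n>
LOG = """\
2024-05-01T08:00:00 b0:09:d3:aa:bb:01 10.10.5.20 vlan=ot -> 203.0.113.10:443 bytes_out=512
2024-05-01T08:05:00 b0:09:d3:aa:bb:01 10.10.5.20 vlan=ot -> 203.0.113.10:443 bytes_out=480
2024-05-01T08:10:01 b0:09:d3:aa:bb:01 10.10.5.20 vlan=ot -> 203.0.113.10:443 bytes_out=501
2024-05-01T08:15:00 b0:09:d3:aa:bb:01 10.10.5.20 vlan=ot -> 203.0.113.10:443 bytes_out=497
2024-05-01T08:00:10 f0:f0:f0:01:02:03 10.10.1.77 vlan=corp -> 198.51.100.7:8883 bytes_out=120
2024-05-01T08:01:10 f0:f0:f0:01:02:03 10.10.1.77 vlan=corp -> 198.51.100.7:8883 bytes_out=118
2024-05-01T08:02:10 f0:f0:f0:01:02:03 10.10.1.77 vlan=corp -> 198.51.100.7:8883 bytes_out=122
2024-05-01T08:03:11 f0:f0:f0:01:02:03 10.10.1.77 vlan=corp -> 198.51.100.7:8883 bytes_out=119
2024-05-01T08:00:30 00:1a:2b:3c:4d:5e 10.10.1.40 vlan=corp -> 192.0.2.44:443 bytes_out=9000
2024-05-01T08:07:45 00:1a:2b:3c:4d:5e 10.10.1.40 vlan=corp -> 192.0.2.44:443 bytes_out=3200
2024-05-01T08:33:02 00:1a:2b:3c:4d:5e 10.10.1.40 vlan=corp -> 192.0.2.44:443 bytes_out=7100
2024-05-01T08:34:00 00:1a:2b:3c:4d:5e 10.10.1.40 vlan=corp -> 192.0.2.44:443 bytes_out=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<src>\S+) "
    r"vlan=(?P<vlan>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are skipped rather than fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "mac": d["mac"], "src": d["src"], "vlan": d["vlan"],
            "dst": f"{d['dst']}:{d['port']}", "bytes": int(d["bytes"]),
        })
    return events


def beacon_interval(times, min_events=4, max_cv=0.2):
    """Mean gap in seconds if the timestamps form a regular beacon, else None.

    'Regular' means at least min_events sessions whose inter-arrival times have
    a coefficient of variation (stdev / mean) of at most max_cv. Ad hoc human
    traffic to the same host has ragged gaps and fails this test.
    """
    if len(times) < min_events:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0 or statistics.pstdev(gaps) / mean > max_cv:
        return None
    return mean


def severity(managed, vlan):
    if not managed and vlan != "guest":
        return "high"    # unsanctioned device with a cloud channel on a private VLAN
    if not managed:
        return "medium"  # shadow IT on guest Wi-Fi: off the LAN, but still on the premises
    return "info"        # sanctioned, but its vendor portal is now part of your attack surface


def find_phone_home(events, inventory):
    """One finding per (device, VLAN, destination) that beacons regularly."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["mac"], e["vlan"], e["dst"])].append(e["ts"])
    findings = []
    for (mac, vlan, dst), times in flows.items():
        interval = beacon_interval(times)
        if interval is None:
            continue
        managed = mac in inventory
        findings.append({
            "mac": mac, "name": inventory[mac][0] if managed else "UNKNOWN",
            "vlan": vlan, "dst": dst, "managed": managed, "sessions": len(times),
            "interval_s": interval, "severity": severity(managed, vlan),
        })
    # Worst first: unmanaged devices ahead of inventoried ones, then by VLAN name.
    return sorted(findings, key=lambda f: (f["managed"], f["vlan"]))


if __name__ == "__main__":
    for f in find_phone_home(parse_log(LOG), INVENTORY):
        print(f"[{f['severity']}] {f['name']} ({f['mac']}) on vlan {f['vlan']} "
              f"beacons to {f['dst']} every {f['interval_s']:.0f}s ({f['sessions']} sessions)")
```

A regular beacon to a single external endpoint is exactly what a cloud-managed device looks like from the inside, and exactly what the inbound rule set knows nothing about. Run over a day of logs, the “high” findings are your shadow IT that already has a management channel, and the “info” ones are the list of vendor portals whose accounts and update pipelines you are now trusting. The jitter threshold is a starting point; a device that holds one long-lived TLS session rather than reconnecting shows up as a single flow and needs a session-duration check instead.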
Taking Advantage of IoT on the Network

“Something bad” in this sense takes two forms. The most basic one is to compromise your login credentials for the portal and simply take over management of your equipment. In most cases, though, the vendor will be sensible and enforce Multi-Factor Authentication (MFA) to make this very hard: for example, this correspondent just checked his smart doorbell (Ring, if you’re wondering – other smart home vendors are available) and was prompted for an MFA code. It is worth checking that the portal enforces MFA for every account that can manage your devices, not just the one you happen to log in with, and that any API tokens it issues actually expire. The more advanced one is to compromise the vendor’s systems via a more “traditional” hacking route and do something nasty – the classic example of which is the SolarWinds attack of 2020, in which malicious actors placed rogue code into a software update which customers then innocently downloaded. SolarWinds Orion is a network management suite rather than an IoT product, but the pattern is exactly the one that should worry us here: a trusted vendor, a trusted update channel, and thousands of customers who pulled the poisoned build without a second thought.

So far, we’ve talked about the kind of IoT you find in the average home or office, but let’s take a look back at the IBM reference we made earlier. It says that IoT devices “can range from simple ‘smart home’ devices like smart thermostats, to wearables like smartwatches and RFID-enabled clothing, to complex industrial machinery and transportation systems”.

Yes, the same threats can be posed to us by massive industrial systems as by simple cameras and thermostats. The Facilities team that wants to remote-control the air-conditioning from home, rather than coming on-site when alerts sound, is just as big a threat to our security. Many modern cars now contain a 4G SIM so the owner can turn on the air-con from a phone app and have it nice and cool when they get in five minutes later. While this is nice and convenient, it makes you think when you then read about researchers hacking a big truck, and what might happen if a bad actor did this in real life.

So, then, IoT isn’t all about small things. It exists in all shapes and sizes. And whether it’s a camera that someone could hack to look around your office, or a massive drill whose compromise could potentially be fatal, we have to be constantly vigilant and do something about the threat. Let’s remind people what they need to do and help them do it.