Could your organisation’s CCTV cameras, digital video recorders, routers, or even corporate vehicles be vulnerable to cyberattacks? As more devices connect to the Internet of Things (IoT), public and private sector organisations need to take extra steps to protect their employees, customers and data.
A few years ago, Chrysler recalled 1.4 million vehicles after security researchers demonstrated that a Jeep’s digital systems could be hacked using just a laptop and an internet connection. They showed it was possible for hackers to remotely disable the brakes or even cut the transmission, with potentially deadly consequences.
This is just one of many real-world examples that highlight the security risks associated with IoT-enabled devices, and the cost of inaction. Imagine the danger an employee could face if a corporate vehicle were hacked while they were driving? Or the consequences of cyberattackers turning up the heat on the temperature control system that regulates your server room or refrigeration system?
Organisations shouldn’t be scared of IoT-enabled devices, as they can be effective enablers to business functions and processes (such as home and office automation devices, energy and utility management systems, smart appliances and building and security management systems). But as with any acquisition of technology, the security implications and risks should be considered and assessed.
This is because the use of IoT devices in your environment can potentially increase the attack surface and risk of malicious attacks (due to the additional vectors for compromise). They can also be popular targets that increase the accessibility of powerful Distributed Denial of Services (DDoS) attacks. One of the best-known is the Mirai botnet, which took down high-profile websites including Netflix and Twitter in 2016. The attack was executed using compromised IoT devices such as CCTV cameras, digital video recorders and routers.
How to reduce your organisation’s risk
When it comes to IoT security, there’s no such thing as a silver bullet solution. There are, however, simple precautions that can reduce your risk exposure from IoT-enabled devices.
1. Changing default administrator usernames and passwords on devices
Following good password practices such as regularly changing passwords (and ensuring they are strong and unique) will reduce the risk of a successful attack. The 2016 Mirai botnet attack, for example, was possible because users did not change the default administrator usernames and passwords found in internet-connected devices, making it easier for hackers to gain access.
2. Where practical, closing unrequired inbound ports and applying network segmentation
Allowing only required outbound connections on devices reduces exposure to threats. Security risks of leaving inbound ports open indefinitely include malware infections, data theft, and arbitrary code execution. Applying network isolation (e.g. segmenting your IoT devices into a separate network from your Corporate network) to devices will also reduce the impact if the IoT device or another visible network device is compromised.
3. Sourcing devices from trusted providers
Purchase IoT devices from reputable manufacturers that provide regular security patches. If a deal sounds too good to be true, it probably is.
4. Proactively monitoring devices
Keep an eye out for suspicious activity on IoT-connected devices. For example, a device that has unexpectedly gone offline, or is otherwise behaving strangely, could indicate tampering is taking place.
Are you considering using IoT devices in your organisation? The Cordelta security team can provide advice on how to assess and manage security risks, in a way that enables your business within your risk appetite. Contact us today for more information.
Beneton Chu is a security consultant at Cordelta, a Canberra-based professional and management services firm.
Original Article published by Beneton Chu on the RiotACT.