IoT Security: 5 Tips To Protect Your Devices From Hackers

Best Practices For The Connected Era

Steven Lerner

As the Internet of Things (IoT) transforms IT, enterprises are cognizant of IoT security vulnerabilities, and are devoting major resources to protect company data. These billions (and billions) of new endpoints represent the newest attack vectors in the enterprise.

With major security challenges from these new endpoints, enterprises must be vigilant and take precautions. Here are five best practices to protect the new devices and the data on them.

1. Create Strong Passwords

As with other endpoints and mobile apps, one of the foundations of IoT security is having the strongest passwords possible. While this may sound obvious, over 80% of all data breaches are caused by weak passwords. The proliferation of devices in the enterprise means that easy-to-guess passwords must be avoided. Enterprises should ensure that all passwords are long and difficult for hackers to determine. Similarly, all passwords should be backed by multi-factor authentication. When used correctly, multi-factor authentication can safeguard all devices from potential attacks. If a hacker attacks a device protected by multi-factor authentication, properly trained employees should recognize the potential attack and report it to IT or security teams.

Just as with other devices, it is critical in IoT security that default passwords are always avoided. Many connected devices come with default passwords, and some organizations may assume that these passwords are sufficient. The problem is that these default passwords are so common that hackers could easily infiltrate devices with them. This is such a common problem that California banned all IoT devices that rely on default passwords.

2. Isolate The Devices

With some devices having questionable security capabilities, it is imperative that some are removed from the network and placed in their own isolated network, such as a virtual LAN. Generally speaking, IoT devices should not automatically connect to an open WiFi network. However, this is only a first step in the process. Enterprises should strongly consider segregating devices onto a separate firewalled network to prevent major security breaches. By taking this step, an enterprise can prevent a security incident before it occurs.

In light of the importance of device isolation for security, the Internet Engineering Task Force (IETF) published guidelines about basic architecture models:

  • Device-to-device: Devices that are connected on the same network and use wireless PAN protocols, such as Bluetooth.
  • Device-to-cloud: Using long-range communication, these devices are connected to the cloud, where data can be transmitted and analyzed.
  • Device-to-gateway: Gateway devices are like the middle-man in the IoT world. Data from devices or sensors can be transmitted to the gateway, and in turn sent to the cloud.
  • Cloud-to-cloud: This architecture allows third parties in the organization to access data in the cloud after it has been uploaded by the device.

3. Protect Data With A VPN

Whenever possible, data transmitted from devices should be encrypted. Devices that only support encrypted communication can take advantage of this, and it is a great way to improve IoT security. However, this is not always possible, which is why a virtual private network (VPN) should be used so that data can be protected.

A VPN is a great way to mask both the data and the user's IP address. This makes it more difficult for hackers to track the activity of users and the flow of data on the device. One of the best features of a VPN is its encryption, which usually relies on an advanced military-grade standard known as 256-bit AES encryption. By using a VPN, an enterprise can ensure that all data moving to and from the device will be masked. This solution also prevents the hacker from knowing which device the data is being transmitted to. In addition to the encryption, a strong VPN can also provide DNS leak protection and IP switching, which will prevent hackers from finding IP addresses.

4. Shut Off Unnecessary Functionalities

Some devices are equipped to handle multiple functionalities. However, if a device has one or more functionalities that will not be used by an organization, then those functionalities should be shut off. For example, if a smart television in an office is only used for display purposes, then there is no reason for it to be connected to the network (even if it has the capability to do so). Likewise, if a printer, which is one of the most common attack vectors in offices today, has faxing capabilities but is never used for that, then those capabilities should be shut off.

Any time a device is taken off the network, it decreases the chances of getting hacked. This is especially true in IoT security with devices that don’t have to be connected to the same network. By limiting attack surfaces, an enterprise will do its part in enhancing security. Some organizations go as far as to block functionalities on devices, such as cameras and microphones, to prevent them from ever being connected to the network. There are even cases of physically blocking off a USB port so that a particular device doesn’t get connected.

5. Centralize Access Logs

More businesses are using new devices now than ever before, so it is up to IT departments to take charge and protect them. However, IoT security could be futile if centralized access logs are not being leveraged.

When malware strikes a device, IT departments are tasked with wiping, rebooting, or changing the device’s password. However, instead of stopping attacks from occurring, this is only a reactive approach to the attacks.

A centralized access log allows IT team members to determine what has been connected to the network in the first place. This insight allows enterprises to recognize threats before they become a problem. It is a proactive approach to preventing devices from being compromised. As the number of endpoints in the enterprise increases, it is critical that centralized access logs become a part of an IoT security strategy.
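As an added example (not part of the original article), the sketch below shows one way a centralized access log can answer "what has been connected to the network": it compares connection events against a device inventory and flags unknown devices, known devices seen outside their isolated VLAN, and inventory devices that never appeared. The log format, host names, MAC addresses, VLAN numbers and the `audit` function are all constructed assumptions.

```python
import re

# Constructed inventory: MAC -> (device name, VLAN the device is approved for).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-tv", 20),
    "aa:bb:cc:00:00:02": ("printer-3f", 20),
    "aa:bb:cc:00:00:03": ("badge-reader", 20),
}

# Constructed log lines, as a collector might receive them from several sources.
SAMPLE_LOG = """\
2024-05-01T08:00:12Z dhcp-01 LEASE mac=AA:BB:CC:00:00:01 ip=10.20.0.15 vlan=20
2024-05-01T08:03:40Z wlc-02 ASSOC mac=aa:bb:cc:00:00:02 ip=10.10.0.77 vlan=10
2024-05-01T08:05:02Z dhcp-01 LEASE mac=de:ad:be:ef:00:09 ip=10.20.0.44 vlan=20
2024-05-01T08:06:00Z dhcp-01 malformed entry without fields
2024-05-01T09:15:30Z dhcp-01 LEASE mac=aa:bb:cc:00:00:01 ip=10.20.0.15 vlan=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>LEASE|ASSOC) "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"ip=(?P<ip>\S+) vlan=(?P<vlan>\d+)$"
)

def audit(log_text, inventory):
    """Return (findings, unparsed_lines, silent_macs) for one batch of log lines."""
    findings, unparsed, seen, reported = [], [], set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)  # keep it: a dropped line can hide a device
            continue
        mac, vlan = m["mac"].lower(), int(m["vlan"])
        seen.add(mac)
        if mac not in inventory:
            kind = "unknown-device"
        elif inventory[mac][1] != vlan:
            kind = "wrong-vlan"  # device is outside its isolated segment
        else:
            continue
        if (kind, mac, vlan) not in reported:  # report each issue once
            reported.add((kind, mac, vlan))
            findings.append({"kind": kind, "mac": mac, "vlan": vlan,
                             "first_seen": m["ts"], "source": m["source"]})
    silent = sorted(set(inventory) - seen)  # expected devices never seen
    return findings, unparsed, silent

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, INVENTORY)[0]:
        print(finding)
```

Unparsed lines and silent devices are returned alongside the findings because both are gaps in visibility: a log source that changes format, or a device that stops reporting, should be reviewed rather than ignored.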

A Warning About IoT Security

As more devices get deployed in the enterprise, there will be more challenges. One study found that 61% of organizations that adopted IoT technology have already had at least one security incident. Meanwhile, IoT security spending is expected to double from $1.5 billion in 2018 to $3.1 billion in 2021. It is critical that enterprises follow these best practices in order to protect new endpoints.