IoT security is going to matter in a big way soon enough. Though the devices are small, their impact is certainly bigger, and securing IoT has to be done at multiple levels to ensure that networks, systems, data and devices are protected. Let us look at some of the steps needed to implement it.
Anyone thinking of implementing IoT has an underlying concern: how to make sure networks, data and devices are secure. The risk of IoT incidents has many IT, security and networking managers worried that the impact would be high. IoT devices are going to be present even in the most restrictive environments, so the question, according to industry experts, isn't if, but how you are going to allow these devices to connect to and interact with your networks, systems and data.
Big Question – How do we cope with this eventuality?
1. IoT security: small is big
When it comes to IoT, small becomes big and important. Organizations should focus on an often neglected aspect: the source code. The sheer size of IoT devices requires that the software footprint be minimal, so the source code tends to be written in languages like C++ and C#, which renders it prone to problems such as memory leaks and buffer-overflow vulnerabilities. Resistance to such issues on a network is low, and they provide an easy walkway for trouble. Once the devices are on a network, issues of this kind become big and overlooked security problems. The only way to address this is to ensure that the code is well tested and, more importantly, tested for security. Testing tools that help test IoT devices are also available in the market. Additionally, one can use techniques like stack cookies or canaries, which build heuristics into the application to detect stack overflow situations and terminate on detection.
2. Device Aware Access Controls
In an IoT ecosystem, controlling access is quite a security challenge when assets, products and people are all connected. Such control needs to be available at the network level. This calls for organization-level identification, agreement and definition of the acceptable behaviors and activities that a particular class of connecting objects can perform. Thus one IoT device may not be authorized to access certain information on another IoT device.
Controlling access within an IoT environment is one of the bigger security challenges companies face when connecting assets, products and devices. That includes controlling network access for the connected objects themselves. A security system similar to that of a pub or a bar, where you are checked at the entrance but are a free bird with complete access once inside, is not going to work in the new IoT networks. Access control will need to be much more aware of which devices are together and what access or permissions are being sought in the context. The context and the devices together define what is acceptable and what is not. Defining what is normal and acceptable helps build a baseline, which can be monitored for anomalies and exceptions so that alarms can be raised before any damage is done.
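A sketch of such a context-aware check with baseline monitoring, added here as an illustration and not taken from any product. The device classes, actions, device IDs and baseline counts are hypothetical, constructed values.

```python
from dataclasses import dataclass

# Hypothetical policy: for each device class, the (peer class, action) pairs the
# organization has agreed are acceptable. Anything not listed is denied.
POLICY = {
    "thermostat": {("hvac_controller", "publish_reading")},
    "camera": {("video_recorder", "stream_video")},
    "badge_reader": {("door_controller", "request_unlock")},
}

@dataclass(frozen=True)
class Request:
    device_id: str
    device_class: str
    peer_class: str
    action: str

def authorize(req):
    """Allow only what the policy lists for this device class in this context."""
    return (req.peer_class, req.action) in POLICY.get(req.device_class, set())

def find_anomalies(requests, baseline, tolerance=3.0):
    """Return alerts for denied requests and for devices whose permitted
    request count exceeds tolerance x their baseline for the window."""
    alerts, counts = [], {}
    for req in requests:
        if not authorize(req):
            alerts.append((req.device_id, "denied", f"{req.action}->{req.peer_class}"))
        else:
            counts[req.device_id] = counts.get(req.device_id, 0) + 1
    for device_id, seen in sorted(counts.items()):
        expected = baseline.get(device_id, 0)
        if seen > tolerance * expected:
            alerts.append((device_id, "volume", f"{seen} requests, baseline {expected}"))
    return alerts

# Constructed sample: one observation window of requests.
SAMPLE = (
    [Request("th-01", "thermostat", "hvac_controller", "publish_reading")] * 4
    + [Request("cam-07", "camera", "video_recorder", "stream_video")] * 20
    + [Request("cam-07", "camera", "badge_reader", "read_log")]
)
BASELINE = {"th-01": 5, "cam-07": 5}  # constructed typical counts per window

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE, BASELINE):
        print(alert)
```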
3. Identity Spoofing
Obviously the only way a hacker can stay in the game is by staying ahead. As the population of IoT devices increases exponentially, so do the opportunities available to hackers to gain access, since these devices are new access points being added to the network, thereby adding as many vulnerabilities to it.
Consider access controls that are based on context and possibly even specific to individual devices. The easiest way in for a hacker is to behave like the device by spoofing its identity instead of trying to hack into the security implementation. It has therefore become essential for organizations to make the process of identification and authorization very smart to ensure that no such spoofing happens. This requires a unique ID for each device, at least within the organization.
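One way to make a unique device ID hard to spoof, added here as an illustration and not described in the article: bind each ID to a per-device secret and require a challenge-response proof. The `DeviceRegistry` class, the `device_response` helper and the sample ID are hypothetical, and the sketch assumes the key is provisioned onto the device once at enrollment.

```python
import hashlib
import hmac
import secrets

class DeviceRegistry:
    """Server side: one organization-wide unique ID and one secret per device."""

    def __init__(self):
        self._keys = {}      # device_id -> per-device secret key
        self._pending = {}   # device_id -> outstanding one-time challenge

    def enroll(self, device_id):
        # Uniqueness is enforced at enrollment: an ID can be issued only once.
        if device_id in self._keys:
            raise ValueError(f"device ID already in use: {device_id}")
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key  # assumption: provisioned onto the device once, at enrollment

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, response):
        nonce = self._pending.pop(device_id, None)  # each challenge is single-use
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison

def device_response(device_id, key, nonce):
    """What the genuine device computes from its provisioned key."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()

if __name__ == "__main__":
    registry = DeviceRegistry()
    key = registry.enroll("sensor-0001")            # constructed sample ID
    nonce = registry.challenge("sensor-0001")
    print(registry.verify("sensor-0001", device_response("sensor-0001", key, nonce)))
```

Knowing the ID alone is not enough to pass `verify`, and a captured response cannot be replayed because each challenge is consumed on first use.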
4. Control connections for IoT devices
The abilities of IoT devices should be limited by using network firewalls and access control to govern how they connect. By ensuring that IoT devices cannot initiate connections to internal systems, one can limit an attacker's ability to leverage IoT devices as a point of attack to hack into the network. Though this will not rule out attacks, it will definitely limit the ability of hackers to move freely within networks.
Another option is to force IoT devices to connect through proxies or jump hosts. This strategy allows algorithms to inspect the network traffic coming from IoT devices or sent to them. It also establishes a checkpoint where one can verify whether a given payload is supposed to be sent to the IoT device.
5. Network Segregation
Typical enterprise wireless networks need security that follows the WPA2-Enterprise/802.1X standard. The current wireless networks of IoT devices are not of this standard. It is therefore advisable not to mix the two, and better to put these devices on their own wireless network with only internet access available. This requires creating a virtual LAN and routing the traffic through a firewall.
This will also help in logically segregating the devices into areas, or perhaps some other logical division or grouping.
The above list of measures is not exhaustive, nor a sure-shot method of preventing or avoiding an attack, but these measures will definitely bring down the risk to a great extent.
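The connection rule from section 4 and the segregation from section 5 can be checked against firewall connection logs. The audit below is an added example, not part of the original article; the addressing plan, the proxy address and the `src dst dport` log format are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical values, not from the article).
IOT_VLAN = ipaddress.ip_network("10.50.0.0/24")   # dedicated IoT segment
PROXY = ipaddress.ip_address("10.60.0.10")        # inspection proxy / jump host
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(src, dst):
    """Verdict for a new connection initiated by src towards dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_VLAN:
        return "not-iot"            # initiator is not an IoT device; other rules apply
    if d == PROXY:
        return "allow-via-proxy"    # traffic that can be inspected
    if d in IOT_VLAN:
        return "same-segment"       # stays inside the VLAN, never crosses the firewall
    if any(d in net for net in INTERNAL):
        return "deny-internal"      # IoT must not initiate to internal systems
    return "allow-internet"         # the segment has internet access only

def audit(log_text):
    """Return (src, dst, dport) for every IoT-initiated connection to an internal system."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        if classify(src, dst) == "deny-internal":
            findings.append((src, dst, int(dport)))
    return findings

# Constructed sample log, one new connection per line: "src dst dport".
SAMPLE_LOG = """\
10.50.0.21 203.0.113.10 443
10.50.0.21 10.60.0.10 8080
10.50.0.33 10.1.4.7 445
10.1.4.7 10.50.0.33 22
10.50.0.33 192.168.10.5 3389
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("IoT device initiated connection to internal system:", finding)
```

Any finding means either a firewall rule is missing or a device sits on the wrong segment.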