
‘Shadow IoT’: The growing corporate security blindspot

Darryl Jones

Businesses, manufacturers, and legislators each have their own role to play to manage the risks of ‘shadow IoT’

With only a third of workers set to return to the office by autumn, UK businesses will continue to have millions of employees working from home for the foreseeable future.

This change has required businesses to introduce a myriad of new policies and procedures to adapt, not least in the field of enterprise security.

For years, industry insiders have predicted that IoT devices would surge in number. SoftBank’s COO, Marcelo Claure, boldly stated in 2018 that there will be 100 IoT devices for every person by 2025. That’s nearly a trillion IoT devices in total. What’s more, he said that businesses will increase their IoT spend by 96% in the next three years.

The pandemic has seen demand for IoT devices accelerate as homebound consumers buy devices to kit out their home offices. However, this new wave of IoT purchases, from WiFi routers and mesh networks to smart speakers and health-focused wearables, could undermine businesses’ security as the ‘enterprise’ becomes the worker’s home itself.

How secure is your IoT device?

The majority of IoT devices purchased for the home are relatively inexpensive, marketed to the average consumer, and often little effort is made to protect them at a hardware or software level.

What’s more, IT teams have no visibility over what devices employees own or the security measures that employees have (or haven’t) taken. With 15% of IoT device owners still using default passwords, chances are high that most businesses have at least one employee with a vulnerable device.

And when that device resides on the same network being used by the worker for email, file sharing and accessing protected data, a private vulnerability becomes a business problem. Malicious attackers suddenly have access to a greater array of attack surfaces associated with IoT devices, ranging across hardware, networks, APIs and interfaces.

With no sign of a full-scale return to the office anytime soon, governments, manufacturers, IT security teams and employees all have a role to play in mitigating these risks.

IoT security 101 for corporate IT

The good news is that IoT device security principles are similar to those applied to other devices and data in general.

Given that these devices are beyond the view of IT and operations teams, they must instead put in place security tools that provide endpoint protection and monitor edge devices – early intrusion prevention and detection is still the best method to avoid breaches.

Encryption and other security applications should be assessed on corporate IT equipment which is deployed on the same network as consumer IoT devices. They are the first line of defense and need to provide the security measures that these devices, as has been outlined, frequently don’t provide as standard.

The vulnerabilities of that corporate equipment should be evaluated against the attack surfaces outlined above, with action taken accordingly, e.g. stricter, real-time authentication processes for devices on corporate networks.

Employee education and basic cybersecurity training and awareness also play an important role in mitigating risk. For example, connecting IoT devices to a separate network makes attacks much more difficult, so asking employees to separate work and consumer devices at the network level could have a significant impact.

Basic password literacy is another must and should be something most employees are already practising in their everyday lives – employees can be asked to, at a minimum, check and reset default passwords across their IoT devices.

Manufacturers must step up and secure devices

Longer-term action will also be required from the manufacturers themselves. This applies even if they aren’t subject to legal requirements to secure IoT devices in the markets they operate in.

Manufacturers can face huge reputational damage, compromised intellectual property and a loss of consumer trust even if the breach is unintentional, e.g. the result of poor design.

Device-level identity management is a key way to secure IoT. Compromised passwords are the easiest and most common way to gain unauthorized access to devices – which is why legislation often targets this area.

Good credential management looks like a unique, tamper-resistant hardware identifier set at the factory, paired with a unique complex password and a secure password reset process. Each stored password should also be hashed with an industry-standard hash function and a unique salt value. Using 2FA (two-factor authentication) is also recommended where possible.
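As an added illustration of the credential scheme just described (not code from the article or from any manufacturer), the following registry gives each factory-set hardware identifier its own random password, stores only a per-device salted PBKDF2 hash, requires the current password before a reset, and lets IT audit whether a registered device still uses a well-known default. The in-memory registry, the hardware identifiers, the iteration count and the list of sample defaults are all constructed assumptions.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed in-memory registry: factory-set hardware identifier -> credential record.
# In a product the identifier would live in tamper-resistant hardware; here it is a dict key.
DEVICE_REGISTRY = {}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
COMMON_DEFAULTS = ("admin", "password", "12345678")  # constructed sample of weak defaults


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: two devices with the same password never share a digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def provision_device(hardware_id: str) -> str:
    """Factory step: assign a unique complex password, store only its salted hash.
    Returns the clear-text password once, e.g. for the device label."""
    password = secrets.token_urlsafe(18)   # unique per device, never a shared default
    salt = os.urandom(16)                  # unique per device
    DEVICE_REGISTRY[hardware_id] = {"salt": salt, "hash": hash_password(password, salt)}
    return password


def verify_device(hardware_id: str, password: str) -> bool:
    """Authentication check with a constant-time digest comparison."""
    record = DEVICE_REGISTRY.get(hardware_id)
    if record is None:
        return False
    return secrets.compare_digest(record["hash"], hash_password(password, record["salt"]))


def reset_password(hardware_id: str, current_password: str) -> Optional[str]:
    """Reset only after proving the current password; a fresh salt is drawn so the
    old hash cannot be replayed. Returns the new password, or None on failure."""
    if not verify_device(hardware_id, current_password):
        return None
    new_password = secrets.token_urlsafe(18)
    salt = os.urandom(16)
    DEVICE_REGISTRY[hardware_id] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return new_password


def uses_common_default(hardware_id: str, defaults=COMMON_DEFAULTS) -> bool:
    """Audit helper for IT: flag a registered device whose password is a well-known default."""
    return any(verify_device(hardware_id, candidate) for candidate in defaults)
```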

The number of external network connections should be kept to the minimum amount that is necessary for the device to function so that access points are restricted and controlled.

This also applies to physical access points – all interfaces and ports which are used by the manufacturer to test or debug the device should be removed.

Many manufacturers are already taking this seriously but, for those that aren’t, this issue will eventually have to be resolved at a regulatory level.

National governments must mandate basic IoT security standards

Businesses with employees in more than one country will often face a patchy and confusing international regulatory framework on IoT device security.

The UK has stepped up in recent years in this regard. Two years ago, it launched the ‘Secure by Design Code of Practice’ for consumer IoT security.

Primarily aimed at manufacturers, it sought to bake in common sense security standards which included unique default device passwords, a minimum timeline for security updates, and a public point of contact to disclose vulnerabilities. However, manufacturers were not legally required to follow these guidelines.

That is until January 2020, when the UK government codified these guidelines into a new law that will force manufacturers who make IoT devices sold in the UK to follow them. This was a massive step towards protecting consumers – and by extension, businesses – by taking away the burden of responsibility to secure their devices and putting it back on the manufacturer.

Unfortunately, the US government has not followed suit. The US still lacks federal rules, despite warnings from the FBI about the risks from IoT devices as gateways to ‘primary devices’ like laptops on the same network.

In 2018, California became the first US state to regulate IoT devices under SB-327, requiring many of the same measures as the UK law above. It entered into force in January 2020. But for businesses operating in the majority of the US, a level of IoT risk looks unavoidable.

IoT security is a collective responsibility

Because the ecosystem is still so nascent there is no silver bullet for securing IoT devices at scale – manufacturers, legislators, enterprises, and employees each have their own role to manage and monitor the risks of IoT.

However, with some of these measures in place, businesses can have increased confidence that their corporate networks are secure and insulated from the threat of consumer IoT. Maybe then they can move on to tapping into the wealth of value-add opportunities that these devices can provide.

Date of publication: September 29, 2020
