At Schneider Downs, we understand that the continuous advancement of technology fuels a corresponding expansion in the variety of internet-connected systems and devices used by our clients. These devices have the potential to enable process efficiency, analytics, and even security. Common examples we see in organizations each day are camera systems and door lock systems. Often, these types of devices are designed to be easy to use, but may overlook various aspects of security.
It’s easy to underestimate the threats these devices can pose to your organization. While providing penetration testing services to clients, our security analysists have leveraged poorly configured systems like door locks to gain access to restricted areas and sensitive data. Device functionality will always be the primary selection criteria, but each device should also be looked at from a security perspective. Here are some security-focused areas that should be considered in the selection process:
Vendor Reputation – What’s the reputation of the manufacturer of the device you’re considering, and how long have they been around? If the manufacturer goes out of business or drops product support for your device, updates will stop, vulnerability management will become much harder and you may even need to retire the devices early. Considering product support plans and how long manufacturers have been in business can help ensure that your chosen device has longevity.
Credential Management – Many devices come with a default username and password to log in with, often as simple as admin:password. Ensuring devices can change the password, at a minimum, is essential to the security of data it may collect. Measures then need to be put into place to ensure those credentials are actually changed from their defaults. If not, your device will be vulnerable to anyone with a connection that’s smart enough to Google for those default credentials.
Encryption – Chances are if you’re exploring IoT devices for your organization, you’re interested in the data those devices can collect. Choosing devices that support encryption of data at rest and in transit will help that data stay confidential. Choices may be limited since many devices lack the computing required for secure encryption; your organization will need to determine whether or not the device’s connectivity and purpose warrant encryption. Devices with weak encryption or without encryption at rest can have risks mitigated through isolation on separate networks and the use of transport encryption through TLS.
Patching– Unpatched devices are one of the biggest risks to any organization. For IoT devices, patch-ability is twofold. First, make sure the device’s hardware is capable of being patched. If a vulnerability is exposed and your device can’t receive a patch, your best option to secure it will be to replace it. Secondly you must ensure that newly released patches are applied via automatic updates or a manual schedule. Further, some products may requiring manual updates may need physical access to the device for each update.
While the aspects discussed in this article are angled towards selecting IoT products, security considerations should be examined as part of any organization’s technology selection process. If we as consumers can consistently make decisions and ask questions based on security, there’s a chance more vendors will design products with these elements in mind.