In the age of the Internet of Things, our lives have become increasingly efficient and digitally connected, while data security has never been more vulnerable. Connected devices like Alexas, Teslas, and Pelotons consume, and often expose, more data than many people realize. A Tesla is more than a car, collecting your location and vehicle data around the clock. A Peloton is a platform with apps that store – and occasionally spill – personal data through leaky APIs. In hospitals, Alexas act as substitutes for the nurse call button, turning on lights and TVs with a voice command. Let's look at where the real threats lie and identify best practices for securing IoT devices.
What’s the worst that can happen?
The ability of IoT devices to send and receive data has a lot to do with the threat they pose. Most IoT devices are purpose-built to do one thing. A heart monitor was built to monitor a patient’s heart rate and record that data. That’s it. And while it must be reliable and performs a critical function, there are ways to build in redundancy to ensure uptime. Also, a threat actor is not going to target one heart monitor to shut it down – that's not what attackers do. A typical attacker will attempt to get in and move laterally to take over every single heart monitor in a hospital, so they can disrupt operations, put many people's lives at risk, and demand ransom the hospital is highly likely to pay.
But unlike single-function devices that only send data out, multi-function IoT devices communicate out to and – more importantly – offer a way in from the internet. Regardless of their intended use, they are much more a potential threat as gateways to an organization’s ERP or EHR system, or even the HVAC system. Imagine a threat to a hospital’s AC system in the middle of summer with hundreds of at-risk patients.
Protecting against multi-function IoT device attacks
Following are some crucial things to do in terms of device management, network visibility, behavior monitoring, and user access.
1) Identify all your high-value target devices, understand their vulnerabilities and criticality, and double down on security by turning off any unnecessary access and functionality. For instance, look carefully at devices with operating systems that run Server Message Block (SMB) as not every version of the protocol is secure, and attackers leverage those insecurities to compromise and move laterally. Use these three factors when identifying device criticality and risk:
- Impact: How important is this device?
- Possibility: Is it vulnerable in any way? What is every possible exploit?
- Probability: Are there already active exploits (malware, threat actors) in the network that put this device at risk?
2) Identify devices running outdated operating systems and segment them from the rest of the network. Outdated operating systems present some of the greatest risks for most organizations. In our Rise of the Machines 2021 report, we identified that 19% of enterprise deployments had devices running Windows 7 and older operating systems, and 34% had devices running Windows 8 and Windows 10, which are expected to end-of-life in 2023 and 2025, respectively. In healthcare organizations, 15% of medical devices and 32% of medical imaging devices run on outdated operating systems mainly because they remain in operation for a long time and cannot be easily replaced for cost reasons.
3) Closely monitor device behaviors and communication patterns. In addition to knowing what you have in the network, visibility includes understanding how every device is behaving and the communication patterns, so you understand what “normal” looks like, enabling you to quickly identify anomalous behaviors and when a device is compromised.
4) As part of a robust and complete zero trust strategy, be rigorous in ensuring all your devices are being utilized only by current users and those with appropriate privileged access. In the Rise of the Machines 2021 report, we learned 55% of deployments have devices with orphaned user accounts, which provide gateways to privilege escalation and lateral movement.
Some industries are more vulnerable and therefore more security-aware than others. But consider the restaurant chain that glosses over their internet-connected coffee machines. While this may not sound as scary as an at-risk device on a transportation agency device, imagine an attacker taking over those coffee machines and threatening to turn up the temperature to pour scalding hot coffee or turn them off entirely during a peak time. It’s easy to understand how an organization may consider paying the ransom in those cases.
In today’s increasingly challenging cyber-attack landscape, overlooking any device’s security is a risk to your data, your customers, and your reputation. Be rigorous in your defense by understanding device vulnerabilities and criticality, eliminating unnecessary access and capabilities, and monitoring your users, devices, and network closely.
Jamison Utter is Senior Director, Product and Solutions Evangelism at Ordr.