With October National Cybersecurity Awareness Month (NCSAM), Intertrust is publishing a series of posts that expand on the NCSAM theme “If you connect it, protect it!” This is our second post in the series.
Securing connected devices
The second week of National Cybersecurity Awareness Month (NCSAM) focuses on “Securing Devices at Home and Work.” The increasing proliferation of connected devices in the US (projected to reach 13.6 per person by 2022) has created enormous opportunity for manufacturers and distributors. Tech companies have been a shining light of the COVID-era for investors, with markets placing a premium on the potential of IoT devices as must-have products for both consumers and industries. One major obstacle to this, however, is the state of connected device security.
Reports regularly reveal vulnerabilities in millions, hundreds of millions or even billions of devices. And, with the pandemic-forced shift to remote work, these vulnerable devices mean a massively increased risk exposure for enterprises. A new survey from Cybersecurity Insiders found that 72% of organizations experienced an increase in endpoint and IoT security incidents in the past year and 56% believe their organization will be compromised due to an endpoint or IoT-originated attack in the next 12 months.
Security flaws can allow hackers to steal or tamper with data, insert fraudulent devices into a network, gain access to networks and backend systems, and even misdirect the device to perform malicious actions. With that in mind, we’re going to take a look at some of the best tips for improving connected device security.
Tips for improving connected device security
Secure identity provisioning
Businesses and consumers alike should make sure that the devices they use are manufactured in accordance with the IOT device security guidance set down by the National Institute of Standards (NIST). Their IoT Device Cybersecurity Capability Core Baseline defines IoT device security features and capabilities needed to protect devices as well as their data and systems.
In order to comply with these guidelines, an IoT device must be equipped with a unique, secure identity. Secure device identities are essential to authenticate that a device is genuine, securely send and receive data, patch security flaws, and perform other software and firmware updates. Such identities can be provisioned using public key infrastructure (PKI), either in-house or using solutions such as Intertrust’s Seacert managed PKI service.
Seacert enables device manufacturers to provision cryptographically secure, future-proof identities at the factory floor or remotely through cloud-based deployment. No matter the PKI method used, IoT device users should make sure that their device vendors follow established PKI best practices, such as maintaining certificate revocation lists to ensure that a compromised certificate or device doesn’t lead to the entire system becoming vulnerable.
Establish a connected device security strategy
While device developers must build security into their device development and deployment, businesses using those connected devices should also take steps to limit potential vulnerabilities in their own defenses. An effective connected device security strategy reduces the possible attack vectors and reduces risk related to IoT devices. Best practices include:
- Limit the internet connectivity of an IoT device to necessity rather than leaving it in a default ‘always on’ mode
- Create separate networks for IoT devices whenever possible, depending on their level of security control
- Change default passwords and update other passwords regularly
- Employ Network Access Control (NAC) to monitor and limit the possible number of connections to your network as well as identifying possible rogue connections
Perform regular penetration testing
Maintaining security for a company’s systems and networks of connected devices requires the constant checking of defenses to try and find security flaws before hackers do. This is done through pentesting and vulnerability scanning, either by internal IT security or third-parties. By being aware of the risks to their networks, companies can take appropriate actions to improve the security of their connected devices or harden their server defenses, depending on where the greatest needs arise.
Attackers constantly try to discover flaws and vulnerabilities that they can exploit while security professionals try to close them down. IoT devices do not have the processing power necessary to support device level security solutions, such as antivirus, that can block attacks on these vulnerabilities until a security patch is issued and deployed. This makes it critical to update IoT device software as soon as possible.
This requires that the IoT device be able to securely receive and process updates and that processes are in place to prevent tampering in transit. Updates should be digitally signed before being delivered and verified by the device before the update is installed—PKI can be leveraged for this. Remove from your network devices that can no longer be patched because they run on unsupported operating systems or the vendor no longer provides updates.
Multi Factor Authentication (MFA)
Access control is essential to IoT device security—if a hacker has compromised a connected device it can be impossible to distinguish between legitimate actions by the owner of the device and those of an attacker. Multi factor authentication adds a layer of security beyond passwords that is very difficult to circumvent as it often requires possession of something that only the user or administrator has.
Examples of MFA include:
- A phone call or text message to confirm identity while trying to perform an action
- Biometrics, such as fingerprint or facial recognition
- A secure code distinct from the normal password
- An authenticator app
- An external authentication token or device
Make IoT device security a top priority
For all manufacturers and vendors of connected devices, and the businesses that use them, security must be built into processes and systems throughout the device lifecycle.
Intertrust Seacert provides secure identities for devices as part of a managed PKI service, allowing businesses to get their IoT project up and running quickly without compromising security, at a fraction of the cost of an in-house alternative. To learn more about Seacert you can read about it here or get in touch with our team. To find out more about National Cybersecurity Awareness Month you can do so here.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.