I’m a lucky guy with a cool job where I get the opportunity to connect with organizations of all kinds in the Midwestern U.S. and all across Canada. In my travels, I have encountered an interesting viewpoint around IoT (Internet of Things) devices that I want to share with you.
But before I go further, I need to preface this blog by mentioning that one of the key reasons I joined Forescout over a year and a half ago was my belief that companies were entering a new high-risk world, with IoT device security challenges hitting the enterprise on multiple fronts, driven by IoT growth. I am not alone in that view. IDC is predicting that IoT spend in 2017 will surpass $800 billion, which represents 16.7% year-over-year growth. (Full article is here: IDC IoT Spending).
Also, I was convinced that attackers were going to start targeting IoT due to the general lack of security in the design and deployment of IoT devices. That has happened, as I have discussed in my prior posts, "Mirai oh My" and "New Botnet on the Block". Lastly, I felt IoT device security required a different approach and new capabilities that traditional IT systems lack. For starters, I learned in my meetings that this new approach requires agentless detection, visibility and automated asset classification. Moreover, it should offer the ability to inventory devices, readily determine their security posture, tighten network access control, and orchestrate among disparate security tools so that security and operations teams can take quick action when devices are compromised. A new model and approach is needed.
Quick plug: in other words, I was (and am) a believer when it comes to the Forescout platform and its underlying technologies and methodologies. In nearly every meeting I have, we talk about the challenges IoT devices bring and solutions to those challenges. In these conversations I ask, “How do you approach the security of the IoT devices that are in your environment today?”
And here’s that interesting viewpoint that I mentioned up front—the one I hear time and time again: “We only allow corporate devices on our network—no BYOD—so we’re covered when it comes to IoT.” Basically, it’s a viewpoint that lumps BYOD and IoT devices together as if the challenges they present are virtually the same. But the thing is, they’re not.
Today, IoT devices are pervasive and largely undetected. When I hear the viewpoint above, I can’t help but launch into a slew of questions, including these:
- What about that printer, IP phone, smart TV, projector, video camera, conference room scheduler, smart thermostat, smart lightbulb…? (Essentially, whatever I saw on my trip to the conference room or what is currently in view.) Are these IoT devices? How do you secure them?
- Do you know how many of these IoT devices you have in your company and where they are deployed?
- Do you have security tools such as antivirus, Advanced Threat Protection, whitelisting, HIPS/HIDS and Data Loss Prevention running on these devices?
- Do you set the security policies on these IoT devices, and have a way to enforce your policies?
- Can these IoT devices communicate on the network with critical business systems, like your Exchange email server?
- What would happen if I were to disconnect one of them, spoof the MAC address of its network or wireless interface, and then connect my device? Would you see my connection and prevent that from happening? If you didn’t prevent access, would your security operations team get an alert?
What would your responses be?
Your organization’s security might just depend on your answers.