CISSP D3 Preview | Internet of Things (IoT)

In this lecture, we’re going to talk about the Internet of Things or IoT, it is one of those terms that most people don’t really understand what it is.
It is just a IoT, similar to cloud and because they don’t really understand what it is, they also don’t really understand how to make it as secure as possible.
The Internet of Things is almost anything we add smart to, smart TV, smart garage store, smart thermostat, smart car, smartphone, smart whatever.
It is all the things we did not used to have connected to the Internet that now are.
And just like anything else we do where we make things easier, we also inherently make them less secure.
IoT is no different.
We design most of the things that are smart devices for functionality, not for security.
And because of that, they can be an easy attack vector and a way onto our network.
Many of them, after we buy them and we add them to our network, they are never patched.
Some of them don’t even have the option.
They’re often not very secure.
They have very basic security, if any, because again, they were designed for functionality, not security.
Most of them have default passwords and logins, well-known ports that they use, making them very easy targets.
And I’m not saying we shouldn’t use them.
We just need to be very clear on their vulnerabilities and how we can protect our network and our data.
So when we start adding IoT devices to our network, we need to think of them as part of our layered defense.
If they have default passwords and logins, we need to change those, if possible, change which ports they communicate on.
If there are any vendor patches, apply those and include them in our patch management, we lock down all the ports that this specific IoT device does not need.
And then finally and very important, we segment all IoT devices off on their own VLAN.
Just like we have with our server hardening, whenever we get a new IoT device, we harden it, that is removing all the defaults, applying all the patches we added to the network on its own VLAN and as long as we use the IoT device, we have proper patch management.
A while ago I saw someone hack into a smart TV because default username and password, default everything.
From that smart TV, since it was not segmented off onto its own VLAN, he was able to jump to other devices on the network.
That hacker was able to bypass most of their layered defense because they had none in place on the TV and the TV was connected to the regular network.
The TV was a couple of years old and it was running on a Unix OS that was maybe three or four years old.
The OS had a couple of security vulnerabilities that were known, even though there were patches for that specific TV and that vulnerability, it was not patched, meaning they were still there.
And this again goes back to we can have the best security system in the world, if we leave the front door unlocked, it doesn’t really matter.
The attacker is going to find the weakest link in our chain and start their attack there.
If you don’t have IoT in your organization’s environment, it will be there very soon.
What you can do is maybe influence which IoT devices are purchased.
Let’s say we need a smart TV for a conference room, if vendor A has never pushed out a security patch and vendor B has, well maybe try to convince them to get the TV from vendor B.
Also look at which vendor actually has security designed in.
95% of IoT devices are built for functionality, security is either an afterthought or not there at all.
So we buy the things that make sense and that we think we can secure enough.
Once we have them, then we harden the devices, remove any default settings, usernames, passwords, ports.
We patch them before we put them into our production system and then we use them only on a network that is segmented off from everything else.
If they have completely no security features, we may choose to have a tiered system for IoT devices or just place it on our guest network if we have one, many of them will also have Wi-Fi and Bluetooth capabilities and that just like everything else, need to be secured.
So definitely in our corporate environments and possibly in your home environment– harden, patch, segment.
And remember, your phone is also a smart device, unless there is a very good reason that it needs to be on the primary secure network, put it in the IoT VLAN with every other smart device.
The smartphones are most often more secure than any other IoT device we have because any newer phone will get patched automatically and they get patched often.
That said, good design might still want us to put their smartphones in the IoT VLAN.
And with that we are done with this lecture.
I will see you in the next one.