7 steps to enhance IoT security

Securing the IoT is a multi-faceted effort that requires big moves as well as small adjustments to ensure networks, systems, data and devices are protected. Here are 7 security practices you might not have considered.
One of the biggest concerns with the Internet of Things (IoT) is making sure networks, data, and devices are secure. IoT-related security incidents have already occurred, and the worries among IT, security and networking managers that similar events will take place are justified.
“In all but the most restrictive environments, you’re going to have IoT devices in your midst,” says Jason Taule, vice president of standards and CISO at security standards and assurance company HITRUST. “The question then isn’t if, but how you are going to allow such devices to connect to and interact with your networks, systems and data.”
What can organizations do to enhance IoT security? There are plenty of options—including a number of practices that might not be so obvious.
IoT security: start by thinking small
To build better security into IoT, organizations should start with the smallest component in their network infrastructure—the code, says Laura DiDio, principal at research and consulting firm ITIC.
“The majority of IoT devices are very small,” DiDio says. “Therefore, the source code tends to be written in the ‘common tongue’—C or C++ and C#, languages which frequently fall victim to common problems like memory leaks and buffer-overflow vulnerabilities. These issues are the network equivalent of the common cold.”
And like the common cold, they are pesky and persistent, DiDio says. “In IoT environments, they can proliferate and become a big and often overlooked security problem,” she says. “The best defense here is to test, test and re-test.” There are a variety of well-regarded testing tools on the market that have been used for IoT devices, DiDio says.
Security and IT administrators can also use stack cookies, DiDio says. A stack cookie (also called a stack canary) is a random value that the compiler's stack-protector instrumentation (for example, GCC's and Clang's -fstack-protector or MSVC's /GS) writes onto the stack between a function's local buffers and the saved return address, the slot a stack-based buffer overflow overwrites on its way to controlling the instruction pointer. “In the event a buffer overflow does occur, the stack cookie gets overwritten,” she says. The function's epilogue is instrumented to verify, before the function returns, that the cookie still holds the value planted on entry. If the stack cookie doesn't match, the application terminates.
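The stack-cookie mechanism described above, as an added example in C that is not from the article or from DiDio. Because a genuine overflow would abort the process, the stack frame is modelled as a struct laid out like a real frame (local buffer, then cookie, then saved return address), the cookie value is a fixed constant, the return-address value is made up, and the input is a constructed run of 'A' bytes; the type and function names are the example's own. It shows the unbounded copy the cookie is meant to catch, the epilogue check that catches it, and the bounds check that removes the bug rather than merely detecting it:

```c
/* Added example (not from the article): a user-space model of the stack
 * cookie check that compilers emit with -fstack-protector. A real cookie
 * lives on the machine stack between the local buffers and the saved frame
 * pointer/return address; here the frame is a struct with the same ordering,
 * so the overwrite can be shown without undefined behaviour or a crash. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Model of a stack frame, lowest address first: the local buffer, then the
 * cookie, then the saved return address an attacker wants to control. */
struct frame {
    char     buf[BUF_LEN];   /* vulnerable fixed-size local buffer */
    uint64_t cookie;         /* stack cookie planted after the locals */
    uint64_t saved_ret;      /* stands in for the saved return address */
};

/* Per-process cookie value. Real implementations draw it from the kernel at
 * startup (glibc uses the AT_RANDOM auxiliary-vector bytes); a constant is
 * used here only so the example is deterministic. */
static const uint64_t COOKIE = 0x0a9f3c21d4e8b760ULL;

enum result { RET_OK = 0, RET_SMASHED = 1, RET_TOO_LONG = 2 };

/* The bug: copies len bytes into buf with no bounds check, so bytes past
 * BUF_LEN spill into the cookie and then the saved return address. The copy
 * is clamped to the end of the struct only so the model never writes outside
 * its own object; on a real stack nothing stops it. */
static void unsafe_copy(struct frame *f, const unsigned char *src, size_t len)
{
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (len > room)
        len = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, len);
}

/* The check the compiler inserts in the epilogue: compare the cookie with the
 * reference value. Real code calls __stack_chk_fail() and aborts on mismatch;
 * this model returns a status so the outcome can be inspected. */
static enum result epilogue_check(const struct frame *f)
{
    return f->cookie == COOKIE ? RET_OK : RET_SMASHED;
}

/* Vulnerable handler with cookie protection: plant the cookie on entry, run
 * the unsafe copy, verify the cookie before "returning". */
enum result handle_input(const unsigned char *src, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE;
    f.saved_ret = 0x401000;   /* made-up legitimate return target */
    unsafe_copy(&f, src, len);
    return epilogue_check(&f);
}

/* Hardened handler: the fix the cookie only detects. Refuse input that does
 * not fit (keeping one byte for the terminator). */
enum result safe_handle_input(const unsigned char *src, size_t len)
{
    char buf[BUF_LEN];
    if (len >= sizeof buf)
        return RET_TOO_LONG;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return RET_OK;
}

/* Build a constructed payload of len 'A' bytes (the classic overflow input)
 * and run it through each handler. */
enum result run_unsafe(size_t len)
{
    unsigned char payload[64];
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    return handle_input(payload, len);
}

enum result run_safe(size_t len)
{
    unsigned char payload[64];
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    return safe_handle_input(payload, len);
}

int main(void)
{
    printf("16 bytes, cookie intact:  %d\n", run_unsafe(16));  /* 0 */
    printf("17 bytes, cookie smashed: %d\n", run_unsafe(17));  /* 1 */
    printf("40 bytes, hardened copy:  %d\n", run_safe(40));    /* 2 */
    return 0;
}
```

run_unsafe(16) fills the buffer exactly and passes the check; run_unsafe(17) clobbers the first byte of the cookie and is reported as smashed, which is the point at which a -fstack-protector build would call __stack_chk_fail() and abort. Note what the cookie does not do: it detects the overwrite only at function return, after the copy has already happened, so input validation (the safe_handle_input path) remains the real fix, and heap or global-buffer overflows are not covered by it at all.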
Deploy context-aware access controls
Controlling access within an IoT environment is one of the bigger security challenges companies face when connecting assets, products and devices. That includes controlling network access for the connected objects themselves.
Organizations should first identify the behaviors and activities that are deemed acceptable by connected things within the IoT environment, and then put in place controls that account for this but at the same time don’t hinder processes, says John Pironti, president of consulting firm IP Architects and an expert on IoT security.
“Instead of using a separate VLAN [virtual LAN] or network segment which can be restrictive and debilitating for IoT devices, implement context-aware access controls throughout your network to allow appropriate actions and behaviors, not just at the connection level but also at the command and data transfer levels,” Pironti says.
This will ensure that devices can operate as planned while also limiting their ability to conduct malicious or unauthorized activities, Pironti says. “This process can also establish a baseline of expected behavior that can then be logged and monitored to identify anomalies or activities that fall outside of expected behaviors at acceptable thresholds,” he says.
Hold vendors accountable for their IoT equipment
Organizations as a matter of course hire all kinds of service providers, and in some cases those services are provided through equipment that’s placed on the customer’s premises. In the age of IoT, there’s a good chance the machinery will be connected and therefore vulnerable to hacking and other intrusions.
It’s up to the customer to ensure that there is accountability in place if something goes wrong.
“One place to start is within contracting,” says Brian Haugli, a partner at security consulting firm SideChannelSec and a former security executive at insurer Hanover Insurance Group. “Are your vendors pushing an IoT into your enterprise as part of their services or solutions? If so, you must know about it and see that it's part of the contracting/procurement.”
Make sure it's clear who's responsible for updates and the lifecycle of the equipment, as well as if you'll have access to it in case of an incident, Haugli says. “I've seen HVAC [heating, ventilation, and air conditioning] and printer companies not give up access that led to a stalled response effort,” he says. “Those same vendors would push back on routine patching responsibilities or upgrades” to operating systems.
In some cases, a contract might not specify when the customer would warrant a new piece of equipment with a supporting operating system, and the vendor might be unwilling to take on the cost, Haugli says. As a result, an unsupported and vulnerable device could be allowed to sit on the network far longer than it should.
“If we aren’t articulating our requirements to our vendors, don’t take steps to confirm compliance and aren’t holding them accountable, what basis do we have for expecting these issues to be addressed?” Taule says. “In the same way that hardware OEMs and software companies now all expect to be held accountable to identify and quickly resolve weaknesses in their products, so too should the companies that provide us the IP cameras, medical devices, printers, wireless access points, refrigerators, environmental controls and the untold number of other IoT app devices upon which we increasingly rely.”
Companies should apply the controls outlined in common security frameworks to IoT devices, Taule says. For example, include security functional requirements in your contracts; request recent vulnerability scans or assert the right to scan them yourself; obligate the vendors to provide timely updates to address identified weaknesses; and rescan the devices after any firmware updates to ensure that identified issues have been resolved and that no new issues have been introduced.