The Internet of (Shadowy) Things

You may not want the IoT to intersect your enterprise, but it will happen in 2017 whether you allow it or not. Here’s my advice for how to cope.

Hundreds of connected refrigerators, brought in by unsuspecting business departments, are saturating a hospital’s Wi-Fi network. Doctors, who rely on Voice over Wi-Fi for communications, stop getting pages, and medical monitoring equipment isn’t sending the latest data needed to treat patients. This isn’t about not being able to connect to Twitter. This affects people’s actual lives.

This is the Internet of Shadowy Things. And the reality is that we really don’t know how these consumer and prosumer devices are designed or secured. That smart fridge, digital media player, or connected video camera might be the source of the kinds of distributed denial of service (DDoS) attacks we saw this year. These attacks led to problems with Internet connectivity, but they could have been much worse.

Suppose the brunt of the Mirai botnet (now available for rent) was unleashed against a connected power grid. How long would it be until services were restored?

What if the network connection goes down for a chain of retail stores from an IoT-based attack? How many customers will walk out when their credit cards magically stop working? And how many might not ever come back?

The fact is that the recent attacks we’ve seen against Dyn, Deutsche Telekom, and TalkTalk are annoying. Hundreds of thousands of people have been knocked offline or been prevented from accessing websites. But no one has been seriously hurt, at least not yet.

It’s tempting to go back to the traditional IT playbook: fear the technology entirely, clamp down hard, and “just say no.” We saw this with Wi-Fi in the late '90s, and with iPhones in the late '00s. But new IoT devices could be the source of real value. Connected refrigerators seem silly until you realize they could help drive both revenue and productivity in a vertical like pharmaceuticals. IP cameras can help coordinate first responders in case of emergencies by providing real-time video to coordinators that improves situational awareness. Digital media players can provide immersive experiences for consumers in retail by ensuring that relevant content is displayed to them in any store, anywhere in the world.

Employees always win. While they’re told “no,” they (individuals or whole departments) will do an end-run to get what they want, completely ignoring security best practices. The sheer number of IoT devices, estimated to be between 50 and 200 billion by 2020, means IT organizations will be quickly overwhelmed. Want historical proof of employee-driven technology adoption? Try to find a commercial office with only wired Ethernet access, or a company that says, “We don’t allow iPhones.”

The answer is to develop the building blocks that let you say “yes” to the Internet of Shadowy Things. Here are some ideas that you can get started with today.

  • Segment the network: Users will bring new devices onto the network that you likely don’t want connecting to critical infrastructure so it’s time to add a couple of new SSIDs and VLANs to your network. You might already have a guest network in place that provides Internet connectivity while blocking access to enterprise resources and that’s a start, but IoT devices may need access to some enterprise resources whereas guests need none. IT can decide over time what resources are accessible on the IoT network. Ultimately, an IoT network fits somewhere between your outright-trusted enterprise network and what you use for guests.
  • Think seriously about PKI and NAC: You don’t want users taking their credentials and putting them into the refrigerator to get it online because, if it is compromised, the refrigerator is acting on the network as one of your employees. (Spoiler alert: it may very well be your CEO who bought a new gadget and used their credentials to authenticate to the network. The new gadget gets hacked, but from the network's perspective it looks and acts like your CEO. The username and password are available to the attacker, so the fridge can authenticate to other things as the CEO.) Public Key Infrastructure (PKI) can help by ensuring only authorized endpoints enrolled by the user and trusted by IT can connect. Layering in Network Access Control (NAC) ensures that devices are actually trusted and meet your minimum security criteria. Less trusted IoT devices are kept segmented to the correct network.
  • Block Telnet: If it’s feasible, block Telnet connections from your network entirely. At a minimum, block connections made over Telnet from the outside world. Unsecured connections like Telnet, combined with devices with default passwords, allowed worms like Mirai to spread.
  • Think about traffic shaping: If you do have devices that are compromised, you can stop the bleeding. Traffic shaping, particularly around suspicious traffic flows (short packets, long periods of activity, repeated destinations), can help mitigate the effect of attacks launched from your network and provide improved connectivity for mission-critical services.
  • Manage what you can: You can bring some connected devices under EMM and other security frameworks. If your organization is prototyping the development of its own IoT devices, look to platforms like Windows 10 and Android because their security toolsets are more mature than consumer development platforms. If devices can’t be configured through a central platform, work with your employees to set them up in order to disable the types of default configurations that have led to exploitations like those in Mirai.
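Put together as runnable detection logic, the segmentation, Telnet, and traffic-shaping recommendations above look like the following Python script, which triages summarised flow records (the kind a NetFlow/IPFIX collector exports) from an IoT segment. This is an added example, not code from the article or its author; the address plan (10.30.0.0/16 for the IoT VLAN, 10.10.0.0/16 for the enterprise VLAN, an approved broker at 10.10.5.20:8883), the thresholds, and the sample flow records are all constructed assumptions.

```python
"""Triage of IoT-segment flow records (constructed example, not from the article).

Three of the article's recommendations are applied as detection logic:
  * segmentation: IoT devices may only reach enterprise services IT has approved
  * block Telnet: any Telnet flow into or out of the IoT segment is flagged
  * traffic shaping: small-packet, long-running, repeated-destination flows
    are reported as candidates for rate limiting
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical address plan: an assumption for this example only.
IOT_NET = ip_network("10.30.0.0/16")          # the IoT SSID / VLAN
ENTERPRISE_NET = ip_network("10.10.0.0/16")   # the trusted enterprise VLAN
# Enterprise services IT has decided the IoT segment may reach (hypothetical).
ALLOWED_ENTERPRISE_SERVICES = {("10.10.5.20", 8883)}  # e.g. an MQTT broker
TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    """One summarised flow record: endpoints, destination port, volume, duration."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int
    duration_s: float

    def avg_packet_size(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


def iot_device_for(flow: Flow) -> Optional[str]:
    """Return the IoT-segment endpoint of the flow, or None if neither end is in it."""
    if ip_address(flow.src) in IOT_NET:
        return flow.src
    if ip_address(flow.dst) in IOT_NET:
        return flow.dst
    return None


def triage(flows, max_avg_pkt=100, min_duration_s=600, repeat_threshold=3):
    """Map each IoT device to the sorted list of findings raised against it."""
    findings = defaultdict(set)
    dest_counts = defaultdict(lambda: defaultdict(int))  # device -> dst -> flows
    for f in flows:
        device = iot_device_for(f)
        if device is None:
            continue  # not our segment; other controls cover it
        src_ip, dst_ip = ip_address(f.src), ip_address(f.dst)

        # Block Telnet: flag it in either direction so it can be blocked at the edge.
        if f.dport == TELNET_PORT:
            findings[device].add("telnet")

        # Segmentation: IoT -> enterprise is allowed only for listed services.
        if (src_ip in IOT_NET and dst_ip in ENTERPRISE_NET
                and (f.dst, f.dport) not in ALLOWED_ENTERPRISE_SERVICES):
            findings[device].add("segmentation_violation")

        # Traffic-shaping heuristics, applied to Internet-bound flows only.
        if src_ip in IOT_NET and dst_ip not in IOT_NET and dst_ip not in ENTERPRISE_NET:
            if f.avg_packet_size() <= max_avg_pkt and f.duration_s >= min_duration_s:
                findings[device].add("small_packets_long_flow")
            dest_counts[device][f.dst] += 1

    for device, dsts in dest_counts.items():
        if any(n >= repeat_threshold for n in dsts.values()):
            findings[device].add("repeated_destination")
    return {device: sorted(reasons) for device, reasons in findings.items()}


SHAPING_REASONS = {"small_packets_long_flow", "repeated_destination"}


def shaping_candidates(findings) -> list:
    """Devices whose flows match the shaping heuristics, i.e. rate-limit candidates."""
    return sorted(d for d, reasons in findings.items() if SHAPING_REASONS & set(reasons))


# Constructed sample flow records (not captured data).
SAMPLE_FLOWS = [
    Flow("10.30.1.15", "10.10.5.20", 8883, 200, 40_000, 30),        # fridge -> approved broker
    Flow("10.30.1.15", "10.10.7.9", 445, 40, 6_000, 2),              # fridge -> file server: not allowed
    Flow("198.51.100.77", "10.30.2.40", 23, 12, 700, 4),             # Internet -> camera over Telnet
    Flow("10.30.2.40", "203.0.113.7", 23, 10, 600, 5),               # camera -> Internet over Telnet
    Flow("10.30.2.40", "203.0.113.7", 80, 3_000, 180_000, 3_600),    # camera: tiny packets for an hour
    Flow("10.30.2.40", "203.0.113.7", 443, 1_500, 90_000, 1_200),    # camera: same destination again
    Flow("10.30.3.8", "198.51.100.20", 443, 5_000, 6_000_000, 900),  # media player streaming: normal
]

if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for device, reasons in result.items():
        print(device, ", ".join(reasons))
    print("shaping candidates:", shaping_candidates(result))
```

On the sample records the fridge is reported only for its unapproved reach into the enterprise VLAN, the camera for Telnet in both directions plus the small-packet, long-running, repeated-destination pattern, and the media player (large packets, a single destination) is not reported at all; the thresholds are deliberately parameters, because what counts as a "short packet" or a "long period" depends on what your own IoT segment normally carries.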

Without a doubt, the security frameworks and best practices needed for an enterprise IoT foundation are time-consuming to implement, but the risks that shadowy, Internet-connected devices present are sobering. By applying these recommendations you can lay the security groundwork for future connected devices and make your enterprise more secure today.

Sean Ginevan