Network security

An Introduction to IoT Network Security

Illustration: © IoT for all

An automated light switch, a climate control system in an office building, or a digital sign in a school cafeteria: all of these have one thing in common. They can make a network vulnerable once connected to the internet. The Internet of Things (IoT) presents a growing attack surface for malicious actors, who are finding ever more creative ways to exploit devices, whether in living rooms or in business settings such as building control.

The network is now the focal point of IoT security. Devices connect to the network, and the network touches all data and workloads. This is how hackers can move laterally to compromise systems and data on the network. Through the network, users and devices can be authenticated, policies and rules can be put in place to control access and behavior, and visibility can be increased to detect anomalies.

IT professionals and security operations teams must adapt to this new reality if corporate networks and sensitive data are to remain protected. With the ever-increasing number of connected IoT devices comes an almost equal number of challenges:

  • In corporate environments, people connect these devices without always involving someone from IT. They see an open port and connect a device to it. As a result, companies often don’t know everything that’s on their networks.
  • Their built-in security varies widely. Some are enterprise-grade while others are consumer-focused, but both types tend to have undergone far less security testing than a laptop, iPad, or other device that might be purchased by an IT department.
  • They’re not well monitored, like the temperature control systems found in an office conference room. As long as the devices are running with reasonable performance, most businesses won’t notice if something is wrong, unlike a laptop with antivirus protection and other means of detecting intrusions.
  • There is a lack of device visibility and security in an increasingly distributed enterprise computing environment. Often devices are deployed inside the network, and while some can communicate externally with a public cloud or other internet-based systems, many only communicate internally with other systems on the network.

Security deployed around the network perimeter is blind to these communications unless the company is monitoring the internal network, and many simply are not. If these devices are compromised, they become a launching pad to other parts of the network. The school district’s digital sign is a case in point.

The main problem with IoT is that you can’t rely on physical security to keep things off a network. Many locations on the wired network are wide open and there is little network access control. There is more control and authentication on the wireless side, but even there, devices that are authenticated are often dropped into an internal VLAN and not controlled from that point on.

Key steps that can be taken to better protect a corporate network:

  1. Determine what the “thing” should be allowed to do on the network. IoT devices are static in nature; they do the same thing over and over and only use one or two protocols. Determine what “good” behavior looks like for these devices.
  2. Watch for abnormal behavior. If a company sees a device performing outside of what is normal, something is probably wrong. Luckily, because you followed Step 1, you know what’s going on on the network, so it should be easy to locate a misbehaving device.
  3. Prohibit anonymous connections. Businesses need to know every connected device, be it a laptop computer or a sprinkler controller.
  4. Use the network to enforce these rules. A lot of people don’t take that last step, but, without enforcement, policies don’t mean much. If the cameras should communicate only with the network DVR, use the network to only allow this behavior.
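
The four steps above can be expressed as a small policy check over flow records. This is an added example, not code from the article or from any vendor: the inventory, IP addresses, ports and the `evaluate`/`audit` helpers are assumptions made up for illustration, and the flow records are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    src_mac: str
    dst_ip: str
    proto: str
    dst_port: int

# Step 3: no anonymous connections. Every device must be in the inventory.
INVENTORY = {  # constructed MAC addresses
    "00:11:22:aa:bb:01": "camera",
    "00:11:22:aa:bb:02": "hvac",
}

# Step 1: "good" behavior per device class as (destination, protocol, port).
BASELINE = {  # assumed addresses and ports
    "camera": [("10.20.0.10/32", "tcp", 554)],   # RTSP to the network DVR only
    "hvac": [("10.30.0.5/32", "udp", 47808)],    # BACnet/IP to the controller
}

def evaluate(flow: Flow) -> tuple[str, str]:
    """Step 4: return the enforcement verdict and the reason for one flow."""
    device_class = INVENTORY.get(flow.src_mac.lower())
    if device_class is None:
        return ("deny", "unknown device")
    for net, proto, port in BASELINE.get(device_class, []):
        if (ip_address(flow.dst_ip) in ip_network(net)
                and flow.proto == proto and flow.dst_port == port):
            return ("allow", f"{device_class} baseline")
    return ("deny", f"{device_class} outside baseline")

def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Step 2: list every flow that deviates from the baseline, with its reason."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings

SAMPLE_FLOWS = [  # constructed records
    Flow("00:11:22:aa:bb:01", "10.20.0.10", "tcp", 554),   # camera -> DVR
    Flow("00:11:22:aa:bb:01", "10.40.0.7", "tcp", 22),     # camera -> other host
    Flow("00:11:22:AA:BB:02", "10.30.0.5", "udp", 47808),  # HVAC -> controller
    Flow("de:ad:be:ef:00:99", "10.20.0.10", "tcp", 554),   # not in inventory
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src_mac} -> {flow.dst_ip}:{flow.dst_port} ({reason})")
```

In a real deployment the same allow-list would be pushed to the access layer (for example as per-port or per-role ACLs) rather than evaluated after the fact.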

Key to the issue of IoT security as we look to the future is the growing need for security and network people to talk to each other. Making collaboration a reality is easier said than done. In fact, the two groups can be at odds, since they are looking for different results. Network operators are satisfied if all network packets travel quickly with high availability and low latency, even if all of those packets carry malicious traffic. The security group would probably be happier if nothing was circulating on the network.

The network plays a critical role in two areas: first, detecting when an attack is taking place, and second, responding to the attack by shutting down the device, throttling it, or slowing it down. You can do a lot with network infrastructure. IT staff will almost always want to depend on network firewalls to address security issues, but don’t tend to use a firewall for every switch port. Security capabilities must be built into the network itself.

This will mean cooperation between network and security groups. Because this is a cultural issue, it will have to start with high-level executives. This does not necessarily mean that both parties will fall under the same structure. However, security professionals will need to determine what needs to be protected, and network people will need to decide how to achieve this, right down to the network edge where devices connect.

Bringing IT and security groups together is a constant but necessary challenge to overcome. Without it, there will be more data breaches from a wider variety of things rather than end-user systems. HVAC controllers, TV screens, parking tolls and other IoT devices will continue to be exploited by attackers looking for the easiest entry points into critical parts of the network. And IoT devices aren’t going to improve anytime soon from a security standpoint, because many makers of these devices aren’t focusing on that.

Written by Jon Green, CTO for Security, Aruba Networks, an HPE Company.
