This past year, we saw a lot of hype around connected devices. These technologies have become so integrated into our daily lives and our business practices it’s hard to imagine how we previously managed to get by without them.
But while the latest and greatest technology can be exciting, it’s important for all users – security professionals and the general consumer alike – to take the time to rethink through a few key aspects to add that extra layer of protection from a cyber-attack.
Strengthen all links in the chain
There is an inherent side effect to the interconnections of these devices. The advantage is sharing information allows us to do things we used to not be able to. However, these chains of devices also often mean a breach of one device can expose information in the entire chain.
For example: your credit card may not be on the physical device, but if it's stored in the cloud application or on your phone there is the potential it’s at risk. This is analogous to what we saw a few years back with Target. The security of information is only as strong as the weakest link, and criminals more and more are showing they're willing to put in the time to carry out sophisticated multi-stage attacks.
Isolate the devices
Enterprises should really think about network segmentation and firewall rules when setting up connected devices. In most cases, they actually need very little access to other information stores and computing devices in the network. The more isolated these devices are, the harder it is for an attacker to try to use them to compromise other systems. In an enterprise context, it is less likely these devices are going to be the primary target of an attack. Rather, they're more likely to be a stepping stone to some other system.
Consider the risk
It’s important for both security professionals and the average user to trace back through how a hacker might get to a piece of sensitive data. Because the positives of the network effects of data sharing are touted, all users can remain blissfully unaware of the potential down sides. That's not to say people shouldn't be leveraging these technologies to make their life better.
What enterprises and consumers should do is take the time and diligence to weigh the benefits you get with the technology against what proprietary or personal information these different devices have access to. From there, you ultimately judge if it is worth the risk.
Educate yourself and understand features
There is a lot of overlap in functionality with many of these devices. The breadth of functionality is amazing, but it widens the attack vector. When securing systems, make sure to only run the things needed and disable any extraneous programs and communication devices.
The challenge many face with IoT devices is it's often not obvious what all is running on a device and what communications technologies – like Bluetooth or WiFi – they are using. Before you start using the device or integrating it into your systems – educate yourself and your team on the capabilities of the devices. Understand what options you have for disabling features you do not need.
Build strong and unique passwords
Building strong passwords may seem obvious, but it’s surprising how many people with access to organization’s most private data bypass this step. One step to help protect data with connected devices is to separate the accounts and passwords you use to access services and systems.
Many IoT devices have a cloud or smartphone based application for managing them. In many cases, you will create an account with an email address and password to access them all. Increase your security and never use the same email address or password for your IoT device accounts as you do for bank, credit card or other important services.
When emails or passwords are breached, attackers often try them on other sites with a higher value, such as banks and credit card providers. This is one of the reasons breaches of seemingly low risk web sites can still have devastating effects.
One of the most important things is to stay up to date and informed. Security is beginning to receive a greater focus in the consumer space, and important updates and vulnerabilities are now more likely to be covered online. It can often be a challenge to stay up to date with a 24-hour news cycle and demanding jobs. However, in the instance of a breach – time is truly of the essence. It is vital for key decision makers to be up to date – and when possible – ahead of the curve.
(About the author: Kurt Wescoe is chief architect at Wombat Security Technologies)