The FBI has warned that “hackers can use those innocent devices to do a virtual drive-by of your digital life.” The issue is the smart digital technologies encroaching into all aspects of our lives: “Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure. Are private pictures and passwords safely stored on your computer? Don’t be so sure.” The FBI suggests that to secure home networks, “your fridge and your laptop should not be on the same network—keep private, sensitive data on a separate system from your other IoT devices,” Forbes reported.
IoT devices are easy targets for hackers as they often couple traditionally poor vendor support and sparse patching with a lack of ‘security by design’ standardization and regulatory compliance. With billions of devices already connected, many manufactured up to 7-10 years ago, the existing installed base is quite old and vulnerable. Each of these devices represents a potential point of vulnerability to be exploited by hackers. The bottom line is that you cannot expect IoT devices to take care of their own security.
Although security by design is a must-have, personal devices and the existing vulnerable installed base must be protected from within the network, whether the devices are remote or on-premise. Fortunately, there are measures that can be taken to improve the security situation of IoT. In “IoT Security Demands a Multi-Layered Approach”, Frost and Sullivan stated that the best way to protect against IoT attacks is to have your CSP play a key role “not only connecting your IoT devices but in systematically mitigating the cyber risks those IoT connections create.” Allot is a pioneer in this new category of CSP network-based cybersecurity solutions for the consumer and IoT markets.
Cybersecurity threats are creating opportunities for CSPs. They are best positioned to protect device security and prevent a device from being used to conduct cyberattacks by implementing security at the endpoint. The challenge is that IoT devices are diverse and generally have low power and performance, making it almost impossible to install anything on the devices themselves.
The network is a real asset for providing IoT security services: it is like stopping the bad guys at the entrance to your city instead of at the front door of your house. Protecting against IoT attacks in the network itself provides significant benefits to both enterprises and consumers, including a centralized solution that is device/endpoint independent, mass-market activation of IoT security for all devices, use of global threat intelligence in real time, and the ability to block a threat before it enters the home or the device.
For IoT devices, it’s also important to change default passwords (which are sometimes simply empty or too weak) and to ensure they are only connected to a separate “guest WiFi” network and never to the full enterprise network. Always prefer IoT devices from well-known vendors such as Apple and Google and ensure they are up to date with the latest firmware updates from these vendors.
IoT devices are definitely part of a “high risk” group of devices. However, it’s even more important that enterprises pay attention to normal employee laptops/desktops/tablets that are used at home / on external WiFi networks and later get connected (directly or indirectly) to the enterprise. These devices, sometimes as part of a bring-your-own-device program, should be assumed to be compromised, and malware on these devices has an easy way to infiltrate enterprise resources.
Therefore, similar segmentation guidelines should apply not just to IoT devices, but also to any unmanaged/personal device that is connected to external/risky networks. Enterprises should make sure unmanaged laptops with personal apps don’t get mixed with corporate/sensitive/privileged apps.
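As an added illustration of the two points above (change default passwords; keep IoT and unmanaged devices on a segment that cannot reach managed hosts), here is a small Python audit written for this article, not code from Allot, Hysolate or any vendor. The inventory, the subnets and the first-match firewall policy are constructed samples; a real check would pull them from the router or firewall configuration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    ip: str
    kind: str       # "iot" or "managed" (constructed classification)
    password: str   # admin password as configured; "" means empty

# Constructed sample inventory: the fridge was left on the LAN by mistake.
INVENTORY = [
    Device("laptop", "192.168.10.5", "managed", "Lk9#p2vQ!rT7"),
    Device("fridge", "192.168.10.20", "iot", "admin"),
    Device("camera", "192.168.20.7", "iot", ""),
    Device("thermostat", "192.168.20.8", "iot", "u4$Zq8!mW1ce"),
]

# Constructed firewall policy: (src_net, dst_net, action), first match wins,
# default deny. 192.168.10.0/24 is the LAN, 192.168.20.0/24 the IoT/guest net.
POLICY = [
    ("192.168.20.0/24", "192.168.10.0/24", "drop"),    # IoT -> LAN blocked
    ("192.168.20.0/24", "0.0.0.0/0", "accept"),        # IoT -> internet only
    ("192.168.10.0/24", "0.0.0.0/0", "accept"),        # LAN -> anywhere
]

# Well-known factory defaults (constructed short list for the example).
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345"}

def allowed(src_ip, dst_ip, policy=POLICY):
    """Evaluate the first-match policy for one src->dst pair (default deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in policy:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "accept"
    return False

def audit(inventory=INVENTORY, policy=POLICY):
    """Return findings: default passwords and IoT devices that can reach managed hosts."""
    findings = []
    managed = [d for d in inventory if d.kind == "managed"]
    for dev in inventory:
        if dev.kind != "iot":
            continue
        if dev.password in DEFAULT_PASSWORDS:
            findings.append(f"{dev.name}: default or empty password")
        for host in managed:
            if allowed(dev.ip, host.ip, policy):
                findings.append(f"{dev.name}: can reach managed host {host.name} ({host.ip})")
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Running the script reports the fridge twice (factory password, and a path to the laptop because it sits on the LAN) and the camera once (empty password); the thermostat on the guest segment with a strong password produces no finding.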
This is in line with Microsoft’s recommendation to segregate day-to-day email/internet access from access to sensitive corporate systems and data. Microsoft recommends providing a separate dedicated “privileged access workstation” that is not mixed with other activities.
Hysolate allows enterprises to create this kind of segmentation of unmanaged and managed operating systems on a single device, in a seamless way. The same device can have both a personal/risky operating system that is forced to connect only to external networks and, at the same time, a managed enterprise operating system connected to the enterprise network. From the user’s perspective, it looks like a single desktop environment, and apps run in the correct operating system automatically.