This article has been authored by Rajat Mohanty, Co-Founder and CEO of Paladion Networks
Take this scenario: after a long tiresome day, you enter your home exhausted, and fall flat on the couch; and you are in no mood to go on a cumbersome remote-hunting endeavour. In this situation, what do you do? You decide to give out a series of voice commands:
“Switch on the AC, set the room temperature at 20. Reduce the room brightness and turn on the television. Set a reminder for my favourite daily show, and give me the latest news updates in the meantime.”
Welcome to the future! With the Internet of Things or IoT making rapid advances on the technological forefront, tomorrow will be very different – and indeed a lot more convenient – than it is today. The impact of IoT will not just be restricted to homes, for the technology is benchmarked to play a much greater role in workplaces and businesses.
But a major concern is hindering the coming of this new and vibrant future – security. It has not been long since October’s massive IoT botnet-based DDoS attack in US which disrupted the service of major websites including Twitter, PayPal, PlayStation, and Netflix. The IoT infrastructure possesses certain vulnerabilities which can be leveraged to compromise the security of an entire network. According to Gartner, 6.4 billion IoT devices are already in use by now, a figure which will further triple by 2020 according to the agency’s projections. Ensuring the security of these devices, therefore, has become imperative in order to eliminate vulnerabilities and ensure a secure interconnected work environment.
Stated below are some key methods that can help ensure maximum security within an organisation:
1. Removing default accounts and passwords in IOT devices
Mirai worm demonstrated the impact of having default usernames and passwords on IoT devices. In many cases, these were hardcoded into systems. This is most common vulnerability that can come up in IoT devices and given the sheer volume of devices, this vulnerability has high impact. The most obvious answer to this vulnerability is that owners of each IoT device should reset the default accounts and passwords. But that is easier said than done given the huge amount of awareness drive to be created and inertia people have to make changes to their device default configurations. A better way would be for the IoT vendors to device methods such as forced change of password during set up by an user or having default passwords made unique to each device linked to some device identifier.
2. Securing the web applications that interact with IoT devices
IoT devices can be compromised through the web applications that control them. The vulnerabilities on web applications have been documented widely including at OWASP project and solutions are known for fixing such vulnerabilities. Organizations that have large IoT devices and applications should have periodic web application scanning and mitigation.
3. Security monitoring of traffic and commands
Every security attack, and the subsequent compromise, leaves a trail of substantial information behind it. This information can be in the form of disrupted network topology or traffic flow, or modified configurations of the IoT device. These can serve as an indicator of security compromise and can enable the organisation to not just spot vulnerabilities before an attack, but also to detect an attack which is in progress. Hence, security monitoring and analysis becomes imperative to ensure safety of a network.
4. Software security practices in design and coding
IoT devices cannot be easily patched on regular basis unlike applications and systems running on PCs and servers. Hence its critical that the applications and systems running on IoT devices are designed and coded with lot for focus on security. This includes having security architecture reviews, testing for abuse cases, adhering to secure coding guidelines and developer trainings.
5. Securing the network control options between devices and to network
The transport layer security will include stronger authentication between devices and encryption of data in the network. Periodically testing the network layer for open ports and other vulnerabilities that can lead to common IoT attacks such as DDoS, buffer overflow or fuzzing attacks.