Five Steps to Connected Device Era Network Security

Or, The Internet-Of-Hey-Do-We-Really-Need-This-Thing?

Paris, FRANCE:  Olivier Mevel, head of Violet company, poses, 15 September 2005, with a 'Nabaztag' the first ever released wide-audience communicating device. Along with Violet's co-founder Rafi Haladjian, Mevel called the device ' Nabaztag', which means rabbit in Armenian. It may be connected to other Nabaztags through the Internet, using DSL and wireless means, and thus may, among other things,  play MP3, warn when emails are delivered and do so even when its owner's computer is not connected, thanks to the www.nabaztag.com website it'll be registered to. AFP PHOTO DAMIEN MEYER

The Nabaztag, the first generation of connected rabbits, from France. (Photo: Damian Meyer/Getty Images)

On Tuesday, Westinghouse Security is kicking off a Kickstarter for a connected home door lock, the Nucli. Wouldn’t it be ironic if a lock on your door exposed your office to privacy threats or worse? Whatever you might say about your current lock (it’s rusty, it’s loose, it’s easy to pick), it’s not posting logs of your comings and goings to a cloud database. Who knows what a connected lock might do? Such are the worries in the new era of increased convenience and functionality born of connected devices.

Eight Internet of Things security fails.

Right now, we are still working out what connected devices can or can’t do once they are added to a network. Recently, we wrote about eight significant fails in the Internet of Things. These were largely consumer failings, but there have probably been much more interesting failings at the enterprise level.

Big companies need to think carefully about letting their in-house gadget heads come in and put new junk on the network. We recently spoke to experts at Dell about ways big companies can balance experimentation with network hygiene.

The threats are much larger at the corporate level. If an employee brings in one of those Internet-enabled lights that shows him when his hockey team has scored while he’s working late and connects it to the company’s network, that might introduce a vulnerability that could give a hacker trusted access. Connected devices could have malicious code buried deep inside their chips, installed there by a bad actor at the factory, perhaps without the knowledge of the company.

Dell’s Jackson Shaw told us that after installing one of his company’s firewalls on his home network, he found that somehow his house was sending about 8% of its total traffic to China. Despite the fact that, as far as he knew, nothing he was operating should have been reaching out to China. So what was going on?

In the Internet of Things, there are many more ghosts in our machines.

Dell is recommending that any companies with sensitive data and networks engage in the following security practices in order to improve safety (the phrasing below is the Observer’s, but the spirit comes from Dell):

Westinghouse Nucli. (Courtesy photo)

Westinghouse Nucli. (Courtesy photo)

  1. Research your network. Do penetration testing. Identify desirable reasources your network might have and experiment with ways of trying to get at them.
  2. Audit your infrastructure. Find all the devices you already have connected.
  3. Segment your connected devices. Do your cloud-controlled LED lights need to access personnel files? Probably not. So set your company’s Internet of Things up on their own local area network.
  4. Prepare for failure. This is a technological Wild West within the Wild West that technology already is. We have hardly any standards, very little regulation, low oversight and—honestly—the best practices are fuzzy. So experiment, innovate but bet on trouble. It will come.
  5. Secure your data. Back it up. Encrypt it. Firewall it. Whatever your company’s most important digital resources are, make sure they have extra special guards up when new devices start joining the system.

We’re just going to add our personal favorite: change the default passwords on your connected devices. Both the administrative password and the password for accessing it. Seriously. Really. We’re not joking. Do it.

 

 

Five Steps to Connected Device Era Network Security