Two areas of infrastructure that are too often neglected have been growing in recent years. The adoption rate, often unapproved by IT and management, has been on a steep incline in all areas of business from home offices to multinational organizations. This is of course the Internet of Things (IoT) and Bring Your Own Device (BYOD). IoT, otherwise known as simple connectivity of common devices to the internet. Sounds like any modern computer right? However, the separation exists in the device’s usage of this connectivity and their intent. BYOD is exactly how it sounds; personal devices brought in to corporate networks.
While these area of networking are not new, the rate of implementation is significant. Manufacturers often market such IoT devices for “remote control” or “access from anywhere” and the good news is that these are possible. Then again, the bad news is also that these are possible. There are benefits and times when such technology will align with business plans and makes good business sense with regards to Return on Investment (RoI) and risk. Closed Circuit Television (CCTV) systems now have the functionality of connectivity. This is great for monitoring your business remotely. Asleep at night and the alarm company calls? Fire up the remote viewer and see if it was a technical glitch or if you are being robbed. Many devices and systems do have legitimate places in business when implemented properly. But, management and IT must know of these devices to implement in a way that makes business sense.
There are many devices that are on the market that are not fit for the business world. There are hundreds of types of web enabled or IoT devices now from stuffed animals, watches, thermostats, coffee makers, refrigerators, and the list goes on and on. Why would someone need a coffee maker or thermostat to connect to the internet? For convenience. If you prep your coffee maker before leaving work one day, simply use an app on your phone and get it brewing before you leave the house the next morning. You arrive to a fresh pot in the break room. Forgot to adjust the thermostat to be more efficient for the 3 day weekend? No problem, launch the app and adjust accordingly and save some money. These sound like wise investments to many people, and they generally can be helpful. But, when not integrated properly they can be a nightmare for business.
These gilded IoT devices often times have a negative impact. These are designed to work quickly and easily. Once working, the developers often abandon them for the next generation model. Because of the quick turn-around, vulnerabilities and bugs go unpatched. Once connected to the web these can be exploited for an easy in to networks. Have a look at shodan.io. This is a search engine that finds connected IoT devices. Once these are located manually or through tools such as Shodan, they are easily exploitable. Then, an open door for attackers to see your internal network.
Intrusion capabilities aside, IoT devices have been known to have programming bugs, which can cause excessive network traffic. If these devices are not properly implemented on a network, they could be generating unwanted noise. This extra overhead causes bottlenecks, slowing down the flow of business. Couple this with the connectivity of the Bring Your Own Device (BYOD) pandemic of personal smart phones and tablets and things can really slow down. However, BYOD traffic congestion can be combated in the same way as that of other IoT devices.
To reduce risk from these, they must not be used in production networks. That is not to say they cannot exist within the physical building, but they should be isolated from production network traffic. We have briefly mentioned VLANs and DMZs in our Layering Security briefing. These should be utilized for IoT devices, as well as BYOD scenarios. Network segmentation is vital to allow for a scalable network to grow as your business does. BYOD has its own sets of issues, including data loss if devices are lost or stolen. Encryption and remote wiping capabilities are paramount on these devices. Management and IT can work together to develop policies and procedures to approve, isolate, and monitor these devices. Upton Technologies, LLC can work with your organization to develop and implement plans to isolate and limit the risk of using these types of devices.
Ryan Stephens
Senior IT Security Consultant at Upton Technology