The Internet of Things (IoT) is growing by leaps and bounds every day. But as the IoT grows, so do the security vulnerabilities of the linked objects. A security protocol to protect IoT devices will always be needed.

For example, an appliance manufacturer may want to link its air conditioning systems to smart home networks to increase sales, but it has never faced the problems of securely networking a product before. The IoT will never be secured until all its participants learn how to embrace security from the outset.

Building In Security Measures for the IoT

There are some obvious things that can be done to embed security in the IoT.

The most obvious one is securing the Web interface of the device. Simple things like making sure that default usernames and passwords are changed during initial setup helps greatly. And the changes shouldn’t allow the use of weak passwords. Perhaps measures such as an account lockout after three to five failed login attempts should be considered.

Attention should be paid to passwords beyond just initial setup changes. Checking network traffic to ensure login codes are not being sent in cleartext is a wise move, and that goes for any password recovery schemes, as well. Additionally, two-factor authentication may be needed for sensitive areas like administrator accounts.

Examining the Web interface for resistance to common attacks like cross-site scripting, cross-site request forgery and SQL injection should be done, too. These attacks are harmful if successful, but they’re also relatively simple in nature, which makes them preventable with the right proactive safeguards.

One trick attackers use involves scanning for open ports with a special program and then exploiting those ports. Universal Plug and Play (UPnP) has only exacerbated this problem by standardizing network access points. Open ports can now be used to launch denial-of-service (DoS) attacks as well as buffer overflow attacks across networks and devices.

Watch the on-demand webinar to learn more about securing the internet of things

Security Protocol Focuses on Protecting Critical Data

Protecting data during network transit is very important. Any data traffic between a device and the cloud (including information transmitted via mobile apps) should be examined to make sure it is secured. Transport encryption such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) methods can protect data — if employed in the correct manner. That usually starts with avoiding proprietary encryption protocols and sticking to commonly used and cryptologically validated ones.

Devices should be regularly updated so that any problems discovered after their release can be corrected, but the patching mechanism itself can be a way for malicious actors to get into a device. To protect against this threat, sensitive data such as credentials should never be hard-coded into the update. Encryption should always be used in the update process so that the patch isn’t readable by someone with a hex editor.

The cloud interface in general must also be secured since poorly guarded cloud interfaces are easy to discover. Review the connection to the cloud and ensure usual transactions like the password reset mechanism will not identify valid accounts. Again, encryption during transport will aid security.

Physical security of the IoT device may get overlooked, but not all threats come from external sources. USB ports, SD cards or other storage means may be a way for attackers to gain access to data stored on the device. If a hardware port is not needed in routine usage, deactivate it.

This is just a top-level review of IoT security, and many other attack vectors could be exploited. But considering the topics mentioned can only improve the security of any IoT-connected device within the enterprise.

More from Cloud Security

How I got started: Cloud security engineer

3 min read - In today’s increasingly cloud-focused business environment, cloud security engineers are pivotal in protecting an organization’s critical data and infrastructure. As experts in cloud security, they leverage their expertise to ensure that the ever-expanding amount of cloud data is safe from emerging threats and vulnerabilities. Cloud security professionals combine their passion for technology with a deep understanding of security principles to design and implement robust cloud security strategies. What experience do these security experts have, and what led them to the…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Lessons learned from the Microsoft Cloud breach

3 min read - In early July, the news broke that threat actors in China used a Microsoft security flaw to execute highly targeted and sophisticated espionage against dozens of entities. Victims included the U.S. Commerce Secretary, several U.S. State Department officials and other organizations not yet publicly named. Officials and researchers alike are concerned that Microsoft products were again used to pull off an intelligence coup, such as during the SolarWinds incident. In the wake of the breach, the Department of Homeland Security…

What you need to know about protecting your data across the hybrid cloud

6 min read - The adoption of hybrid cloud environments driving business operations has become an ever-increasing trend for organizations. The hybrid cloud combines the best of both worlds, offering the flexibility of public cloud services and the security of private on-premises infrastructure. We also see an explosion of SaaS platforms and applications, such as Salesforce or Slack, where users input data, send and download files and access data stored with cloud providers. However, with this fusion of cloud resources, the risk of data…