June 27, 2017 By Scott Koegler 2 min read

Organizations contemplating Internet of Things (IoT) deployment projects must look at both past and future challenges through the lens of security. Enterprise data security is not a new topic, but for many companies, IoT deployments present new challenges because they extend the perimeter by introducing thousands of additional endpoints, each of which represents a new opportunity for exploitation.

Four Steps to Secure Your IoT Deployment

Security leaders need to look beyond traditional considerations when launching IoT deployments. Below are four key focus areas to help analysts maximize the value and minimize the risks associated with connected devices.

1. Prioritize Security

If enterprise security isn’t already a priority, analysts working on IoT projects should put it at the top of the list before considering anything else. Even though the primary purpose of an IoT deployment is to enhance interactivity with customers and bring more control to remote devices, every feature and function built into the project must be secure by design.

2. You Can Run, But You Can’t Hide

Even the smallest and least visible endpoints are discoverable. Your IoT devices may be insignificant in terms of functionality and cost, but some bot scouring IP addresses is sure to find them eventually. Once found, they will be attacked by automated functions that search tirelessly for vulnerabilities.

That single entry point can provide access to enterprise resources, and advanced threat technologies can plant components on company systems that hibernate and run at a future date, leaving no trace of where, when or how they gained access.

3. Plan to Be Wrong

Once your IoT devices leave manufacturing, it’s possible that they will never again be touched by human hands. They may be housed inside other devices or appliances that only connect wirelessly. But that version of the device may also require updates to address vulnerabilities and improve functionality.

Your design needs to include secure methods to deliver updates automatically. This can be tricky, because the access rights you design can also be discovered and used to deliver code that mimics valid functionality, but also provides backdoors to the devices and connections to the enterprise.

4. The End Is in Sight

Technology products don’t live forever. While customers may use devices long after their intended lifespan, changes in the technology landscape can cause problems that were never anticipated when the products were conceived and produced. That’s why it’s important to build in some kind of end-of-life function that can be used to deactivate IoT devices when necessary.

In the case of consumer products, this function could alert customers to a change of capability when the company terminates support for the device. Commercial products may need to meet more rigorous contractual conditions that should be spelled out clearly at the time of sale.

Weathering the IoT Storm

The IoT world is still in development, and there are plenty of unknowns that will become problems as deployments become more complex. To weather the storm, keep security at the center of all IoT project planning and consider how to address the most complex issues from the very start.

Listen to the podcast series: 5 Indisputable Facts About IoT Security

More from Network

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Databases beware: Abusing Microsoft SQL Server with SQLRecon

20 min read - Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, enterprise Linux, macOS network, or Active Directory alternative (FreeIPA). As I navigate my way through these large and often complex enterprise networks, it is common…

Easy configuration fixes can protect your server from attack

4 min read - In March 2023, data on more than 56,000 people — including Social Security numbers and other personal information — was stolen in the D.C. Health Benefit Exchange Authority breach. The online health insurance marketplace hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington-area residents. It appears the D.C. breach was due to “human error”, according to a recent report. Apparently, a computer server was misconfigured to allow access to data without proper…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today