When I do media spots, interviewers often ask me, “What is the best single thing you can do to prevent cyberattacks?” I jokingly respond, “Unplug and turn off all your devices — it’s a 100 percent security solution!” Ironically, when discussing Internet of Things (IoT) security, some people believe turning all devices off is an actual strategy.

Absolute IoT Security Is Not Practical

According to Dan Lohrmann, chief strategist and chief security officer (CSO) at Security Mentor, Inc., we should be aware of three things. First, just as with Wi-Fi, cloud computing and bring-your-own-device (BYOD) programs, the global IoT boat has already left the dock. Don’t be the naysayer who simply opposes all IoT devices in the name of cybersecurity concerns.

Second, you’ve got to know what is connected to your networks. Learn what IoT devices are being used, both openly with management approval and in shadow IT. Is sensitive data being protected? Are security features enabled and sufficient? Have default passwords been changed? Is encryption needed?

Finally, some IoT devices probably do need to be disconnected. But this should be a last resort after you’ve done your homework and worked with customers on offering business answers.

Industry Experts Weigh In

Tyler Carbone, COO, Terbium Labs:

At this point, I think disconnecting IoT devices would be like trying to put the genie back in the bottle. We need to move past thinking of IoT as a completely separate kind of problem. At the end of the day, these are computers, and they’re on the internet for the same reason our desktops are: It adds a lot of value.

I don’t think we should any more disconnect the entire IoT than we should disconnect the rest of the internet. That said, we do need to start thinking of this connectivity with security in mind. Again, think of desktop computers. Some should absolutely be air gapped. Others need to be on a network, but their security is critical enough that access must be severely restricted. Others can be more permissively configured, but those shouldn’t have permission to touch mission-critical systems.

We’re used to thinking about these problems for computers. With the IoT, because the market is still fairly young, there is a fair amount of, frankly, sloppy decision-making and one-size-fits-all network connectivity. That’s what we need to address to improve IoT cybersecurity — disconnecting everything would be too blunt an instrument here.

Shahid Shah, CEO, Netspective Communications:

We need to consider working on a consensus standard that would only allow IoT devices or data into our networks that could be minimally validated to be secure. This is difficult to define, but necessary. Any devices that haven’t passed minimal cybersecurity checks should be taken off the network until they’re shown not to cause harm to other participants in the network.

Scott Schober, President and CEO, Berkeley Varitronics:

I always encourage users to think before plugging in to the internet. They need to weigh convenience against security because, invariably, the more convenient an IoT device is, the less secure it is.

This is especially true of low-cost consumer IoT devices and sensors that cut corners on security in order to sell to the consumer masses. These consumer-driven IoT devices are easy to plug and play, but have no means to update or handle firmware upgrades when vulnerabilities eventually surface. So my advice extends all the way back to the point of purchase: Ask yourself if you even need such a connected device before you buy it. Then, if you’ve gone ahead with the purchase, think again before connecting it to the internet.

A Delicate Balance

When it comes to IoT security, like all other parts of cybersecurity, there is always a balance between usability and safety. The security practitioner’s goal should be to constantly balance this equation against the risk of a breach.
