IoT Is Here Whether You Like Them on Your Network or Not

Personal Internet-connected electronics, designed primarily for home use, are rapidly finding their way into the enterprise. From web-enabled streaming video cameras to connected digital picture frames to large commercial refrigerators, it feels as though everything in our lives is now connected to the Internet. Remember when “Shadow IT” wasn’t a thing and the biggest concern we had was that someone would bring in an external modem so that they could remotely connect? Those were the days.

Now we have to worry about what our users are bringing into the office that might connect to the Internet, must connect to the Internet to operate, or may be exploited for malicious data exfiltration. Welcome to the Internet of Things (IoT).

I’ll draw on an example from some research I performed back in January of this year. Shortly after Google announced that they were acquiring Nest, I started poking around to see exactly what the thermostats could communicate with. A quick Google search for “nest firewall ports” (I commonly append “firewall ports” to a product or application name when looking for what ports it uses) returned 433,000 results. Phew, that’s a lot. After reading several pages, the general consensus among Nest users was that port 9543/tcp had to be allowed out through their home routers for the product to work. One page also provided the FQDN the Nest thermostat connects to, a domain in the format of:

The domain is hosted in Amazon AWS and resolves to an IP address associated with Amazon’s Elastic Load Balancing (ELB) service, presumably to distribute the load across multiple guest instances. Given the number of devices Nest has claimed to have sold to date (~1 million according to a Forbes post), it’s probably safe to assume those instances sit in an Amazon VPC behind the ELB addresses. Without a device-to-server count from Nest itself, though, I doubt we’ll ever know the final number.

This workflow is somewhat time consuming, but the data it produces (the hosts, ports and protocols a device actually needs) is invaluable when deciding whether to allow the device on my home or corporate network, and on what terms.

5 Things to Consider When Evaluating Internet of Things Devices

Before rushing to open unfettered access for an employee’s shiny new toy, here are some tips on how to evaluate IoT devices prior to allowing them on your corporate network:

  1. Create a separate IoT network that allows for Internet access but limits (or blocks) connectivity to internal network systems. Does a digital picture frame need to be on the same network as your HR systems? Probably not. Isolate the non-enterprise devices to their own network.
  2. Design a policy that evaluates new Internet of Things devices prior to allowing them on your network. If a user wants to use their shiny new Internet connected toy at work, ask them to borrow it for an afternoon to research it. The only thing they could say is “no”, at which point you can tell them the device won’t be connected to the network – or the device is relegated to the new IoT network mentioned above.
  3. Read as much online documentation about the specific device as possible. This is likely to be the most difficult part of the plan, as few IoT vendors document the ports and protocols their devices need for Internet-bound communication. Most simply say “Allow https on your router to the Internet,” which, in the enterprise, isn’t informative enough, and allowing unfettered access for any Internet-connected system isn’t smart either. Apply the principle of least privilege: permit only the destinations and ports the device demonstrably needs.
  4. Nearly all IoT devices wrap their data streams in standard SSL/TLS (i.e. https), so consider deploying a deep packet inspection (DPI) tool that can decrypt TLS, or a separate TLS-decryption appliance if your DPI tool lacks that ability. Decryption may not be necessary to understand how the device operates, since destination hosts and ports (and usually the TLS Server Name Indication) are visible without it, but you may find it important if you’re concerned about hidden data leaving the network. Two caveats: interception only works if the device trusts your inspection CA, which most consumer devices give you no way to configure, and a device that pins its server certificate will simply stop working behind a decrypting proxy, which is itself useful to know before it lands on your network.
  5. Consider dusting off that old 10/100 hub (or using a switch with a mirror/SPAN port), connecting the IoT device to a test network, and running a packet capture tool against its communications to understand how the device works. Though somewhat time-consuming, this approach gives you a deep understanding of how new IoT devices will behave on your network. I recommend something as simple as tcpdump, tshark, or Wireshark for the visually inclined. Also, keep the capture as a baseline in case you need to revisit the device’s communications requirements during an incident response or forensic exercise; a device that suddenly talks to hosts that weren’t in the baseline is worth a look.
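To show how steps 1, 3 and 5 fit together, the following is an added example (not code from the original article) that turns a test-network capture into a least-privilege egress policy for an isolated IoT subnet. SAMPLE_CAPTURE is a constructed sample in the shape of tshark field output; the hostnames (under example.com), the addresses (TEST-NET-3, 203.0.113.0/24, plus an assumed IoT subnet of 192.168.50.0/24) and the ports are invented for illustration. The script summarises every destination socket the device touched, flags anything aimed at internal address space, and emits nftables rules allowing only what the capture justified.

```python
"""Turn a packet capture of an IoT device into a least-privilege egress policy.

Added example for the evaluation steps above; it is not code from the original
article.  SAMPLE_CAPTURE is a constructed sample in the shape of tshark field
output: the hostnames (under example.com), the addresses (TEST-NET-3,
203.0.113.0/24) and the ports are invented for illustration.
"""
import ipaddress
from collections import defaultdict

IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # assumed isolated IoT network
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Constructed sample of what this produces on a test-network capture of a
# device at 192.168.50.20 (assumed address):
#   tshark -r iot.pcap -Y "ip.src == 192.168.50.20" -T fields -E separator=/t \
#       -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport \
#       -e dns.qry.name -e tls.handshake.extensions_server_name
# Fields that do not apply to a packet are left empty, as tshark does.
SAMPLE_CAPTURE = (
    "192.168.50.1\t17\t\t53\tfrontdoor.example.com\t\n"
    "203.0.113.10\t6\t9543\t\t\t\n"
    "203.0.113.10\t6\t9543\t\t\tfrontdoor.example.com\n"
    "203.0.113.10\t6\t9543\t\t\t\n"
    "192.168.50.1\t17\t\t53\ttime.example.com\t\n"
    "203.0.113.25\t17\t\t123\t\t\n"
    "203.0.113.10\t6\t9543\t\t\t\n"
    "192.168.50.1\t17\t\t53\tupdates.example.com\t\n"
    "203.0.113.44\t6\t443\t\t\tupdates.example.com\n"
    "203.0.113.44\t6\t443\t\t\t\n"
    "192.168.1.15\t6\t445\t\t\t\n"   # SMB to a host on another internal subnet
    "192.168.1.15\t6\t445\t\t\t\n"
)


def parse_capture(text):
    """Parse tshark field lines into (dst, proto, port, name) tuples.
    The name is the DNS query name or the TLS SNI, whichever the packet carried."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dst, proto, tcp_port, udp_port, qname, sni = (line.split("\t") + [""] * 6)[:6]
        port = tcp_port or udp_port
        if not port:
            continue                      # ICMP and friends are out of scope here
        flows.append((dst, PROTO_NAMES.get(proto, proto), int(port), qname or sni))
    return flows


def summarise(flows):
    """Group packets by destination socket and collect the names seen with each."""
    summary = defaultdict(lambda: {"packets": 0, "names": set()})
    for dst, proto, port, name in flows:
        entry = summary[(dst, proto, port)]
        entry["packets"] += 1
        if name:
            entry["names"].add(name)
    return dict(summary)


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_RANGES)


def internal_destinations(summary):
    """Sockets in private address space outside the IoT subnet.  A consumer
    device has no business talking to these, so they are the ones to investigate."""
    return sorted(key for key in summary
                  if is_private(key[0]) and ipaddress.ip_address(key[0]) not in IOT_SUBNET)


def egress_rules(summary):
    """nftables forward-chain fragment (chain policy assumed to be drop) that
    permits only the Internet sockets the capture justified.  Traffic inside
    IOT_SUBNET, such as DNS to the local gateway, never crosses the forward
    chain and is skipped; private destinations are never allowlisted."""
    rules = ["add rule inet filter forward ct state established,related accept"]
    for (dst, proto, port), entry in sorted(summary.items()):
        if ipaddress.ip_address(dst) in IOT_SUBNET or is_private(dst):
            continue
        names = ",".join(sorted(entry["names"])) or "no name seen"
        rules.append(f"add rule inet filter forward ip saddr {IOT_SUBNET} "
                     f"ip daddr {dst} {proto} dport {port} accept comment \"{names}\"")
    private = ", ".join(str(n) for n in PRIVATE_RANGES)
    rules.append(f"add rule inet filter forward ip saddr {IOT_SUBNET} "
                 f"ip daddr {{ {private} }} drop")
    rules.append(f"add rule inet filter forward ip saddr {IOT_SUBNET} drop")
    return rules


if __name__ == "__main__":
    summary = summarise(parse_capture(SAMPLE_CAPTURE))
    for (dst, proto, port), entry in sorted(summary.items()):
        print(f"{dst:>15} {proto}/{port:<5} {entry['packets']:>3} pkts  "
              f"{', '.join(sorted(entry['names']))}")
    for key in internal_destinations(summary):
        print("INVESTIGATE: device talked to internal host", key)
    print("\n".join(egress_rules(summary)))
```

On the sample, the SMB attempt to 192.168.1.15 is reported for investigation and never becomes an allow rule, while the 9543/tcp, 443/tcp and 123/udp destinations do. Treat the address-based rules as a starting point rather than a finished policy: as the Nest example shows, the addresses behind a load balancer rotate, so the DNS and SNI names the script records are the stable identifiers, and a proxy or DNS-aware policy keyed on them will age better than raw IPs. Re-run the capture after firmware updates, since the device’s requirements can change underneath you.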

Hopefully these tips will help you think about evaluating IoT devices in the enterprise. Consumer devices are coming, whether you like them on your network or not. How you handle their deployment, however, is entirely up to you.
