How to Build a Better Defense for IoT Devices
Technological advancements can often feel like a double-edged sword.
Powerful computers masquerade as phones in our hands, smart devices connect our houses from door locks to the thermostat, and Inspector Gadget-esque watches analyze our physical activity metrics — all thanks to the Internet of Things. But the revolutionary benefits and convenience of constant connection also give unwanted visitors the opportunity to connect with us, leaving us exposed to malicious intentions unless proper cybersecurity measures are in place.
While most devices are easily pairable with the touch of a Bluetooth-enabled button, it’s crucial to remember that each individual device is unique and comes with its own set of security limitations. Without frequent updates and a dedicated device check-in window, it can be easy to fall victim to an unwanted digital intruder, identity theft, malware and more.
Built In Colorado caught up with SVP of Global Security and Enterprise IT Michael Lyborg to find out the biggest risks currently facing IoT systems, how technology teams can combat them and which methods will eliminate vulnerability through a stronger defense system.
Configuration is key
When it comes to IoT and security, I always look at defense-in-depth and observability. The key security risk factors that I have observed are generally attributed to device misconfiguration and failure to properly separate and inventory the devices in order to mitigate or reduce any associated risks.
Since IoT devices often arrive with “weak” and embedded passwords, end users and organizations should ensure that all credentials and keys are updated, and inspect any egress traffic flow after moving them to a segregated network segment. For older devices, it was common to see that there was a lack of transport layer security (TLS 1.2+). As part of your vulnerability assessment, it is important to ensure that all older devices are enrolled in your patch and vulnerability management plans.
Michael Lyborg is the Senior Vice President of Global Information Security and Enterprise IT at Swimlane, an automated security operations platform.
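The egress inspection described above can be scripted against firewall flow records. The following is an added example, not code from the interview or from Swimlane; the segment range, device inventory, allowlists and CSV flow format are all constructed assumptions. It flags devices in the IoT segment that are missing from inventory, destinations that are not allowlisted, and sessions that are plaintext or below TLS 1.2.

```python
import csv
import io
import ipaddress

# Constructed for illustration: segment, inventory and flow records are hypothetical.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INVENTORY = {  # device IP -> (name, allowed egress destinations)
    "10.20.0.11": ("thermostat", {"203.0.113.10"}),
    "10.20.0.12": ("door-lock", {"203.0.113.20"}),
}
TLS_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"

# Constructed flow export; "-" in the tls column means no TLS handshake was seen.
SAMPLE_FLOWS = """\
src,dst,dport,tls
10.20.0.11,203.0.113.10,443,TLSv1.3
10.20.0.11,198.51.100.7,443,TLSv1.2
10.20.0.12,203.0.113.20,443,TLSv1.0
10.20.0.12,203.0.113.20,80,-
10.20.0.99,203.0.113.10,443,TLSv1.2
192.168.1.5,203.0.113.10,443,TLSv1.2
"""

def audit_flows(text):
    """Return (src, dst, finding) tuples for IoT-segment flows that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        src, dst, tls = row["src"], row["dst"], row["tls"]
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue  # not an IoT-segment source, out of scope for this audit
        device = INVENTORY.get(src)
        if device is None:
            findings.append((src, dst, "device not in inventory"))
            continue
        if dst not in device[1]:
            findings.append((src, dst, "destination not allowlisted"))
        if tls not in TLS_RANK:
            findings.append((src, dst, "no TLS observed"))
        elif TLS_RANK[tls] < TLS_RANK[MIN_TLS]:
            findings.append((src, dst, f"TLS below 1.2 ({tls})"))
    return findings

if __name__ == "__main__":
    for src, dst, finding in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {finding}")
```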