At Schneider Downs, we understand that the continuous advancement of technology fuels a corresponding expansion in the variety of internet-connected systems and devices used by our clients. These devices have the potential to enable process efficiency, analytics, and even security. Common examples we see in organizations each day are camera systems and door lock systems. Often, these types of devices are designed to be easy to use, but may overlook various aspects of security.
It’s easy to underestimate the threats these devices can pose to your organization. While providing penetration testing services to clients, our security analysts have leveraged poorly configured systems like door locks to gain access to restricted areas and sensitive data. Device functionality will always be the primary selection criterion, but each device should also be looked at from a security perspective. Here are some security-focused areas that should be considered in the selection process:
Vendor Reputation – What’s the reputation of the manufacturer of the device you’re considering, and how long have they been around? If the manufacturer goes out of business or drops product support for your device, updates will stop, vulnerability management will become much harder and you may even need to retire the devices early. Considering product support plans and how long manufacturers have been in business can help ensure that your chosen device has longevity.
Credential Management – Many devices come with a default username and password to log in with, often as simple as admin:password. Ensuring, at a minimum, that the device’s password can be changed is essential to the security of the data it may collect. Measures then need to be put into place to ensure those credentials are actually changed from their defaults. If not, your device will be vulnerable to anyone with a connection who is smart enough to Google for those default credentials.
Encryption – Chances are if you’re exploring IoT devices for your organization, you’re interested in the data those devices can collect. Choosing devices that support encryption of data at rest and in transit will help that data stay confidential. Choices may be limited since many devices lack the computing power required for secure encryption; your organization will need to determine whether or not the device’s connectivity and purpose warrant encryption. The risk posed by devices with weak encryption, or with no encryption at rest, can be mitigated by isolating them on separate networks and encrypting their traffic in transit with TLS.
Patching – Unpatched devices are one of the biggest risks to any organization. For IoT devices, patchability is twofold. First, make sure the device’s hardware is capable of being patched. If a vulnerability is exposed and your device can’t receive a patch, your best option to secure it will be to replace it. Second, you must ensure that newly released patches are applied, whether via automatic updates or on a manual schedule. Further, some products that require manual updates may need physical access to the device for each update.
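The four criteria above can be turned into a repeatable pre-purchase or inventory check. The following Python script is an added example written for this article, not Schneider Downs’ tooling; the vendor names, device names, support dates, firmware versions and the short list of factory-default credentials are all constructed for illustration. It assumes a device manager that stores only a SHA-256 fingerprint of each device’s configured credential, so the checker can detect an unchanged factory default without ever handling the password itself.

```python
"""Inventory check for IoT device candidates against the four criteria above.

All device records, vendor names and default-credential entries below are
constructed for illustration; they are hypothetical, not data from any real
vendor or client.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import hashlib

# Constructed, deliberately short list of factory defaults to compare against.
# Only hashes of these are kept, so the checker never needs a device's real password.
KNOWN_DEFAULT_CREDENTIALS = [
    ("admin", "password"),
    ("admin", "admin"),
    ("root", "root"),
]

ASSESSMENT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


def credential_fingerprint(username: str, password: str) -> str:
    """SHA-256 of 'user:password'; the device manager stores this, not the password."""
    return hashlib.sha256(f"{username}:{password}".encode("utf-8")).hexdigest()


DEFAULT_FINGERPRINTS = {credential_fingerprint(u, p) for u, p in KNOWN_DEFAULT_CREDENTIALS}


@dataclass
class Device:
    name: str
    vendor: str
    support_ends: Optional[date]      # None: vendor publishes no support end date
    credential_fingerprint: str       # fingerprint of the credential currently set
    can_change_password: bool
    encrypts_in_transit: bool         # management and data channels over TLS
    encrypts_at_rest: bool
    isolated_network: bool            # placed on its own VLAN / network segment
    patchable: bool                   # hardware can receive firmware updates at all
    firmware_version: Tuple[int, ...]
    latest_firmware: Tuple[int, ...]


def assess(device: Device, today: date) -> List[str]:
    """Return a list of findings; an empty list means all four checks passed."""
    findings: List[str] = []

    # Vendor reputation: is there a published support lifecycle, and has it ended?
    if device.support_ends is None:
        findings.append("vendor: no published support end date")
    elif device.support_ends <= today:
        findings.append("vendor: product support has ended; updates will stop")

    # Credential management: can the default be changed, and has it been?
    if not device.can_change_password:
        findings.append("credentials: password cannot be changed from default")
    if device.credential_fingerprint in DEFAULT_FINGERPRINTS:
        findings.append("credentials: factory default still in use")

    # Encryption: transport encryption is expected; missing at-rest encryption
    # is tolerable only when the device is isolated on its own network.
    if not device.encrypts_in_transit:
        findings.append("encryption: no transport encryption (TLS)")
    if not device.encrypts_at_rest and not device.isolated_network:
        findings.append("encryption: no encryption at rest and not network-isolated")

    # Patching: unpatchable hardware means replacement; otherwise check currency.
    if not device.patchable:
        findings.append("patching: hardware cannot receive updates; plan replacement")
    elif device.firmware_version < device.latest_firmware:
        have = ".".join(map(str, device.firmware_version))
        want = ".".join(map(str, device.latest_firmware))
        findings.append(f"patching: firmware {have} is behind latest {want}")
    return findings


# Constructed sample inventory: one camera still at factory settings, one door
# lock configured the way the article recommends.
SAMPLE_INVENTORY = [
    Device("lobby-camera-01", "ExampleCam", date(2023, 1, 1),
           credential_fingerprint("admin", "password"), True,
           False, False, False, True, (1, 2, 0), (1, 4, 1)),
    Device("server-room-lock", "ExampleLock", date(2027, 12, 31),
           credential_fingerprint("facilities", "Rotated-Passphrase-2024"), True,
           True, True, True, True, (3, 1, 0), (3, 1, 0)),
]


def assess_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its list of findings."""
    return {d.name: assess(d, today) for d in devices}


if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script, the camera produces five findings (support ended, default credential, no TLS, no at-rest encryption without isolation, firmware behind) and the lock produces none. Extending the default-credential list or the inventory is a matter of adding entries; the comparison is done on hashes so a shared checker never has to be trusted with device passwords.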
Final Thoughts
While the aspects discussed in this article are angled towards selecting IoT products, security considerations should be examined as part of any organization’s technology selection process. If we as consumers can consistently make decisions and ask questions based on security, there’s a chance more vendors will design products with these elements in mind.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].