As a result of the increase in cyber-attacks launched by nation-states, cybercriminals, hacktivist groups and other entities, it has become increasingly important to understand the ecosystem of hardware, O/S, software, and services that are used in each organization’s network, including the data/telemetry that is collected and sent outside the organization’s network.
This problem is especially magnified with the emergence of the Internet of Things (IoT), which is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices.
Figure 1. Corporate network then (L) vs the corporate network now (R): The Internet of Things (IoT) is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices
In the past, IT personnel have had to manage the deployment life cycle of a seemingly diverse array of PCs, notebooks, smartphones, tablets, printers, routers, etc., within their business environment.
This includes initial configuration, adaptation/optimization, updating, and securing these devices over their deployment lifetime. Several decades ago, the word “heterogeneous” was used to describe networks with a “mind boggling” variety of, largely, PCs, notebooks, routers, printers, etc.
Now consider that this same task must be done for an increasingly diverse “super-heterogeneous” collection of intelligent devices whose diversity depends on several different factors, such as an organization’s industry and region.
Consider the possibility that there will not only be coordinated smart device deployments on the corporate network, but also arbitrary deployments of devices by employees – Bring Your Own Thing (BYOT).
Just as many have traditionally deployed their own routers or printers within their office environment, employees may arbitrarily deploy other, less traditionally-understood smart devices on the organization’s network. At first glance, it may not be entirely clear what these devices actually do: the benefits they bring vs. the perils.
Knowing about the existence of a smart device deployed on a corporate network will be an increasing challenge for an IT administrator. This is because, beyond having a basic Media Access Control (MAC) address, many smart devices today don’t have a common way to identify themselves on the network. Due to the current lack of standardization for identifying these devices, a series of methods will be needed to properly identify each individual device. Historically NMAP has proven useful for this task, but tracking down the physical location of a device will be a challenge in many cases, due to the lack of device discovery information available, along with possible challenges visually identifying the device due to its form factor.
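The MAC-based identification described above can be sketched as a reconciliation of observed addresses against an approved-asset inventory. This is an added example, not code from the original post; the inventory, the OUI-to-vendor table, the vendor names and the lease lines are all constructed, and the function names are hypothetical. It also handles a case the MAC alone cannot resolve: a locally administered (randomized) address, whose vendor prefix carries no meaning.

```python
import re

# Constructed sample data: approved-asset MACs and a tiny OUI table.
# Vendor names are placeholders; a real table comes from the IEEE OUI registry.
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
OUI_VENDORS = {"00:11:22": "ExampleCorp PC", "04:aa:bb": "ExampleThermo"}

# Constructed observations in "MAC IP hostname" form, e.g. exported from DHCP leases.
SAMPLE_LEASES = """\
00:11:22:AA:BB:01 10.0.0.10 fin-laptop-01
04-AA-BB-00-00-07 10.0.0.57 thermostat
DA:12:34:56:78:9A 10.0.0.88 -
00:11:22:aa:bb:02 10.0.0.11 hr-pc-02
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff form, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (randomized or
    software-assigned address), so the OUI says nothing about the vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def find_unknown_devices(leases_text, inventory, oui_vendors):
    """List observed devices that are absent from the approved inventory."""
    findings = []
    for line in leases_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        mac = normalize_mac(parts[0])
        if mac is None or mac in inventory:
            continue
        randomized = is_locally_administered(mac)
        findings.append({
            "mac": mac,
            "ip": parts[1],
            "hostname": None if parts[2] == "-" else parts[2],
            "randomized_mac": randomized,
            # Only trust the OUI prefix when the address is globally unique.
            "vendor_hint": None if randomized else oui_vendors.get(mac[:8]),
        })
    return findings

if __name__ == "__main__":
    for finding in find_unknown_devices(SAMPLE_LEASES, INVENTORY, OUI_VENDORS):
        print(finding)
```

A device that yields neither a vendor hint nor a hostname is the one that needs the further identification methods the paragraph mentions.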
Knowing about Device Problems
Knowing about issues related to specific brands and models of IoT devices is critical. An IT administrator will need to be more proactive about monitoring additional sources of information about smart devices deployed across their network, including but not limited to government entities (e.g., CERTs), hacker forums and organizations, industry groups, media, and manufacturer web sites.
Availability of Updates
Once a problem is known, the next challenge is how to correct the issue. For instance, if a firmware update is needed, how is it obtained?
Currently, there are no “Patch Tuesday” bulletins or “Windows Update” notifications available for IoT devices. These relatively well-organized scheduling and deployment instruments were implemented only after years of pain, along with a mass of complaints from affected organizations. Due to the variety of device manufacturers, an IT administrator will need to spend more time tracking down and downloading available firmware updates.
How to Apply Updates and Policy Changes
Once you know there is a problem with a smart device, the next step is how to apply the solution (if one exists). Consider that there may be several thousand of these affected devices deployed across the organization’s global network. Given that many smart devices have their own proprietary way to apply firmware updates and policies, evolved tools will be needed to perform this patching and policy correction to smart devices en masse. In addition, we can assume many devices will have limitations as to how much “policy” can be applied. For instance, you might need to change the hostname of a smart device, so that it conforms to an IT policy, or eases identification and manageability. The device may or may not let you do this.
Data Collection and Transmission
Another issue is the collection and transmission of data from the organization. Most smart devices include some form of communication with their manufacturer and possibly other providers.
There are several ways that devices collect data about the organization’s day-to-day operations. For instance, a motion sensor on a thermostat may collect telemetry about the presence of people in an office.
Another example might be devices that listen for “hot words” and have the ability to distinguish between different voices, and possibly, people. The company that manufactures this device, along with its partners that may also have access to this data, can monetize/trade using this refined “data revenue”. More significantly, this telemetry can be used as part of a coordinated attack on a company.
It’s important to understand what type of data is being transmitted outside of the organization, and whether or not it is properly encrypted. Additionally, these devices use new types of protocols that allow them to be more readily accessed from outside the organization. Monitoring systems within an organization might sound alarm bells when this communication is attempted, since it may vary from what is considered to be normal. This may in turn also trigger automatic blocks or lockdowns as networks and systems act to protect themselves.
Typically, attacks against cloud infrastructure are popular as they can yield a high amount of “data revenue”. Organizations need to consider how secure their device-collected data is in the manufacturer’s or its partners’ cloud. What if the manufacturer or one of its partners goes out of business: what happens to this data? Will it be scrubbed, sold to another organization, or will it end up lying in an arbitrary bay of servers at a computer auction?
For more information, refer to my previous post titled Is Your Data Safe In The Internet of Everything?.
Over time, the device must be regularly updated to assure continued operation. How does the collection and transmission of the data change with each update? Answering this is a time-consuming process, but it needs to be understood.
Spying in the Workplace
IoT empowers more covert spying within the workplace through the emergence of an increasingly diverse range of inconspicuous, Internet-connected monitoring devices. Though these highly consumer-friendly devices have been built with the best intentions, they can very easily be deployed, controlled, and monitored via a smartphone or tablet for nefarious purposes.
Some examples are:
- Placing an inconspicuous-looking home environment monitor, or even a baby monitor on a shelf within a conference room to listen in, watch, or record a confidential meeting
- Deploying a series of activity sensors on doors & windows in strategic locations within the workplace to monitor employee presence and activities
- Deploying a power line-based Ethernet extender to make the corporate Ethernet network accessible via a power outlet in an external area such as a parking lot that is subject to less physical monitoring
It is critical for the IT personnel to be able to fully identify new devices on their network, and understand the implications.
Aside from security-specific issues, the overall increase in the diversity of devices on the corporate network will also bring additional unforeseen administrative burdens on IT staff – such as the need to replace batteries in devices on a regular basis. These issues are further discussed in the Administrator of Things.
A more user-friendly and diverse “super-heterogeneous” range of devices with more permutations of hardware, OS, software, and cloud platforms means more work is required, more frequently, to continue to protect the organization.
Device visibility and intelligence are crucial to empower IT staff to proactively protect their organization from the additional risks incurred by the deployment of smart devices across their organization’s network.
Organizations need to weigh the value being delivered by the new technology vs. the costs required to use it, and the risks that it brings to their organization. The knowledge gained from this process will help to continually evolve the existing IT policy to properly accommodate IoT devices.
For some key security considerations for IoT devices, please refer to our guide titled What to Consider When Buying a Smart Device.