Second part of our dossier dedicated to IOT, after having seen the threats that weigh on these new tools that accompany our daily lives, let’s now see how to protect ourselves.
What better way to understand an attack, than to put yourself in the shoes of the potential enemy?
It is essential to keep in mind that the cybercriminal is not targeting the devices themselves but using those same IoT devices as an entry point into the overall corporate network. The attacker is an opportunist, he will always look for clever ways to divert connected objects from their primary functionality to meet his own objective. He will be looking for the slightest vulnerability, flaws that will allow him to get into the system. Faced with this observation, how can we protect these new objects that are part of our daily lives?
Securing the manufacturer's side
Gartner states that IOT manufacturers favor usability, commercial aspect, priority to be first to market, they tend to speed up the development process forgetting the security steps. Manufacturers must be involved in security. This must be done upstream of the manufacturing process and therefore, of course, before the purchasing process. Each manufacturer must make a risk analysis.
"The majority of major vendors are making efforts to address these safety concerns, but the majority are not yet at that stage. They are prioritizing convenience, ease of use, time to market, over any other safety considerations. "
For example, studies have shown that some manufacturers’ web or mobile interfaces are not secure, that the authentication system is insufficient or that configuration options are limited.
From component manufacturers to resellers, the entire process must be checked. It is imperative to have end-to-end security.
Manufacturers must therefore ensure that they have a reliable PKI infrastructure. The role of the PKI (Public Key Infrastructure) is to issue digital certificates, which guarantees :
- confidentiality: personal data must not be intercepted. Encryption must be activated to guarantee confidentiality.
- data integrity and authenticity: any message sent must be certified, i.e., ensure that the recipient or the message has not been modified.
The designers must master these security aspects but also measure the impact of such a failure. This security assurance will finally be a competitive advantage and a proof of seriousness from the company.
Now since the RGPD law of 2018, designers are obliged to maintain a “development book” indicating all the security measures considered. (Rights of information, access, rectification, deletion of data, data traceability and the right to portability).
The low level of security can also be explained by the diversity of existing standards among large companies.
Securing the business side
Most employees have a smartphone, a tablet, even a connected watch or any other connected object. They sometimes use them intentionally (this is the case with smartphones, to read work emails) or unintentionally in the context of work. It should not be assumed that IoT devices are inherently secure. Another point to note is that many times the employer is not even aware of them.
The IoT thus becomes the privileged target of attacks, we saw it in our previous article, let’s see how a company can best secure these new tools.
A cyber attacker can take control of a mobile device that an employee uses for personal and professional purposes to send emails for example, and thus access the company’s data. For this reason, employees should not access company information over unsecured wireless networks. No IOT should be connected without the approval of the technical or IT department.
The company must ensure that it has a secure network. Each device, each peripheral, USB key, etc. must be authenticated and encrypted to avoid any compromise.
With the mobility of employees, due to the pandemic in particular, companies must adapt and also understand that their mobile park is a vector of danger. Such intrusions can be terrible for a company: interruption of operations, denial of service, data theft, even ransomware. Many devices are now vulnerable because they have been forgotten, yet they are the object of attackers’ covetousness. Security departments must not forget to deploy patches and security upgrades for these new mobile devices. Zero trust for IoTs is therefore the order of the day. All devices that connect to the corporate network must be monitored.
Unified endpoint management is an essential security solution: the UES technology from TEHTRIS meets this need. According to GARTNER, this solution allows “managing, securing and deploying enterprise resources and applications to any device from a single console.”
TEHTRIS UES is the combination of 3 technologies:
- an EPP, an anti-virus with extended capabilities.
- an EDR, an agent specialized in incident response and defense in depth. TEHTRIS EDR includes numerous detection and neutralization engines capable of analyzing known and unknown threats. It is compatible with all OS, even obsolete versions.
- and the MTD, which allows to protect mobile devices, such as smartphones and tablets.
The human factor is always an important consideration in securing.
Here are our 10 protection tips to put in place:
- Make your employees aware of their own security and, by the same token, that of the company. Connected objects are no exception.
- Take responsibility. Customers should evaluate the security of the products they buy and check the standards, and make sure that the object they buy does not have any potential vulnerabilities. Choose items that have been proven to work, so they have been updated many times.
- Check secure settings before connecting a device to the network, e.g. make sure that external ports are disabled, that the guest Wi-Fi network and your IOT in general is off the main network.
- Remember to remove obsolete or unused objects from the network.
- Change passwords regularly, and have a multi-factor authentication.
- Think about encrypting your exchanges, use secure channels. Depending on your IOT, use a secure VPN.
- Do not store your data on the device, prefer a secure location.
- Apply the patches available to IoT, keep your connected object up to date with the latest versions.
- Avoid unofficial application stores and limit application permissions.
- Protect your IoT with appropriate technologies. Have a reliable security solution, such as the TEHTRIS MTD technology that protects your smartphones. TEHTRIS MTD is a solution for fighting threats on mobile devices, to prevent them from being the gateway to your entire network. Our technology can detect abnormal behavior and raising different types of alerts.
For more information about protecting your connected devices, you can visit these websites
The level of security requirements is changing
Internet of Things (IoT) devices are among the least secure connected machines, but they are also becoming ubiquitous in our lives, so their security should not be overlooked. Manufacturers have understood this and are becoming more and more vigilant. Companies are also taking the measure of the danger of these objects for their structure.
Finally, regulations have evolved, the European Telecommunications Standards Institute (ETSI) has established cyber security standards to protect users of smart devices, and new laws are strengthening requirements for manufacturers to protect both consumers and organizations.