The Truths and Lies of IoT Security

As the Internet of Things (IoT) accelerates the pace of the enterprise with data-driven decision making, IoT will soon be required to outsmart the competition. CEOs, CIOs, and CISOs understand these pressures. But how do they get in the game without jeopardizing the integrity of their global IT network and company data?

Executives are making the dash for the IoT playing field, but many are getting tangled in the truths and lies of IoT security. Yesterday’s security techniques and legacy networks don’t always transition well into the new world of IoT. There’s a lot to consider, including key strategies for the new IoT era. To expose the certainties as well as the snare traps of misconception, let’s play a game of “two truths and a lie.”

Truth or Lie? CISOs need to take into account special security considerations when implementing an IoT program.

The Answer: Truth

Maybe that question is too easy, but here is what’s difficult: the long list of IoT security considerations. IoT is a magnet for hackers, because connected watches, housewares, and manufacturing machines give them new territory to exploit. The same cyber hacking methodologies used to attack endpoints are now being used to attack connected devices.

Once entry is gained, attackers move progressively closer to high-value targets. These lateral movements are the key indicators of network infiltration and a telltale sign of a hacker. The bottom line is: you need advanced tools and techniques to prevent, monitor, identify, and quickly respond to lateral movements as well as a host of other indicators that may arise from the IoT infrastructure. Whether they are company-owned devices or “rogue devices” connected by employees or guests who forget to inform the enterprise IT department, security protections are key.

Security considerations for IoT include:

Truth or Lie? Monitoring the security of thousands of connected devices is the same as monitoring thousands of endpoints.

The Answer: Lie

Many assume that endpoint detection tools can be applied to connected IoT devices, making it easy to monitor hundreds or even thousands of connected things.

But that’s a fallacy. These models cannot be practically applied to IoT.

Why? Because of the lack of standardization. Not every connected device is running on the same operating system, which causes logistical and scalability challenges. The endpoint detection and response tools we have today aren’t fit for IoT because:

  • Devices use a variety of communication protocols,
  • Potential vulnerabilities come from disparate proprietary systems, and
  • Security patches are not easily available or deployable (much less available for testing and quality assurance).

Therefore, we can’t apply monitoring standards across all devices and manage that complex operation from a central system. Our technology simply isn’t there yet.

Truth or Lie? Network segmentation techniques are effective in securing an endless number of connected devices.

The Answer: Truth... but...

Yes, enterprises should isolate IoT devices on their own network, separating device traffic from other critical network infrastructure. But it’s important to note that segmentation is just one of many security strategies that should be deployed with IoT.

Network segmentation is highly effective for IoT, because it is a primary approach for securing the network and isolating threats from within. As one of the strongest techniques for security, it improves access control, monitoring, response to incidents, and containment. Creating isolation zones (discrete virtual networks and Layer 3 VPNs) puts layers of protection in place with incremental gates that help limit the attack surface in the event that a hacker compromises a connected device.

Isolated zones are helpful because IT teams can write security policies and rules for each one depending on the type of traffic originating from each zone. This helps create granular controls that can be applied only to those connected devices. With the IT infrastructure broken into components, enterprise IoT programs improve their security posture. Here’s a great resource on segmentation best practices that keep your network design and security operations aligned.
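The per-zone rules described above, and the lateral-movement indicator from the first answer, can be sketched as a default-deny policy check over flow records. This is an added example, not Masergy's tooling; the zone names, address ranges, ports, alert threshold and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zones (assumed addressing), one discrete network per device class.
ZONES = {
    "iot-cameras": ipaddress.ip_network("10.50.1.0/24"),
    "iot-hvac": ipaddress.ip_network("10.50.2.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "datacenter": ipaddress.ip_network("10.20.0.0/16"),
}
# Per-zone rules: (source zone, destination zone, protocol, destination port).
# Default deny: anything not listed is blocked, including IoT-to-IoT traffic.
POLICY = {
    ("iot-cameras", "datacenter", "tcp", 554),  # video stream to recorder
    ("iot-hvac", "datacenter", "tcp", 8883),    # telemetry to broker over TLS
    ("corp", "datacenter", "tcp", 443),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def evaluate(flow):
    """Return (verdict, source zone, destination zone) for one flow record."""
    src, dst, proto, dport = flow
    sz, dz = zone_of(src), zone_of(dst)
    verdict = "allow" if (sz, dz, proto, dport) in POLICY else "deny"
    return verdict, sz, dz

def lateral_movement_alerts(flows, min_targets=3):
    """Flag IoT hosts whose denied flows reach several distinct internal hosts."""
    targets = {}
    for flow in flows:
        verdict, sz, dz = evaluate(flow)
        if verdict == "deny" and sz.startswith("iot-") and dz != "unknown":
            targets.setdefault(flow[0], set()).add(flow[1])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed flow records: (source IP, destination IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.50.1.20", "10.20.0.5", "tcp", 554),   # permitted camera traffic
    ("10.50.2.7", "10.20.0.9", "tcp", 8883),   # permitted HVAC telemetry
    ("10.50.1.33", "10.10.4.12", "tcp", 445),  # camera reaching into corp
    ("10.50.1.33", "10.10.4.13", "tcp", 445),
    ("10.50.1.33", "10.50.2.7", "tcp", 22),    # camera reaching another IoT zone
    ("10.50.2.7", "10.10.1.1", "tcp", 443),    # single denied flow, below threshold
]
if __name__ == "__main__":
    for src, dsts in lateral_movement_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src} probed {len(dsts)} hosts outside its policy: {dsts}")
```

Because each zone carries its own allowlist, a denied flow is already a signal, and one device fanning out to several denied destinations is the containment case segmentation is meant to surface.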

As IoT’s insights become a requirement for competitiveness, CIOs and CISOs must generate a holistic security strategy and a modern network capable of underpinning the enterprise’s digital vision. Executives need to understand the truths and lies of IoT security.

About Craig D' Abreo

VP, Security Operations, Masergy
Craig oversees the Managed Security, Threat Intelligence and Security Professional Services departments at Masergy. He is responsible for Masergy’s proactive enterprise cybersecurity threat management and operations program. Craig holds a bachelor’s degree in Computer Science and an MBA in Information Security. He is a Certified Information Security Systems Professional (CISSP) with over a decade of experience in the security industry and holds various network security certifications. He has written on various security blogs, spoken on a range of industry panels and is a recognized thought leader in the cybersecurity space.