Business technology leaders are sending 4- and 5-star feedback after a webinar with CI Security’s Fred Langston.
In a survey, one called it, “thought provoking.” Another wrote to Fred to say, “Outstanding job on the webinar Fred. Excellent Q&A. Very helpful!”
Fred is the EVP of Professional Services for CI Security. The topic of the January 31 webinar was the insecurity of IoT devices. Attendees not only provided positive feedback, they also spent 30 minutes after the main event asking questions.
If you would like to watch the webinar, go here.
Highlights from the Q&A:
Since the Q&A portion of the webinar was so lively (going 30 minutes over time), we wanted to share a few of the questions and answers below. You can watch the entire Q&A session here.
Do you think vendors who create these devices have their own back doors built in?
Yeah. Without a doubt some of them do. The scary part is they don't even need to build back doors. They already know they're insecure. Especially in the light bulb space, the camera space, most of those people don't care about security. They can't. It's not economical. They can't stay in business because this stuff is commodity. They're pumping this stuff out just like regular light bulbs, right? Stopping to think about, "Is it secure?" is just not on their checklist of things to do.
So yes, some are having back doors built in, but the even sadder part is the technologies are so easily compromised in most cases that you don't need a back door, right? You can spend five minutes on the Internet, Google your device and say, "How do I hack," name your device. Chances are you're going to get something.
I will tell you, our penetration testers here at CI Security, they have a field day with these devices. It kind of makes it unfair, because it makes it really easy for them to be successful when we find them on most networks, because people never think about securing those devices.
What are some methods you would recommend to mitigate IoT devices from being used for points of attack?
Yeah. I can't stress isolation enough. This goes for IoT, operational technology, your HVAC system, your card key system, if you have a building with card keys. All of those types of technologies should be on their own network. You can share an operational technology network amongst these different technologies. It may be more difficult to do good monitoring, because you can't recognize things out of a lot of traffic, but isolate.
Isolate is the key thing here. Don't even allow them to connect back your network if possible. Sometimes that's not possible, but you want to make sure that they're not on the same network as all your critical assets, or frankly any of your other assets. Put them on their own network. VLAN them off. Put them on another leg on the firewall.
The other thing to keep in mind is some of, in particular, the more advanced devices and some of the medical devices were very difficult to upgrade, but they're finally, the US government has been pushing the medical device manufacturers. There's been a bunch of publications on how medical device manufacturers should be implementing security. They're finally getting to the point where they're able to reach out over the Internet and go get patches, which is a good thing, because years ago they weren't able to do this. You got to consider what they need to do to stay secure. Do they need to reach out to the Internet? The other part is, do we want them on the same network as our other stuff? Probably not.
How do you keep IoT at home secure?
That's a tougher one. I would suggest most people probably don't know their home router. If you've got, say, a Comcast router at home, you may not know that there's capability on many of them to add another segment. It's, again, that isolation of traffic I'd mentioned. You can actually do that with many home routers today, although most people don't know that function exists, and frankly, it's pretty clunky in a lot of implementations, but that's what I would do. I would keep my home laptop, my home workstation, the things that have sensitive data on a separate network than what I have my IoT devices.
Remember you're always communicating inbound, so if I'm trying to connect to my internal camera, I have to poke a hole right in my firewall usually, so I can see in and allow the ability to see what's going on in that camera, so it makes sense to not poke a hole in the same network segment where you have your key systems and your home computers with your tax returns, et cetera.
How do you vet IoT manufacturers?
That is a good one. I think there's some reputation that's starting to be built up out there. When you're looking at the operational technology environment, the industrial stuff, it's getting pretty good. Many of the vendors have taken, actually, a leading position on understanding that they need to put security into their products.
But when you're looking at the consumer market, that's dicey. That is really dicey, because you don't know what's in a device until you open it up. As I'd mentioned, you open up those IoT cameras, the innards are the same in 90% of the devices out there. It's the same company that makes one board that has a built-in processor and wireless on it and has no power to do much more than that. It's in almost all of them, but you won't know that until somebody, somewhere, like a security researcher has torn it apart and published about it.
I'm sad to say, right now, there's probably no great source for just the consumer style IoT as to who's a reputable manufacturer or not. I think that will shake out, but I'm not sure I have a great recommendation at this time.
Interesting in learning more about how CI Security can help you with your IoT security issues? Find out more here.