The Internet of Things is growing fast. McAfee sees the market for IP-connected hardware reaching 200 billion devices by the end of 2020. (See “A Guide to the Internet of Things” graphic, at the end of this post.) Given this widespread adoption, security should be a primary concern. The Dyn DDoS attack last year by the Mirai botnet demonstrates the power of IoT exploits. It is essential that IoT devices are carefully configured to reduce the chance of any security breach.
The following elements should be part of anyone’s best security practices to reduce IoT threats:
- Secure user interface (mobile and desktop)
- Strong transport encryption
- Secure network services
- Access-level control
- Data protection
- Updated secure firmware and software
Secure user interface (mobile and desktop)
The first consideration of IoT structure is device access. Ensure that the application interface used to access the device follows all application security steps. Some sample checks:
- The application should be secure from major data validation breaches such as cross-site scripting and SQL injection.
- The login page should pass applicable checks for weaknesses such as account harvesting, account lockout, insecure account reset mechanisms, etc.
- The login password should follow strong password policies.
- You should receive an alert if the device is accessed from an unfamiliar source.
Strong transport encryption
The information exchange layer plays a critical role in IoT data exchanges. Keep the following points in mind during configuration:
- Make sure that the latest secure encryption protocol (newest TLS version) is used to encrypt the information.
- An audit file should be generated for all login attempts.
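One way to act on the login audit file and the unfamiliar-source alert listed above, shown as an added example that is not part of the original post. The audit record format, the per-account list of known sources and the failure threshold of three are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample audit records (the format is an assumption for this example):
# timestamp  account  source-address  result
AUDIT_LINES = """\
2020-01-10T08:00:01Z admin 192.168.1.20 OK
2020-01-10T08:05:12Z admin 192.168.1.20 OK
2020-01-10T09:14:40Z viewer 192.168.1.35 FAIL
2020-01-10T09:14:44Z viewer 192.168.1.35 FAIL
2020-01-10T09:14:49Z viewer 192.168.1.35 FAIL
2020-01-10T09:15:02Z viewer 192.168.1.35 OK
2020-01-10T11:30:00Z admin 203.0.113.7 OK
malformed line
"""

# Assumed baseline: sources each account normally logs in from.
KNOWN_SOURCES = {"admin": {"192.168.1.20"}, "viewer": {"192.168.1.35"}}
MAX_FAILURES = 3  # hypothetical lockout threshold


def review_audit(lines, known_sources, max_failures=MAX_FAILURES):
    """Return a list of (timestamp, account, source, reason) alerts."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per account
    for line in lines.splitlines():
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            # A record that cannot be parsed is itself worth a review.
            alerts.append((None, None, None, "unparseable audit record"))
            continue
        ts, account, source, result = parts
        if result == "FAIL":
            failures[account] += 1
            if failures[account] == max_failures:
                alerts.append((ts, account, source, "lockout threshold reached"))
            continue
        failures[account] = 0  # a successful login resets the counter
        if source not in known_sources.get(account, set()):
            alerts.append((ts, account, source, "login from unfamiliar source"))
    return alerts


if __name__ == "__main__":
    for alert in review_audit(AUDIT_LINES, KNOWN_SOURCES):
        print(alert)
```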
Secure network services
A well-configured network device always reduces opportunities for hackers. While configuring the device, create a secure architecture. Key points:
- Ensure that no extra service port is open on smart devices.
- Ensure that network services are reliable and safe from attacks such as denial of service, fuzzing, etc.
Access-level control
If a device has more than one user-level access control, permissions should be set appropriately.
- Ensure that low-level users are restricted from access to high-level functions.
- The administrator should be able to review all access incidents.
Data protection
It is very important to follow best security practices to protect privacy. Attackers often want to steal sensitive user data (login details, personal information, etc.). This data may be stored on access or IoT devices.
- Make sure sensitive data is never stored in devices’ memory.
- If the business needs to store data locally, it should always be in encrypted format.
- Devices should ask for only required information to complete any action.
- Ensure the separation of users’ data. Only an administrator should have permission to access users’ sensitive information.
Updated secure firmware and software
All active devices in the IoT infrastructure should be updated to the latest versions to secure them from known vulnerabilities. Key points:
- Ensure that embedded devices are patched with the latest firmware.
- Mobile or desktop applications should not use vulnerable software versions.
- Ensure that devices use auto updates.
- Updated files should be securely transmitted to devices.