Here’s a quick highlights video from CISO Series Video Chat: “Hacking IoT Vulnerability Remediation: An hour of critical thinking of what to do when you find vulnerable devices on your network.”
Our guests for this discussion were:
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor Viakoo
Best Bad Ideas
Congrats to Phil Wolff, co-founder, Wider Team for winning this week’s Best Bad Idea!
Other honorable mentions go to:
“NEVER update IoT device firmware; just replace with new device because new devices always have up to date firmware” – John Gallagher, vp of marketing, Viakoo, Inc.
“Use dummy IoT devices instead of real ones; no one knows which are working anyway” – John Gallagher, vp of marketing, Viakoo, Inc.
“Only staff the SOC during normal business hours – nothing bad can happen if nobody is in the office, right?” – Brian Colt, information security engineer, DASH Financial Technologies
“Use Band Aids with Disney princesses to mark and classify each IoT device.” – Steve Tatem, sr. IT director, information security, Aspen Dental Management, Inc.
“Source IoT devices from manufacturers having a ‘going out of business’ sale. Think of the money you’ll save!” – Brian Colt, information security engineer, DASH Financial Technologies
“Let the ioT vendor decide the sensitivity of the data on the device.” – Drew Brown, IT security manager, Commonwealth of Pennsylvania
“Establish a governance structure specific to IoT. Apply cyber hygiene principles to IoT devices. Conduct data requirements analysis to be sure only necessary data is collected/retained.” – Drew Brown, IT security manager, Commonwealth of Pennsylvania
“Have Network Access Control on all office switchports, requiring user and device authentication to be put onto corporate network. Require approval from a user to be put onto guest network (internet only). Require MAC authentication on separate IoT network.” – Brian Colt, information security engineer, DASH Financial Technologies
“Configure beer refrigerator to unlock only after Fitbit indicates daily step goal has been reached.” – Sean Kelly, manager, enterprise information risk assurance, Highmark Blue Cross Blue Shield of Western New York
“Assign static IPs or create DHCP reservations based on MAC addresses for IOT devices; place IOT devices in one or more VLANs; restrict connections between IOT VLANs and the Internet; restrict connections between IOT VLANs and other VLANs. Regularly update IOT firmware. Change IOT default passwords. Disable SNMP v1/2 on IOT devices. Disable telnet on IOT devices. If possible, add SSL decryption certificate from your IPS system as a trusted certificate on your IOT devices.” – Michael Zinn, systems engineer, Micro Systems Management
“Find a way to assign an identity to all IOT devices and track them like you do your personnel identities” – Craig Hurter, director security operations, Colorado Governor’s Office of Information Technology
“Think outside the enterprise. Convene vendors, their vendors, partners, rivals, and everyone that touches your IoT fleets. You’re in IoT together and you need to work together.” – Phil Wolff, co-founder, Wider Team
“Besides having all IoT devices officially being deployed managed and monitored scan your network regularly on new shadow IT devices and either block their addresses or bring them in in an official way.” – Roland Mueller, self-employed
Quotes from the chatroom
“If you can’t monitor the activity (in a meaningful way) where you can identify what is happening, then you can’t determine if the activity is malicious or benign. If you can’t determine if it is malicious or benign, high security requires that you assume it is malicious.” – Michael Zinn, systems engineer, Micro Systems Management
“IOT is all about providing new functionality, so innovation in what the device can do resists ‘best practices’ like secure coding” – Rick Woodward, cyber security architect and manager
“I keep seeing device makers forcing themselves to be data intermediaries. You buy the gear but the data flows through them first.” – Phil Wolff, co-founder, Wider Team