Why You Need Timely Patching and Multi-Factor Authentication in IoT
There’s no magic wand for making cyberattacks disappear once and for all. Perpetrators constantly update their strategies and tactics to exploit new attack vectors, so security measures must continually evolve to cover all bases in an organization.
In the first part of our series on the best practices for IoT security, we focused on network segmentation. It mitigates risk by segmenting internal traffic from that of external parties, like guests. That reduces the attack surface across the network, restricts traffic flows and makes threats easier to contain. Plus, segmentation simplifies regulatory compliance and lessens key dangers within the vast Internet of Things (IoT).
Beyond segmentation, many other best practices are integral to comprehensive protection. Let’s look at two more, as covered in our webinar, “Protect Your Business: Top 5 Best Practices for Connected Devices.”
Best Practice #2: Why You Should Plan the Patching of Your IoT Infrastructure
The dangers of unpatched PCs and servers are well understood. They’ve been front and center in some of the most prominent attacks in recent memory, including WannaCry ransomware. In the IoT, even routine patching is more complex and risk-prone.
For example, medical device hijacks (aka MEDJACKS) typically involve the lateral movement of malware across networked, interconnected platforms that perform tasks such as MRI processing, picture archiving and communications, and blood gas analysis. This essential infrastructure is highly vulnerable to these types of attacks, in part because of the difficulties associated with patching.
To further complicate things, it’s difficult to maintain these systems considering their environment, especially those devices that require special handling to upgrade. Still, even mundane office equipment such as printers, as well as relatively simple IoT appliances like embedded sensors, usually aren’t patched as rapidly as traditional endpoints, such as laptops or mobile devices.
What’s the solution? Given the immense variety of IoT infrastructure, there’s no one-size-fits-all approach. However, the periodic use of a vulnerability scanning tool is a good starting point. Once vulnerabilities are identified, you need to carefully consider their severities, the end-user impact, and operational downtime as you prioritize patching your systems. In many cases, you might not have to completely disable an essential IT function, but instead simply limit its functionality as you perform patches.
Best Practice #3: The Importance of Two-factor/Multi-factor Authentication for IoT Admin Accounts
Passwords have been the bane of information security and the user experience since the time they were necessary for switching between users on time-sharing systems. Too often, they are weak enough to be overcome with dictionary attacks, too complex to remember–or both.
Enter two-factor or multifactor authentication (2FA/MFA). Among consumers, 2FA/MFA is probably best known as the SMS code required for verifying actions such as opening new accounts or making unusual bank transactions. For organizations, it can be enforced much more systematically, with additional factors that are safer than text messages.
A business-class 2FA/MFA system might require the use of biometrics (usually a fingerprint, retina scan or facial recognition pattern), hardware tokens and/or separate devices in addition to a standard password. These requirements are particularly important for ensuring the integrity of administrator actions pertaining to IoT devices.
Unlike laptops or smartphones, many IoT devices are so minimalistic that you can’t log on to them from their own interfaces directly. Their entire security depends on administrator actions, making the thorough verification of any changes or updates mission-critical.
While 2FA/MFA is central to IoT security, it is not as widely used as it should be. A U.S survey conducted by Duo Security found that only 28 percent of those surveyed were using 2FA/MFA and that less than half of respondents had even heard of it. There was some good news: Two-thirds of those who used push notifications or security keys for 2FA/MFA think they’re convenient.
Further Actions for Securing Your Connected Devices
Segmenting your network, devising a systematic patching strategy, and enabling 2FA/MFA on administrator accounts all contribute to more secure IoT devices. In the final entry in this series, we’ll look at two more steps, you should take for comprehensive IoT security. Also, be sure to check out the full webinar and learn more about how a security operations center improves your position in IoT.