One of the biggest security concerns, when it comes to IoT devices, is unauthorized access. Unbeknownst to the everyday user, each device can act as an entry point into a network. Leaving them unsecured could create a large and unmanageable attack surface.

The Mirai botnet malware attack, which struck two years ago, showed just how high IoT risk really is. To carry out the attack, hackers gained access to millions of routers and IP cameras through hardcoded default passwords, like admin/password or root/1234.

They then created a botnet leveraging the hijacked cameras to conduct a coordinated DDoS (distributed denial of service) attack that rendered much of the Internet inaccessible on the United States' East Coast.

More recently, VPNFilter malware targeted IoT devices, infecting SOHO (small-office-home-office) routers through well-known software vulnerabilities.

"Who cares about SOHO routers?" you might ask. Well, these devices are used by critical infrastructure, such as the energy sector. Imagine the impact this kind of malware could have on the U.S. if it could shut down energy grids.

The potential ramifications of compromised IoT devices could be detrimental to both our online and physical safety.

As these examples show, IoT devices have the potential to create a high-risk security environment capable of widespread, crippling damage -- not to mention a complete headache for security executives and their teams.

Managing Your IoT Devices

• Give devices an identity: To achieve this, you must first embrace a different mindset. View IoT devices not as pieces of technology, but rather as privileged users who have access to sensitive information. By assigning a device and identity and provisioning them appropriately, their activity can be monitored and managed throughout their whole life cycle on the network.
• Apply device governance: Once each device is given an identity, you should apply policy-based authentication and access control. It's easy to deploy an IoT device and forget about it, but the reality is that these devices are a conduit between the internet and your environment, making them an easy attack vector for unauthorized users to gain access to sensitive corporate information. Device authentication and access should be governed and routinely revisited during the full device lifecycle -- through software updates, bug fixes, new firmware, routine maintenance and diagnostic improvements.
• Employ the principle of least privilege: Just as you would only give an employee the minimum access to data and systems they need to do their jobs, businesses need to limit the access of their IoT devices. Employ firewalls and permissions to safeguard against unauthorized devices obtaining proprietary or privileged information. For example, your smart printer doesn't need access to the CFO's income statements folder. The less access you give an IoT device, or employee, the less damage either could bring to the enterprise.
• Manage device passwords: Similar to users, IoT devices contain passwords that grant them authentication to systems, files and data. Best practices for managing user passwords -- such as requiring routine resets and multifactor -- also apply to IoT passwords. These passwords must be updated routinely and closely managed to protect the vital information they store.
• Monitor the device: Devices should be monitored 24x7 to identify unusual activity, check for necessary patch updates, and confirm each device is still in the right network segment. Machines are highly predictable, and abnormal behavior can be a clear giveaway if there is an unauthorized user controlling the device. Without the right monitoring processes in place, these abnormalities -- and thereby potential malicious actors -- can go undetected.

Managing IoT devices as employees, as part of your identity and access management processes, is the best way to ensure any access is kept in check and potential threats or anomalies are monitored. Although there can be thousands of IoT devices connected to a network at once, it takes only one poorly managed machine to inadvertently breach an organization. As more of these devices join the network, businesses that employ these best practices can work to eliminate IoT as a threat, and begin to realize the productivity potential it was designed to bring them in the first place.

Source internet ...