Vote Zero Trust on IoT
Updated: Mar 9, 2020
Then we have the question of privacy. Many IoT devices have both cameras and microphones that watch and listen to you. Moreover, they all do one thing -- collect data. And since data has surpassed oil to become the most valuable commodity on earth, companies large and small are literally fighting for every bit. In a recent study, security researchers found that 72 out of 81 IoT devices surveyed had shared data with a third party other than the original manufacturer.
So you think you can trust your IoT device?
Let's start with these three facts:
IoT devices (out-the-box) are only equipped with "minimum" security features.
IoT devices increasingly are involved with botnet attacks and crypto-currency mining.
IoT devices are built on multiple operating systems rendering them difficult to monitor.
Still think you can trust your IoT device? Well, according to security research done by Deral Heiland at security firm Rapid7, "inter-chip communications" (how data flows throughout devices) between key components like the main processor, Wi-Fi processing chip, or a Bluetooth chip, was found to possess a number of weaknesses. A few of which being the ability for a hacker to determine things like:
Sensitive information about authentication keys used to secure the device, (i.e.: whether they were short enough to potentially be brute-forced).
If the system always required authentication, or applied it inconsistently.
Whether or not the IoT device-keys change or are always the same.
If we were to take into account the fact that there are millions of older generation, un-patched, insecure IoT devices currently connected to the internet, the case for placing trust in an IoT device starts to fall apart.
Bottom line: in the immortal words of our 40th president, it's time that we "trust, but verify". However, if you're like me and would like to take it even one step further, let's explore another security model -- Zero Trust.
What is Zero Trust?
Instead of assuming that all devices (IoT and otherwise) behind a firewall (hopefully you have one) are safe, a Zero Trust framework always anticipates a breach by verifying each information request as though it came from outside of your home or commercial network. The main attribute of Zero Trust is that every access request is authenticated, authorized, and encrypted before being granted permission.
Zero Trust has six key components:
Identity
Device
Application
Data
Infrastructure
Network
In order to create the best possible strategy for protecting IoT devices from malicious code and subsequent data breach, each of these components should figure prominently in any home or business security plan. Any reputable security plan must also address and provide guidance on data encryption, real-time network insight, and device verification.
Operation High Ground
Nine Mile Security Group employs Zero Trust as part of our virtual CSOC (Cyber-Security Operations Command) solution. Our CSOC, which directly supports 'Operation High Ground', continuously monitors IoT devices and protects your critical assets while staying true to three key Zero Trust standards:
Strengthening credentials.
Reducing attack surface area.
Automating threat response.
Build cyber-resilience with Operation High Ground's threat detection, prevention and remediation solutions. Whether you need only augment, are looking to integrate, or would like to fully level up your cyber defenses, we can help.
Contact us to protect what's important to you.