There has been a lot of discussion recently about the “Internet of Things” (“IoT” for short). The IoT is made up of devices, vehicles, appliances, and other non-traditional computers that can communicate independently over a network. In a financial institution, IoT devices often include cameras, thermostats, security sensors, and music or video systems.
In addition, some institutions are starting to use IoT technology to enhance services to customers by using Bluetooth “beacons” to detect and pre-announce customers at branches or by providing apps that allow bill pay via Amazon Alexa.
While IoT devices provide convenience, they can also have a dark side. Attackers sometimes exploit security holes in IoT devices and then use those devices to attack other systems. In October 2016, the Mirai botnet used cameras and other devices to bring down large portions of Twitter, Netflix, CNN, and other sites.
Vulnerabilities have also been discovered in baby monitors, cardiac devices in hospitals, and even Jeeps. A recent vulnerability in Google Home devices was found to allow an attacker to determine the physical location of the device to within feet, data an attacker could use to launch blackmail or extortion attacks.
Financial institutions need to be aware of the dangers of IoT devices and need to take steps to protect themselves from these dangers. Some steps that should be considered include:
- Inventory IoT Devices: Institutions should know what devices are in use within their facilities. The easiest way to do this is to make sure the asset management process includes periodic scans of all internal network ranges, with any previously unknown device investigated and identified.
- Separate IoT Devices: Devices which do not need to be on production network segments should not be. Where possible, keep these devices on physical or logical networks separate from those where production data is stored. If devices do need access to production networks, add controls to the network to ensure they can reach only what they need to reach.
- Include IoT Devices in Vulnerability Management: Be sure to scan IoT devices during vulnerability management scans so you are alerted to any detectable vulnerabilities, and give those vulnerabilities the same priority as ones discovered on traditional workstations and servers.
- Patch IoT Devices: Periodically check vendor websites to see if updates are available and apply these updates when available.
- Include IoT Devices in Risk Assessments: To ensure that the risk of IoT devices is understood, the devices should be included in the annual risk assessment process. Document the risks, controls, and (where required) any further actions needed to bring the risk of devices within an acceptable range.
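The inventory and separation steps above can be checked in one pass by reconciling a network scan against the asset inventory. The following is an added example, not Bedel Security's code; the inventory, the network ranges, and the three-column scan export are all constructed here for illustration.

```python
import ipaddress

# Constructed asset inventory keyed by MAC address, as the asset-management process might keep it.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "lobby-camera-1", "class": "iot"},
    "00:11:22:33:44:02": {"name": "hvac-thermostat", "class": "iot"},
    "00:11:22:33:44:10": {"name": "teller-ws-07", "class": "workstation"},
}

# Assumed segments: production ranges hold production data; IoT belongs on its own VLAN.
PRODUCTION_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed scan export in "ip mac hostname" form (a '-' hostname means none resolved).
SCAN_RESULTS = """\
10.99.0.21 00:11:22:33:44:01 lobby-camera-1
10.10.5.14 00:11:22:33:44:02 hvac-thermostat
10.10.5.30 00:11:22:33:44:10 teller-ws-07
10.10.5.77 aa:bb:cc:dd:ee:ff -
"""

def parse_scan(text):
    """Turn the three-column export into (ip_address, mac, hostname) tuples, skipping malformed lines."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, host = parts
        hosts.append((ipaddress.ip_address(ip), mac.lower(), host))
    return hosts

def reconcile(scan_text, inventory=INVENTORY, production_nets=PRODUCTION_NETS):
    """Return (ip, mac, reason) findings: unknown devices, IoT on production, and inventory gaps."""
    findings, seen = [], set()
    for ip, mac, host in parse_scan(scan_text):
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            findings.append((str(ip), mac, "not in inventory: investigate and identify"))
        elif asset["class"] == "iot" and any(ip in net for net in production_nets):
            findings.append((str(ip), mac, f"{asset['name']}: IoT device on a production segment"))
    for mac, asset in inventory.items():
        if mac not in seen:  # inventoried but absent from the scan; the record may be stale
            findings.append(("-", mac, f"{asset['name']}: in inventory but not seen in scan"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in reconcile(SCAN_RESULTS):
        print(f"{ip:<12} {mac}  {reason}")
```

Run periodically against each internal range, the output is the list of devices to investigate before the next risk assessment.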
One of our passions here at Bedel Security is assessing risk. We'd love to help you assess the risk of your IoT devices. Just shoot us an email at support@bedelsecurity.com!
Additional Resources:
Your Fax Machine Can Let In Intruders
https://www.bedelsecurity.com/blog/your-fax-machine-can-let-in-intruders
The Most Underrated Control in Information Security
https://www.bedelsecurity.com/blog/the-most-underrated-control-in-information-security
Typ0squatting
https://www.bedelsecurity.com/blog/typ0squatting