In addition to managing security for your computing infrastructure and computers, you also should think about other systems that interact with your computing infrastructure. Today, that includes everything from coffee makers to smart white boards to copiers. These devices are becoming more and more connected, and some of them are even IoT devices. While these devices have had computers embedded in them for some time, they used to be standalone devices, not connected to your network, so a compromise was extremely limited and quite rare. Today, you need to consider the following information when managing your embedded devices:
- Some devices are configured by default to contact the manufacturer to report health information or diagnostic data. You need to be aware of such communication. Disable it when possible. At a minimum, ensure that the configuration is such that additional information cannot be sent out alongside the expected information.
- Some devices, by default, accept remote connections from anywhere. Sometimes the connections are for remote management. You should eliminate remote connectivity options for devices that do not need to be managed remotely.
- Many embedded systems and IoT systems are built for convenience, functionality and compatibility — security is often last on the list, so authentication and authorization are sometimes non-existent. Additionally, many systems are small and have limited battery life, so encryption is often not used because it drains the batteries too fast and requires ample CPU power. And your existing systems for managing device security and managing patches are not likely to be compatible with IoT devices, which makes managing software versions and patches difficult. Attackers have already exploited flaws in IoT devices; for example, one company was infected with malware that originated from a coffeemaker. As the number and sophistication of the devices increases, hackers will likely explore this attack vector even more.