Connected IoT devices offer huge potential for innovation - and can still pose a major problem for IT: three major security risks and recommendations for concrete measures to increase IoT security in the long term.
The IoT market is growing dynamically in many areas: from smart household appliances and intelligent building systems to self-monitoring industrial plants. The networked devices offer countless advantages, but also represent a large attack surface. In detail, users should always keep an eye on three security threats that the IoT brings with it: hard-coded credentials, the infrequent IoT firmware updates and the limited IoT -Visibility.
Hard coded credentials
Many IoT devices use standard credentials that are hard-coded or embedded by the manufacturer. Attackers can use these credentials to access vulnerabilities in the IoT system software and firmware, and also use them to penetrate other corporate systems. To minimize these risks, hard-coded passwords should be replaced by strong individual passwords and all IoT credentials and secrets should always be secured and managed in a protected vault. In addition, access to each IoT device in the network should be consistently controlled and audited.
IoT firmware updates
Many IoT implementations lack built-in capabilities for software and firmware updates. It is so very difficult for security teams to fix vulnerabilities in a timely manner; sometimes years or even decades go by without an update. This can leave any IoT device — from hotel door locks to life-saving medical equipment to critical utility infrastructure — vulnerable to attack. One of the most effective ways to mitigate such attacks is to limit what devices can access on a network. Before access is granted, an identity security strategy should always include verifying identity, validating the device, and limiting access to what is really needed. This reduces the potential attack surface, preventing large-scale damage to the company.
Limited visibility
A big part of the IoT security problem lies in the lack of transparency. Organizations struggle to identify all IoT and OT devices present on their network, let alone efficiently manage them throughout their lifecycle. An automation solution can make the work easier here and provide much-needed visibility, for example by continuously searching for new devices on the network. By automatically changing default credentials, rotating passwords, and updating device firmware, security teams can save valuable time while improving device protection.
“IoT devices offer great potential for accelerating digital transformation. But without a consistent concept for managing the devices, the IoT harbors significant cyber security risks,” emphasizes Michael Kleist, Area Vice President DACH at CyberArk. “First of all, it is important that companies are aware of all the IoT and OT devices that connect to the network. In addition, all login data must be secured and managed. Last but not least, companies should also secure remote access by external providers for firmware updates or maintenance measures - with controlled access to systems and devices for both human and non-human users".
More at Cyberark.com
About CyberArk CyberArk is the global leader in identity security. With Privileged Access Management as a core component, CyberArk provides comprehensive security for any identity - human or non-human - across business applications, distributed work environments, hybrid cloud workloads and DevOps lifecycles. The world's leading companies rely on CyberArk to secure their most critical data, infrastructure and applications. Around a third of the DAX 30 and 20 of the Euro Stoxx 50 companies use CyberArk's solutions.