The recent DDoS attack against Dyn is an opportunity to highlight a primary reason for organizations to secure their systems against intruders. One of the common refrains I hear from IT managers is that their IT assets are of little value. Manufacturers, for example, don’t believe their control systems are of any value to hackers, as they don’t hold critical information and are easily reset to factory defaults if hacked. Hackers view such targets as precious resources.
The attack against Dyn had a sustained rate of 620Tbps. The result was the outage of several web services due to the inability to perform DNS resolution. According to security experts, the botnet was composed mainly of compromised IoT devices. Unsecured IoT devices are a treasure trove for botnet operators. It’s the responsibility of IT managers to ensure these devices remain protected against botnet enlistment. IT security vendors offer expensive protection products. Alternatively, here are three simple steps to protect your enterprise IoT against compromise, even if you have a limited budget.
1. Identify IoT devices
It’s common only to consider devices marketed as IoT in the past few years as targets for compromise. Common IoT devices include security cameras, industrial lighting systems, and manufacturing controllers managed by a web-based solution. An example is an IP-phone provided by a cloud-based PBX. However, an IoT device is any non-traditional endpoint with an IP address. It’s these systems that may fall through the cracks and become targets.
Some commonly overlooked IoT devices include multi-function printers, security scanners, and inventory scanners. A high-level place to start to identify non-traditional IoT devices is to take a look at your IP addressing system. If you have tight controls around IP addresses, the IP address inventory is a good place to start identification. Administrators should audit their IP address system for unmanaged systems. Another IP address source is the DHCP system.
2. Isolate the systems
Another best practice is to change default passwords and apply security updates to devices. In the case of some of the devices compromised in the Dyn attack, updates or changing the default password isn’t an option.
A potential security mitigation technique is to isolate the devices from the production network. There’s rarely a good reason for unmanaged, or even managed, IoT devices to reside on the same logical network as end-user devices and servers.
A solid approach is to create VLAN specifically for IoT devices. By placing the devices in an isolated network, administrators have the ability to apply layer 3 security policies to large swaths of the network. Layer 3 network isolation allows the use of existing access control lists on routers and traditional firewalls to control the flow of communication between IoT devices and the production network. The approach allows for mitigation of risk associated with IoT devices attacking production systems, such as workstations and servers.
3. Limit internet access
Placing IoT devices into an isolated network also provides the ability to deny internet access by default. Botnet operators want system resources that they can point toward targets on the internet. If the isolated devices neither have the ability to access the internet, nor infect other devices with an internet connection, administrators reduce the desirability of these devices to intruders.