Regardless of industry, most modern businesses incorporate Internet of Things (IoT) devices into their processes and environments. With organizations adopting technologies like smart TVs, network-connected printers, building access control systems, and connected security cameras, the growth in IoT devices is expected to be approximately 30 billion by 2030.  

Despite their ability to enhance operations, these technologies remain relatively new and often have inherent security weaknesses. Unlike traditional devices, no stand for developing secure IoT devices exists. While government and industry standards organizations seek to establish these standards, many organizations must be proactive and find ways to reduce risk on their own. 

To mitigate risk, organizations should implement appropriate cybersecurity configurations on their IoT devices. 

The IoT Threat Landscape

Increasingly, threat actors use vendors or suppliers as entry points into an organization’s networks and systems. 

IoT devices pose a remote access risk including:

• Default passwords: Manufacturers often publish default passwords online as part of their technical documentation. 
• Lack of device encryption: Most IoT devices lack the ability to encrypt data at rest so attackers that compromise devices can access sensitive information stored on them. 
• Limited support to address vulnerabilities: IoT device manufacturers either fail to publish or are slow to provide operating system (OS) and firmware security updates. 
• Check for existing patches at the initial install

These security issues make IoT devices easy targets for cyberattacks.

Best Practices for Hardening IoT Devices

To manage these risks and protect your organization, you should implement secure configurations. As a first step, you should implement a passive monitoring solution that enables you to identify all IoT devices on your networks so you have visibility into what you have and how it’s currently configured. Once you set a baseline, you can address risks by reviewing and updating their configurations. 

Assess Risk

Many organizations lack visibility into the IoT devices connected to their networks. Assessing risk starts before you connect an IoT device, sometimes even before you purchase it. Your risk assessment should include:

• Understanding currently deployed devices and their configurations
• Simulating risks to identify the most secure configurations
• Identifying the safest versions of a device or ones that require upgrades

Change Default Logins

When deploying a new device, you should ensure that you change any default login information, like username and password. Manufacturers often include this information in publicly available manuals. Threat actors often use this information as an initial step to gaining device access. 

Don’t Use a Flat Network

While using a flat network may reduce costs, it also means all devices are linked together. This network architecture increases risk by:

• Spreading malware and ransomware faster
• Enabling lateral movement which leads to unauthorized access to sensitive data and systems
• Making it easier for attackers to remain undetected

Configuring your network is as important as configuring the IoT device itself. Network segmentation and microsegmentation with appropriate network access control (NAC) implementations enable you to limit who and what accesses the network. 

Disable Unnecessary Features and Services

Many IoT devices come with features or services you don’t need. By disabling them, you reduce your attack surface since the device no longer needs to connect to an external resource outside your control.

Encrypt Network Transmissions

Since IoT devices often lack encryption, your networks should encrypt data in transit to reduce risks associated with man-in-the-middle (MitM) attacks and other types of communication interception attacks. 

Implement Multi-Factor Authentication (MFA)

MFA is the process of requiring two or more of the following before granting users access to a device or application:

• Something they know (password or passphrase)
• Something they have (token or mobile device)
• Something they are (biometrics like face ID or fingerprints)

By implementing MFA for access to IoT devices, you reduce risks associated with credential-based attacks, like brute force or credential theft. 

Identify and Remediate Vulnerabilities

According to the 2024 Data Breach Investigations Report, attacks involving vulnerability exploitation nearly tripled during 2024. For IoT devices, a passive scanning technology enables you to identify vulnerabilities without disrupting service. Once you identify vulnerabilities, you should assess risk to help you implement appropriate remediation steps. To appropriately address vulnerabilities, you need insights like:

• Exploitable vulnerabilities within the environment 
• Exploitable vulnerabilities for each specific device
• Threat intelligence with insights about real-time exploitability
• Mitigation recommendations that include applying security updates or implementing appropriate compensating controls, like deactivating unnecessary services or implementing microsegmentation
• Ability to extend the secure life of devices through recommended security measures that compensate for a lack of security controls on an IoT device

Continuously Monitor for Anomalous Activity

Once you configure the devices, you should also incorporate them into your continuous security monitoring program. You should understand normal connectivity and activity, like off-site connections that the device fetches firmware updates from, so you can identify anomalous activity, like a location that might be an attacker’s command and control (C2) server. 

Keep a Known Good Configuration  

Once you set secure configurations, you should maintain them. Configuration drift, when changes to a baseline or standard configuration change over time, often happens when you add new technologies to your networks or update software and firmware. Once you set your initial secure configurations, you should have a way to maintain them by reviewing IoT metadata, like version numbers or settings. 

Asimily: Secure Configuration Monitoring and Management

Asimily provides holistic context into an organization’s environment so organizations can identify all IoT devices, implement secure configurations, and manage configurations throughout the device lifecycle.

Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.