The vulnerabilities associated with the IoT are amplified by the explosive growth in the number and types of devices.
On campuses across the country, high-speed internet has been piped to most every dorm since the ’90s, so it has been common for students to have multiple connected devices for a long time now. In fact, according to some estimates, there were nearly 12 billion connected IoT devices worldwide at the end of 2020, surpassing non-IoT connections (such as smartphones, laptops and desktops) for the first time.
Our WootCloud telemetry shows counts ranging from 4-7 connected devices per student at the higher education institutions we work with.
With many students gauging the quality of the WiFi connection as an important criterion for attending higher ed institutions, it is common for universities to operate wide-open wireless networks that spill into public spaces around their campuses.
Security and Privacy Put Under Immense Scrutiny
With the confluence of IoT, 5G, and Work/Live-From-Anywhere, IoT and Devices will be at the core of the smart world we live in, the smart buildings, schools, homes, cars, even bodies we inhabit.
To secure IoT and Device environments, higher education relies on a mix of network segmentation, network separation, asset management, and vulnerability management tools corralled by policies.
For most IoT devices, he says, the greatest danger of an attack is that the device will be used as a launching point for hackers to infiltrate portions of the network that house sensitive data.
Old Security Ways Fall Short
Network security systems, endpoint protection, mobile device management (MDM), active vulnerability scanners, and log analysis tools were never designed to handle devices with locked-down operating systems or embedded control systems. In turn, most IoT devices fall short of modern desired security states.
Furthermore, many SLED institutions, like state university systems, have been codifying things around the NIST (National Institute of Standards and Technology) 800-171 set of standard guidelines. This “Special Publication” was developed after the Federal Information Security Management Act (FISMA) was passed in 2003 and resulted in several security standards and guidelines.
IoT devices often have weak network and security stacks, connect using custom protocols (e.g., DICOM), and run light operating systems that may not allow software agents to be installed.
As a result, education IT is largely blind to the behavior of these devices and vulnerable to potential compromise. These departments typically operate with much smaller teams and budgets than enterprises of similar size (and revenue).
Key cybersecurity challenges from IoT on campus include:
• Increase in attack surface — There may never be a way to require individual IoT device registration by students or faculty, nor should there be. From fitness apps on watches or jewelry to assistive learning tools, IT teams need to accept that IoT is here to stay in explosive numbers.
• Sideways motion from smart devices — Bluetooth-enabled devices which are susceptible to BlueBorne can be used as a gateway to other devices on other radio frequency (RF) spectrums. Bluetooth-enabled devices likely also have a WiFi radio and possibly a NIC. Those can be used to start a denial of service attack on DHCP servers, or via robotic access points. If there are enough devices affected, it can become a DDoS attack and take down a network.
• Student Device Vulnerabilities — From laptops and smartphones to tablets, printers and watches, these devices are on campuses to stay. Access control policies and device fingerprinting are key to keeping them safe and available.
• Patching and Security Updates — CCTV systems, smart routers, and others have all been used in highly-publicized attacks over the last few years, and these are nigh mandatory security systems for campus safety. However, many IT departments argue with physical security over who owns these devices, especially where patches and firmware updates are concerned.
How to Protect Your Organization
Although many IoT vendors have started paying more attention to cybersecurity in recent years, it is still up to institutions to protect themselves, Price notes.
As we have covered in our back to basic series, this starts with instrumenting basic policies, including:
• Updating all default credentials on IoT devices
• Creating standard user accounts for the operation of IoT devices and demanding vendors make this possible
• Identifying and patching vulnerabilities in real or near real time
More advanced policy-based controls include:
• Network segmentation – keep those IoT hardware components completely separate from the research, financial, health, and other critical computing areas of your educational institution.
• Active asset management – you can’t manage what you can’t measure, so visibility into all devices, IT managed and unmanaged, is critical to secure them, keep inventory for licensing, and support financial management.
• Identification of managed and unmanaged IoT and Devices. Sensors from WootCloud, MIST, and Meraki help see all devices in your airspace. The ideal is 100% device detection by scanning multiple spectra, which WootCloud also provides.
Our mission, like yours, is to provide your employees, students, faculty and more with a safe, user-friendly and secure environment by:
- Giving Full visibility – with RF and Network sensors seeing 100% of your devices and infrastructure encompassing all stages of attack – infiltration, persistence, and exfiltration
- Reducing Mean Time to Resolution (MTTR) – with AI/ML-powered, automated remediation that drives >70% reduction in threat hunting times
- Boosting User Experience – by reducing support ticket volumes, lowering alert noise for a >60% gain in operational efficiency (~1.4 FTE Service Savings per site/ per shift)
Each of these benefits on its own can offer 5-6 figure USD savings per year, shortening the payback period on your investment.
The perfect cybersecurity storm has arrived. Consider intelligent device and infrastructure security today.
To learn more, read our education whitepaper.
To try WootCloud in a zero touch, no obligation Demo or POC in your own environment, please contact us.