A case for IoT Device Fingerprinting and Automated Controls
Last year’s Smart City Expo was the biggest yet, full of hopeful topics like digital transformation, mobility, inclusivity and sharing – all of them laudable and achievable goals for building a better society for everyone. Meanwhile, we have an explosion of IoT devices that grow and spread through the corporate environment without the most basic controls such as identification, ongoing inventory, and tracking – let alone automated security controls. Some of the vast sums spent on physical security need to be reallocated to more holistic network controls, including IoT device fingerprinting and automated control and response.
While we embrace smarter cities, buildings, and devices in general as modern practice, due diligence for the hygiene of the back-end network systems demands that IT security leaders keep raising red flags. The back-end network systems that tie together HVAC, CCTV systems, and even fish tanks need a cautious approach and greater security scrutiny than has ever been applied before.
IP theft is lucrative in almost every business, from retail and casinos to biotech, and is often the key objective of cyber espionage efforts. Data Loss Prevention (DLP) is typically the go-to solution for protecting IP, motivated by stories of malicious insiders and compromised credentials. For organizations using cloud and SaaS offerings, there are Cloud Access Security Brokers (CASBs) that inspect data patterns flowing in and out of the network. These technologies do a fine job on traditional devices and services.
It’s the non-traditional devices that may be lurking in and around your enterprise that can provide ingress for attackers. As described above, these innocuous devices wouldn’t cause your CISO to think twice about them as the source of a data leak, and yet it keeps happening. The key to building a safer and smarter organization is device visibility and context.
Device visibility is nothing new; extending it to non-traditional devices brings more awareness and control. Device context is derived from managed, unmanaged, traditional, non-traditional and IoT devices alike, with no agent required. By looking at the behavior of the devices themselves rather than only at network traffic and user behavior, we gain a deeper understanding of each device’s role in the organization, which helps us distinguish good behavior from bad. We call this HyperContext.
In the case of the casino fish tank hack mentioned above, WootCloud would have identified the anomaly based on the activity of a headless device (the fish tank thermometer) making a connection to the high-rollers database server. The unusual amount of data sent from this connection out to the cloud would have triggered a second anomalous-behavior alert.
The hacking of AV systems was demonstrated back in 2013 at Black Hat EU. Following publication of the Polycom HDX hack, many compromised organizations were subjected to IP loss in a non-traditional way (via eavesdropping) – something DLP cannot prevent. WootCloud Labs’ HyperContext discovered the botnet based on anomalous behaviors exhibited by the Polycom HDX servers and other non-Polycom devices.
Whether it is a fish tank or an AV system, any of these alerts can be responded to automatically within the WootCloud Platform, or used to trigger incident response and remediation through security orchestration. Many companies that build internet-controlled fish tanks, air conditioners, or cameras are not specialists in developing hack-proof technology; it’s not their core competency. Their developers know a lot about fish health, but they may not be experts at building in a mandatory administrator password change or multi-factor authentication.
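The two behaviors the fish tank scenario turns on (a headless device connecting to a server outside its role, and egress volume far above that device's baseline) and the automated response the preceding paragraph describes can be expressed as a small detection pass over flow records. The following is an added example, not WootCloud's code and not a description of how HyperContext is implemented; the device inventory, destination classes, baseline figures, flow records and the `recommend_action` policy are all constructed for illustration, and it assumes device fingerprinting has already resolved each flow's source to a device identity and role.

```python
"""Role-aware IoT anomaly detection over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # device identity resolved from its fingerprint (assumed done upstream)
    dst: str        # destination IP
    bytes_out: int  # bytes sent by the device


# Constructed inventory. 'role' and 'headless' are what device fingerprinting would
# supply; 'allowed' is the set of destination classes a device in that role should talk to.
DEVICE_PROFILES = {
    "tank-thermo-01":   {"role": "iot-sensor",     "headless": True,  "allowed": {"iot-cloud"}},
    "hvac-ctrl-03":     {"role": "iot-controller", "headless": True,  "allowed": {"bms-server"}},
    "analyst-laptop-7": {"role": "workstation",    "headless": False,
                         "allowed": {"db-server", "saas", "iot-cloud"}},
}

# Constructed destination classes (server-side asset inventory).
DEST_CLASS = {
    "10.0.5.20": "db-server",   # stands in for the high-rollers database in the article
    "10.0.9.10": "bms-server",
    "52.0.0.10": "iot-cloud",
}

# Constructed per-device daily egress baseline, in bytes.
BASELINE_EGRESS = {"tank-thermo-01": 50_000, "hvac-ctrl-03": 200_000,
                   "analyst-laptop-7": 2_000_000_000}


def recommend_action(profile, severity):
    """Hypothetical response policy: a headless device has no user to disrupt,
    so a high-severity alert on it can be answered with network quarantine."""
    if severity == "high" and profile["headless"]:
        return "quarantine-vlan"
    return "open-ticket"


def detect(flows, profiles=DEVICE_PROFILES, dest_class=DEST_CLASS,
           baseline=BASELINE_EGRESS, volume_factor=10):
    """Return alerts for (a) flows to destinations outside the device's role and
    (b) total egress exceeding volume_factor times the device's baseline."""
    alerts = []
    egress = defaultdict(int)
    for f in flows:
        prof = profiles.get(f.src)
        if prof is None:
            # An unfingerprinted device is itself an inventory gap worth a ticket.
            alerts.append({"device": f.src, "type": "unknown-device",
                           "severity": "medium", "action": "open-ticket"})
            continue
        cls = dest_class.get(f.dst, "unknown")
        if cls not in prof["allowed"]:
            # A headless sensor reaching a database server is the article's scenario.
            sev = "high" if prof["headless"] and cls == "db-server" else "medium"
            alerts.append({"device": f.src, "type": f"unexpected-destination:{cls}",
                           "severity": sev, "action": recommend_action(prof, sev)})
        egress[f.src] += f.bytes_out
    for dev, total in egress.items():
        base = baseline.get(dev)
        if base is not None and total > volume_factor * base:
            alerts.append({"device": dev, "type": "egress-volume", "severity": "high",
                           "bytes": total, "action": recommend_action(profiles[dev], "high")})
    return alerts


# Constructed sample: the thermometer normally talks only to its vendor cloud.
SAMPLE_FLOWS = [
    Flow("tank-thermo-01", "52.0.0.10", 4_000),
    Flow("tank-thermo-01", "10.0.5.20", 12_000),      # headless sensor -> database server
    Flow("tank-thermo-01", "52.0.0.99", 900_000),     # large push to an unclassified cloud host
    Flow("hvac-ctrl-03", "10.0.9.10", 30_000),
    Flow("analyst-laptop-7", "10.0.5.20", 5_000_000),
]


def run_sample():
    return detect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run against the sample, the thermometer produces three alerts (database-server contact, an unclassified cloud destination, and egress of 916,000 bytes against a 50,000-byte baseline) while the HVAC controller and the analyst laptop, whose flows match their roles, produce none. The point of keying the policy on the fingerprinted role rather than on the traffic alone is that the same 5 MB transfer to the database server is routine for a workstation and alarming for a sensor.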
Consider that the more IoT devices there are in your smart building or city, the higher the chance of vulnerabilities.
If you’d like a demo of WootCloud’s Smart Device risk assessment for your smart devices, please contact us.