How Zero-Trust Should be Expanded to Include your Embedded Devices/IoT

By Chris Rouland, Founder and CEO of Phosphorus.

Earlier this year, Ubiquiti, a Silicon Valley-based IoT device maker, disclosed that it had been hacked. Customer account credentials were exposed, which allowed hackers to gain full access to all application logs, databases, user database credentials and information required to forge single sign-on (SSO) cookies. This level of access would allow the attackers to remotely authenticate to countless Ubiquiti cloud-based devices, putting customers’ devices, such as routers, network video recorders and security cameras, deployed in corporations and homes around the world at risk.

With an international presence in 200 countries and more than 85 million devices deployed, Ubiquiti had a colossal challenge on its plate. Once the vulnerabilities were identified and credentials were changed, customers were encouraged to reset passwords and implement two-factor authentication.

Security veteran Brian Krebs recommended that all Ubiquiti customers change the passwords on any devices that haven’t been changed since January 11, 2021. He also suggested users delete any profiles on these devices, ensure devices have the latest firmware, re-create those profiles with new and unique credentials, and seriously consider disabling any remote access on the devices.

While this is a good first step, challenges exist on a mass scale at the enterprise level.

Automation in the Enterprise

On average, it takes 4 hours per year to manually secure each device. If an organization has 40,000 devices, that nets out to 160,000 man-hours per year to keep those devices secure without automation. Automating basic security hygiene measures, including inventory management, patching and credential management, is crucial for IT teams, not just when recovering from an attack but also to harden the network and complete the basic security control conditions for defense-in-depth. In addition to helping IT teams keep pace with device proliferation, automation is cost-effective, frees teams to focus on more important matters and leaves them better protected against attack.

By automating device security, organizations can remove software bugs and malicious code and increase the performance of devices. Invest in a solution that automatically and periodically rotates credentials on your IoT devices to keep your things in compliance.
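The hygiene checks from the recommendation above (stale credentials, outdated firmware, remote access left on), run across a device inventory the way an automated process would. This is an added example, not code from the article or from Phosphorus; the inventory format, device names and firmware versions are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; device IDs, models and versions are invented.
INVENTORY_CSV = """device_id,model,firmware,cred_last_changed,remote_access
cam-01,camera-x,4.2.1,2020-11-03,on
nvr-02,nvr-y,3.10.0,2021-02-15,off
rtr-03,router-z,1.9.12,,on
cam-04,camera-x,4.10.0,2021-03-01,off
"""

# Assumed latest firmware per model (placeholder values, not vendor data).
LATEST_FIRMWARE = {"camera-x": "4.10.0", "nvr-y": "3.10.0", "router-z": "1.10.0"}
CRED_CUTOFF = date(2021, 1, 11)  # cutoff date quoted in the article


def version_key(version):
    """Compare dotted versions numerically so 4.10.0 sorts above 4.2.1."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory_csv, cutoff=CRED_CUTOFF, latest=LATEST_FIRMWARE):
    """Return {device_id: [findings]} for devices that need remediation."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        changed = row["cred_last_changed"].strip()
        # An unknown rotation date is treated as stale rather than trusted.
        if not changed or date.fromisoformat(changed) < cutoff:
            findings.append("rotate-credentials")
        known = latest.get(row["model"])
        if known is None:
            findings.append("unknown-model")
        elif version_key(row["firmware"]) < version_key(known):
            findings.append("update-firmware")
        if row["remote_access"].strip().lower() == "on":
            findings.append("review-remote-access")
        if findings:
            report[row["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit(INVENTORY_CSV).items():
        print(device, ", ".join(findings))
```

Devices with no recorded credential change are flagged for rotation, since a missing date cannot show the password was changed after the cutoff.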

Secure the Networks with a Zero-Trust Approach

When thinking about the zero-trust model, CIOs often prioritize the network and the cloud, but ignore devices. Devices are often overlooked or thought to be a smaller part of the pie; however, they actually make up about 43% of the access points. Organizations that are not including devices as the third prong in their zero-trust strategy are leaving themselves massively vulnerable.

In many cases, it is unlikely IT teams are able to manually track all IoT devices in an organization. However, a zero-trust model must ensure that unknown and unwanted devices cannot gain access to the network. The zero-trust approach reinforces that not all devices are automatically trusted, and constantly checks and re-checks each user when trying to access data. With all these new IoT devices that touch nearly every aspect of the workplace connecting to the network, the potential attack surface is greatly widened. Without including IoT devices as the third prong in a zero-trust strategy, organizations are spending millions on security but still leaving networks vulnerable.

With IoT devices being used in nearly every industry and McKinsey estimating that 127 devices hook up to the internet for the first time every second, organizations need to be better aware of and prepared for the increasing attack surface. Including IoT devices in your zero-trust strategy and ensuring that basic hygiene measures are taken care of will greatly harden your network and protect against vulnerabilities that may arise from IoT device manufacturer hacks, like what happened with Ubiquiti.

About the author: Chris Rouland is founder and CEO of Phosphorus. He is a renowned leader in cybersecurity innovation and has founded several multi-million dollar companies, including Bastille, the first to enable assessment and mitigation of risks of the Internet of Radios, and Endgame, the leader in endpoint security. He was also Chief Technology Officer and “Distinguished Engineer” for IBM and Director of the X-Force for Internet Security Systems. Chris holds 20+ patents and a Master’s degree from Georgia Institute of Technology.


