By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article on the internet of things (IoT) and security threats. We’ve all been expecting IoT devices to be problematic and it’s good to see recognition that better controls are needed for the federal government.

The Department of Defense is hearing the IoT alarm bells.

Did you hear about the heat maps used by GPS-enabled fitness tracking applications, which the U.S. Department of Defense (DOD) warned showed the location of military bases, or the infamous Mirai Botnet attack of 2016? The former led to the banning of personal devices from classified areas in the Pentagon, as well as a ban on all devices that use geolocating services for deployed personnel. While the latter may not have specifically targeted government networks, it still served as an effective wake-up call that connected devices have the potential to create a large-scale security crisis.

Indeed, the federal government is evidently starting to hear the alarm bells, considering the creation of the IoT Cybersecurity Act of 2017. The act emphasizes the need for better controls over the procurement of connected devices and assurances that those devices are vulnerability-free and easily patchable.

Physical and cultural silos

Technical, physical, and departmental silos could undermine the government’s IoT security efforts. The DOD comprises about 15,000 networks, many of which operate independently of each other. According to respondents cited in SolarWinds’ 2018 IT Trends Report, federal agencies are susceptible to inadequate organizational strategies and lack of appropriate training on new technologies.

Breaking the silos

Bringing technology, people, and policy together to protect against potential IoT threats is a tricky business, particularly given the complexity of DOD networks. But it is not impossible, as long as defense agencies adhere to a few key points.

Focus on the people

First, it is imperative that federal defense agencies prioritize the development of human-driven security policies.

Malicious and careless insiders are real threats to government networks—perhaps just as much, if not more so, than external bad actors. Policies regarding which devices are allowed on the network—and who is allowed to use them—should be established and clearly articulated to every employee.

Agencies must also try to ensure everyone understands how those devices can and cannot be used, and continually emphasize those policies. Implementing a form of user device tracking—mapping devices on the network directly back to their users and potentially detecting dangerous activity—can assist in this effort.

Gain a complete view of the entire network

DOD agencies should provide their IT teams with tools that allow them to gain a complete, holistic view of their entire networks. They must institute security information and event management (SIEM) to automatically track network and device logins across these networks and set up alerts for unauthorized devices.

Get everyone involved

It is incumbent upon everyone to be vigilant and involved in all aspects of security, and someone has to set this policy. That could be the chief information security officer or an authorizing official within the agency. People will still have their own unique roles and responsibilities, but just like travelers in the airport, all agency employees need to understand the threats and be on the lookout. If they see something, they need to say something.

Finally, remember that networks are evolutionary, not revolutionary. User education, from top management on down, must be as continuous and evolving as the actions taken by adversaries. People need to be regularly updated and taught about new policies, procedures, tools, and the steps they can take to be on the lookout for potential threats.

As the fitness tracking apps issue and the Mirai Botnet incident have shown, connected devices and applications have the potential to do some serious damage. While government legislation like the IoT Cybersecurity Act is a good and useful step forward, it’s ultimately up to agency information technology professionals to be the last line of defense against IoT security risks. The actions outlined here can help strengthen that line of defense and effectively protect DOD networks against external and internal threats.

Find the full article on SIGNAL.
