Thanks to the Internet of Things (IoT), we now have to watch for near-invisible devices that are capable of becoming vectors for all kinds of nasty attacks. The webcam attack on Brian Krebs is only the beginning. Could you imagine the focused power of a wide variety of IoT devices being brought to bear on Amazon? Or on Google? The potential for destruction is frightening. But it doesn't have to be. It just takes a little effort up front.
If It Talks Like A Duck
One of the best things about IoT devices is that they are predictable. They have static traffic patterns. Thermostats should only ever talk to their control servers, whether they be in the cloud or at a utility service provider. Lightbulbs should only ever talk to update servers. In the enterprise, devices like glucose meters and Point-of-Sale credit card readers also have traffic profiles. Anything that doesn't fit the profile is a huge clue that something is going on that shouldn't be.
Think back to the Target POS data breach. The register payment scanners were talking to systems they had never talked to before. No matter how small or isolated that conversation, it should have been a warning that something fishy was happening. Investigation at that point would have uncovered a breach before it became a publicity nightmare.
IoT devices should all have a baseline traffic profile shortly after they are installed. Just like a firewall port list, you should know which devices they are talking to and what is being transmitted. It should be incumbent on the device manufacturers to provide this info in their documentation, especially for enterprise devices. But until we can convince them to do it, we're going to need some help.
Tools like SolarWinds Network Traffic Monitor can help you figure out which devices are talking to each other. Remember that while NTM is designed to help you ferret out the worst offenders of traffic usage in your network, IoT devices may not always be trying to send huge traffic loads. In the case of the IoT DDoS, NTM should have seen a huge increase in traffic from these devices that was out of character. But in security cases like Target, NTM should be configured to find out-of-profile conversations with things like accounting servers or PCI devices.
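Here is a small worked version of the baseline-and-compare idea from the last few paragraphs, written for this post as an added example (it is not SolarWinds code and does not use the NTM API). It learns each device's set of peers and the largest flow seen per conversation during a baseline window, then flags three kinds of deviation against later flows: a device nobody has baselined, a known device talking to a new peer (the Target case, however small the flow), and a known conversation whose volume jumps well past its baseline (the DDoS case). Device names, hostnames and byte counts are constructed sample data, and the `declare` method stands in for peers a manufacturer documents rather than ones you observe.

```python
"""Baseline IoT traffic profiles and flag out-of-profile conversations.

Added example for illustration; flow records are constructed, not captured.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A flow record: (device, destination host, destination port, bytes sent)
Flow = Tuple[str, str, int, int]

# Constructed baseline window: what each device does when nothing is wrong.
BASELINE_FLOWS: List[Flow] = [
    ("thermostat-1", "cloud.thermo.example", 443, 2_000),
    ("thermostat-1", "cloud.thermo.example", 443, 2_400),
    ("thermostat-1", "cloud.thermo.example", 443, 1_800),
    ("bulb-7", "update.bulb.example", 443, 5_000),
    ("bulb-7", "update.bulb.example", 443, 4_800),
    ("pos-3", "payments.corp.example", 8443, 30_000),
    ("pos-3", "payments.corp.example", 8443, 28_000),
]

# Constructed later window with three things that should not be happening.
LIVE_FLOWS: List[Flow] = [
    ("thermostat-1", "cloud.thermo.example", 443, 2_100),    # in profile
    ("pos-3", "payments.corp.example", 8443, 29_000),        # in profile
    ("pos-3", "fileshare.corp.example", 445, 800),           # tiny, but a new peer
    ("bulb-7", "update.bulb.example", 443, 5_000_000),       # known peer, huge volume
    ("camera-x", "cdn.unknown.example", 80, 120),            # never baselined at all
]


class TrafficProfile:
    """Per-device allowed peers plus a per-conversation volume ceiling."""

    def __init__(self, spike_factor: float = 10.0) -> None:
        self.peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
        self.max_bytes: Dict[Tuple[str, str, int], int] = {}
        self.spike_factor = spike_factor  # how far past baseline counts as a spike

    def declare(self, device: str, host: str, port: int, max_bytes: int) -> None:
        """Add a peer from vendor documentation instead of observation."""
        self.peers[device].add((host, port))
        key = (device, host, port)
        self.max_bytes[key] = max(self.max_bytes.get(key, 0), max_bytes)

    def learn(self, flows: Iterable[Flow]) -> None:
        """Record every peer and the largest single flow seen per conversation."""
        for device, host, port, nbytes in flows:
            self.declare(device, host, port, nbytes)

    def check(self, flows: Iterable[Flow]) -> List[Tuple[str, str, str, int, int]]:
        """Return (reason, device, host, port, bytes) for each out-of-profile flow."""
        alerts = []
        for device, host, port, nbytes in flows:
            if device not in self.peers:
                alerts.append(("UNKNOWN_DEVICE", device, host, port, nbytes))
                continue
            if (host, port) not in self.peers[device]:
                # Size does not matter here: a new conversation is the signal.
                alerts.append(("NEW_PEER", device, host, port, nbytes))
                continue
            ceiling = self.max_bytes[(device, host, port)] * self.spike_factor
            if nbytes > ceiling:
                alerts.append(("VOLUME_SPIKE", device, host, port, nbytes))
        return alerts


def audit(baseline: Iterable[Flow], live: Iterable[Flow],
          spike_factor: float = 10.0) -> List[Tuple[str, str, str, int, int]]:
    """Build a profile from the baseline window and check the live window against it."""
    profile = TrafficProfile(spike_factor)
    profile.learn(baseline)
    return profile.check(live)


if __name__ == "__main__":
    for alert in audit(BASELINE_FLOWS, LIVE_FLOWS):
        print(alert)
```

The volume ceiling is deliberately crude (a fixed multiple of the largest flow seen); in a real deployment you would key it on a time window and feed it from exported flow records, but the structure of the check is the same: new peer first, then volume, because the Target-style signal is a conversation that exists at all, not one that is big.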
You Need To Walk Like A Duck
I know I said it before, but your company absolutely has to have some kind of IoT policy in place. Today. Not after a breach or an incident, but ahead of time. This helps you control the devices flowing into your network from uncontrolled sources. It allows you to remind your executives that the policy doesn't require them to have a Hue color-changing lightbulb. Or that they need to remove the unauthorized security camera watching the company fridge for the Lunch Bandit.
Sure, IoT is going to make our lives easier and happier. Until it all falls down around our ears. If I told your security department that I was about to drop 300 unsecured devices onto the network that can't be modified or moved, they would either have a heart attack or push back against me. But if your monitoring system is ready to handle them, there won't be any issues. You have to walk the security walk before you're giving the security talk to a reporter from the New York Times.