
Are Vulnerable Routers and IoT Devices the Achilles Heel of Your Network?

Recent news headlines report alarming intrusions into otherwise strong, well-defended networks. How did these incursions happen? Did perpetrators compromise executive laptops or critical servers? No, these highly visible endpoints are too well defended. Instead, hackers targeted low-profile, low-value network components like overlooked network routers, switches, and Internet of Things (IoT) devices.  

Why are network and IoT devices becoming the target of choice for skilled hackers? Two reasons. First, vendors do not engineer these devices to rigorously repel intruders. Unlike servers and desktops, the network/IoT device OS is highly specialized, which ironically may make it more difficult to secure; on top of that, vendors do not make the effort to harden these platforms. Second, these devices are out of sight and out of mind. As a result, many of them may be approaching technical obsolescence and are no longer supported.

Many of us remember how recently the Mirai IoT botnet compromised millions of Internet-enabled DVRs, IP cameras, and other consumer devices to launch a massive distributed denial-of-service (DDoS) attack against major DNS providers, “browning out” vast regions of the internet. For many, this attack was simply an inconvenience. However, what if IoT devices or weakly defended routers and switches were compromised in a way that impacted our offices, warehouses, and storefronts? It is easy to see how weakly secured devices could be targeted and compromised to disrupt commercial operations, and many companies still run outdated routers, switches, and weakly secured IoT devices. So how do we protect ourselves?

One solution is to forbid bringing any outside electronics into the workplace, which is my vote, though I know this is increasingly unrealistic. “Where there is a will there is a waiver” is a common response I hear. A second solution is to retire old hardware and upgrade firmware with verified vulnerabilities. Another approach would be to design, build, and implement a separate network access scheme for IoT devices so they do not interfere with corporate network productivity. Once this network is operational, it is the job of the corporate technology engineers and security staff to ensure the devices are used in an appropriate manner. To complement these strategies, it’s helpful to have mature change management processes and a network configuration and change management (NCCM) solution with end-of-life (EOL), vulnerability assessment, and configuration management capabilities.

Fortunately, these solutions are straightforward. By using a combination of technical and procedural controls, you can alleviate much of the risk. There is a direct correlation between configuration management and security management. So in reality, one of the best security tools in your toolbox is your network configuration and change management software. Using the right tools and taking deliberate and sensible steps can go a long way to keep your company out of the headlines.
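As an added example (not code from the post or from SolarWinds), the Python below applies the checks the post recommends to a device inventory the way an NCCM tool would: it flags end-of-life hardware, firmware with a known advisory, a factory password still in place, cleartext management, and IoT gear that is not on its own segment. The model names, EOL dates, advisory list, VLAN number and inventory are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed data (not real products or advisories): firmware builds with a
# known advisory, and vendor end-of-life dates per hardware model.
VULNERABLE_FIRMWARE = {("EdgeRouter-X", "1.0.3"), ("IPCam-200", "2.1.0")}
EOL_DATES = {"EdgeRouter-X": date(2016, 6, 30), "IPCam-200": date(2019, 1, 1),
             "CoreSwitch-48": date(2025, 1, 1)}
IOT_SEGMENT = "VLAN 900"        # the separate IoT network the post recommends
AUDIT_DATE = date(2017, 2, 1)   # fixed so the audit result is reproducible

@dataclass
class Device:
    name: str
    model: str
    firmware: str
    segment: str
    is_iot: bool
    default_credentials: bool   # True when the factory password is still set
    telnet_enabled: bool        # management plane reachable over cleartext

def audit_device(dev: Device, today: date = AUDIT_DATE) -> list[str]:
    """Return finding codes for one device; an empty list means it passed."""
    findings = []
    eol = EOL_DATES.get(dev.model)
    if eol is not None and eol <= today:
        findings.append("EOL")              # no more vendor fixes: retire it
    if (dev.model, dev.firmware) in VULNERABLE_FIRMWARE:
        findings.append("VULN_FIRMWARE")    # upgrade the firmware or retire
    if dev.default_credentials:
        findings.append("DEFAULT_CREDS")    # simplest fix on the whole list
    if dev.telnet_enabled:
        findings.append("CLEARTEXT_MGMT")   # move management to SSH/HTTPS
    if dev.is_iot and dev.segment != IOT_SEGMENT:
        findings.append("NOT_SEGMENTED")    # IoT sitting on the production LAN
    return findings

def audit_inventory(devices: list[Device], today: date = AUDIT_DATE) -> dict[str, list[str]]:
    """Map each failing device's name to its findings; clean devices are omitted."""
    return {d.name: f for d in devices if (f := audit_device(d, today))}

# Constructed inventory: a legacy WAN router, an unsegmented lobby camera still
# on its factory password, a warehouse camera done right, and a current core switch.
INVENTORY = [
    Device("wan-rtr-1", "EdgeRouter-X", "1.0.3", "VLAN 10", False, False, True),
    Device("lobby-cam-3", "IPCam-200", "2.1.0", "VLAN 10", True, True, False),
    Device("wh-cam-1", "IPCam-200", "2.2.0", "VLAN 900", True, False, False),
    Device("core-sw-1", "CoreSwitch-48", "15.2", "VLAN 1", False, False, False),
]
```

Calling `audit_inventory(INVENTORY)` reports the router and the lobby camera and stays silent on the two devices that are current and correctly placed; in practice the inventory and advisory data would come from the NCCM tool's device database rather than literals.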

About the author

Eric Hodeen is a SolarWinds expert and THWACK MVP with over 20 years’ experience in network engineering, with expertise in network management and operations and STIG, PCI and NIST compliance. Eric has designed, implemented and managed networks for the Department of Defense across the US and Europe. He earned his MS in Management of Technology with a specialization in security from the University of Texas at San Antonio and holds numerous certifications including Cisco CCNA R&S, CCDA, CCNA Security, CCNP Security, Juniper JNCIA/JNCIS, ITIL V2, Security+CE and CompTIA CASP.

23 Comments
MVP

As hinted, yes they can be...especially general consumer routers where the end user has not changed the default password.

Once upon a time I worked for an IT Manager who believed in the "just say no" philosophy.  It kept us safe and secure, and saved us a boat load of money by keeping us from going down paths that were dead ends or money pits or security nightmares.

Enough saying "no" and he was out the door in favor of someone who'd not question what they were asked/told to do.  Now we're spending $$ on plugging holes while we're simultaneously opening more holes up with new / unknown IoT access.

Hmm . . .  Didn't I hear something similar in the news this week about an A.G. who stood by her principles and was let go?  Uffda!

I also heard something that rang true this week--something to the concept of:  If you don't seek and use professionals to guide your design / implementation, by definition you end up with an unprofessional design.  I kind of like that.

I've long asked Management why they believe in the 150-mile Rule (I.T. advice from our internal experts can't be state of the art or include new solutions; only an outside contractor from at least 150 miles away would have that expertise).

Well, maybe that goes for IoT security issues, too.  When my team is reticent about allowing/enabling/installing/configuring them, it's not unusual to be instructed to just do it, despite our misgivings about the security holes these devices could open in our network.

In 2003, I took over a project to install some sensitive equipment.  Right out of the gate we put them on their own network and restricted their access using access lists and firewalls.  With that in mind....

For years we have been "Red Team" scanning all IP's inside and out.  As the scans pointed out issues we took action.

Isolate and restrict.

I want to get to network access lists for most systems and application white lists.

The struggle is real.

RT

Level 13

We took that approach with the facilities HVAC system controls, and campus security's key fob and other security systems.  Those were so old and vulnerable it was almost worse than IoT stuff.  We couldn't scan the HVAC IPs inside though, it crashed the systems controlling the HVAC.  Bad stuff there.

MVP

Thanks for sharing the same

Level 13

We don't allow IoT, so no...routers? We keep a close eye on them (LEM).

Interesting, the use of the word 'forbid'. I wouldn't say that resolves the security risk.

Having a company policy vs technical solution to prevent harm is a debate I have seen many times.

Level 16

Good segmentation is a must

There are so many applications that should be in air gap segments

Avaya Hypersegmentation Secures The Everywhere Perimeter

Air gap (networking) - Wikipedia

Level 13

I still don't get why people don't change default passwords...simplest proactive security measure.


Level 10

We don't have too many vulnerable routers.  Our devices are pretty locked down by security.

Plenty of people get sold on projects but don't necessarily know what they're doing. It's not unsurprising in this industry.

Do you use ISE or ACI to accomplish your restrictions preemptively / proactively?  We recently adopted both, but without receiving sufficient training for my teams.  The result is they're an unknown and a challenge.  But they LOOK like they're exactly what is needed to do the job right.

Level 14

The Mirai IoT botnet wasn't developed from devices sitting behind strong, well defended networks. These devices were primarily on home and small office networks that are no better defended than the average front yard. At least your home has locks and you know how to use them. Most home users have no idea how to secure their network, nor do they really care. Once they get everything up and running, they don't touch it again, even to lock it down.

I wish IoT scanning/vulnerability were the next vertical SolarWinds explores, so as to bundle with IPAM, LEM, UDT, to fully complement their security product offering. I have a need now and the vendors are $$$ and their dashboard is sloppy comparatively.

Level 21

network defender, I totally agree with you on this. The question then becomes who should be responsible? Should home users be expected to be more aware and secure their stuff, or should the product vendors enforce better security on their products out-of-the-box?

Level 21

I personally think having a separate network for IoT devices in the workplace is probably the best compromise.  It provides nice separation and also gives you a nice demark that you can watch very closely for unusual behavior.

MVP

I would concur....keep them separate and watch their traffic while keeping them out of other networks.

Level 13

Me too...we do that for specific appliances we're not sure of (i.e. cameras)...

Level 14

Perhaps a compromise.  Have the IoT device vendor build a better layer of security into the device with specific instructions intended for the average end user?

Level 14

Don't allow them on the production side. Have a dedicated network location. Have a policy in place BEFORE allowing this. Monitor to no end.

MVP

Considering the average end user...they won't follow the specific instructions...they'll get the Best Buy Geek Squad to install it with the bare minimum effort to do so.

Level 14

Agreed.
