Minimise IoT security vulnerabilities
The Online Trust Alliance’s new list lays out 10 suggestions for using IoT tech in the enterprise without making the enterprise more vulnerable to security threats. The list centres on awareness and minimising access to less-secure devices.
Having a strong understanding of what devices are actually on the network, what they’re allowed to do, and how secure they are at the outset is key to a successful IoT security strategy.
Here’s the list:
- Every password on every device should be updated from the default, and any device that has an unchangeable default password should not be used at all. Permissions need to be as minimal as possible to allow devices to function.
- Do your homework – everything that goes on your network, as well as any associated back-end or cloud services that work with it, needs to be carefully researched before it is put into production.
- It is a good idea to have a separate network, behind a firewall and under careful monitoring, for IoT devices whenever possible. This helps keep potentially insecure devices away from core networks and resources.
- Do not use features you do not need – the OTA gives the example of a smart TV used for display only, which means you can definitely deactivate its microphone and even its connectivity.
- Look for avenues of physical compromise – anything with a hardware “factory reset” switch, open port or default password is vulnerable.
- Gizmos that connect automatically to open Wi-Fi networks are a bad idea. Make sure they don’t do that.
- If you cannot block all incoming traffic to your IoT devices, make sure that there are no open software ports that a malefactor could use to control them.
- Encryption is a great thing. If there is any way you can get your IoT devices to send and receive their data using encryption, do it.
- Updates are also a good thing – whether you have to check manually every month or your devices update on their own, make sure they are getting patches. Don’t use equipment that cannot get updates.
- Underlining the above, do not use products that are no longer supported by their manufacturers or that can no longer be secured.
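As an added illustration (not part of the OTA list or the original article), the checklist items that can be read from a device inventory can be turned into an automated audit. The field names, the IoT subnet and the 31-day patch window below are assumptions, and the inventory is constructed sample data.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed policy values for this example (not taken from the OTA list).
IOT_SEGMENT = ip_network("10.50.0.0/24")  # dedicated, firewalled IoT network
MAX_PATCH_AGE_DAYS = 31                   # "check every month"

def audit(device, today):
    """Return the checklist findings for one inventory record."""
    findings = []
    if device["default_password"]:
        findings.append("default password still set")
    if ip_address(device["ip"]) not in IOT_SEGMENT:
        findings.append("not on the segregated IoT network")
    unneeded = set(device["enabled_features"]) - set(device["needed_features"])
    if unneeded:
        findings.append("unneeded features enabled: " + ", ".join(sorted(unneeded)))
    if device["auto_join_open_wifi"]:
        findings.append("auto-joins open Wi-Fi")
    if device["open_inbound_ports"]:
        ports = ", ".join(str(p) for p in sorted(device["open_inbound_ports"]))
        findings.append("inbound ports open: " + ports)
    if not device["encrypted_transport"]:
        findings.append("data sent unencrypted")
    if device["support_ends"] < today:
        findings.append("no longer supported by manufacturer")
    elif (today - device["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches overdue")
    return findings

# Constructed sample inventory (hypothetical devices and field names).
INVENTORY = [
    {"name": "lobby-tv", "ip": "10.50.0.20", "default_password": False,
     "enabled_features": ["display", "microphone"], "needed_features": ["display"],
     "auto_join_open_wifi": False, "open_inbound_ports": [],
     "encrypted_transport": True, "support_ends": date(2027, 1, 1),
     "last_patched": date(2024, 5, 20)},
    {"name": "dock-camera", "ip": "192.168.1.44", "default_password": True,
     "enabled_features": ["video"], "needed_features": ["video"],
     "auto_join_open_wifi": True, "open_inbound_ports": [80, 23],
     "encrypted_transport": False, "support_ends": date(2023, 3, 1),
     "last_patched": date(2022, 11, 2)},
]

def report(today=date(2024, 6, 1)):
    """Map each device name to its list of findings."""
    return {d["name"]: audit(d, today) for d in INVENTORY}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", findings or "ok")
```

Physical exposure, such as a reachable factory-reset switch, still needs an on-site check and is not covered by this audit.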
The Online Trust Alliance was founded as a loosely confederated industry group in 2005, mostly as a response to email-based security threats and spam.
The group’s aims have evolved substantially since then, to encompass a much wider range of technologies, including IoT. After becoming a recognised 501(c)(3) organisation in 2012, the OTA was absorbed by the larger Internet Society, and became a subordinate arm of that group as of October 2017.
IDG News Service