The Ultimate Guide to Network Security and Protecting Critical Information

With the steady increase of applications and devices requiring connectivity, and considering the maturation of hacking strategies, some of the largest companies in the world are realizing how difficult it is to completely prevent hackers from entering their networks. While security-driven network architecture to prevent breaches is significant, so is getting them off the network once they enter.

Security and IT managers at large companies realize that with savvy adversaries worldwide, detection and confusion are increasingly vital. Managers can keep potential attackers busy by fixing vulnerabilities as quickly as possible, isolating networks, changing firewall rules, moving files around, and constantly putting new controls in place — and by doing this consistently.

Even so, these defensive tactics haven't displaced the need for proactive security efforts. Strategies such as Parallel Networking with Cradlepoint's 4G LTE solutions physically isolate the corporate network on which Point-of-Sale and other sensitive data reside.

Not that long ago, it was a given that credit card information was the most sought-after data for hackers. Today, healthcare records have become the highest-value target.

A year ago, Reuters reported that medical information costs 10 times more than a credit card number on the black market. The malicious activity includes using names, birth dates, policy numbers, diagnosis codes, and billing information "to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers," according to the report. Also, theft of medical records usually isn't reported nearly as quickly as credit card fraud, which makes this type of data even more valuable.

If a company with 100 employees stores all of its valuable employee healthcare records on a USB drive inserted into various managers' computers, the risk for malicious activity is high. Once medical records are stolen, the adverse effects on both employees and the company can be extensive and last for years.

The sheer number of connected devices is truly staggering. Gartner estimates that 15.14 billion connected things will be in use in 2023.

In a branch store, the IoT could encompass a wide variety of things, including:

• point-of-sale machines
• digital signage
• security system and surveillance cameras
• breakroom refrigerator, toaster, coffee maker, and vending machines
• printers
• HVAC system
• lighting controls
• visitor WiFi
• … and more.

Out in the field, the scope of the IoT is even more vast. Wearables allow fire departments to monitor the location and physical well-being of firefighters. Cities monitor everything from traffic patterns to plowing progress during snowstorms. Industrial systems can be controlled and analyzed from a single remote location.

No one strategy or solution will keep networks secure and protect distributed enterprises. Companies can do their best to mitigate risk by educating employees, opening the lines of communication between staff and the IT department, engaging in penetration testing, and more. Cradlepoint contributes to the cause of best-in-breed security and cloud management solutions.

Even amid ever-expanding network threats, we can work together to protect the sensitive data entrusted with us.

A Washington Post article published in 2018 discussed how security researchers at that year's Black Hat USA conference continue to be concerned about IoT security. The article included these researchers' advice to policymakers in Washington (including the bipartisan list of Senators working on new IoT security legislation) on what they need to understand about the IoT and cybersecurity as they move forward in developing and implementing policies designed to make the IoT more secure.

The points highlighted in the article are important for policymakers to understand as they move forward – that more cyber attacks are coming, IoT devices need to be patchable, smart cities are vulnerable, and security researchers are your friends. However, there are also a few more issues I would recommend that policymakers – as well as IoT devices, manufacturers, solution developers, and customers – should learn more about as we work together to increase IoT security and resiliency by enhancing solutions and promoting improved IoT device security best practices.

Today, most IoT gateways, modules, and other connectivity devices can be upgraded with new firmware to fix security vulnerabilities as they emerge. However, without proper planning, it may be difficult, impossible or too expensive to deploy these patches to thousands or millions of devices in the field, resulting in critical gaps in IoT device security.

Local updates are costly because they require a technician to visit each device. Over-the-Air (OTA) updates are more scalable but require investment in a network management solution. OTA updates can also consume a lot of bandwidth, making it very expensive if, for example, the devices are deployed with a data plan only allowing 5MB/month while each security update is several times that size.

Even if bandwidth is not a concern, power might be. Battery-powered devices designed to last for years (because they transmit and receive very little data) can have their entire power reserves depleted by a single security update, necessitating expensive technician visits to replace batteries or the devices themselves. In some cases, so-called "Deep Edge" devices, which live in fringe coverage areas or deep inside buildings or underground, may achieve data rates only in the hundreds of bits per second, making a multi-megabyte download impossible. There are solutions to these issues, but they may require policy changes, the deployment of new technologies, and changes to the business models of IoT market participants.

Some out-of-the-box thinking is needed. For example, mobile network operators could be required to provide customers free or discounted bandwidth for security updates. Another possibility is that operational workflows could be utilized to update firmware through local interfaces where OTA updates are not feasible. For example, smart lighting firmware could be updated when changing a bulb. Perhaps sensors deep inside buildings could be updated over Wi-Fi utilizing a distribution server in a janitor's cart.

In addition, a Defense in Depth strategy as discussed below may offer sufficient protection for some use cases, eliminating the need for many firmware updates.

Defense in Depth improves IoT security by forcing an attacker to breach multiple security layers to compromise an IoT solution. When a vulnerability is detected in one layer, the other layers protect the integrity of the system until the breach can be detected and contained and the vulnerability can be corrected. For example:

• A private cellular gateway called an Access Point Name (APN), implements a network-level firewall restricting the hosts that can reach a device.
• A device firewall performs the same function in the event an attacker can penetrate the private APN.
• Using secure authentication on the services the firewall needs to leave accessible ensures that only authorized users may connect, creating another obstacle should an attacker compromise a device permitted to traverse the APN and device firewalls.
• Role-based access privileges limit what can be seen and done should an attacker compromise the credentials of an authorized user on a device permitted to traverse the APN and device firewalls.
• Up-to-date firmware helps ensure there are no vulnerabilities that allow attackers to bypass role-based access privileges.
• Cloud management and network operations platforms monitor device behavior for anomalies that may indicate an attacker has compromised the IoT device's security despite all the above protections.

Even the most robust safe will not stop a robber if the owner forgets to lock it. IoT devices, networks and cloud software can be built using the world's best security technologies. Still, users need to take advantage of these IoT security solutions by following best practices to ensure overall security is maintained.

However, even here, some responsibility falls to the IoT device, network, and cloud software providers. In addition to integrating security technologies into their products, they should not assume users will always follow security best practices. Instead, they should ensure their devices, networks and software are "secure by default."

For example:

• Devices should use cryptographically secure unique random default passwords instead of global shared passwords. This enhances security should users not change the default password.
• Device firewalls should default to blocking all traffic on network interfaces to force users to properly configure devices before use – and to protect the device should it be turned on and connected to the network using default settings.
• All non-essential services and/or ports should be disabled by default to minimize the attack surface should the device be deployed in its default state or reset to defaults in the field.

Still, there is only so much that IoT device, network, and cloud software providers can do. A strong security posture is possible only if IoT solution owners and users follow security best practices. How can we increase IoT owners and users' adoption of security best practices?

The most important step is education and training. One possible strategy involves Computer Assisted Training materials. These could be developed by vendors or a group of security experts and provided for free (or minimal expense) to customers. After a user completes the training, a security "certificate" could be issued and kept on file by the user's organization.

Even if IoT solutions use devices that are patched with all the latest security updates, have security deployed in-depth, and have users who are carefully following security best practices, there is still the possibility that the solution could be hacked – if not by an external threat actor, then by an internal one. Given this reality, developers, users, and owners of IoT solutions need to plan for the worst – that, in the future, their solution will be hacked, despite all their efforts. This means they must have a resiliency strategy to recover from the attack as quickly and comprehensively as possible.

This could involve backing up data from their IoT solutions, so that, if necessary, they can wipe the devices and then restart them with the backed-up data. In addition, IoT solutions used in mission-critical applications, such as for first responder communications or the control of critical infrastructure, failover systems should be deployed to take over in the event the primary system is compromised.

We hope that policymakers and IoT device manufacturers, solution developers, and customers will consider these issues while offering their ideas on how to work together to make the IoT more secure. While some may think discussions sow fear that slow the growth of the IoT, we believe that we need to be open about IoT security and constantly be working to improve it – because good security is foundational to the success of the IoT.

The security of IoT devices and data is one of the hottest topics for enterprise businesses — and one that has been lacking definitive guidelines, awareness, and standards for some time. Recently the National Institute of Standards and Technology (NIST) released a document that begins to fill this noticeable gap by helping everyone understand how to analyze various risks and threats to better plan and manage IoT devices in the enterprise.

NIST will provide more prescriptive guidance based on specific industries soon, but for now, the organization's "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTR 8228)" outlines a few vital topics that everyone who has deployed or is considering deploying IoT applications should consider. These are mainly centered on differences between IoT devices and your typical IT endpoints.

Below are three considerations from NIST when adopting IoT. One of the significant differences in managing risk with IoT compared to IT systems is that IoT typically focuses heavily on protecting the confidentiality of data. Also, IoT use cases are more about availability and integrity because of their interactions with the physical environment.