CIS Benchmark SYSTEM HARDENING VULNERABILITY MANAGEMENT

The UK Government has released a draft code of practice designed to help manufacturers and end users better safeguard their Internet of Things (IoT) devices.

These practices have yet to be finalized, but this step by the government proves that if no action is taken, then Parliament will be forced to enforce legislation. The increased adoption of IoT devices poses a significant threat to both commercial and critical infrastructure and has left the government with no other option but to intervene.

The rapid pace of IoT device production and adoption has resulted in basic security safeguards being blatantly ignored. Gartner predicts that by 2020 there will be over 20 billion connected devices in the world, the vast majority of which being riddled with security vulnerabilities. Unlike our familiar computing platforms like regular operating systems, tablets, and smartphones where manufacturers are responsible to factor in security to their design, IoT devices are seldom, if ever patched, upgraded or hardened against misuse.

Both the internet-enablement of more devices, combined with the increased adoption of more function-rich application runtimes/environments, including full operating systems, has rendered these things much more vulnerable to misuse. And in a meshed-network world where everything has access to everything else, the potential for harm has increased exponentially, as the rapid and widespread of WannaCry showed.

A seminal moment where the IoT threat became real was the infamous Mirai malware attack which took down some of the most popular websites including Twitter, Spotify, and PayPal. From connected security cameras to DVRs and Smart TVs, the Mirai attacks were perpetrated by millions of cheap connected devices.

This advice is long overdue and signifies that the government is fully aware of the very evident risks IoT presents to both individual and public safety. While these best practices are still in draft form and the UK government hoped the free market would make these changes itself, inaction will force their hand, “if this does not happen, and quickly, then we will look to make these guidelines compulsory through law.”

Dealing with the potential threat posed by IoT devices first requires understanding what you have. Regularly scan for all network-connected devices and identify what they are. Anything new must be checked for how it operates, what its functions/capabilities are, and how it can be secured.

Changing default username and passwords is always a good first step in any successful hardening program, but disabling UPnP services where possible and firewalling where not, should be key. Thereafter System Integrity Monitoring is a key practice in determining if any suspicious activity has taken place that could represent an IoT based attack.

NNT Products
USA Offices
New Net Technologies LLC
Naples
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
Atlanta
201 17th Street, Suite 300
Atlanta, Georgia, 30363.
Portland
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: 1-888-898-0674
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire
AL5 2JD

Tel: 01582 287310
email [email protected]
Connect
Google+ Linkedin Twitter - Change Tracker Facebook rss feed YouTube
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified
Copyright 2018, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.