
10 tips to minimize IoT security vulnerabilities

Online Trust Alliance spells out best practices for testing, purchasing, networking and updating IoT devices to make them and the enterprise more secure.

Jon Gold Apr 23rd 2018

Here’s a handy list of tips that can help you avoid the most common mistakes that business IT pros make when bringing IoT devices onto enterprise networks.

The Online Trust Alliance’s new list lays out 10 suggestions for using IoT tech in the enterprise without making the enterprise more vulnerable to security threats. The list centers on awareness and minimizing access to less-secure devices. Having a strong understanding of what devices are actually on the network, what they’re allowed to do, and how secure they are at the outset is key to a successful IoT security strategy.

Here's the list:

  • Every password on every device should be changed from the default, and any device whose default password cannot be changed shouldn’t be used at all. Permissions should be the minimum a device needs in order to function.
  • Do your homework – everything that goes on your network, as well as any associated back-end or cloud services that work with it, needs to be carefully researched before it’s put into production.
  • It’s a good idea to have a separate network, behind a firewall and under careful monitoring, for IoT devices whenever possible. This helps keep potentially insecure devices away from core networks and resources.
  • Don’t use features you don’t need – the OTA gives the example of a smart TV used for display only, whose microphone, and even its network connectivity, can therefore be disabled.
  • Look for avenues of physical compromise – anything with a hardware “factory reset” switch, an open port or a default password is vulnerable to someone with hands on the device.
  • Gizmos that connect automatically to open Wi-Fi networks are a bad idea. Make sure they don’t do that.
  • If you can’t block all incoming traffic to your IoT devices, make sure that there aren’t open software ports that a malefactor could use to control them.
  • Encryption is a great thing. If there’s any way you can get your IoT devices to send and receive their data using encryption, do it.
  • Updates are just as important – whether you have to check manually every month or your devices update on their own, make sure they’re getting patches. Don’t use equipment that can’t get updates.
  • Underlining the above, don’t use products that are no longer supported by their manufacturers or that can no longer be secured.
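The ten tips above read naturally as checks against a device inventory, so here is an added example (written for this article, not code from the OTA or the Internet Society) that applies them to a small constructed inventory. Every device record, the `MANAGEMENT_PORTS` set, the `iot` segment name, the 30-day patch window and the audit date are assumptions chosen for illustration; a real deployment would feed this from its own asset database and scan results.

```python
"""Audit an IoT inventory against the OTA tips (added example, not the
article's or the OTA's own code).  Devices, ports, dates and segment
names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Ports that commonly expose remote administration of a device.
# Assumed list; tailor it to what the devices actually run.
MANAGEMENT_PORTS = {22, 23, 80, 443, 5900, 8080, 8443}
PATCH_WINDOW_DAYS = 30          # assumed acceptable gap between patches
IOT_SEGMENT = "iot"             # assumed name of the isolated IoT network
TODAY = date(2018, 4, 23)       # constructed audit date (article date)


@dataclass
class Device:
    name: str
    vlan: str                          # network segment the device sits on
    password_changeable: bool          # can the default password be replaced?
    default_password_changed: bool     # has it actually been replaced?
    open_ports: Set[int] = field(default_factory=set)       # from a scan
    features_enabled: Set[str] = field(default_factory=set)
    features_needed: Set[str] = field(default_factory=set)
    auto_joins_open_wifi: bool = False
    uses_tls: bool = True
    can_update: bool = True
    last_patched: Optional[date] = None
    vendor_support_ends: Optional[date] = None


def audit_device(dev: Device, today: date) -> List[str]:
    """Return a list of findings for one device; empty means it passes."""
    findings = []
    # Tip 1: defaults must be changed; unchangeable defaults are a hard stop.
    if not dev.password_changeable:
        findings.append("unchangeable default password: do not deploy")
    elif not dev.default_password_changed:
        findings.append("default password still in use")
    # Tip 3: IoT devices belong on their own monitored, firewalled segment.
    if dev.vlan != IOT_SEGMENT:
        findings.append(f"not on isolated segment {IOT_SEGMENT!r} (on {dev.vlan!r})")
    # Tip 4: switch off features the device's role does not require.
    unneeded = dev.features_enabled - dev.features_needed
    if unneeded:
        findings.append("unneeded features enabled: " + ", ".join(sorted(unneeded)))
    # Tip 7: no reachable ports that could be used to control the device.
    exposed = dev.open_ports & MANAGEMENT_PORTS
    if exposed:
        findings.append("management ports reachable: " + ", ".join(map(str, sorted(exposed))))
    # Tip 6: devices must not attach themselves to open Wi-Fi.
    if dev.auto_joins_open_wifi:
        findings.append("auto-joins open Wi-Fi")
    # Tip 8: data in transit should be encrypted.
    if not dev.uses_tls:
        findings.append("traffic not encrypted")
    # Tips 9 and 10: must be patchable, recently patched, and still supported.
    if not dev.can_update:
        findings.append("cannot receive updates: do not deploy")
    elif dev.last_patched is None or (today - dev.last_patched).days > PATCH_WINDOW_DAYS:
        findings.append(f"no patch applied in last {PATCH_WINDOW_DAYS} days")
    if dev.vendor_support_ends is not None and dev.vendor_support_ends < today:
        findings.append("vendor support ended " + dev.vendor_support_ends.isoformat())
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed inventory: one nearly compliant device, one legacy device that
# fails almost everything, and one that only lags on patching.
INVENTORY = [
    Device("lobby-tv", "iot", True, True, set(), {"hdmi_display", "microphone", "wifi"},
           {"hdmi_display"}, last_patched=date(2018, 4, 1),
           vendor_support_ends=date(2021, 1, 1)),
    Device("legacy-camera", "corp", False, False, {23, 554}, set(), set(),
           auto_joins_open_wifi=True, uses_tls=False, can_update=False,
           vendor_support_ends=date(2016, 12, 31)),
    Device("hvac-sensor", "iot", True, True, {8883}, {"mqtt"}, {"mqtt"},
           last_patched=date(2018, 2, 1), vendor_support_ends=date(2022, 1, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The two "do not deploy" findings (unchangeable default password, no update path) are deliberately separate from the rest: they correspond to the tips that say not to use the device at all, whereas the others are conditions that can be fixed in place, by moving the device to the IoT segment, closing a port or disabling a feature.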

The Online Trust Alliance was founded as a loosely confederated industry group in 2005, mostly as a response to email-based security threats and spam. The group’s aims have evolved substantially since then, to encompass a much wider range of technologies, including IoT. After becoming a recognized 501(c)3 organization in 2012, the OTA was absorbed by the larger Internet Society, and became a subordinate arm of that group as of October 2017.