By Josh Erdman
You do not have a cell phone, you have a computer in your pocket that can make phone calls; you no longer drive a car, you are driving in a computer whose computer case is shaped like a car and is designed for transportation. The same can be said about thermostats, X-ray machines and yes – security camera systems. We now know these internet-connected devices as the ‘The Internet of Things’ (IoT) and we in IT have a joke about it. Here it is:
“What does the “S” in IoT stand for?”
“There isn’t an “s” in IoT.”
“S” is for Security
With the quality varying in the vast array of IoT devices, there is plenty of low hanging fruit for bad guys to take advantage of. Usually, this means hackers taking control of a device so they can add it to their ‘zombie’ network of infected, remote controlled Internet devices. You may have heard of this before, it is called a botnet. Remember when Twitter, Netflix, CNN, and Reddit went down late last October? That was a botnet.
“P” is for Protected
To address the security of your network, answer these two questions:
- How do we ensure that none of your equipment would become part of an infected botnet?
- How do we protect your office network from the bot-nets that already exist?
I previously mentioned that the bad guys go for the low hanging fruit. What does this look like? Take network-based, wireless security cameras for example – aka “nanny cams”. You can find these devices ranging in price and quality from $35 to well over $2000. Parallel to this large span of pricing lies a huge difference in features, and quality.
When we focus on quality there are certainly the physical tangibles: ability to withstand abuse, quality control of the product before it leaves the manufacturer, quality of the lenses and the image the camera takes. However, what is frequently overlooked by the consumer is the quality of the intangibles: quality code (code that is secure, stable, and frequently updated).
You Get What You Pay For
The equipment on the lower-end of the scale, like a nanny cam, is most likely rushed through production – with the only requirement being that the equipment functions as advertised with little to no effort spent on reliability and security (despite the claims on the box).
If you happen to purchase such equipment – you alone would be responsible for visiting the manufacturer’s website to download and install firmware updates for security – and that is assuming the manufacturer even releases security updates. This kind of sloppy security can lead to hackers watching your nanny cam feed – even if it is password protected. Effective security and automatic updates are what companies pay for when they purchase more expensive network equipment.
The Cost of Security
A deep investment in network security means your servers are protected with patch management, the routers are the only equipment directly connected to the internet, monitored, and the firmware is upgraded regularly of each device monitored remotely. The rest of your equipment, access points and switches are commercial grade, also monitored, and not directly connected to the internet so if they were to get infected, it would have to be an ‘inside job’.
Now that we know what is necessary to prevent your equipment from being infected, let’s focus on the second half – how do we protect your already healthy network from the millions of infected devices on the internet? By putting all your equipment behind a firewall so the outside world cannot directly communicate with them.
Long story short, when it comes to your IoT, YOU are responsible for adding the “S”.