If You Connect It, Protect It!
Meet Humphrey
Humphrey is a gray squirrel that a friend of mine rescued as an abandoned baby squirrel. For weeks, my friend and his family nursed the young creature by hand. While Humphrey was growing, he became very friendly with the family members, often perching on their shoulders and snuggling in their arms for naps. Humphrey was permitted the run of the house and had a basket for his sleeping quarters, which he often used at night. As time passed, he grew strong enough to survive on his own and the family released him back into the wild to enjoy the life of a healthy gray squirrel. Having grown fond of his human family, Humphrey built a nest in a tree just outside their back door and still hops on laps and shoulders while the family sits together outside.
The “Tail” of Two Cities
So how does a story of a rescued squirrel connect with our timely topic of cybersecurity? As I reflected on the topic of cybersecurity, there is a rampant and significant vulnerability that exists for homeowners and enterprise businesses alike, and in many ways correlates with Humphrey’s story.
In our technology-laced society, “connected things,” or the Internet of Things (IoT), are sprawling. The IoT moniker represents the plethora of internet-connected items that provide useful but narrowly focused benefits. An estimate from SecurityToday.com states that there will be 31 billion (with a b) IoT devices installed in 2020 and more than 75 billion connected by 2025! I know in my own house, my refrigerator and stove are both connected to the internet as well as my home’s thermostat, doorbell, TVs, and smoke detectors. Additionally, there are “smart” coffee makers, slow cookers, lightbulbs, speakers and the list goes on and on. Pretty soon, if a device plugs into the wall, it will also “plug” into the internet.
So, what is the cybersecurity concern that haunts every CIO and should also haunt every homeowner and manufacturer in our country? The reality is IoT devices are engineered to be functional, inexpensive, easy to setup and easy to use, but not necessarily secure. As a result, there is a rapidly growing installation base of questionably secured devices that are providing a heyday for hackers. The true vulnerability is not necessarily losing function of an IoT device to a hacker, but rather, offering a hacker backdoor access into a corporate or home network; potentially exposing valuable data for theft or destruction. This is how Target was hacked in 2013, resulting in over $200 million in losses for the company.
This is Nuts!
Stop and consider the valuable data that lives on your home or business’s network. If a hacker were to infiltrate your environment and launch a ransomware attack, removing your access to all of this information, would you be able to recover without paying the ransom? Making matters worse, what if the hacker first destroyed your backups prior to launching the ransomware attack. Do you have offline data backups that you could use for recovery? We could stop here and write an exposé on the need to implement a resilient backup solution, but that is for another day.
Reflecting on Humphrey’s rescue, we don’t need to pause too long to recognize the risks of handling a wild animal. While Humphrey is cuter than cute, he also has sharp nails, sharp teeth, and powerful jaws. If we were only to focus on the beauty of the animal but fail to take reasonable safety precautions, a trip to the emergency room would not be unexpected. Similarly, with our IoT devices, if we only focus on their functionality but ignore their inherent security risks, we are simply in the queue, waiting for our data and systems to be victimized.
Squirrel Cage
In order to protect our sensitive data from hackers, we need to reconfigure our networks so that we can enjoy the functional benefits of our IoT devices while maintaining separation from our valuable data systems. The networking terms for this are segregation and isolation.
Reflecting back on Humphrey’s situation, he fortunately never bit or scratched his rescuers to the degree they had to seek medical attention, but if he was protected by using a cage during the day, his own safety would have been assured as well as reducing the risk of harm to the humans. Similarly, with our IoT devices, we need to consider putting our valuable assets in a “cage” in order to protect them from a possibly hacked IoT device. Additionally, since numerous IoT devices typically coexist on a network, we may also want to isolate each IoT device into their own cages to prevent a hacker from being able to continue their hack once they penetrate one device.
Stay in Your Lane
Be it a small home network or a large corporate network, segregation and isolation is a fairly easy solution to implement, although it does take planning and requires capable hardware. There are numerous guides available on the internet to give specific instructions on how to segregate and isolate devices on specific pieces of hardware, namely firewalls, switches and wireless controllers, but we will only address this conceptually.
Segregation allows our IoT devices to operate on our network and connect to the internet, but then limits their ability to “talk” to other internal network devices. This solution effectively places a firewall between each IoT device which allows a network administrator to specifically limit the connections permitted from that device to other devices. Using segregation and isolation, if an individual IoT device was compromised, the hacker would be isolated from the rest of the components in the network.
Acorns and Twigs
As squirrels use native building supplies for their nests, segregation and isolation also use their own unique set of configuration tools and settings. Most home and small office wireless routers have the ability to create an additional guest wireless network that is separated from the full access primary wireless network. Guest settings are a preconfigured segregation solution offered in many routers that will only permit connected systems to access the internet and will prevent them from connecting to devices on the other networks, wired or wireless. Additionally, some routers will also offer isolation which will prevent these devices from being able to see any other device connected to the guest wireless network. Consider connecting non-critical IoT devices to the guest network to implement segregation. For enterprise networks, segmentation is accomplished with virtual local area networks (VLANs), routing rules and access rules, which provides an enhanced level of customized protections.
IoT devices generally do not allow access to their built-in management tools, so we largely are unable to perform simple security functions on them, such as changing default usernames and passwords. As such, separation is our primary tool for securing these devices within our networks. As we seek to live in harmony with a “friendly” wild animal, be it Humphrey or our beloved IoT devices, implementing sensible safety protocols will help us all to live safely, securely and happily ever after.
This article originally appeared on NIST’s Manufacturing Innovation blog and is reprinted with permission