Tech leaders need a fundamental understanding of the tools and technologies their teams use to build solutions. In this course, IoT Device Security: Executive Briefing, you will learn foundational knowledge to protect your enterprise against attacks via connected cameras, door locks, smart speakers, and other IoT devices. First, you will learn how the attacks occur and spread. Next, you will discover simple strategies to segment, isolate, and prevent the spread of potential intrusions. Finally, you will explore selected real-world attacks that were mounted using non-obvious equipment. When you’re finished with this course, you will have a security-focused mindset to guide IT policies and prevent as-yet-unknown attacks.
Jeremy Willden has gone from hardware engineering to software development. His career has ranged from the smallest startups to multinational corporations, creating products to give a competitive edge and fuel rapid growth.
The New Wild West of Connected Devices

Internet connected devices are no longer a passing trend. For several years now, the rise of these devices has unleashed wave after wave of products enhanced, enabled, or dependent on internet connectivity, from surveillance cameras to door locks, voice activated personal assistants and entertainment boxes, printers and other office equipment, and even the vehicles on the highway. These devices generally provide remote control or monitoring, improving home security or energy usage, connecting the user in a way that was previously impractical. They are sometimes called smart devices or the Internet of Things, abbreviated as IoT, as opposed to the internet applications used by people. The excitement generated by each new device may supersede taking a moment to consider the risks created by the use or misuse of the product. In most cases, the risks may be mitigated by appropriate installation, configuration, and patterns of use. This briefing is a high level summary of some of the potential security risks created by internet connected devices and an overview of a few strategies for mitigating these risks. While a primary focus is given to devices used in an office environment, the personal residences of high profile and high value targets, such as public figures and corporate officers, may be an attractive point of entry for a security breach. Therefore, a brief discussion of home-focused IoT devices is included as well.
A Patchwork of Security Patches

In the constant cat and mouse game of information security, the most common defense is to update to the latest version of the operating system and application software. Generally, security improves with each new version, and hence the first response to any help desk problem is to update the software. While desktop operating system updates typically occur at the most inconvenient time possible, interrupting a presentation or other high profile work, they are a very necessary part of preserving software security. But how does one update the software in a door lock or a coffee pot? In smart devices the software is called firmware because it's closer to the hardware than ordinary software. Depending on the device, the firmware may be updated automatically, but some devices require intervention. In the case of a Bluetooth enabled door lock, as an example, the user must update the firmware using their phone, a process that takes about 20 minutes per device, and the phone must stay near the lock the entire time. This type of inconvenience discourages users from updating their devices even when a security threat might be imminent.
There’s More Than One Way In

This brief overview of attack types may help identify risks in the enterprise or any high value target network. While they all may be used against a computer or information system, some deserve special attention when it comes to IoT devices. During product development it's not unusual for the developers to include a backdoor password so they can troubleshoot problems while the product is undergoing testing. However well intentioned, these backdoors, as they are called, if not removed before deployment, leave a latent point of entry that cannot be removed without a software fix. Where the physical security of a device cannot be guaranteed and the attacker can get their hands on it in person, a direct access attack allows the hacker to reset the device to factory defaults, reset user passwords, or even replace the device with a different unit and take the original one to be analyzed at their leisure. Much like a car owner who leaves the keys on the seat of their vehicle with the doors unlocked, physical access to a device makes the hacking process much easier. Most enterprises employ substantial physical security on-premise, reducing the risk of this type of attack, but the possibility certainly underscores the need for physical security of facilities and devices.