Endpoint Security and the Internet of Things

Data networks are exploding in size. A few years ago, a small business network might have consisted of a few computers and a router. Today, it’s likely to include tablets, smartphones, VoIP phones, and more. One of the fastest growing categories is “smart devices,” which make up the Internet of Things (IoT). Light bulbs and thermostats could be part of the office network.

Each one is an endpoint, a point of access to the network, and each one is a potential security risk if it is not set up properly. Many of these devices have very little security at all. In October 2016 a botnet of compromised smart devices (mostly cameras and video recorders that had been logged into with their factory-default passwords) drove a huge denial-of-service attack against the DNS provider Dyn, and more exploits taking advantage of their weak security are sure to come.

This makes endpoint security a more critical and complex matter than ever.

Understanding endpoint security

Endpoint security means a network-wide approach to securing every device that has access to the network. It was once enough to ask the user of each device to install protective software and be careful with email and downloads. Today many devices have no user at all. They are installed and forgotten. An endpoint security policy is needed to keep them safe.

You usually can't attach a terminal to a smart device or do anything beyond stepping through a menu on its controls, so assessing it is a different job from assessing a desktop computer or even a smartphone. It is generally hard to tell just what the device is doing, but you have to know before you can decide whether to trust it. What you can do is watch it from the outside: put a new device on an isolated network segment for a day, capture its traffic, and list every host it talks to before it goes into production.

Steps to security

The first step is to make sure that only devices that meet certain standards can connect. Most IoT devices connect by Wi-Fi, and too many of them use unencrypted connections. The old WEP encryption is broken and can be cracked in minutes, and the original WPA (with the TKIP cipher) is also deprecated. Routers and access points should be configured to accept only WPA2 connections using AES (CCMP), with WEP and TKIP disabled, or WPA3 where every device on the network supports it. If a device can't use WPA2, return it for a refund. It's worse than worthless.
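The following is an added example, not code from the original article or from BWS. It shows a weak and a hardened access point configuration in the format used by hostapd (the option names wpa, wpa_pairwise, rsn_pairwise, wep_key0, auth_algs, ieee80211w and wps_state are real hostapd options; the two configurations themselves are constructed for this example), together with a small checker that flags the settings discussed above: open networks, WEP, WPA version 1, and the TKIP cipher.

```python
"""Audit hostapd-style access point configurations for weak Wi-Fi settings.

Added example. Policy enforced: WPA2 only (wpa=2), AES/CCMP only, no WEP,
no shared-key authentication, no WPS, management frame protection on.
"""

# Constructed example: a typical "accept everything" configuration.
WEAK_CONF = """
interface=wlan0
ssid=office-iot
auth_algs=3
wep_default_key=0
wep_key0=5A5A5A5A5A
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

# Constructed example: the same network restricted to WPA2-AES.
HARDENED_CONF = """
interface=wlan0
ssid=office-iot
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Only the first '=' splits, so values may themselves contain '='."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap_config(text):
    """Return a list of human-readable findings; an empty list means the
    configuration meets the WPA2-AES-only policy."""
    conf = parse_hostapd(text)
    findings = []
    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: WEP is trivially breakable")
    # auth_algs is a bitfield: 1 = open system, 2 = shared key (WEP only)
    if conf.get("auth_algs", "1") in ("2", "3"):
        findings.append("shared-key (WEP) authentication enabled via auth_algs")
    # wpa is a bitfield: 1 = WPA (version 1), 2 = WPA2/RSN, 3 = both
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("no WPA/WPA2: network is open")
    elif wpa & 1:
        findings.append("WPA version 1 accepted: allow only WPA2 (wpa=2)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"TKIP cipher allowed in {key}: use CCMP only")
    if wpa & 2 and conf.get("ieee80211w", "0") == "0":
        findings.append("management frame protection disabled (set ieee80211w=1 or 2)")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: the WPS PIN can be brute-forced")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ap_config(conf) or "OK")
```

Run the checker against the configuration of every access point the policy covers; the hardened configuration produces no findings, while the weak one produces one finding for each way it falls short of the policy. Note that ieee80211w=2 (protected management frames required) will lock out some older IoT devices; if that happens, ieee80211w=1 (optional) is the next best setting rather than turning it off.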

Some IoT devices run their own Wi-Fi access point, usually open or protected by a well-known default password, for no better reason than that it makes them easier to set up, and many never switch it off afterwards. That is a second, unmanaged way onto your network, which takes them outside the realm of endpoint security. In fact, it takes them outside the realm of security. Don't touch them.

This brings us to selection of the devices. A business needs to know how risky a device is before letting it onto the network. If it offers no configurable security features (for example, no password that can be set), it is not safe to allow it onto the network. Check the manual online before ordering the device.

Next comes configuring the device. The endpoint security policy should spell out the requirements. If possible, use a wired connection for the initial configuration, so that the device doesn't leak any information over Wi-Fi before it is secured. Change the password from the default to something hard to break, use a different password for each device, and switch off any remote-access or cloud features the device doesn't need.

Ongoing use is part of endpoint security. Devices need firmware upgrades periodically. The policy should specify the minimum software version a device must run and exclude any device that can't be upgraded to that level or that the vendor has stopped updating. It may not always be possible to determine what system software a device is running. Be wary in those cases.
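The selection, configuration and upgrade requirements above amount to an admission policy. Here is an added example of applying one, not code from the original article or from BWS: a constructed device inventory is checked against the policy (WPA2 support, a configurable password that is not a known default and is not reused on another device, and firmware at or above a minimum version), with unknown firmware treated as a warning rather than an automatic rejection, as the article suggests. The inventory, the default credential list and the minimum version are all assumptions made for the example.

```python
"""Gate an IoT device inventory against an endpoint security policy.

Added example. Each device is classed as admit, warn or reject, with reasons.
"""
import hashlib

# Constructed: factory defaults seen on cheap devices. A real list would be longer.
DEFAULT_CREDENTIALS = {"", "admin", "password", "1234", "12345", "123456"}
# Constructed: the minimum firmware version the policy accepts.
MIN_FIRMWARE = (2, 1, 0)

# Constructed sample inventory (passwords shown in clear only for the example).
INVENTORY = [
    {"name": "lobby-thermostat", "wpa2": True, "password_settable": True,
     "password": "Q7v!k2mPx9$Lw", "firmware": "2.3.1"},
    {"name": "printer-cam", "wpa2": True, "password_settable": True,
     "password": "admin", "firmware": "2.1.0"},
    {"name": "hallway-bulb-1", "wpa2": True, "password_settable": True,
     "password": "SharedSecret99", "firmware": "1.9.4"},
    {"name": "hallway-bulb-2", "wpa2": True, "password_settable": True,
     "password": "SharedSecret99", "firmware": None},
    {"name": "cheap-plug", "wpa2": False, "password_settable": False,
     "password": None, "firmware": "0.1"},
]


def parse_version(text):
    """'2.3.1' -> (2, 3, 1). Returns None when the version cannot be determined."""
    if not text:
        return None
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def _fingerprint(password):
    # Compare hashes so the report never has to carry a password in clear.
    return hashlib.sha256(password.encode()).hexdigest()


def evaluate(inventory):
    """Return {device name: (status, [reasons])} where status is
    'admit', 'warn' or 'reject'."""
    # Index devices by password fingerprint to catch reuse across devices.
    by_fingerprint = {}
    for dev in inventory:
        if dev["password"] is not None:
            by_fingerprint.setdefault(_fingerprint(dev["password"]), []).append(dev["name"])

    results = {}
    for dev in inventory:
        reject, warn = [], []
        if not dev["wpa2"]:
            reject.append("cannot use WPA2")
        if not dev["password_settable"]:
            reject.append("no configurable password")
        else:
            if dev["password"] in DEFAULT_CREDENTIALS:
                reject.append("default password")
            others = [n for n in by_fingerprint.get(_fingerprint(dev["password"] or ""), [])
                      if n != dev["name"]]
            if others:
                reject.append("password reused on: " + ", ".join(others))
        version = parse_version(dev["firmware"])
        if version is None:
            warn.append("firmware version unknown")
        elif version < MIN_FIRMWARE:
            reject.append(f"firmware {dev['firmware']} below minimum")
        status = "reject" if reject else ("warn" if warn else "admit")
        results[dev["name"]] = (status, reject + warn)
    return results


if __name__ == "__main__":
    for name, (status, reasons) in evaluate(INVENTORY).items():
        print(f"{name:18} {status:7} {'; '.join(reasons)}")
```

In the sample inventory only the thermostat is admitted; the camera is rejected for its default password, the two bulbs for sharing a password (and one of them for old firmware), and the plug for failing every check. A device whose firmware version cannot be read is admitted with a warning, which is the case the article tells you to watch.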

Defense in depth

Endpoint security needs to be part of a layered defense. Smart devices should be placed on their own network segment (a separate VLAN or SSID) and heavily firewalled, so that nothing can log into them from outside, they can't reach the rest of the office network, and they can't perform activities they shouldn't need to. Monitoring should be set up to detect any unusual flurry of activity, such as a device suddenly contacting many new hosts. Maybe it's just performing a software upgrade as it should, but find out.
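As an added example of the monitoring described above (not code from the original article or from BWS), the following detector runs over constructed connection-log lines (timestamp, device, destination, port, bytes). Each device has an assumed list of destinations it is expected to talk to; the detector reports a device that contacts anything outside that list, and a device whose connection count in any one-minute window jumps well above its own usual rate. Traffic to an allowlisted vendor update host is reported as expected update activity rather than silently dropped, so that the analyst can confirm it rather than assume it.

```python
"""Flag unusual IoT endpoint activity in connection logs.

Added example. Devices, allowlists and log lines are all constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed: the hosts each device is expected to contact.
EXPECTED = {
    "thermostat-1": {"api.vendor-thermo.example", "fw.vendor-thermo.example"},
    "bulb-3": {"cloud.bulbco.example"},
}
# Constructed: vendor hosts that legitimately serve firmware downloads.
UPDATE_HOSTS = {"fw.vendor-thermo.example"}
# A minute with more than this multiple of the device's median rate is a burst.
BURST_FACTOR = 5

# Constructed log: three quiet minutes, a firmware download by the thermostat,
# then a burst of telnet connections from bulb-3 to twelve different hosts
# (what a compromised device scanning for other victims looks like).
LOG = (
    "2024-03-04T09:00:05 thermostat-1 api.vendor-thermo.example 443 812\n"
    "2024-03-04T09:00:35 bulb-3 cloud.bulbco.example 443 300\n"
    "2024-03-04T09:01:10 thermostat-1 api.vendor-thermo.example 443 790\n"
    "2024-03-04T09:01:40 bulb-3 cloud.bulbco.example 443 305\n"
    "2024-03-04T09:02:12 thermostat-1 fw.vendor-thermo.example 443 5201344\n"
    "2024-03-04T09:02:41 bulb-3 cloud.bulbco.example 443 298\n"
    + "".join(f"2024-03-04T09:03:{i:02d} bulb-3 198.51.100.{i + 1} 23 60\n" for i in range(12))
)


def parse_log(text):
    """Parse whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dst, port, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return events


def detect(events, expected, update_hosts, burst_factor=BURST_FACTOR):
    """Return a list of alert dicts with keys device, kind and detail.
    kind is 'unexpected-destination', 'burst' or 'expected-update'."""
    alerts = []
    per_minute = defaultdict(Counter)
    reported = set()  # (device, dst) pairs already reported
    for e in events:
        minute = e["ts"].replace(second=0, microsecond=0)
        per_minute[e["device"]][minute] += 1
        allowed = expected.get(e["device"], set())
        if e["dst"] in allowed and e["dst"] in update_hosts:
            alerts.append({"device": e["device"], "kind": "expected-update",
                           "detail": f"{e['bytes']} bytes from {e['dst']}; confirm a release was due"})
        elif e["dst"] not in allowed and (e["device"], e["dst"]) not in reported:
            reported.add((e["device"], e["dst"]))
            alerts.append({"device": e["device"], "kind": "unexpected-destination",
                           "detail": f"{e['dst']}:{e['port']}"})
    # Burst check: compare each minute with the device's own median rate.
    for device, counts in per_minute.items():
        baseline = max(1, median(counts.values()))
        for minute, n in sorted(counts.items()):
            if n > burst_factor * baseline:
                alerts.append({"device": device, "kind": "burst",
                               "detail": f"{n} connections in the minute from {minute.isoformat()}"
                                         f" (usual rate {baseline:g}/min)"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(LOG), EXPECTED, UPDATE_HOSTS):
        print(f"{alert['kind']:22} {alert['device']:13} {alert['detail']}")
```

On the sample log the thermostat produces a single "expected update" notice for its large download, while the bulb produces twelve unexpected-destination alerts (telnet to hosts it has never talked to) plus one burst alert for the minute in which they happened. The median-based baseline keeps a device's own quiet history as the reference, so a busy device is not flagged merely for being busy, only for departing from its pattern.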

BWS provides support services to help you navigate the growing complexities of the Internet. Contact us to learn what we can do for your business.