IoT devices are making their way into the office and onto corporate networks. Are you ready to audit them?
As IT auditors, we've audited mainframes, servers, applications, and many other IT devices and systems for years and have become proficient in determining the reasonable effectiveness of a company's suite of controls to safeguard them. Today, a new breed of interconnected devices, affectionately called the Internet of Things or IoT, is presenting new auditing opportunities along with a few challenges.
These devices, which include smart TVs and many other devices now found in corporate offices, do not follow the rules of the systems we have historically attached to our networks. They run firmware rather than a full operating system, for example, and many are designed for home and personal area networks (HAN/PAN) as well as for our corporate networks. They also use different communications protocols, which focus far more on customer satisfaction than on security.
Already, IoT devices are making their way into offices and onto corporate networks, and cyber-attacks that leverage them have already begun. In fact, a recent breach that has caught the attention of many executives and board members is one that was launched in October against the cloud-based internet performance management company Dyn. The attack targeted Dyn with a “zombie botnet” made up of poorly secured PANs. The attacker hacked into hundreds of thousands of IoT devices and infected them with malware that flooded the targeted servers with enough traffic to shut them down.
So, what defines an IoT device?
The IoT category includes devices that do not have their own operating system and which can communicate and share information through interconnected systems. They range from smart TVs and Amazon’s Echo smart speaker to various network appliances, including some routers and firewalls. Many of the new “automated home devices,” including smart thermostats, door and window sensors, cameras, intercoms, and automated switches and outlets, are just part of the growing legion of IoT devices. We also cannot forget about cars and appliances. And many of these devices are moving from the automated home to the automated office.
How do these devices connect?
To illustrate how IoT devices are typically connected, let's start with a typical home network.
The cable company provides a preconfigured cable modem. A well-constructed PAN should also have a second router/firewall between the cable modem and the personal devices on the network. All devices on the network connect either through a physical cable or wirelessly using the assigned network key. The security settings of most IoT devices are controlled through a configuration screen or management console.
What are the common threats and vulnerabilities?
Of course, to audit the use of IoT we need to know about common IoT vulnerabilities and threats. The best place to start is the National Vulnerability Database (NVD), which collects summaries of known vulnerabilities, including those confirmed on IoT devices. Reviewing online resources such as NVD and US-CERT, a government-run organization that publishes information on cyber-attacks, will aid you in understanding vulnerabilities and exploits along with the recommended remediation. You can also learn about successful exploits from sites such as the Privacy Rights Clearinghouse.
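As an added example (not from the original article), the script below cross-checks an IoT asset register against an excerpt of a vulnerability feed, which is how an auditor would turn NVD research into a list of affected devices and owners. The inventory, product names and CVE ids are constructed placeholders, the feed excerpt is shaped like an NVD API 2.0 JSON response, and the matching is a simple keyword check on the English description; a production tool would match on NVD's vendor/product (CPE) identifiers instead.

```python
"""Cross-check an IoT inventory against a vulnerability feed excerpt.

Added example, not the article's own tooling. NVD_RESPONSE is a constructed
sample shaped like an NVD API 2.0 JSON response; the CVE ids, vendor and
product names are placeholders, not real records.
"""
import json
import re

# Constructed IoT inventory, as collected from the asset register (hypothetical devices).
INVENTORY = [
    {"asset": "lobby-tv-01", "product": "ExampleCo SmartView TV", "owner": "Facilities"},
    {"asset": "meeting-speaker-02", "product": "ExampleCo EchoBox speaker", "owner": "IT"},
    {"asset": "hvac-thermo-03", "product": "ExampleCo ClimateSense thermostat", "owner": "Facilities"},
]

# Constructed feed excerpt shaped like an NVD API 2.0 response (placeholder ids).
NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "descriptions": [{"lang": "en", "value": "ExampleCo SmartView TV firmware before 2.1 accepts unauthenticated configuration changes."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            "descriptions": [{"lang": "en", "value": "ExampleCo ClimateSense thermostat leaks the Wi-Fi key to the local network."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {
            "id": "CVE-0000-0003",
            "descriptions": [{"lang": "en", "value": "OtherVendor router allows directory traversal."}],
            "metrics": {},
        }},
    ]
})


def english_description(cve):
    """Return the English description of a CVE record, or an empty string."""
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d.get("value", "")
    return ""


def severity(cve):
    """Return (baseSeverity, baseScore) from the first CVSS v3.1 metric, if any."""
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        data = m.get("cvssData", {})
        return data.get("baseSeverity", "UNKNOWN"), data.get("baseScore")
    return "UNKNOWN", None


def product_tokens(product):
    """Vendor and model words of a product string, ignoring the generic noun (TV, speaker)."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", product)][:2]


def match_feed(inventory, feed_json):
    """Flag inventory assets whose vendor/model words appear in a CVE description.

    Returns findings sorted by CVSS score, highest first, so the owner of the
    most exposed device is contacted first.
    """
    feed = json.loads(feed_json)
    findings = []
    for entry in feed.get("vulnerabilities", []):
        cve = entry["cve"]
        text = english_description(cve).lower()
        for asset in inventory:
            if all(tok in text for tok in product_tokens(asset["product"])):
                sev, score = severity(cve)
                findings.append({"asset": asset["asset"], "owner": asset["owner"],
                                 "cve": cve["id"], "severity": sev, "score": score})
    return sorted(findings, key=lambda f: f["score"] or 0, reverse=True)


if __name__ == "__main__":
    for f in match_feed(INVENTORY, NVD_RESPONSE):
        print(f"{f['asset']:20} owner={f['owner']:10} {f['cve']} {f['severity']} ({f['score']})")
```

The keyword match deliberately requires every vendor and model word to appear, so a CVE mentioning only the vendor does not create a finding for every device from that vendor.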
How can we protect ourselves?
So how can companies and individuals protect themselves if they wish to use this technology? For starters, make sure security firmware updates are enabled. That setting alerts us when new patches are released, or even pushes the new firmware to the device when it is connected to the Internet.
Beyond enabling updates, the following IT controls should be extended to cover IoT; they are also the items typically in scope for an IoT assurance engagement:
1. Validate the existence and completeness of an inventory of IoT devices with designated owners
2. Ensure the use of hardening guides and checklists specific to each class of IoT device
3. Verify that network diagrams exist depicting what segments of the network contain these devices and how they are isolated from segments containing proprietary, GLB, PCI, PII and HPI data.
4. Ensure configuration records are being captured (preferably automatically) for each IoT device attached to the corporate network
5. Validate that patching procedures have been developed for IoT devices, and that devices which can't or don't allow for firmware updates are documented in exception management with tested compensating controls
6. Verify that user awareness training has been provided to everyone who installs, maintains, or uses these devices, including rules for connecting IoT devices such as popular Amazon Dots and Echos to corporate networks, and require them to accept requests to apply security patches when prompted
7. Assess the completeness of IoT device activity monitoring and logging procedures
8. Ensure the Incident Response Plan articulates how to conduct triage, analysis, containment, and eradication of various IoT targeted exploits, including the results of a round table exercise that involves an IoT scenario
During planning and fieldwork, the auditor should collect the evidence noted above and perform a compliance review that includes taking a sample of IoT devices from the population, going into the settings of each sampled device, and confirming that the security update settings are enabled.
Ensuring that controls such as those listed above are in place could go a long way toward keeping IT and audit professionals from having to explain to senior management and the board how the corporate network was infiltrated by an army of online baby monitors and thermostats.
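To make the compliance review concrete, here is an added example (not the article's own procedure) that evaluates a constructed IoT inventory against controls 1, 3, 4 and 5 from the list above, draws a reproducible sample of devices, and compares what the auditor observed on each sampled device's console with the inventory record. The inventory, the exception register, the segment-to-data-class map and every field name are hypothetical.

```python
"""Evaluate an IoT inventory against the control checklist and test a sample.

Added example, not from the original article. All devices, segments, field
names and the exception register are constructed for illustration.
"""
import random

# Data classes the article names as needing isolation from IoT segments.
SENSITIVE_CLASSES = {"PCI", "PII", "GLB", "HPI", "proprietary"}

# Constructed: which network segment holds which classes of data (control 3).
SEGMENT_DATA = {
    "corp-user": {"PII"},
    "iot-isolated": set(),
    "cardholder": {"PCI"},
}

# Constructed exception register for devices that cannot take firmware updates (control 5).
EXCEPTIONS = {"badge-cam-04": "vendor end-of-life; isolated on iot-isolated with egress blocked"}

# Constructed inventory. auto_update is the value recorded in the asset register.
INVENTORY = [
    {"asset": "lobby-tv-01", "owner": "Facilities", "segment": "iot-isolated", "auto_update": True, "config_captured": True},
    {"asset": "meeting-speaker-02", "owner": None, "segment": "corp-user", "auto_update": True, "config_captured": False},
    {"asset": "hvac-thermo-03", "owner": "Facilities", "segment": "cardholder", "auto_update": False, "config_captured": True},
    {"asset": "badge-cam-04", "owner": "Security", "segment": "iot-isolated", "auto_update": False, "config_captured": True},
]


def evaluate(inventory, segment_data=SEGMENT_DATA, exceptions=EXCEPTIONS):
    """Return (asset, control, issue) findings for each checklist control that fails."""
    findings = []
    for d in inventory:
        if not d.get("owner"):
            findings.append((d["asset"], "control 1", "no designated owner"))
        if segment_data.get(d["segment"], set()) & SENSITIVE_CLASSES:
            findings.append((d["asset"], "control 3", f"shares segment {d['segment']} with sensitive data"))
        if not d.get("config_captured"):
            findings.append((d["asset"], "control 4", "no configuration record captured"))
        if not d.get("auto_update") and d["asset"] not in exceptions:
            findings.append((d["asset"], "control 5", "updates disabled and no documented exception"))
    return findings


def draw_sample(inventory, size, seed=0):
    """Seeded random sample so the workpapers can show exactly how devices were selected."""
    rng = random.Random(seed)
    return sorted(rng.sample([d["asset"] for d in inventory], size))


def verify_sample(inventory, sample, observed):
    """Compare the update setting seen on each sampled device with the inventory record.

    observed maps asset -> the auto-update setting the auditor saw on the device console.
    Returns the assets where the record and the device disagree.
    """
    by_asset = {d["asset"]: d for d in inventory}
    return [a for a in sample if observed.get(a) != by_asset[a]["auto_update"]]


if __name__ == "__main__":
    for asset, control, issue in evaluate(INVENTORY):
        print(f"{asset:20} {control}: {issue}")
    sample = draw_sample(INVENTORY, 2)
    # Constructed observations from the device consoles for the sampled assets.
    observed = {a: True for a in sample}
    print("sample:", sample, "mismatches:", verify_sample(INVENTORY, sample, observed))
```

A mismatch between the inventory and the device console is itself a finding: either the register is stale (control 4) or someone changed the setting on the device without the change being recorded.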