IoT Security in Layers: Defense in Depth
by Exosite, on July 11, 2017
When it comes to developing a practical IoT security strategy, you really can’t get enough of the basics. That’s why your security strategy should involve layering proven security technologies, which creates a depth that yields better results and deters more hackers.
This concept of defense in depth becomes extremely beneficial when you consider how hackers typically begin—not by suddenly gaining access to critical data and control, but instead through incremental steps where they tend to throw the widest net possible to find the most vulnerable systems. Case in point, the Verizon 2016 Data Breach Investigations Report found that the average attack took days, not minutes.
In response to this known behavior, a series of strategies should be used to respond to attackers at each step of their process to minimize the impact of hacking events:
Proactive strategies are created to deal with the inevitable successful hacker. Methods incorporating social engineering against hackers allow you to see the behaviors and motives of hackers, as well as gain an understanding of where real potential vulnerabilities are. A few examples are mirrored environments and the creation of fake, insecure endpoints.
The easiest way to prevent an intruder from controlling your critical assets is to simply take away the ability to control the asset’s functionality. Granted, it might take away some of the appeal of the capabilities of a connected system, but it allows you to tune the level of security to the application and still benefit from the data collected from it. There are other designs you can implement, such as isolating user permissions and virtualization of your application.
Taking steps to secure the identities of system users is a pretty obvious critical step in IoT security. Incorporating a properly managed two-factor authentication system can create a solid barrier in front of would-be hackers looking to control a device or gain access to data through phishing and other scams. Depending on the level of risk associated with a solution, you may want to consider other options like text verifications and phone-based authentication apps that provide significantly better protection than security questions.
Governance, risk management, and compliance are the components of process control that can play an essential role in IoT security within your organization. IoT-specific processes should dictate the activities of workers within an organization, but workers should also have governance to ensure compliance with company and regulatory processes.