Data Security, Secure-By-Design, and IoT
Guest Writer
An increase in IoT-enabled products means an increase in the amount of private data we transmit each day. So what is “secure by design,” and how do we know our information is protected?
IoT devices are designed to make our lives better—keeping us safe, monitoring our health, allowing us to operate more efficiently. But, without stringent security measures, there’s a genuine possibility that these digital wonders of the modern age could put our data—and even our lives—at risk.
McKinsey estimates that 127 devices connect to the internet for the first time every second. As more and more devices connect to the internet and each other, the risks increase. More devices and connectivity mean more opportunities for malicious hackers to launch attacks on unsecured devices, access private information, shut down networks, and cripple infrastructure.
In the last few years, we’ve seen several large-scale examples of IoT hacking. In October 2016, an IoT botnet launched the largest distributed denial-of-service (DDoS) attack on service provider Dyn. Once computers were infected with a type of malware named Mirai, they searched the internet for vulnerable IoT devices such as digital cameras and DVR players and infected them with malware.
This resulted in massive portions of the internet going down, including giants such as CNN, Twitter, the Guardian, Reddit, and Netflix. This is only one example of exploited IoT vulnerabilities. If manufacturers and developers don’t take extra care to secure devices at the hardware level, stories like this will continue to feature in the news. But what about the network layer? By having a virtually impenetrable IoT network, you can build in defense by default.
A zero-trust model ensures that unknown entities are unable to gain access to a particular network. By default and design, devices and users are not automatically trusted. Instead, the system constantly checks and re-checks each user when they try to access any data. This should be implemented at both a device level and an IoT network level.
Including IoT devices and networks in your zero-trust strategy goes a long way in protecting against vulnerabilities that may arise from IoT device manufacturer hacks.
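The per-request checking described above, as an added Python example that is not from the article or any vendor: a gateway that denies unknown devices by default and re-verifies signature, freshness, replay and policy on every request. The device IDs, keys, resource names and 30-second freshness window are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: device IDs, keys and resource names are hypothetical.
DEVICE_KEYS = {"cam-01": b"k1-constructed-secret", "thermo-07": b"k2-constructed-secret"}
POLICY = {"cam-01": {"video/upload"}, "thermo-07": {"telemetry/write"}}
MAX_SKEW = 30  # assumed window (seconds) in which a signed request stays fresh

def sign(key, device_id, resource, ts, nonce):
    """Device side: bind identity, resource, time and nonce into one MAC."""
    msg = f"{device_id}|{resource}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Gateway:
    """Network side: no sessions and no trusted zone; every request is re-verified."""

    def __init__(self):
        self.seen = set()  # (device_id, nonce) pairs already accepted

    def authorize(self, device_id, resource, ts, nonce, mac, now):
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return "deny: unknown device"  # the default is no trust
        expected = sign(key, device_id, resource, ts, nonce)
        if not hmac.compare_digest(expected, mac):
            return "deny: bad signature"
        if abs(now - ts) > MAX_SKEW:
            return "deny: stale request"
        if (device_id, nonce) in self.seen:
            return "deny: replay"
        if resource not in POLICY.get(device_id, set()):
            return "deny: not permitted"  # a valid identity alone grants nothing
        self.seen.add((device_id, nonce))
        return "allow"

def demo():
    gw, now, key = Gateway(), 1_700_000_000, DEVICE_KEYS["cam-01"]
    def req(dev, res, nonce, at):  # signed with cam-01's key at `now`, delivered at `at`
        return gw.authorize(dev, res, now, nonce, sign(key, dev, res, now, nonce), at)
    return [
        req("cam-01", "video/upload", "n1", now),        # registered device, permitted resource
        req("cam-01", "video/upload", "n1", now + 1),    # same nonce sent again
        req("cam-01", "telemetry/write", "n2", now),     # resource outside the device's policy
        req("rogue-99", "video/upload", "n3", now),      # device not in the registry
        req("cam-01", "video/upload", "n4", now + 120),  # delivered after the freshness window
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```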
End-to-end encryption (E2EE) is a method of communication that prevents third parties from accessing data while it's transferred from one end system or device to another. All data should be encrypted from the point it is generated to wherever it is transmitted.
With E2EE in place, data is encrypted on the sender's system or device so that only the intended recipient can decrypt it. Along the way, it’s secured against any tampering from a hacker, internet service provider, application service provider, or any other entity or service. End-to-end encryption works in conjunction with the zero-trust principle: even if an “eavesdropper” accesses a network pipeline, the data remains confidential.