(Internet of) Things Change, and Not Always for the Better


I was chatting with one of my IT Admin friends the other day. Let’s call him Gary to spare him blushes. He has been working in offices for years, and I asked him what little things annoy him these days. Not the Big Stuff like ransomware and corporate spying, I just wanted to know about the day-to-day frustrations.

He said:

 “When I started out as ‘The IT Guy’ in the office, people would come and ask me to solve problems with anything that had a plug on the end of it. 

“‘Can you help me work the projector in the boardroom?’ ‘Can you fix the coffee machine?’ ‘Can you take a look at my air-con unit if I bring it into the office?’ 

“And I’d politely say, ‘Look, that thing isn’t a real computer. If it’s not a real computer and it’s not on our company network then (with all due respect) it’s not my job to fix it.’

“Now what’s happened is that everything today does have a real computer inside it. Not only that, but all these things desperately want an internet connection. And now these unpatched security nightmares are finding their way inside my secure, firewalled network.”

==

So it seems that those decades of IT folks telling people that ‘dumb’ electronics weren’t an IT problem have opened a whole new can of worms, because now we really do care about today’s ‘smart’ gizmos, which are being plugged into the network without a thought for the security or network implications.

Perhaps the old-school, legitimate IT mantra of ‘not my problem’ is now biting IT teams and organizations in the you know what.

Just listen to what Jeff says turned up in his office. 

“Well, the most obvious thing is the shiny new refrigerator. It has a screen on the front that displays a calendar showing whose turn it is to clean it. It has cameras inside, presumably so people can figure out who is stealing other people’s sandwiches. And naturally, it’s got a microphone in it because why wouldn’t you want to talk to a fridge. But hey, it cost $2500 and now that someone in IT has noticed it, it’s our job to make it secure.

“Next up we had the TV. We had noticed a spike in the internet usage at random times in the summer last year. The surge would last about two hours before it stopped. It turned out that some people were booking ‘meetings’ during the soccer World Cup to watch the games on the Ultra HD TV they’d snuck in – and worse, using the illegal streaming box they’d hooked up to it.

“Finally, a lot of the ageing HVAC units were due to be replaced, including the ones in the server room. This was all handled by ‘Facilities Management’. After the work was complete, they were proud to show off their new app which would let them monitor and control the units over the internet. The facilities management team had given the Wi-Fi details to the installers. No one had checked with us in IT as to whether this was a good idea, or whether we would be in the slightest bit concerned that a hacker might be able to remotely shut down our server room a/c.”

==

These stories make an interesting point about IoT. Users are not aware that IoT devices such as white goods and smart speakers can pose a huge problem for companies. The problem, of course, is that these devices do not necessarily meet the security requirements of the organization.

I asked Jeff what he did when he found out about all this stuff: 

“The first thing was to do a full audit and risk assessment. These are the jobs many of us in IT say we always do but never quite get round to. We created new Wi-Fi networks for the devices people can’t seem to live without. We monitor and audit everything on the network more than we used to. But the main thing has been to keep reminding people that anything that needs internet access is a security risk.

“This kind of thing is happening in offices up and down the country. People want their shiny things; their home comforts at work. It is unavoidable these days, especially in the less ‘corporate’ offices where security policy is not enforced with an iron fist. If someone wants internet-enabled, colour-changing light bulb speakers in the bathrooms, they might be a lot more sneaky than you think.”

==

So, TBG security advice for all companies with networks that have sprawled into the internet of things domain includes: 

Take a full audit of everything that’s on the network and every way in. Don’t rely on co-workers to admit what they’ve been up to!

Carry out a full cybersecurity assessment to ensure these devices are not posing any risk to the organization.

Schedule security assessments every three to six months. The network continually evolves as more devices are added, people change roles, leave or join the company. Maintaining good network hygiene is the key to running an operation with a minimal cyber risk. 

If you’re not sure where to start with auditing and risk assessments, speak to the experts at TBG Security. We are here to help. Contact us today.

 

 

 


Comments

  1. DENIS  December 10, 2019

    Hi Carole, thanks for the post. I can certainly relate to this. In fact, just last week I was at a customer site helping them to remove the vending machine that was vulnerable to EternalBlue. The attack surface is certainly expanding, my friend.

    Thanks again!

    • Carole Theriault  December 10, 2019

      I hear you. I suspect every office in the US has some form of IoT inside that IT is not YET aware of. IT guys and gals better keep their wits about them. It’s going to be a rough ride until we get all this stuff under control.
