Tactics for defending IoT devices from hackers often overlooked, experts say

While it may seem like a no-brainer to update device firmware, cybersecurity experts say cybercriminals are exploiting these lapses in upkeep.
By Bill Siwicki
10:34 AM
Share
IoT device security

Healthcare security professionals have their hands full with protecting Internet of Things devices from attacks. There are many ways to safeguard IoT devices in healthcare. But infosec pros can benefit from the sometimes-overlooked methods of protection, which security experts point to as high-value tactics against hackers.

“IoT devices are clearly becoming pervasive, and when it comes to healthcare devices, the impact on safety is substantially higher,” said Sam Rehman, chief technology officer at Arxan Technologies, an IT security firm. “A number of measures should be enforced to reduce the chance of attacks and the level of impact and reach.”

Rehman offers a list of best practices, including:

  • Do not leave devices deployed in factory settings. Most bots use default settings as an initial entry attempt.
  • If devices do not need Internet access, restrict their web access to local ring-fenced networks only. Otherwise, only allow outbound internet; no open listening ports.
  • Make sure devices are up to date on firmware.
  • Always protect firmware with binary protection so that it cannot be taken apart easily.
  • Protect embedded credentials and keys with both application protection and white box cryptosystems.
  • Periodically check software health and deployment of devices.

“IoT devices are now being used by hackers to find secrets and protocols to access the back-end services and bypass access controls in data centers; hijack nodes to either deny services, steal data or forge transactions, or even as hop points to attack other nodes; run unauthorized transactions that could affect patient safety; and hijack nodes and servers to demand ransom,” Rehman said. “These aforementioned practices will both make it substantially harder for hackers to gain control of your devices and secrets, and also reduce the spread and impact of attacks.

John Bartolac, senior manager for business development industry segments and North America cyber strategy at Axis Communications, a security technology vendor, also shares some IoT device protection tactics that may be overlooked by some healthcare security shops.

“Enforce password management policies and consequences for non-compliance of password protection,” Bartolac advised. “Always make sure you have a plan to catalog all network devices and ensure regular reviews every six months at a minimum so all devices have the latest updated software or firmware. Also, only install trusted applications and disable unused services.”

Turning off unused services can be key to preventing a malicious assault.

“Leaving unused services enabled when deploying a device may leave it vulnerable to attack,” Bartolac said. “The same is true of downloading applications from an untested developer since they may contain malicious scripts that attackers can exploit. Disabling unused services and only installing trusted applications reduces the chances that a would-be perpetrator could breach the network through IoT devices.”

Lastly, don’t neglect sound password management practices. Most IP-based devices ship with default passwords and settings. Failing to change these and not enforcing proper management across all devices provides an easy way for hackers to gain unauthorized access to a system, Bartolac said.

“The most effective ways to leverage passwords to stop attacks are to set hard-to-guess passwords with a minimum of eight characters and include complex character usage, change passwords on a regular basis and enforce strict management policies toward passwords,” he added. “If the devices support use of certificates of authenticity, always use these in lieu of passwords if your network architecture supports this.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn