| |NOVEMBER 20249CIOReviewtesting, QA processes, and other steps mentioned in frameworks like damage, reproducibility, exploitability, affected users, and discoverability (DREAD) or spoofing, tampering, repudiation, information disclosure, denial (STRIDE). · Pre-contract, third-party risk management (TPRM) processes and reviews. This can include analysis of the IoT supplier's publicly accessible assets using tools like BitSight or Security Scorecard. It is reasonable to assume if the IoT supplier is exhibiting publicly facing security vulnerabilities these tools can reliably identify, its products are likely insecure as well. · Commitment to bug bounty programs or inclusion in software assurance communities that leverage crowdsourcing to uncover hidden bugs or security flaws. Bug bounties, performed parallel to new software releases can help ensure product safety. These programs help demonstrate that cybersecurity is not an afterthought. Safeguarding the established IoT Environment Even if proper due diligence was performed, additional IoT device risks must be carefully weighed. Organizations are then tasked with asking "What considerations or security controls should now be evaluated to ensure secure network operations for IoT devices?" The below list serves as a non-exhaustive set of controls to evaluate, track and improve upon over time to properly secure the organization's IoT ecosystem: · Ensure asset inventory practices include secure management of IoT devices. Their small size and restrictive hardware usually will result in the absence of typical remote management and monitoring (RMM) solutions deployed to IoT devices. Organizations may have to maintain IoT asset inventories, device version details or installed software using other means like vulnerability scanning and dynamic host configuration protocol (DHCP) logs. · Network Segmentation via firewall zones and virtual local area networks (VLAN). IoT devices should typically be placed in isolated portions of the company network, restricted to only the necessary ports, protocols and services, to fulfill their business objectives. · Routine Vulnerability Management efforts. Weekly scans against devices in the IoT subnet or VLAN defined in the previous step help ensure critical security flaws are quickly identified, quickly getting these devices on the radar for prioritized patching. · Ingesting appropriate product security advisories. Resources like the Center for Internet Security (CIS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) provide critical resources to learn about IoT-based security vulnerabilities in real-time as they are announced. · Engage in routine third-party penetration testing of the company's IoT fleet. It is usually helpful to bring in experts with a fresh perspective to poke at this environment to reveal unusual security flaws that are undetected by other controls. The technology-driven future needs strategic planning and awarenessAs we move toward an increasingly interconnected world in 2025, securing the rapidly growing ecosystem of IoT devices becomes not just a necessity but a critical imperative for both individuals and organizations. By taking proactive steps to ensure IoT devices are properly vetted, segmented, and monitored, the risks associated with these devices can be significantly mitigated. From procurement through ongoing management, IoT security integration measures will help safeguard sensitive data, protect networks from cyber threats, and ensure that technological advancements serve as a benefit rather than a vulnerability. By fostering a culture of security awareness and prioritizing robust defense strategies, we can harness the full potential of IoT while minimizing its associated risks, paving the way for a more secure and resilient future. Weekly scans against devices in the IoT subnet or VLAN defined in the previous step help ensure critical security flaws are quickly identified, quickly getting these devices on the radar for prioritized patching
< Page 8 | Page 10 >