back to article Don't put the 'd' and second 'i' in IoT: How to secure devices in your biz – belt and braces

The enterprise is filling up with devices. Gone are the days when the only IT kit our staff used was phones, printers, scanners, desktop PCs, and servers that were bought, configured, installed, and maintained by our IT team. Now we have more different types of device than you can comfortably shake a stick at – which, of …

Unhappy

"No MDM no connection... if the user doesn't like it, tough"

So this is where I have a problem. The typical device and MDM suite combo is like a hammer to crack open a nutshell. Whilst this approach is entirely acceptable, to me, on a device provided by my employer it is completely unacceptable to me on my personal device.

Now, correct me if I'm wrong or out-of-date, but other than a handful of (unpopular) devices that have the concept of partitioning between personal and business data and apps, the big problem for me is that the MDM administrator, once the device is registered, can use remote wipe and will blow away all personal data in addition to their (supposed) target of business data.

I was given the option of being able to access business email on my personal device, with MDM enabled and remote wipe a possibility. You know what, I said no way and that my employer had to provide me a separate device. Since it would be a pain to carry two devices, when I was away on business I just carried my business device and used that for business and personal activities. So, basically, "tough" back at you.

10
1
Reply
Silver badge

Re: "No MDM no connection... if the user doesn't like it, tough"

This. No MDM will ever be allowed on my devices. But then, I actively don't want my personal electronics to connect to my work network. That presents too many security risks to me.

9
0
Reply
Anonymous Coward

Re: "No MDM no connection... if the user doesn't like it, tough"

From my experience working in large office buildings, there are generally poor 3G/4G coverage areas in sections or all of the building.

While I appreciate the security implications of allowing mobile devices onto corporate networks, if you don't have any regulatory issues making personal devices undesirable, the small amount of additional cost to put in a BYOD solution (i.e. a cutdown security profile that distributes Wifi certs for access to guest-like DMZ providing limited Internet access with bandwidth restrictions) to allow your end users to use personal devices will likely lead to happier employees and a soft benefit to the company.

Companies I've worked with that have had less flexible policies (i.e. corporate MDM or no access) tend to have "exceptions" that allow things that any sensible company security policy should forbid (i.e. non-corporate wifi devices with Internet access and unmanaged security or an internal Wifi network allowing access via WPA2 PSK with MAC filtering without appreciating how easy to guess the key is or how easy it is to change device MAC addresses)

I appreciate companies have different requirements, but it always surprises me how unnecessarily draconian some companies are, and some of the reasons given for the measures can easily be disproved by wandering around the offices (people going out of the building for coffee/smoking to get mobile coverage, people playing games on their phones at their desk but not having mobile coverage due to concerns about productivity etc)

2
0
Reply
Silver badge

Re: "No MDM no connection... if the user doesn't like it, tough"

My rule is my personal devices are never connected to the company's network for any purpose. If the company requires me to have a particular device or software they provide it on company owned kit. Segregating company from personal is always a sound policy. So no MDM configured per company on my personal kit, no problem.

4
0
Reply
Silver badge
Meh

Re: "No MDM no connection... if the user doesn't like it, tough"

"I actively don't want my personal electronics to connect to my work network"

assuming it's non-trivial to have 2 network configs, yeah (or to shut off the stupid MDM crap when you're using it outside of the office, or with a non-company login).

Very often a corporation will have a 'guest' network that anybody can use, the kind of thing you'd offer up for a visiting exec or a potential client. I would suggest leaving that as an unmanaged network outside of the normal company firewall, with minimal filtering on it [just enough to prevent obvious abuse] and also DISABLING uPNP on it.

then you don't need MDM stuff just to access company web-mail etc. via https using the 'guest' network. But yeah maybe some idiot upper manager bought some overpriced pile of software that included MDM for every kind of phone invented, and he needs to justify his purchase...

1
0
Reply
Silver badge

Re: "No MDM no connection... if the user doesn't like it, tough"

what? companies generally don't have a "Internet access only, limited at that" guest WiFi network? how do they handle external people that come to negotiate a contract or make a presentation or 50 other different things?

please don't tell me they get a corporate laptop with full access to internal network?

2
0
Reply
Anonymous Coward

Or...

you could just not buy the stuff in the first place. If it like those things that are called 'Smart TV's have a network connection, just don't connect them to your network.

Oh, and don't use 192.168.0.* or 192.168.1.* for your internal network.

Now to get back to brekkie in my IoT free home.

9
0
Reply

Re: Or...

"Oh, and don't use 192.168.0.* or 192.168.1.* for your internal network.". Curious. Why these 2 address ranges but not any other RFC1918 addresses?

6
0
Reply
TFL

Re: Or...

Probably because they're common default ranges, so that barely-configured devices have to be specifically set up to talk on the intended network. If the given ranges are used, the device with next to no configuration might be connected without anyone paying attention or having applied any of the other hardening recommendations.

5
0
Reply

Re: Or...

"Oh, and don't use 192.168.0.* or 192.168.1.* for your internal network.". Curious. Why these 2 address ranges but not any other RFC1918 addresses?

Technically there's no reason not to.

However, I would suggest that if you are connecting networks together at any point, maybe 50% of the worlds networks use 192.168.0.x and/or 192.168.1.x, causing problems with either routing, site-to-site VPN's or client VPN access.

You maybe able to use NAT to workaround the issues, but reducing the pain of NAT or renumbering will make your life easier in the long run.

2
0
Reply
Alert

"even with a minimal set of tightly configured, rigorously controlled systems, you can never guarantee absolute security."

Cut off all USB sockets / WiFi / network devices etc, wire in the keyboard and mouse, use VGA (coz modern monitor connectors have bi directional out of band protocols), lock it in small locked room with no windows and with armed guards outside. Allow one user at a time, always accompanied by three heavily armed BOFHs, and the PFY does all the typing as instructed by the user, while the BOFHs watch everything very closely.

OK, you are correct. You'd have to turn it off completely as well, and fill the room with concrete. Then maybe, maybe, you can guarantee absolute security, perhaps.

3
0
Reply
Silver badge

Very good list of things to think about

Now please paste it on a baseball bat and bash the management on the head with it until the message goes through.

The problem with IoT, apart from its stupendous lack of security and tendancy to phone home everything it can (whether or not it should), is not the peons, it's the management.

They want the shiny, they have the clout, and your list of worries is not their problem because when - not if - the breach happens, it'll be your fault, not theirs.

4
0
Reply
Anonymous Coward

good luck with the ceo

If you can get the bastards password changed more than once, you're a genius.

4
0
Reply
Bronze badge

NIST

“Use it to enforce the basics such as mandating a six-digit unlock code that has to be changed regularly”

I thougt we’d move on since that out-dated advice of making end-users change credentials often?

9
0
Reply

Re: NIST

"When do we have to change out passcodes"

'On the first of the month, every 3 months'

"When is the next change"

'1st of October'

"So my passcode is 180701 then?"

1
0
Reply
Silver badge

It's simple, really

The points that the author makes are correct. My list is even simpler, though:

1) Don't all the use of IoT devices at all unless there is a very strong reason to do so ("very strong reason" means that you'll lose a lot of business and/or money if you don't).

2) Don't ever allow IoT devices to talk to the internet or vice versa, period.

3) Don't ever allow IoT devices to exist in the same network as everything else. Set up an isolated subnet for them. That subnet should have no internet access.

4) Don't "install and forget". Make sure that your network monitoring is up to snuff, and evaluate the logs generated by your routers. Of course, you should be doing that anyway, IoT or not.

1
0
Reply
Silver badge

Re: It's simple, really

And what about those items that are expensive bricks without internet access ? Or where a significant part of their function requires external communication ?

1
0
Reply
Silver badge
Childcatcher

Everything old is new again

Gone are the days when the only IT kit our staff used was phones, printers, scanners, desktop PCs, and servers that were bought, configured, installed, and maintained by our IT team.

If you can get your organization to accept that just these items are to be handled by IT staff, you're ahead of the game. Mostly, this article says that there should be the same standards put in place for the new stuff as the old. This might end up being a curse for many locations as they don't have the older tech under control yet, much less have bandwidth for the new.

3
0
Reply

The obvious comment

What do you get when you add ID to IoT?

1
0
Reply
Silver badge

Bookmarking this article

Exactly what I have been looking for, many thanks!

Is there an IDIoT's guide to network hardening for IoT devices anywhere that someone could share please?

1
0
Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018