Best Practices for IoT Security Risk Management

“From a security perspective, we often look at IoT in the wrong way. We look at these new devices as highly vulnerable and risky, whereas in reality, most IoT devices possess very low risk. Telcos need to look at each IoT device from a risk perspective and understand the function it carries out and its role on the network,” says Joseph Carson, Chief Security Scientist at ThycoticCentrify, in an exclusive interview with ITSecurityWire.


ITSW Bureau: In the coming age of IoT, why should Telcos be worried about IoT security and privacy risk?

Joseph Carson: It’s important to understand that not all IoT devices are equal. Today, IoT devices are much more specific, and their purpose is granular. Just like privileged accounts, they come in various forms: there are sensors that collect basic data like the temperature of airflow, and there are the more invasive types of IoT like CCTV that detect people’s body heat and collect facial recognition data, which can be more appealing for cybercriminals. We cannot look at IoT as one specific element but rather focus on its purpose or task.

Companies must be aware of the different functions of IoT devices that are connected to a network and what tasks they carry out.

From a security perspective, we often look at IoT in the wrong way. We look at these new devices as highly vulnerable and risky, whereas in reality, most IoT devices possess very low risk. Telcos need to look at each IoT device from a risk perspective and understand the function it carries out and its role on the network. For example, is the device a data processor, collector, or correlator? It’s important to change how we define IoT devices and how we perceive them. Once the function and purpose of IoT devices have been understood, Telcos can then sort these into risk categories.

ITSW Bureau: How will PAM help Telcos in IoT risk management?

Joseph Carson: Privileged Access Management (PAM) helps security teams manage the accounts of users who have permission to view and change business-critical corporate resources. These users can be human administrators or devices and applications with machine identities, all of which are lucrative targets for cybercriminals. Companies must take security controls, along with privacy, very seriously.

Privileged access is important for all industries especially for Telcos, and it must be managed properly. When multiple users are accessing the network, from employees to external contractors, it’s imperative to ensure only authorized people are accessing sensitive data and making configuration changes.

With ‘access to view’ there are fewer security controls in place. However, for ‘access to change’, companies must make sure that they are kept secure. Privileged access allows you to put more granular controls on the different types of roles and to scope the access that you would have. Telcos will benefit from privileged access, as it enables businesses to be more efficient and secure. For many Telcos, this is a big opportunity currently being missed.

ITSW Bureau: What are some possibly effective strategies that can help with IoT security?

Joseph Carson: IoT security should be seen from a function and risk perspective. As a result, companies must carry out efficient and holistic risk assessments in IoT rather than looking at it as an IoT device.

Telcos are not becoming just service providers of internet access but also providing more services. They will evolve to be more like banks from a transactional sense. They are starting to provide bandwidth, mobile connectivity, and digital content as well as security. Security acts as a differentiator where they offer control around access and management of accounts which is then viewed as a business enabler. So, there’s a twofold benefit for Telcos; one being the benefit of their own infrastructure and the second being securing access to the services.

Modern PAM solutions can empower an effective strategy for IoT security. They offer capabilities that enable security and risk leaders to automatically randomize and manage passwords, control access to privileged accounts, and isolate, monitor, record, and audit privileged access sessions, commands, and actions.

There are many best practices organizations can adopt with PAM. Firstly, all users on a network must be viewed as being privileged, as virtually everyone in a business now uses applications that can access sensitive data via the cloud. It’s time to extend the term ‘privileged users’ to include every user.

Secondly, Telcos must consider an adaptive risk-based trust model. Although the least privilege approach is effective at limiting access to sensitive information, it can adversely affect productivity if not implemented correctly. An adaptive risk-based trust model uses contextual information to assess whether to grant access to a particular user. Other effective strategies include constant monitoring of admin rights and accounts, which frequently change, as well as using PAM to stop attackers moving laterally across the network – a common tactic used to find and extract valuable data.
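The two ideas Carson describes in this answer and in his earlier ones (sorting IoT devices into risk categories by function and the data they handle, then treating ‘access to view’ and ‘access to change’ differently under an adaptive, context-driven trust decision, with the session audited and credentials randomized) can be sketched as a small policy engine. The following is an added example written for this page; it is not code from the interview or from any ThycoticCentrify product. The tier names, data-sensitivity map, score weights, thresholds and the two sample devices are all illustrative assumptions.

```python
"""Adaptive, risk-based privileged access decision for IoT devices (added example).

Assumptions (not from the interview): the data-sensitivity map, the score
weights, the allow/step-up/deny thresholds and the sample devices below.
"""
import secrets
import string
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet


class RiskTier(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class IoTDevice:
    name: str
    function: str               # "collector", "processor" or "correlator"
    data_types: FrozenSet[str]  # what the device handles, e.g. {"video", "biometric"}


# Assumed sensitivity of each data type; the highest one a device handles wins.
SENSITIVE_DATA = {
    "biometric": RiskTier.HIGH, "video": RiskTier.HIGH,
    "location": RiskTier.MEDIUM, "temperature": RiskTier.LOW,
}


def classify_device(dev: IoTDevice) -> RiskTier:
    """Risk tier derived from what the device does and handles, not from
    the mere fact that it is 'an IoT device'."""
    tier = max((SENSITIVE_DATA.get(d, RiskTier.LOW) for d in dev.data_types),
               key=lambda t: t.value, default=RiskTier.LOW)
    # A correlator aggregates many sources, so it is never treated as LOW.
    if dev.function == "correlator" and tier is RiskTier.LOW:
        tier = RiskTier.MEDIUM
    return tier


@dataclass(frozen=True)
class AccessRequest:
    user: str
    is_contractor: bool
    mfa_verified: bool
    from_known_network: bool
    action: str          # "view" or "change"
    device: IoTDevice


def score_request(req: AccessRequest) -> int:
    """Contextual risk score; higher means riskier. Weights are assumptions."""
    score = classify_device(req.device).value * 10
    score += 15 if req.action == "change" else 0   # 'access to change' costs more
    score += 10 if req.is_contractor else 0
    score += 10 if not req.mfa_verified else 0
    score += 10 if not req.from_known_network else 0
    return score


def decide(req: AccessRequest) -> str:
    """allow / step_up / deny from the score; thresholds are assumptions."""
    s = score_request(req)
    if s < 30:
        return "allow"
    if s < 55:
        return "step_up"   # e.g. require approval or fresh MFA, then record the session
    return "deny"


def rotate_password(length: int = 24) -> str:
    """Randomize a device or service-account credential after a privileged session."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_record(req: AccessRequest) -> Dict[str, str]:
    """Minimal audit entry for the decision, as a PAM session log would keep."""
    return {"user": req.user, "device": req.device.name, "action": req.action,
            "tier": classify_device(req.device).name,
            "score": str(score_request(req)), "decision": decide(req)}


# Constructed sample devices (assumptions) matching the interview's two examples.
AIRFLOW_SENSOR = IoTDevice("hvac-sensor-01", "collector", frozenset({"temperature"}))
LOBBY_CCTV = IoTDevice("cctv-lobby-03", "processor", frozenset({"video", "biometric"}))


def demo() -> Dict[str, str]:
    """Three constructed requests and the decision each one gets."""
    reqs = {
        "employee views sensor": AccessRequest("alice", False, True, True, "view", AIRFLOW_SENSOR),
        "employee views cctv": AccessRequest("alice", False, True, True, "view", LOBBY_CCTV),
        "contractor changes cctv": AccessRequest("bob", True, False, False, "change", LOBBY_CCTV),
    }
    return {k: decide(r) for k, r in reqs.items()}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the structure is that the device's tier is set once from its function and data, and the per-request context (who, from where, with what assurance, view or change) moves the decision between allow, step-up and deny rather than forcing a static least-privilege rule that blocks routine work.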

ITSW Bureau: What kind of AI and ML developments can help Telcos in the foreseeable future?

Joseph Carson: I believe that AI is a term that is often overused. Most ‘AI’ capabilities that organizations are using are, in fact, automation and machine learning. They are learning from historical data and possess the ability to optimize and provide improved services.

It’s about machines gathering data and correlating it to understand the most optimum way of doing things. What options do people choose? How can we make sure that we provide the most effective available service to them? As a result, AI and machine learning are used to automate the processes as much as possible.

Joseph Carson is a cyber security professional with over 25 years of experience in enterprise security and infrastructure. He has been the Chief Security Scientist (CSS) of ThycoticCentrify since 2016. He is also a Certified Information Systems Security Professional (CISSP). An active member of the cyber security community and a frequent speaker at cyber security events globally, Joseph is also an adviser to several governments and cyber security conferences.