BUSINESSES HAVE STRUGGLED for decades with “shadow IT”—printers, laptops, smartphones, cloud services, and more being installed or subscribed to by users without permission or knowledge of an IT admin. In that same vein, users are now connecting smart devices of various kinds to the corporate network, giving rise to the term “shadow IoT.”
It’s a much bigger problem too, according to Zeus Kerravala, principal analyst at ZK Research, "because the scope has broadened. Things you never would have connected before are now connecting." As an example, he cites the Target breach from a few years ago. "The AC system was compromised, and it was on the same network as the point-of-sale system." When the hackers went through the AC system to the POS server, red flags theoretically should have gone up and the AC system should have been immediately quarantined.
The problem, essentially, is “a lack of proper controls and visibility on the part of IT and security staff," says Kevin Beaver, principal information security consultant at Principle Logic. Once users connect these systems they’re staying connected and flying under the radar.
Security risks are inevitable, Beaver says. "These devices can have vulnerabilities— unsecure configurations, weak passwords, missing patches, and so on—that can be exploited, leading to the compromise of business systems across the network."
The work-from-home rush as a result of the coronavirus pandemic has made corporate networks somewhat more at risk from shadow IoT, adds Kerravala. "You may have a secure VPN from a user to the corporate network, but that's a dedicated pipe for all the home devices as well. Xboxes, garage door openers, smart ovens, and more could be compromised and become back-door access points to the company."
Securing IoT devices can be tough, says Kerravala, because many are made as low cost as possible and never designed to be secure. They also find and connect to networks with no help from users.
One particular area of concern is healthcare, where IoT devices range from large and expensive, like network-enabled MRI machines, to small and transient ones carried by visitors. "This area really is life and death," Kerravala says. Beyond that, healthcare systems are juicy targets for hackers.
"People think hackers go after credit cards," says Kerravala, "but they really want medical information. If they know your illness they can prey on your hopes with phishing emails." If a family member has cancer, for instance, any email offering a webinar on a new treatment will have a higher click rate. Healthcare IoT devices are often the access point to such information.
With businesses grappling with the complexity of shadow IoT, it’s an opportunity for channel pros and IT integrators to help them get proper tools and infrastructure in place for management and protection, says Kerravala, who adds that there are scanning tools available that look up devices by their MAC address in the Manufacturer Usage Description database. "You can search for devices, find any issues, resolve them, and analyze their network's baseline behavior.”
For example, he says, “If you find an Android device that connects to Peleton.com once a day, you can track it to an exercise cycle. You need to know what all these devices are, set a baseline of normal activity, then catch a device when it changes its normal routine. If the coffee machine connects to the accounting server, it needs to be quarantined."
Once you find devices, the next step is to manage and secure them. Modern tools like those mentioned earlier will trace where these devices connect, says Kerravala. "Network access control vendors like ORDR(link is external) and Forescout(link is external) specialize in IoT security." Beaver suggests dedicated IoT discovery and risk management systems provided by vendors such as Securolytics(link is external).
MSPs can then offer a managed service to monitor and mitigate any rogue devices in the future.
Kerravala has one final word of advice for channel pros about capitalizing on shadow IoT: "Chaos is opportunity for a channel partner to become a trusted partner to customers."
The ChannelPro Network is dedicated to providing IT consultants, VARs and MSPs who serve the IT needs of small and midsize businesses (SMBs) the news, insights, resources and best practices necessary to help them grow their businesses and better serve their SMB customers.