Now, in addition to standard computers and servers, there are many other devices that utilize our networks, and these make up the Internet of Things. The term Internet of Things is used to describe a global network of appliances and personal devices that have been equipped with sensors, software, and network connectivity to report state and configuration data. These IoT devices can be managed remotely over an IP network like the internet as well. You've probably seen or even used some of these devices yourself, including building and home automation systems, heating, ventilation, and air conditioning controllers, IP video systems, audiovisual systems, physical access control systems, and scientific and industrial equipment. Building and home automation systems are going to focus on the management of lighting, HVAC, water, and security systems. These systems efficiently manage all the devices in real time to save money on utility costs and to increase the comfort of a building's occupants.

It's important to keep track of all of these systems that may be fielded across your office buildings: make sure they aren't causing interference issues with other wireless devices you may be operating, that they are properly secured, and that power is being provided to them using Power over Ethernet or a battery power supply. While these systems can sometimes be placed on our business network to increase the manageability of that system, it is not considered a good idea and it goes against best practices. Instead, devices like this should be placed on their own network and segmented off from the business network. If you need an example to prove to your CIO why you need a separate network for these devices, just look back to 2014 and the breach at Target. This is where hackers broke into the business network by exploiting a flaw in the HVAC controller system, and then they used that to gain access to the point-of-sale network and steal credit card information. Trust me, segregation of IoT devices is critically important for the security of your business network.

Now, Internet Protocol or IP video systems are another type of IoT device you may come across. These IP video systems provide businesses with an excellent method of remote collaboration using systems like video teleconference suites and Skype. This capability has saved organizations a ton of money on travel because employees can now conduct meetings virtually over a synchronous IP-based video stream from their conference room instead of having to fly across the country for an in-person meeting. Now, when you're implementing an IP video system, you need to consider the level of quality of service, or QoS, that's going to be required for that system to operate smoothly. Also, these video streaming suites require a lot of bandwidth, so that has to be factored into your network architecture as you're designing it. Plus, these systems can cost a lot of money upfront. For example, one conference room-based IP video solution I installed at one of my previous organizations cost us nearly $25,000 for the equipment and installation. These systems also require security patches, and they must be considered as part of your organization's security posture.

Your organization's audiovisual systems can also be connected using IP networks. For example, the high-definition serial digital interface is used to stream live video productions across the globe or across the building. In many security operations centers, there are displays all around the room, and they're all centrally controlled and routed through a digital video switching system that runs over an IP network. Again, the network for this video system should be physically or logically separated from your production network.

Now, physical access control systems, such as proximity readers, access control systems, security cameras, and biometric readers, can also all communicate over IP networks. These devices are used to determine if somebody should be granted access into a secure room by communicating back to the authentication server over that IP network. Due to the high level of security these devices need to provide, they should be placed on a separate network that has additional protections beyond the organization's standard business network.

Scientific and industrial equipment devices are going to be found in hospitals, factories, and laboratories. These devices used to be unconnected, but over the years they began migrating onto our IP networks too, allowing for centralized monitoring and management of all these devices. These devices, though, can pose significant risk to our network because they cannot easily be upgraded or patched when bugs are discovered. Therefore, it is crucial to provide them their own physical or logical network so they can remain isolated from the rest of our business network.

Now, when you're looking at different IoT devices, you can generally break them down into one of four categories of components: the hub and control system, the smart devices, the wearables, or the sensors.

Now, a hub and control system is going to be used as a central point of communication for the automation and control of those IoT devices, because many of them rely on different protocols, like Z-Wave and Zigbee, for networking instead of relying on things like Wi-Fi and Bluetooth. To make this work, your IoT devices need a control system or a smart hub for the different devices and sensors that are going to be connected to them. For example, if you have an Amazon Echo in your home, this is a perfect example of a hub and control system that can be used to control all of your other smart devices and sensors. Next, we have smart devices, and these are the IoT endpoints that are going to connect back to that central hub or control system to provide you with some kind of automation or function. For example, a smart light bulb, a video doorbell, or a Nest thermostat are all examples of smart devices.

In my studio, for example, I use a wide variety of smart devices to control my environment, including a smart thermostat to control the temperature, smart light bulbs that allow me to control the color and tone of the lighting, and smart outlets that allow me to turn on or turn off various devices around my studio using simply my voice. For example, if I tell my smart system to get ready for filming, it's going to turn on my camera, my lights, my air conditioner, and all the other equipment I need to begin recording. If instead I tell it to get ready for podcasts, it's going to power down everything that I don't need to record an audio podcast and instead set me up for audio recording only. This is a convenient way for me to save time instead of having to turn on 10 or 15 different devices located all around my studio.

Third, we have wearables. Wearables are a category of IoT devices that are designed as accessories that can be worn. This includes smart watches, bracelets, fitness trackers, smart glasses, and headsets. Basically, a wearable is just a smart device that is designed to be worn. Otherwise, it's just considered another smart device in a different form factor.

Now, the fourth category we have is known as a sensor. An IoT sensor can be used to measure lots of different things, including temperature, sound, light, humidity, pressure, proximity, motion, smoke, fire, heart rate, and many other things. Again, your smart devices, wearables, and sensors can all connect back to that central hub and control system using a variety of communication methods to send their data. This includes things like Z-Wave, Zigbee, Wi-Fi, and Bluetooth, depending on the capabilities of your specific hub and control system.

When it comes to IoT, I believe there are many things you should be doing within your organization to best protect yourself. First, you need to understand your endpoints. Each new IoT device brings with it new vulnerabilities, so you need to understand your endpoints and what their security posture is. If you're adding a new wireless camera or a new smart thermostat, each one of those brings different vulnerabilities that you need to consider before connecting those devices to your network.

Second, track and manage your IoT devices. You need to be careful and not just let anyone connect any new IoT device to your network. Instead, you need to ensure you have good configuration management for your network and follow the proper processes to test, install, and operate these IoT devices when you connect them.

Third, patch vulnerabilities. IoT devices can be extremely insecure. If you're deploying a device, you need to understand the vulnerabilities and patch them the best you can. After that, you're still going to be left with some residual risk here, and there may not be a bug fix or a security patch available for that IoT device. If that's the case, you need to conduct some risk management and determine if you're willing to accept the risk, or if you need to put additional mitigations in place, like putting them on a separate VLAN.

Fourth, conduct test and evaluation. Before you connect any IoT device to your network, you should fully test it and evaluate it using penetration testing techniques. It is not enough to trust your manufacturer when they say their devices are secure, because many of these devices are not. Therefore, always conduct your own assessment of their security on a test network or lab before you attach them to your production network.

Fifth, change default credentials. Just like network devices, each IoT device has a default username and password that allows you to connect to it and configure it. These default credentials present a huge vulnerability, so they have to be changed before you allow the IoT device to go into production on your network.

Sixth, use encryption protocols. IoT devices are inherently insecure, so it's important that you utilize encryption protocols to the maximum extent possible to better secure the data being sent and received by these IoT devices.

Seventh, segment IoT devices. Internet of Things devices should be placed in their own VLAN and their own subnet to ensure they don't interfere with the rest of your production network. If you can afford it, you may even want to have a separate IoT-only network to provide physical isolation as well.

As you can see, there are lots of different considerations that you need to think about when it comes to connecting Internet of Things devices to your network.