Securing Your Bank’s Internet of Things

I recently heard about a number of stories circulating in regard to malicious actors using everyday devices you have installed and connected in your businesses and homes to hack you. This article provides some further expertise and knowledge on the subject matter.

The Internet of Things (IoT) consists of almost anything electronic nowadays. What determines whether a device is an IoT device? Possibly the most obvious determining factor is that it can connect to the Internet with or without your permission and knowledge. Another is that it contains a small computer (CPU), accessible via that same Internet connection.

The IoT consists of many devices that businesses install: printers, scanners, fax machines, WiFi security cameras, WiFi routers, WiFi extenders, WiFi access points, WiFi door locks/access pads/doorbells and many more devices. You may even have smart speakers or smart light bulbs in some areas of your business or office.

These devices are a concern because you plug them into power and connect them directly to your network. You may need to tweak the basic configuration so you can access them or get them to work quickly. Herein lies the problem.

As you are managing your business, you purchase and install new devices that allow your company to work smarter and more efficiently. Over time, you connect more new devices to expand the business or replace older equipment. In some cases, you may have bought similar devices for many years without a thought. More and more devices do not even need to be plugged into your business network; they can be accessed wirelessly. Sometimes they ask for the wireless password, and other times they act like a WiFi access point (AP) and you connect to them. They make connectivity much easier, but there is a cost of which you may not be aware.

What you may or may not realize is that the same connectivity that makes things easier also makes you less secure and introduces risk into your business. How is that possible? Remember, IoT devices not only have an internet connection (able to connect to your wireless network or be a wireless AP), they also have some type of computer in them. What happens when you connect a new computer into your business? Typically, you must first run required updates. These updates can install security patches, bug fixes and enhancement/feature additions. Then, you might run some software or follow some guidance to configure the device properly for your business network. This generally involves installing an anti-virus program, setting up a local firewall, and maybe even enabling encryption. These are some of the ways you (or your IT techs or service providers) “harden” computers (desktops/laptops) before you connect them to your business.

Do you go through the same process for other “computers” on your business network? Let’s pick on printers. Almost every business installs at least one printer. Do you run updates for your printer regularly? Have you “hardened” your printer to ensure it only uses the services you need? Does this printer have firmware you can update? Are you logging or monitoring the printer to see what logs or traffic it sends or receives? Are you aware that modern-day business printers can be hacked? I am seeing more and more risk assessments or pen-test reports showcasing that businesses are NOT patching, configuring or monitoring their printers. Hackers can leverage an internet- or business-connected printer that is not patched, has a default/factory password in use, or has unused services left on to access documents, scan the internal network, access user credentials, and view internal network traffic. In other words, they can leverage that printer as a way into your internal network. You would be correct to state that printers introduce risk. The amount of risk they present depends on how you manage them.

Possibly the worst aspect of IoT devices is that they typically “talk” on your network, advertising they are present or sending data (ink level, usage, errors, service parts, etc.) back to the manufacturer who can use that data however they want.

The same is true for camera systems, door access systems, or any other device connecting to your internal business network via a wireless signal. All of these systems need to become tracked and recorded assets that are part of your inventory system, patch management, configuration management, and vulnerability scanning process.

There is an even bigger problem with a large class of IoT devices: they cannot be patched, there are no firmware upgrades, and you cannot change the password – they are and will always be insecure. These might include the “smart” refrigerator, microwave, TV, vending machine, or coffee pot you put in your employee break room or customer area. It is highly recommended that you separate all of these devices using firewalls and routers to keep them on different networks, putting strong monitoring on the network(s).
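The checks described above (patching, default passwords, unused services, monitoring, and segregation of devices that cannot be patched) can be run against an asset inventory. The following is an added example, not part of the original article; the device names, addresses, the `10.50.0.0/24` IoT network and the 180-day firmware window are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed policy values, chosen for illustration only.
IOT_NETWORKS = [ip_network("10.50.0.0/24")]  # segregated IoT network
MAX_FIRMWARE_AGE_DAYS = 180

@dataclass
class Device:
    name: str
    ip: str
    patchable: bool               # False: vendor ships no firmware updates
    firmware_date: date | None    # date of the installed firmware, if known
    default_password: bool
    enabled_services: set
    required_services: set
    logs_monitored: bool

def audit(dev: Device, today: date) -> list:
    """Return the hardening gaps for one inventoried device."""
    findings = []
    if dev.default_password:
        findings.append("default/factory password in use")
    unused = dev.enabled_services - dev.required_services
    if unused:
        findings.append("unused services enabled: " + ", ".join(sorted(unused)))
    if not dev.logs_monitored:
        findings.append("no logging or traffic monitoring")
    if dev.patchable:
        age = None if dev.firmware_date is None else (today - dev.firmware_date).days
        if age is None or age > MAX_FIRMWARE_AGE_DAYS:
            findings.append("firmware not updated within policy window")
    elif not any(ip_address(dev.ip) in net for net in IOT_NETWORKS):
        # Devices that can never be patched must at least be isolated.
        findings.append("unpatchable device is not on a segregated network")
    return findings

# Constructed sample inventory.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("lobby-printer", "10.10.0.21", True, date(2022, 1, 15), True,
           {"ipp", "ftp", "telnet", "snmp"}, {"ipp"}, False),
    Device("breakroom-tv", "10.10.0.77", False, None, True, {"http"}, {"http"}, False),
    Device("door-controller", "10.50.0.12", True, date(2024, 5, 1), False,
           {"https"}, {"https"}, True),
]

def report(inventory, today):
    return {d.name: audit(d, today) for d in inventory}

if __name__ == "__main__":
    for name, gaps in report(INVENTORY, TODAY).items():
        print(name, "->", gaps or "OK")
```
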

IoT devices are all around us, and they are an integral part of business today. Researching devices before you buy them is a good business practice. Learn which devices and manufacturers do not address security or privacy, and avoid them. Make sure whatever assets you do buy and add to your network meet your risk and security standards. Businesses need to be aware of these devices, manage them properly and record any risks they introduce. In this way, IoT can provide the technology, efficiency, and ease it is good at while you also properly manage your privacy and risk.

About Automated Systems, Inc.
Since 1981, Automated Systems, Inc. has been a leader in providing innovative core banking, digital banking, and data processing solutions to community banks nationwide.  An array of integrated applications provide partnered banks with tailored, cost-effective, competitive choices.  ASI delivers industry-leading technology backed by unparalleled in-house conversion, training and support teams; paving the way for progressive, top-notch customer service.  ASI corporate headquarters are located at 1201 Libra Drive, Lincoln, NE 68512, 1.800.279.7312.  For more information about banking solutions from ASI, visit www.asiweb.com.

About Insite Data Services
IDS data application hosting services combine secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state-of-the-art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.

About The Author

Don Pecha
Don Pecha is the Information Security Officer at Insite Data Services, our solution that offers service hosting and back office processing. He is involved with our Security and Information teams.
