Small Business Cybersecurity and The Internet of Things

JMDevLabs
Published in The Startup
13 min read · Oct 27, 2020

There are about 30 million small businesses in the United States, which accounts for over 99 percent of all U.S. businesses (SBA, 2019). Small businesses create approximately 1.5 million jobs annually, about 64% of the new jobs created in the U.S.

Digital transformation is changing the way those businesses can interact with their customers. Whether you want it or not, if you are a small business owner you will have to embrace it at some point. Across the landscape, companies are making considerable investments in Robotic Process Automation (RPA), mobile interaction technologies, cloud services, and Internet of Things (IoT) technologies.

RPA reduces the number of human interactions required for completing tasks such as data entry, data extraction, payroll, and order processing. By automating redundant tasks, a business can do more with less. People already open most of their emails on handheld devices, and a substantial amount of e-commerce and vendor interaction is conducted through mobile apps. Here is an interesting stat: 60% of companies think that they are providing a good mobile experience, but only 22% of customers feel that they are getting a good mobile experience. Opportunities are out there. Other digital transformation trends include automated employee performance monitoring systems, automated device diagnostics and maintenance systems, and human-to-device voice interaction technologies.

With this transformation to a more connected workspace comes an increased need for cybersecurity in the workplace. Connected SMB organizations have come under the microscope in recent years as potential soft targets for attackers looking to harvest credentials and other personal and payment information.

What is an IoT?

In the broadest sense, the term IoT encompasses everything connected to the internet, but more specifically it is used to define objects that “talk” to each other. Simply put, the Internet of Things is made up of devices, from simple sensors to smartphones and wearables. Smart machinery, connected thermometers, fitness devices, Alexa, and point of sale devices are all examples of IoT devices. By 2025 there will be about 75 billion connected IoT devices; there are approximately 7.5 billion people in the world, so you do the math.

So, what is the problem?

There is a lot of noise being made about IoT security, or the lack of it. To start, there is not much in the way of security standards or regulations to govern these kinds of devices. Many of these devices do not have robust management that would allow users to manage security features and look at connection data. In other words, you plug it in, turn it on, and as far as you can tell it’s working. Other than that, there is not much more that you can do, but these devices are connecting to the internet, and the internet is like the wild, wild west.

If I was a nation state that wanted to start WW3, the first thing I would do is try to cripple my opponent’s communications by trying to take over as many devices as possible in order to flood networks with requests and overwhelm communications services and telecoms. IoT devices would be at the top of my list as prime targets.

Check out this video on YouTube, which shows how you can retrieve credentials from a device through a charging cable. There are a lot of awesome videos on this channel, enjoy!

In this video, the would-be attacker does have to do a little magic to get the passwords in cleartext. However, some devices out there store passwords in cleartext. So, what are we talking about here? Someone is able to steal all the credentials used by a device to connect to Wi-Fi networks.

You might think, well, that is never going to happen to me, I don’t use other people’s charging cables. Well, guess what: the cable is just one way of doing it. That same attack, or a variation of it, can be performed with a wireless scanner device where the attacker baits devices into connecting to another network that is posing as your Wi-Fi. Don’t think so? Just go to YouTube and search for Wi-Fi cracking, or WPA/WPA2 hacking, sit back and enjoy. So easy a caveman can do it, almost.

Once Wi-Fi credentials have been obtained, there is no telling what they can be used for. Most people tend to use the same passwords for many accounts. If your company has a presence on any major social media platform, the attacker can figure out who the employees are and, with a little bit of luck, their email addresses. Now the bad guy has passwords and emails.

If an attacker has your Wi-Fi credentials, that person can now connect to your network and snoop around for other devices to connect to, and try to steal sensitive information or infect company machines with ransomware. Here is a question: do you have a way to see all the devices that are currently connected to your network? Do you understand what you are looking at?

Let’s look at another scenario. Let’s say you purchased a set of smart light plugs because your employees always forget to turn off the lamps at the end of the workday, and you want to minimize your electricity consumption by not leaving the lights on overnight. One morning, you walk into the shop and notice that all the lamps are OFF, except for one. When you go to check, you see that the smart plug is missing. Someone could have taken it. Does that mean I have to change all the Wi-Fi passwords? You better.

How about the employees working from home? Are they secured? Remote work has become very popular in recent times. If you thought that the SMB network landscape was not safe, the average home network is like a minefield. Most home networks are characterized by routers with no network security features and default admin passwords, unsecured Wi-Fi, and a plethora of smart devices.

This paper isn’t written to scare anyone, but it is written to open eyes to a problem that many seem to be either unaware of or reluctant to tackle. Network security can seem like a daunting task, and many small businesses simply lack the knowledge to design and implement security solutions on their own. The first step is to understand what that would look like.

The Basic Network Infrastructure.

Most networks are pretty straightforward in their configuration. It starts with a modem device from the Internet Service Provider (ISP). After this, you might have a router device that also provides Wi-Fi access, and some switches if you have enough devices connected using wired ethernet connections.

How do I know if I have a problem?

There is an easy way to find out if you have a flat network. Having a flat network means that all your connected devices are in the same bucket of network addresses, and they can all see and possibly communicate with each other. This is not a good thing.

Let’s take a look at how we can do this…

If you have some connected computers running Windows, open the command prompt and type ipconfig /all. What you are looking for is the IPv4 address, which is the address of your device. It should look something like this…

The command might be different if you are using macOS or Linux.

Now try the same thing with other devices, perhaps another computer in a different part of the office, or mobile devices connected to Wi-Fi. To find out your network or IP address on a mobile device, go to the network settings under the Wi-Fi section and look for the options for the Wi-Fi network that you are currently connected to. The address should be there.

If we look at the capture above, you will see that the IP address has 4 numbers with dots in between. If all of your connected devices share the same first 3 numbers, that means they are all in the same network segment, which in turn means that they can all see each other and possibly talk to each other. Again, this is not a good thing.
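The flat-network check above, as an added example that is not part of the original article: it parses the two relevant lines you would copy out of ipconfig /all, then groups the devices by segment. It goes one step beyond the "same first 3 numbers" rule by using the subnet mask, so it also handles masks other than 255.255.255.0 (where devices with different third numbers can still be in one segment). All device names and addresses below are constructed sample data.

```python
import re
from ipaddress import IPv4Interface

# Constructed sample of the two `ipconfig /all` lines that matter. Windows
# prints "(Preferred)" after the address; the regex below tolerates that.
SAMPLE_IPCONFIG = """
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""


def parse_ipconfig(text):
    """Return (address, mask) from a pasted `ipconfig /all` block."""
    addr = re.search(r"IPv4 Address[ .]*: *(\d+\.\d+\.\d+\.\d+)", text)
    mask = re.search(r"Subnet Mask[ .]*: *(\d+\.\d+\.\d+\.\d+)", text)
    if not addr or not mask:
        raise ValueError("no IPv4 address / subnet mask found")
    return addr.group(1), mask.group(1)


def network_of(addr, mask):
    """The segment an address belongs to, taking the subnet mask into account."""
    return IPv4Interface(f"{addr}/{mask}").network


def group_by_segment(devices):
    """Map each network segment to the names of the devices found in it."""
    segments = {}
    for name, (addr, mask) in devices.items():
        segments.setdefault(network_of(addr, mask), []).append(name)
    return segments


def is_flat(devices):
    """True when every device, PCs and IoT alike, sits in a single segment."""
    return len(group_by_segment(devices)) == 1


# Constructed inventories: device name -> (IPv4 address, subnet mask).
FLAT_OFFICE = {
    "front-desk-pc": parse_ipconfig(SAMPLE_IPCONFIG),
    "back-office-pc": ("192.168.1.21", "255.255.255.0"),
    "smart-plug-1": ("192.168.1.50", "255.255.255.0"),
    "owner-phone": ("192.168.1.77", "255.255.255.0"),
}
SEGMENTED_OFFICE = {
    "front-desk-pc": ("192.168.10.20", "255.255.255.0"),
    "back-office-pc": ("192.168.10.21", "255.255.255.0"),
    "smart-plug-1": ("192.168.20.50", "255.255.255.0"),  # IoT bucket
    "owner-phone": ("192.168.30.77", "255.255.255.0"),   # corporate Wi-Fi
}

if __name__ == "__main__":
    for label, office in (("flat", FLAT_OFFICE), ("segmented", SEGMENTED_OFFICE)):
        verdict = "FLAT, everything can see everything" if is_flat(office) else "segmented"
        print(f"{label} office: {verdict}")
        for net, names in group_by_segment(office).items():
            print(f"  {net}: {', '.join(names)}")
```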

Network Segmentation is the First Line of Defense.

Network segmentation fixes the problem above: it divides the network into smaller buckets or segments, and then you can put your devices in different buckets. For example, all computers in one bucket, all IoT devices in another bucket, etc.

To do this, you need network equipment that supports virtual networks (VLANs) and segmentation features, something that is not found on most consumer-grade products (the solutions you can buy at Best Buy).

Additionally, you want to be able to see what is connected to your network at any given time, and what is not. Let’s say you have an inventory of 10 connected IoT devices in your shop, but only 9 are connected. Where is the 10th one? Segmentation can also help prevent a total business lockdown due to a ransomware infection. Let’s say one of these connected IoT devices gets compromised and the attacker is using it to try to connect to other systems to spread the infection. If the IoT devices are in their own bucket, then the spread is contained to that bucket. If you are using separate credentials for the IoT devices’ bucket, then those harvested credentials cannot be used to harm the business further.

A robust security solution should also be able to warn you and, if possible, take action against attacks on its own; after all, you have a job to do and can’t sit there all day looking for potential threats to your network. Finally, the right security solution should be able to extend beyond the network and protect devices (endpoints), laptops for example, when they are used outside of the company’s network. This is a very common use case today, with many businesses sending the workforce to do most of the work remotely.

The right solution.

Cybersecurity has no shortage of choices, and to tackle the above-stated problems there are many options. Technology vendors like Ubiquiti, Cisco Meraki, Sophos, SonicWall, and more will offer their version of a cybersecurity stack to protect against some of the problems networks are faced with today. However, in one area or another these solutions cannot holistically approach and solve the problem.

In my opinion, there is only one vendor with the right amount of reach and technology integration to cover both the network and the endpoints, at a cost that is not prohibitive. That company is Fortinet.

Ubiquiti is a great consumer-grade product, and they have recently made strides in the cybersecurity area with their latest Dream Machine router offering. However, they pale in comparison with the granularity and amount of enterprise and compliance-related features available in the options from the other vendors.

Cisco Meraki is very popular and Cisco is a reputable company; the Meraki line, though, forces the customer into a cloud-only model for management. Remote cloud management is great, however it should not be forced as the only option. With Meraki, the customer is forced to purchase a cloud license to make changes to the hardware equipment; without it the hardware becomes unmanageable. This means that you are at the mercy of the vendor, without any leverage. If Cisco chooses to raise the cost of the license by 500%, the customer has to pay or hope that they never need to make any changes, or that the network never changes.

Sophos and SonicWall also have their shortcomings: they do not offer all the equipment that you need to extend the protection beyond the network perimeter. This means that in some cases the customer will have to purchase either access points or switches from other vendors. When building a security stack composed of technologies from different vendors, there is always the chance that something might go wrong, or that the technologies do not work well together. Configuration can be hard and data security can get lost in translation. In my opinion, these two just do not offer the amount of features and granularity from a configuration perspective that should be expected from a business-grade solution.

Let’s observe the following diagram…

These are just some of the features that you are going to be able to take advantage of with a Fortinet Integrated Security Stack.

What we have here is a properly architected, very simplified network diagram. Let’s dissect what we see.

The IoT devices have their own segment. This means that they will be able to connect to the internet, but not to devices on other segments of your network unless you explicitly permit them to do so with a network rule.

Guest Wi-Fi is separate from Corporate Wi-Fi and IoT Wi-Fi. All devices can connect only to the devices in their own segment. In the IoT and Guest Wi-Fi segments, we can further restrict communications by blocking intra-network traffic, which means that a device cannot see other devices in the same segment. This is very useful for network segments where device management is not possible, such as the Guest or IoT segments. We cannot install our antivirus on the computers and phones of our guests because we do not have ownership over them, and most IoT devices do not grant us the ability to install any security protection software, due to the simplicity of the OS, the lack of computing resources to handle added software, or both.
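A small model of the segmentation policy just described (IoT isolated from the other segments, intra-segment traffic blocked on Guest and IoT Wi-Fi, everything else denied unless a rule allows it), added here as an illustration; it is not Fortinet configuration or code from the article, and the segment names, rules and the authenticated-access condition for the servers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the diagram's segments. "isolate_clients" stands for
# the intra-network block the article applies to the Guest and IoT Wi-Fi.
SEGMENTS = {
    "corp_wifi": {"isolate_clients": False},
    "guest_wifi": {"isolate_clients": True},
    "iot_wifi": {"isolate_clients": True},
    "pcs": {"isolate_clients": False},
    "servers": {"isolate_clients": False},
    "internet": {"isolate_clients": False},
}


@dataclass(frozen=True)
class Rule:
    """An explicit allow from one segment to another (everything else is denied)."""
    src: str
    dst: str
    needs_auth: bool = False  # only properly authenticated users may use it


# Constructed rule set: every segment may reach the internet; only PCs and
# corporate Wi-Fi may reach the servers, and only after authentication.
RULES = [
    Rule("corp_wifi", "internet"),
    Rule("guest_wifi", "internet"),
    Rule("iot_wifi", "internet"),
    Rule("pcs", "internet"),
    Rule("pcs", "servers", needs_auth=True),
    Rule("corp_wifi", "servers", needs_auth=True),
]


def allowed(src, dst, authenticated=False, rules=RULES, segments=SEGMENTS):
    """Decide whether traffic from segment `src` may reach segment `dst`."""
    if src not in segments or dst not in segments:
        raise ValueError(f"unknown segment: {src} -> {dst}")
    if src == dst:
        # Same bucket: permitted unless that bucket isolates its clients.
        return not segments[src]["isolate_clients"]
    for rule in rules:
        if rule.src == src and rule.dst == dst:
            return authenticated or not rule.needs_auth
    return False  # default deny between segments


def reachable_from(src, authenticated=False):
    """Segments a compromised device in `src` could reach under the policy."""
    return sorted(d for d in SEGMENTS if d != src and allowed(src, d, authenticated))


if __name__ == "__main__":
    for seg in SEGMENTS:
        if seg != "internet":
            print(f"{seg:11} -> {reachable_from(seg)}  (authenticated: {reachable_from(seg, True)})")
```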

Physically connected devices (ethernet) can also be separated by priority. If we look at the PCs and the Servers, we can see that they have their own network segments as well. Access to certain servers can be provided to the users who need it after they have been properly authenticated.

From a management perspective, the equipment can leverage Network Access Controls to dynamically assign the right network segment or VLAN to the right device. It is truly awesome.

Finally, we can extend the reach of the protection with an endpoint protection agent. If at any time the device leaves the network, it is still protected, and the endpoint protection can send information to the rest of the devices so everyone is on the same page.

The firewall is the heart of the entire stack, and as such requires licensing in order to update all the definitions used for inspecting incoming and outgoing traffic. You can see the list of the different filters that you can apply in the capture above. Without security feature licensing you still have a very capable device, able to manage switches and access points, segment the whole network properly, authenticate users, and provide a device inventory. Features like application filtering, antivirus, and web filtering are licensable and thus would not work properly without the licenses. Unlike other vendors that have a million SKUs, Fortinet has a SKU that includes the hardware firewall device and the licenses in what is called a Unified Threat Protection (UTP) bundle, which includes the device and all the needed licensing for a 1, 3, or 5-year term.

Beyond security, you can also see a ton of quality of service metrics for devices, interfaces, segments, etc.

Here are a few captures of a Fortinet Security Fabric stack…

The integrated security fabric architecture is managed by the perimeter firewall device. No longer do you have to log into switches and access points separately to configure them, it is all done from the firewall.

The integrated access point management allows the user to configure their wireless networks as well as monitor the health of the hardware, including something called Rogue Access Point Suppression, which allows for the suppression of other wireless signals in congested spaces to minimize interference and improve signal quality.

You can manipulate the signal strength on all the wireless access points to get the best coverage. At any given time you can see all the devices that are connected to each of the wireless access points.

The integrated switch management allows you to divide your network based on device priority, turn on specific security features and quality of service features for specific ports, etc. This configuration is done from the GUI, no CLI is needed here, and that is a good thing. CLI access is available if needed.

Endpoint Protection

The integrated endpoint protection will extend the reach of the security stack to wherever the protected endpoint travels. You can now send employees to work from home and still manage and monitor the workstation, allow only secure remote VPN connections, and monitor device vulnerabilities, user events, and attacks.

Endpoint Protection with Event Management and different rules for different devices.
Vulnerability Management.

The Hardware

A good starting point that you can build upon in the future would be made up of 1 firewall, 1 switch, and 1 access point. Here are a couple of recommendations.

The FortiGate firewall (the 40F model, link below, together with the 60F should cover the majority of SMB use cases) is the perimeter device, and what manages the rest of the security fabric.

To ensure that the firewall can handle the network speeds, its Threat Protection throughput (in Mbps) has to be above the total speed of the network. For example, if my ISP is giving me 250 Mbps download and 50 Mbps upload, then I have a total of 300 Mbps of throughput. We can see in the datasheet that this model can handle twice that. This is good.

Access Layer (Switches)

To start with, go with the 100 series; they are the most economical and will have everything you need.

Access Points

The 200 series should more than suffice for over 90% of use cases. Outdoor access points are also available.

Endpoint Protection Software

In order to successfully deploy FortiClient endpoint protection, a Windows machine with sufficient resources is needed to host the management application.

These are the minimum requirements for hosting the Endpoint Protection Management application on a Windows machine:

  • 2.0 GHz 64-bit processor, dual core (or two virtual CPUs)
  • 4 GB RAM (8 GB RAM is recommended)
  • 40 GB of free hard disk
  • Gigabit Ethernet adapter
  • Internet access

There are a ton of ways to procure this solution; if no better option is available, here is what the prices would look like on Amazon.

Firewall https://amzn.to/3ooxXLb

PoE Switch https://amzn.to/31KCKwR

PoE stands for Power over Ethernet; it means the switch can provide power to the connected access points, as well as to cameras, phones, and other devices that can draw power from the network connection.

Access Point https://amzn.to/31NFv0m

Some networks where the majority of the devices are connected wirelessly might not need a switch, in which case the infrastructure could consist of one firewall and a couple of access points. In this case, make sure that the chosen firewall model has enough internal ports for the number of access points procured. Also, please note that the firewall might not have PoE ports, in which case a PoE injector (https://amzn.to/2HFitSh, or https://amzn.to/3ottbfb) will be needed.

Overall, the solution should cost around $3000, with a renewal cost of about 40 to 50% of that after 3 years for the security licenses, over a lifecycle of anywhere between 6 and 9 years. If we do the math, we are looking at approximately $6000 or more over 9 years.

The endpoint protection is licensed by how many devices are to be protected, and that is an extra cost. Usually it is a single-digit dollar cost per device, additional to the numbers above.

Cost is the only reason why I shy away from recommending something like this for home users. However, when it comes to businesses dealing with sensitive customer information, payment information, and confidential competitive secrets that, if stolen, could be used to negate whatever niche the business has in its segment, how could you not take this seriously?
