Why Rotating Passwords on your Physical Security Devices is Essential
Passwords. Understood to be a necessary nuisance, the average individual inputs multiple passwords each day – or even each hour – to unlock our phones, access our medical records and bank accounts, or login to our work server, and so much more.
Rotating these passwords is rarely a welcome occurrence. It takes time and effort, and password update prompts usually come at inconvenient or inopportune times. If that is true on the personal level, imagine the pain point of password rotations on the enterprise level. Perhaps that explains why the use of enterprise IoT devices with default or weak passwords is growing and is still a significant problem across every industry.
This blog explores the importance of regular password rotations in the lifecycle management of physical security devices, looks at the impact of not rotating device passwords correctly, and discusses how automating password rotations can have a huge impact on the organization’s security.
Why Physical Security Devices are at Risk
According to the Unit 42 IoT Threat Report, 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT devices easy targets for hackers. 41% of attacks exploit device vulnerabilities, such as default, weak, and unchanged passwords. Unfortunately, the risk has not translated into action for many organizations. Forrester Research reports that 69% of companies estimate that at least half of all devices on their enterprise network are unmanaged or IoT, and 26% estimate that unmanaged devices outnumber managed devices on their network by three to one. It should come as no surprise then that 67% of enterprises have experienced an IoT security incident.
The Fuss about Passwords
Passwords are a fundamental first line of defense for physical security IoT devices, such as security cameras, access control systems, alarm systems, and more. Research shows that password-related attacks are commonly carried out on IoT devices due to unchanged manufacturer-set passwords and poor password security practices. This is because many IoT devices come with default credentials that are simply never changed, or are changed to weak passwords, opening the door for hackers to compromise the organization’s network. One study concluded that trying just these five default credentials: support/support, admin/admin, admin/0000, user/user, and root/12345 – gives you or any hacker access to at least 10% of all IoT devices. That translates into millions of vulnerable targets.
Why IoT Device Passwords are Not Rotated
There are many reasons why organizations are not adequately maintaining their IoT physical security device passwords.
High manual effort: The work required to regularly update or rotate passwords across IoT devices has not been widely adopted as standard. Typically, rotating device passwords has to be done manually on each device, which is cumbersome and prone to error. This is a daunting task for any IoT operations team managing a fleet of IoT devices. Therefore, in practice, most organizations simply skip the tedious, manual device password changes.
Complex maintenance: An enterprise fleet often includes different brands and types of IoT physical security devices. The various devices may require passwords to be updated differently or have limitations. For example, a device may allow only a single Admin user, forcing the organization to share credentials with multiple people.
Remote deployment: Physical security IoT devices may be deployed across multiple buildings and geographies. The fleet of devices may not be easily accessible to a central physical security team, making regular updates and password maintenance on each device an impossibility.
Lack of compliance: IT assets are traditionally tightly managed as the organization must meet a range of compliance standards. However, IoT devices do not have the same strict compliance standards in place, deeming their maintenance less of an organizational priority.
Impact of Not Rotating IoT Device Passwords Correctly
In the world of physical security, infrequent password rotation increases the risk that cyberattacks on vulnerable IoT devices will endanger people or property. For example, compromised video surveillance or access control in an airport can impact the security of passengers and aircraft operations. At a casino, theft, fraud, and other security incidents abound. The risks are no less severe when physical security devices are compromised in university campuses, hospitals, prisons, or manufacturing facilities.
The case for regular password rotations and how to achieve them
Once devices are deployed, regular password rotations are small tasks that play a critical role in overall device management, particularly when multiple people share login credentials. The good news is that rotating passwords can be a high-ROI security measure that can easily be implemented for a quick win. How? Through automation.
Automated password rotations on devices are a tactical and practical way to achieve security compliance, enabling security teams to focus on higher-value tasks. Automation enables organizations to efficiently update passwords for any number of devices or device groups, regardless of their physical location. Ultimately, a platform that allows for automated password rotations will be vastly more time-efficient and accurate than staff can possibly be, especially when rotating passwords on different models of devices from a range of manufacturers and management systems.
Solution: IoTOps for Automated Password Rotations
IoTOps is a practice that allows for the operational management of IoT devices to take place in a
consolidated, automated, and secure manner. The goal of IoTOps is to maintain a fully functioning fleet of IoT devices – no matter how large or geographically dispersed – and to ensure uncompromised compliance, constant availability, and high levels of security. When done right, IoTOps ensures that these devices stay up and running efficiently and securely, in compliance with standard IT security policies.
SecuriThings Horizon is a software-only solution that introduces the concept of IoTOps to operationally manage physical security IoT devices at scale in a consolidated and automated manner, while providing real-time visibility and control. Horizon standardizes the operational management of devices, empowering Operational teams to ensure compliance and improve the cyber security posture of their IoT environments. Once deployed, the solution provides automated operations such as password rotations, risk detection with alerts, and predictive maintenance.
For more information about how your organization can benefit from automated operations for IoT devices, click here.