Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

12/10/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

FBI's Portland Office Spies IoT Education Opportunity

The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.

The Federal Bureau of Investigation’s office in Portland, Oregon has started an effort that it calls "Tech Tuesday" to disseminate actionable security advice to users. Last weekit got around to the Internet of Things (IoT).

The FBI concentrated its advice on limiting an IoT device's access to the Internet router that it uses, since an attacker can leverage the unimpeded path to the enterprise network that can be provided by a WiFi router for malicious activity. As far as the router itself goes, they strongly -- and wisely -- advise changing the router's factory administrative settings from the default passwords. The new passwords should be strong enough to protect the router as well.

However, the network itself needs to be secured. As Portland put it, "Keep your most private, sensitive data on a separate system from your other IoT devices."

Many unsophisticated users will think that this means two separate routers will be needed to establish the two differing networks. That approach will indeed work, but there is a better one.

"Micro-segmentation" has been around in WiFi routers for a while. It enables a router's admin to create a virtual network (VLAN) which will act as different network than the primary one; even if they are resident on the same physical router. The enterprise could isolate other network-using devices with this technique such as printers, which have been hijacked in much the same way as a router can be.

Router maker Ubiquiti has blogged about the specific steps needed to create such a VLAN. First, the VLAN is created and ID'd. A Gateway/Subnet tag is then selected for it. Establishing a DHCP service map between the ports on the router and the IP of connected clients is the next task.

Activate the VLAN with all the choices that have made by assigning it a port on the router.

The last major step is to block traffic from the new VLAN to other networks. This is done by changing the firewall of the router. It is necessary to create a new rule for the firewall that includes the identity of the network that you wish blocked from communication with the other. If done right, all traffic from all other networks to the new network is allowed, but no traffic is allowed to be initiated from the new IoT VLAN to the sensitive network that is connected.

The FBI's Oregon office is trying to bring security to users, and for that it should be commended. But the simple format that it uses in this effort may need more detail about things that can be done, and where users should go to get them done.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...