Detectability, Exposure, Access
An IoT device that is not exposed to the public internet, even if insecure, may be difficult for an attacker to access. An internet-connected device, especially one indexed by search engines like Shodan, represents a direct security threat, as it represents an attractive target for attackers looking for an initial beachhead into your systems. Such devices rarely have much security and may even simply enable attackers to connect to them via default credentials. In addition to the risk of them acting as an initial foothold into your systems, they also are frequent targets for botnets, from historical examples such as the Mirai botnet to more recent examples like Aisuru and Kimwolf. IoT devices can also act as a vector for direct, physical attacks on your organisation: CCTV cameras hacked to facilitate a break-in, industrial control systems hijacked to directly damage equipment.
Our approach to IoT devices exposed to the public internet consists of three stages. We enumerate which of your devices actually support connections over public internet. We see if the devices in question really need to be accessed remotely, or if they can be locked down to only support an internal network (such as a segregated VLAN); and if not, if we can restrict public exposure through firewalls and other technical means. Finally, we assess access credentials, ensuring that device access can only happen with proper authentication and that factory default access settings have been changed.