Microsoft has a blog post about Russian hackers who accessed corporate networks via IoT devices. They were able to get in through the IoT devices because the devices' default passwords had never been changed. The devices in question were a video decoder, a VoIP phone, and an office printer.
The blog (from the Microsoft Security Response Center) goes on to list some great advice on how to protect a network with IoT devices:
Require approval and cataloging of any IoT devices running in your corporate environment.
Develop a custom security policy for each IoT device.
Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
Use a separate network for IoT devices if feasible.
Conduct routine configuration/patch audits against deployed IoT devices.
Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
Audit any identities and credentials that have authorized access to IoT devices, users and processes.
Centralize asset/configuration/patch management if feasible.
If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
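Several of the items above (cataloging devices, a per-device policy, limiting internet exposure, and monitoring for abnormal behaviour such as a printer browsing SharePoint) can be checked together from firewall or flow logs. The following is an added example, not code from the Microsoft post or this page: it uses a constructed IoT catalog, a constructed IoT subnet (10.0.50.0/24), and constructed log lines, and flags any IoT flow that falls outside that device's policy or comes from a device nobody catalogued.

```python
import ipaddress
from collections import namedtuple

# Constructed asset catalog: every approved IoT device gets its own policy,
# expressed as the (destination, port) pairs it legitimately needs.
IOT_NET = ipaddress.ip_network("10.0.50.0/24")       # assumed IoT segment
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
IOT_CATALOG = {
    "10.0.50.10": {"name": "office-printer", "allow": {("10.0.20.5", 514), ("10.0.20.6", 53)}},
    "10.0.50.11": {"name": "voip-phone",     "allow": {("10.0.30.2", 5060), ("10.0.20.6", 53)}},
    "10.0.50.12": {"name": "video-decoder",  "allow": {("10.0.40.9", 554), ("10.0.20.6", 53)}},
}

# Constructed firewall log lines: "<timestamp> <src> <dst> <dst_port> <action>".
SAMPLE_LOGS = """\
2019-08-05T10:00:01Z 10.0.50.10 10.0.20.5 514 ALLOW
2019-08-05T10:00:04Z 10.0.50.10 10.0.60.7 443 ALLOW
2019-08-05T10:00:09Z 10.0.50.11 10.0.30.2 5060 ALLOW
2019-08-05T10:00:12Z 10.0.50.12 203.0.113.45 443 ALLOW
2019-08-05T10:00:15Z 10.0.10.33 10.0.60.7 443 ALLOW
2019-08-05T10:00:20Z 10.0.50.99 10.0.20.6 53 ALLOW
"""

Finding = namedtuple("Finding", "time device dst port reason")

def analyze(log_text):
    """Return one Finding per IoT flow that violates the catalog policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        ts, src, dst, port, _action = parts
        if ipaddress.ip_address(src) not in IOT_NET:
            continue                      # workstation/server traffic: out of scope here
        device = IOT_CATALOG.get(src)
        if device is None:                # something on the IoT segment nobody approved
            findings.append(Finding(ts, src, dst, int(port), "uncatalogued device on IoT network"))
            continue
        if (dst, int(port)) in device["allow"]:
            continue                      # within this device's policy
        if ipaddress.ip_address(dst) in CORPORATE_NET:
            reason = "internal destination outside device policy"   # e.g. printer -> SharePoint
        else:
            reason = "direct internet access from IoT device"
        findings.append(Finding(ts, device["name"], dst, int(port), reason))
    return findings

for f in analyze(SAMPLE_LOGS):
    print(f)
```

Feeding real flow logs through this (and keeping the catalog current) turns the "monitor for abnormal behavior" item into a concrete, repeatable check.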