IoT, Peripheral, and “Smart” Device Security Best Practices

Tuesday, December 05, 2023

Introduction

We are all responsible for the security of devices on the IU network, including peripherals, IoT devices, and other “smart” appliances connected to the university’s networks. Publicly accessible devices (i.e., those with public IP addresses) can add to our cyber risk footprint. Take robust precautions when adding these devices to the IU network.

Recently, threat actors identified several devices on the university network that were poorly configured and publicly accessible. These compromises did not rise to a serious level; however, they serve as a good reminder of the best practices for these types of devices:

Best Practices

Here are some of the best practices that you should follow to ensure the security of your devices on the IU network:

  • Restrict IP Access: Per University Policy IT-12, there must be a justified and documented business reason for a device to have a public IP address. Most devices, including printers and IoT-type devices, do not need one; request a private IP address for those, and when appropriate, see About IU PublicNet. When a device does need a public IP address, restrict access to it to prevent abuse. A networked printer, for example, should not need to be open to the entire internet; it should be restricted to the necessary network segments. Other devices, such as connected door locks, thermostats, and complex controllers (e.g., astronomical instruments or medical radiological devices), should already be on the Building Management Systems network or the Legacy VLAN, or be added there when they are installed.
  • Disable unnecessary ports/services: If a port, protocol, or service/daemon isn’t needed, disable it.
  • Update firmware: Keep device firmware up to date. Connected devices often need individual care. For example, printers, scanners, and other types of IoT/smart devices may require individual updates. If it connects to a network, find out what it takes to keep it up to date.
  • Require admin authentication: Many networked “smart” devices have administration panels. When they can be configured to require authentication, make sure that those administrative interfaces are not available on public IP addresses. If authentication cannot be enabled, try to disable the interface altogether. Also, do not forget to change the default credentials.
  • Have a recovery plan: If your device(s) become compromised, immediately report it to it-incident@iu.edu, and also have a plan to wipe them and restore their configuration so that they’re free of compromise. Some devices can be remotely handled; others need physical access.
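
One way to turn the access, services, and admin-authentication items above into a repeatable check is to audit a device inventory against them. The following is an added example, not a UISO tool; the inventory schema, device names, and addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; anything outside them is treated as publicly routable here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical schema). 203.0.113.0/24 is a
# documentation range standing in for public addresses.
INVENTORY = [
    {"name": "printer-3f", "ip": "203.0.113.20", "justification": "",
     "allowed_sources": ["0.0.0.0/0"], "services": {"ipp", "telnet", "http-admin"},
     "needed": {"ipp"}, "admin_auth": False, "default_creds": True},
    {"name": "thermostat-b2", "ip": "10.20.4.17", "justification": "",
     "allowed_sources": ["10.20.0.0/16"], "services": {"https-admin"},
     "needed": {"https-admin"}, "admin_auth": True, "default_creds": False},
    {"name": "kiosk-lobby", "ip": "203.0.113.45", "justification": "public kiosk, documented",
     "allowed_sources": ["198.51.100.0/24"], "services": {"https"},
     "needed": {"https"}, "admin_auth": True, "default_creds": False},
]

def is_public(ip):
    """True when the address is outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def audit(device):
    """Return the list of best-practice findings for one inventory record."""
    findings = []
    public = is_public(device["ip"])
    if public and not device["justification"].strip():
        findings.append("public IP without documented business reason")
    if public and any(ipaddress.ip_network(s).prefixlen == 0
                      for s in device["allowed_sources"]):
        findings.append("public IP open to the entire internet")
    extra = device["services"] - device["needed"]
    if extra:
        findings.append("unneeded services enabled: " + ", ".join(sorted(extra)))
    if not device["admin_auth"]:
        findings.append("admin interface without authentication")
    if device["default_creds"]:
        findings.append("default credentials unchanged")
    return findings

def audit_all(inventory):
    """Map device name to findings, keeping only devices that have any."""
    results = {d["name"]: audit(d) for d in inventory}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```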

Questions

Contact UISO@iu.edu (or your preferred support unit, e.g., TechSelect / HTS / EITS) if you have any questions.
