[BreachExchange] IoT Security Checklist: Get Ahead Of The Curve
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Mar 4 15:45:51 EST 2016
http://www.darkreading.com/iot/iot-security-checklist-get-ahead-of-the-curve/a/d-id/1324513
In just two to three years, the Internet of Things will be a major avenue
for hackers for the simple reason that everything is going to be connected.
What systems and processes do security professionals need to put in place
to defend against IoT product risk in the not-too-distant future? Here is a
checklist of 9 IoT security strategies that belong in every stage of the
product development life cycle
#1. Begin at the beginning to reduce attack points
Every phase of the development process must take digital security into
consideration. Security should be a part of product requirements and design
consideration, and be embedded at every stage of the development life
cycle. The Quality Assurance cycle must account for security in addition to
functionality. An important component of this is fail-safe systems. When
something fails - and things will fail - it should be built to fail safe
and secure so that the failure can be contained and doesn’t lead to a
greater systemic failure.
#2. Authentication & authorization
Your car, your garage door opener, your medical device - all of these
things have to communicate with other devices and, potentially, a
mothership. The IoT will need strong authentication for these
communications, using techniques like multi-factor authentication or
asymmetric encryption to protect each device by using their own unique key.
You can’t expect a user to enter a password every time they get into their
car, so there needs to be another form of security. One of the stronger
forms of authentication is certificate-based in which devices have embedded
certificates that can authenticate to the mothership. For example, a
connected car should have a private certificate that it uses to communicate
to the mothership. If a private certificate is compromised, the consumer is
issued a new certificate securely. In this way, cars can safely communicate
with the mothership to download patches, etc.
Authorization is also important. Strong authorization means role-based
access controls that can be enforced to limit exposure: if a specific part
of a product is compromised, it can be contained and not escalate into
other components.
#3. Encryption
Sensitive personal data that is stored on a device needs to be encrypted at
rest. And all communication to and from the device (to another device or to
the mothership) must be encrypted in transit using secure protocol. Key
management is also an important consideration. If someone has potential
access to a device, they shouldn’t be able to extract data. The actual key
that protects data needs to be protected.
#4. Privacy
With collected data, there must be transparency into the type of data that
is collected, how it is used, and, if feasible, opt-out options. By
default, personal data collection should be limited to only that which is
necessary. For example, with a connected car, you may need a consumer’s VIN
number, but why would you need personal data like their birthday? If you
don’t need the info, don’t collect it. Only protect what you need to
protect in order to reduce exposure.
#5. Consumer awareness
Some of the responsibility for IoT security falls to the consumer but as
professionals, we need to build this consumer awareness. If you look at the
credit card market, you see companies sending notifications to consumers
with alert warnings and best practices for sharing credit card information.
Empowering consumers with this information is a good practice: consumers
can assist in an organization’s efforts to prevent fraud.
IoT security professionals also need to take a defensive posture with IoT
by thinking about vulnerabilities before breaches occur, especially now,
while the advance is still currently low. Communicating directly with
consumers about these types of security best practices is an important
touch point. For example, if a consumer is driving a connected car, what
are the security features he or she needs to know about that car?
#6. Security testing: digital & physical
Testing is key to IoT security. With IoT devices, this testing has to
include digital testing as well as brutal physical product testing. We need
to take aConsumer Reports’ approach to ensure that products can hold up to
such testing, following best practices such as proactive hunting and
continuous security testing. It’s not possible to detect everything during
the product life cycle, so continual testing and patching is also a key
consideration.
Safety airbags are a good example. When companies test their cars, airbags
are always one of the top features tested for safety. There are literally
hundreds of tests just to ensure that airbags are turned on at the right
time. Security professionals need to invest the same level of rigor to
digital testing, so that an unauthorized hacker can’t just remotely turn
off your airbag while you’re driving.
#7. Third-party testing
It’s not enough for security professionals to perform internal testing on
IoT products. Once products have been built and internally tested, there
needs to be an additional check to uncover security flaws by a third party
that specializes in IoT security. This will give manufacturers time to
address potential issues without impacting consumer security. Likewise,
whenever you make any significant changes to your product, you’ll need to
recruit third-party testing again.
#8. Internet-enabled security software updates and vulnerability management
Remote patching of IoT devices is a critical requirement. The Chrysler
Cherokee flaw resulted in a physical recall of 1.4 million vehicles; a
remote patch functionality would have negated the need for a physical
recall and contained the risk more quickly. Patching not only leads to
lower risk, but also cost savings for the vendor, and an improved customer
experience. Vulnerability management is a product discipline that should be
embedded as part of the product life cycle.
#9. Security analytics to detect intrusion
The amount of data that is generated by IoT is enormous; we’re talking
realbig data. The challenge is that traditional intrusion software cannot
effectively process so much data. So there needs to be new technology
(based on machine learning, data science, security analytics) to help
detect intrusion and to detect malicious traffic patterns on IoT devices.
Security professionals need to be working on creating technology to support
this, to set up trigger alerts when someone is attempting to bypass
security.
We’ve seen companies in other sectors fail to perform proper due diligence
and invest in security. The result? Massive breaches which lead to loss of
consumer confidence, falling stock prices, and major organizational
shake-ups. For IoT, the risks are even greater. While we’re still in the
early stages, now is the time to build out a proactive and thorough
security program to protect against threats that we haven’t yet even begun
to imagine.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160304/ed58074e/attachment.html>
More information about the BreachExchange
mailing list