IoT
3/3/2016
10:30 AM
Pritesh Parekh
Pritesh Parekh
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

IoT Security Checklist: Get Ahead Of The Curve

The security industry needs to take a Consumer Reports approach to Internet of Things product safety, including rigorous development practices and both physical and digital testing.

In just two to three years, the Internet of Things will be a major avenue for hackers for the simple reason that everything is going to be connected. What systems and processes do security professionals need to put in place to defend against IoT product risk in the not-too-distant future? Here is a checklist of 9 IoT security strategies that belong in every stage of the product development life cycle

#1. Begin at the beginning to reduce attack points

Every phase of the development process must take digital security into consideration. Security should be a part of product requirements and design consideration, and be embedded at every stage of the development life cycle. The Quality Assurance cycle must account for security in addition to functionality. An important component of this is fail-safe systems. When something fails - and things will fail - it should be built to fail safe and secure so that the failure can be contained and doesn’t lead to a greater systemic failure.

#2. Authentication & authorization

Your car, your garage door opener, your medical device - all of these things have to communicate with other devices and, potentially, a mothership. The IoT will need strong authentication for these communications, using techniques like multi-factor authentication or asymmetric encryption to protect each device by using their own unique key.

You can’t expect a user to enter a password every time they get into their car, so there needs to be another form of security. One of the stronger forms of authentication is certificate-based in which devices have embedded certificates that can authenticate to the mothership. For example, a connected car should have a private certificate that it uses to communicate to the mothership. If a private certificate is compromised, the consumer is issued a new certificate securely. In this way, cars can safely communicate with the mothership to download patches, etc.

Authorization is also important. Strong authorization means role-based access controls that can be enforced to limit exposure: if a specific part of a product is compromised, it can be contained and not escalate into other components.

#3. Encryption

Sensitive personal data that is stored on a device needs to be encrypted at rest. And all communication to and from the device (to another device or to the mothership) must be encrypted in transit using secure protocol. Key management is also an important consideration. If someone has potential access to a device, they shouldn’t be able to extract data. The actual key that protects data needs to be protected.

#4. Privacy

With collected data, there must be transparency into the type of data that is collected, how it is used, and, if feasible, opt-out options. By default, personal data collection should be limited to only that which is necessary. For example, with a connected car, you may need a consumer’s VIN number, but why would you need personal data like their birthday? If you don’t need the info, don’t collect it. Only protect what you need to protect in order to reduce exposure.

#5. Consumer awareness

Some of the responsibility for IoT security falls to the consumer but as professionals, we need to build this consumer awareness. If you look at the credit card market, you see companies sending notifications to consumers with alert warnings and best practices for sharing credit card information. Empowering consumers with this information is a good practice: consumers can assist in an organization’s efforts to prevent fraud.

IoT security professionals also need to take a defensive posture with IoT by thinking about vulnerabilities before breaches occur, especially now, while the advance is still currently low. Communicating directly with consumers about these types of security best practices is an important touch point. For example, if a consumer is driving a connected car, what are the security features he or she needs to know about that car? 

#6. Security testing: digital & physical

Testing is key to IoT security. With IoT devices, this testing has to include digital testing as well as brutal physical product testing. We need to take a Consumer Reports’ approach to ensure that products can hold up to such testing, following best practices such as proactive hunting and continuous security testing. It’s not possible to detect everything during the product life cycle, so continual testing and patching is also a key consideration.

Safety airbags are a good example. When companies test their cars, airbags are always one of the top features tested for safety. There are literally hundreds of tests just to ensure that airbags are turned on at the right time. Security professionals need to invest the same level of rigor to digital testing, so that an unauthorized hacker can’t just remotely turn off your airbag while you’re driving.

#7. Third-party testing

It’s not enough for security professionals to perform internal testing on IoT products. Once products have been built and internally tested, there needs to be an additional check to uncover security flaws by a third party that specializes in IoT security. This will give manufacturers time to address potential issues without impacting consumer security. Likewise, whenever you make any significant changes to your product, you’ll need to recruit third-party testing again.

#8. Internet-enabled security software updates and vulnerability management

Remote patching of IoT devices is a critical requirement. The Chrysler Cherokee flaw resulted in a physical recall of 1.4 million vehicles; a remote patch functionality would have negated the need for a physical recall and contained the risk more quickly. Patching not only leads to lower risk, but also cost savings for the vendor, and an improved customer experience. Vulnerability management is a product discipline that should be embedded as part of the product life cycle.

#9. Security analytics to detect intrusion

The amount of data that is generated by IoT is enormous; we’re talking real big data. The challenge is that traditional intrusion software cannot effectively process so much data. So there needs to be new technology (based on machine learning, data science, security analytics) to help detect intrusion and to detect malicious traffic patterns on IoT devices. Security professionals need to be working on creating technology to support this, to set up trigger alerts when someone is attempting to bypass security.

We’ve seen companies in other sectors fail to perform proper due diligence and invest in security. The result? Massive breaches which lead to loss of consumer confidence, falling stock prices, and major organizational shake-ups. For IoT, the risks are even greater. While we’re still in the early stages, now is the time to build out a proactive and thorough security program to protect against threats that we haven’t yet even begun to imagine.

Related Content

  

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Pritesh Parekh is the VP & CSO of Zuora. He has over 15 years of experience in building and managing enterprise security programs, and a decade of leading security for cloud platforms. Prior to joining Zuora, Parekh was leading worldwide Security and Compliance for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
priteshp
50%
50%
priteshp,
User Rank: Apprentice
3/3/2016 | 5:27:01 PM
Re: Encryption
Agreed. Especially, data at rest encryption is not widely adapted. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/3/2016 | 11:29:01 AM
Encryption
Encryption needs to be standard at this point. Its one of the stronger security safeguards and it seems that still some IoT devices resist implementation.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
8 Key Building Blocks for Enterprise Network Defense
Networks are changing rapidly -- and so are strategies for protecting them. This Tech Digest looks at the fundamentals for the next-gen environment.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In this episode of Dark Reading Radio, veteran CISOs will share their experience and insight into how organizations can get the best bang for their security buck.