The global network of connected devices, the Internet of Things (IoT), is everywhere. As technology evolves, so do the number of devices linked to the cloud. The FOW Community predicts that there will be between 26 and 212 billion devices connected to the Internet by 2020. From car navigation to your new refrigerator, retail POS to your building's climate control, these embedded systems, while sophisticated, are frequently under attack from hackers, to do you harm, to steal your data, to use your devices as a gateway into your network, or other misdeeds. As the technologies evolve, so too do the methods for breaching these embedded systems.
The ability to transfer data over a cloud-based network has changed how we do business. While the IoT may be scalable and flexible, using the cloud to share data is increasingly risky as hackers seek opportunities to wreak havoc. The increasing vulnerabilities of transmitting data over cloud-based infrastructures is causing designers, programmers, and security experts real concern as they struggle to keep these interconnected systems safe.
Threat Modeling: Step One In Breach Prevention
You've likely encountered a fictional FBI agent who is challenged to "think like" the serial killer they're tracking. The same holds true for IT infrastructure and security experts. To figure out where the next data vulnerability might occur, you need to think like your adversary, conduct threat-modeling exercises where you try to imagine and simulate how an external opportunist might exploit your devices. Consider these common hacker goals:
- Assume control - Chrysler famously had to plug a security hole that hackers could use to take control of their vehicles, while they were in motion.
- Destroy the device, or its data - Whether data or property, this is a serious breach.
- Denial of service (DOS) - Floods your system, creating a functionality logjam.
- Falsify or steal data - A major role of IoT devices is to capture data from smart sensors; adversaries may want that data, or may want to falsify the sensor reports to cover up other things that they are doing.
- Indirect attack - Hackers leverage one type of device to worm their way into another part of your network.
These are all typical threats to consider as you plan strategies to improve network security.
Increasing and Developing Security for Embedded Networks
The concept of networking things is a relatively new idea, but many of the things themselves have been around a while and may be based on outdated embedded operating software. Just adding connectivity to those things without making them more robust and secure is courting trouble. Allowing engineers the resources they need to develop secure code will add security to your new product. To learn more about the tools and techniques that help that process, we recommend that you start with the Department of Homeland Security's Build Security In website. You'll learn how programmers can use tools to identify vulnerabilities as the code is written - instead of correcting problems after the fact.
Security testing protocols that you should apply to the IoT include:
- Application Defense -- The best defense is also a great offense; make sure you have security protocols at all steps in the development phase, including your use of third-party embedded code.
- Device Defense -- Basics include password protection, protocols, and patching. When practical, including two-factor authorization for the end user is a very strong defense.
- Dynamic Application Security Testing (DAST) -- DAST tests for weaknesses when the application is live, attempting a "friendly hack" via automation during development.
- Network Defense -- Monitors external threats via intrusion detection system (IDS) software.
- Shared Threat Intelligence -- Sharing threats as they arise via the Information Technology Information Sharing and Analysis Center (IT-ISAC) helps IT professionals stay informed.
- User Issues -- Educating end users on their responsibilities related to cyber security is crucial to the success of your network.
Designing for the IoT is a new frontier for the typical application developer. Preventing malicious attacks on the network is one of our biggest challenges. Following these protocols will create a culture of security from design to implementation and reduce risks significantly.