Securing Your Future With IoT Security Testing
Securing Your Future With IoT Security Testing
With IoT security still a sore spot for investors and potential clients, here is some advice to ensuring your devices and IoT apps are secure.
Join the DZone community and get the full member experience.Join For Free
The concept of the Internet of Things aims at connecting physical objects to the internet and allows them to provide different services to communicate among various objects. IoT aims at connecting each device to provide a universal connectivity. The Internet of Things has gained a significant attention in past 2 years. It includes multiple domains and applications such as smart home, smart healthcare, transportation etc. The highly dynamic nature of the IoT environment brings new challenges and diverse service requirements offered to clients.
Gartner, Inc. forecasts that connected things “… will reach 20.8 billion by 2020.”
IoT is an era of “smart”, connected products that communicate and transfer a tremendous amount of data and upload it to cloud. With an increasing pressure to deliver better services and ensure fast growth and competition, there is a need to access, create, use, and share data from any device anywhere in the world to provide greater insight and control over elements in our increasingly connected lives.
As these devices become more vital to our lives, the need to secure them is rising at a growing pace. Many are susceptible to vulnerabilities and may prove to be a threat on our own data and systems both in number and complexity. Despite this, devices without proper security checks are emerging in the market.
IoT is not just software, but an entire system of hardware, software, web, and mobile interfaces. This ecosystem is not very mature, and there are still major concerns waiting around IoT adoption — primarily due to security threats. Security requirements in the IoT environment are not different from any other system. Mobile and laptops have dozens of software security solutions to protect them from attacks, but similar security solutions are rarely present to protect the rest of the internet of things — due to which, security breaches are bound to happen.
The struggle is that most customers pay for products or services that have an explicit value and reason to purchase, and complementary features like security and privacy are not in the top priority list of their wants. As a result, business don’t put much effort into these aspects of their products. Customers don’t perceive any value in carrying out the extra burden of cost on security features in lieu of primary functionality.
Vulnerabilities in IoT
Vulnerabilities have already been identified in multiple types of industries, like automotive and healthcare, with specific instances where data manipulation or theft can occur. Examples include attacks on home automation systems and taking control of heating systems, air conditioning, lighting, and physical security systems.
Most hackers can access public and private webcams around the world by hacking into remote web cameras using advanced tools. Malicious hackers can also gain access to medical equipment to speed patients’ heart rates up or down, or alter the amount of antibiotics provided to the patients by modifying drug infusion pumps.
Security experts Chris Valasek and Charlie Miller grabbed headlines with their research on the vulnerability of connected cars when they hacked into a Toyota Prius and a Ford Escape using a laptop plugged into the vehicle’s diagnostic port.
Once a vulnerability is discovered, all the connected devices can be hijacked and potentially open their entire network to view and attack. Good examples are botnets like Mirai, Reaper, IoTroop, etc.
Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to penetrate almost any internet-connected device. PCs, laptops, mobile, smartwatches, and smart kitchen appliances can all fall within the web of a botnet. Botnets are typically created to infect millions of devices and systems at a time. Unsecured devices make it easy for autonomous bots to find and exploit systems through the internet.
Hence, with the growing challenges of IoT devices, organizations should view security as a critical business consideration and work to improve their security attitudes at every possible level. By incrementally improving security, organizations can effectively curb their risk of falling victim to cyber disasters. In fact, an organization should understand the risks and security requirements and decide how much security they want and how much they want to spend to build a robust system.
End-to-end testing of IoT applications will ensure higher consistency, integrity, and scalability, and provide a rich experience.
Security must be addressed throughout the device lifecycle, from the initial design to the operational level:
When power is supplied to a device, the integrity of the software on that device is verified through a digital signature along with the software authorization to run on that device and signed by the entity that authorized it.
Secure Access Control
Device-based access control mechanisms are similar to network-based access control systems such as Microsoft Active Directory. In case someone hacks into a network using corporate credentials, the compromised information would be limited to the areas authorized by those credentials.
The principle of least privilege dictates that only the minimal access required to perform a function should be authorized to minimize the effectiveness of any breach of security.
It is a must to authenticate a device whenever it is plugged into a network — before receiving or transmitting data.
The device needs a firewall inspection capability to control traffic and filter specific data that is destined to terminate the device in a way that makes optimal use of its limited computational resources available.
Updates and Patches
Security patches and software updates must be delivered keeping in mind the conservation of network bandwidth and the connectivity of embedded devices.
For a seamless operation of IoT devices, it is critical to have robust security at both the device and network levels. This does not require a revolutionary approach, but rather a progression of measures that have proven successful in IT networks, adapted to the challenges of IoT and to the constraints of connected devices.
To optimize IT security controls in today’s interconnected world and deliver complex applications driving IoT, Security testing is the only discipline that helps an organization to identify where they are vulnerable and take corrective measures to prevent (as well rectify) gaps.
The following are two common approaches of security testing.
Static Application Security Testing (SAST)
SAST, or White-Box Testing, is used to analyze the source code of applications to check for any security vulnerabilities. SAST solutions look at the application ‘from the inside out’, without code compilation. Gartner states that “SAST should be a mandatory requirement for all organizations developing applications,” and with 80% of attacks aimed at the application layer, according to Gartner, SAST is one of the top ways to ensure your application security is sound.
When security testing isn’t run throughout the SDLC, there’s a higher risk of allowing vulnerabilities to get through to the released application, increasing the chance of allowing hackers through the application.
Dynamic Application Security Testing (DAST)
DAST refers to testing the applications from the outside in. It involves checking the applications in their running state and trying to break them to discover security vulnerabilities.
An approach that utilizes both SAST and DAST yields the most comprehensive testing.
Published at DZone with permission of Hiren Tanna , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.