You are previewing Practical Internet of Things Security.
O'Reilly logo
Practical Internet of Things Security

Book Description

A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world

About This Book

  • Learn to design and implement cyber security strategies for your organization

  • Learn to protect cyber-physical systems and utilize forensic data analysis to beat vulnerabilities in your IoT ecosystem

  • Learn best practices to secure your data from device to the cloud

  • Gain insight into privacy-enhancing techniques and technologies

  • Who This Book Is For

    This book targets IT Security Professionals and Security Engineers (including pentesters, security architects and ethical hackers) who would like to ensure security of their organization's data when connected through the IoT. Business analysts and managers will also find it useful.

    What You Will Learn

  • Learn how to break down cross-industry barriers by adopting the best practices for IoT deployments

  • Build a rock-solid security program for IoT that is cost-effective and easy to maintain

  • Demystify complex topics such as cryptography, privacy, and penetration testing to improve your security posture

  • See how the selection of individual components can affect the security posture of the entire system

  • Use Systems Security Engineering and Privacy-by-design principles to design a secure IoT ecosystem

  • Get to know how to leverage the burdgening cloud-based systems that will support the IoT into the future.

  • In Detail

    With the advent of Intenret of Things (IoT), businesses will be faced with defending against new types of threats. The business ecosystem now includes cloud computing infrastructure, mobile and fixed endpoints that open up new attack surfaces, a desire to share information with many stakeholders and a need to take action quickly based on large quantities of collected data. . It therefore becomes critical to ensure that cyber security threats are contained to a minimum when implementing new IoT services and solutions. . The interconnectivity of people, devices, and companies raises stakes to a new level as computing and action become even more mobile, everything becomes connected to the cloud, and infrastructure is strained to securely manage the billions of devices that will connect us all to the IoT. This book shows you how to implement cyber-security solutions, IoT design best practices and risk mitigation methodologies to address device and infrastructure threats to IoT solutions.

    This book will take readers on a journey that begins with understanding the IoT and how it can be applied in various industries, goes on to describe the security challenges associated with the IoT, and then provides a set of guidelines to architect and deploy a secure IoT in your Enterprise. The book will showcase how the IoT is implemented in early-adopting industries and describe how lessons can be learned and shared across diverse industries to support a secure IoT.

    Style and approach

    This book aims to educate readers on key areas in IoT security. It walks readers through engaging with security challenges and then provides answers on how to successfully manage IoT security and build a safe infrastructure for smart devices. After reading this book, you will understand the true potential of tools and solutions in order to build real-time security intelligence on IoT networks.

    Downloading the example code for this book. You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the code file.

    Table of Contents

    1. Practical Internet of Things Security
      1. Table of Contents
      2. Practical Internet of Things Security
      3. Credits
      4. About the Authors
      5. About the Reviewer
      6. www.PacktPub.com
        1. eBooks, discount offers, and more
          1. Why subscribe?
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Errata
          2. Piracy
          3. Questions
      8. 1. A Brave New World
        1. Defining the IoT
          1. Cybersecurity versus IoT security and cyber-physical systems
        2. Why cross-industry collaboration is vital
        3. IoT uses today
          1. Energy industry and smart grid
          2. Connected vehicles and transportation
          3. Manufacturing
          4. Wearables
          5. Implantables and medical devices
        4. The IoT in the enterprise
          1. The things in the IoT
            1. The IoT device lifecycle
              1. IoT device implementation
              2. IoT service implementation
              3. IoT device and service deployment
            2. The hardware
            3. Operating systems
            4. IoT communications
            5. Messaging protocols
              1. MQTT
              2. CoAP
              3. XMPP
              4. DDS
              5. AMQP
              6. Gateways
            6. Transport protocols
            7. Network protocols
            8. Data link and physical protocols
              1. IEEE 802.15.4
              2. ZWave
              3. Power Line Communications
              4. Cellular communications
            9. IoT data collection, storage, and analytics
          2. IoT integration platforms and solutions
        5. The IoT of the future and the need to secure
          1. The future – cognitive systems and the IoT
        6. Summary
      9. 2. Vulnerabilities, Attacks, and Countermeasures
        1. Primer on threats, vulnerability, and risks (TVR)
          1. The classic pillars of information assurance
          2. Threats
          3. Vulnerability
          4. Risks
        2. Primer on attacks and countermeasures
          1. Common IoT attack types
          2. Attack trees
            1. Building an attack tree
          3. Fault (failure) trees and CPS
            1. Fault tree and attack tree differences
            2. Merging fault and attack tree analysis
          4. Example anatomy of a deadly cyber-physical attack
        3. Today's IoT attacks
          1. Attacks
            1. Wireless reconnaissance and mapping
            2. Security protocol attacks
            3. Physical security attacks
            4. Application security attacks
        4. Lessons learned and systematic approaches
          1. Threat modeling an IoT system
            1. Step 1 – identify the assets
            2. Step 2 – create a system/architecture overview
            3. Step 3 – decompose the IoT system
            4. Step 4 – identify threats
            5. Step 5 – document the threats
            6. Step 6 – rate the threats
        5. Summary
      10. 3. Security Engineering for IoT Development
        1. Building security in to design and development
          1. Security in agile developments
          2. Focusing on the IoT device in operation
        2. Secure design
          1. Safety and security design
            1. Threat modeling
            2. Privacy impact assessment
            3. Safety impact assessment
            4. Compliance
              1. Monitoring for compliance
            5. Security system integration
              1. Accounts and credentials
              2. Patching and updates
              3. Audit and monitoring
          2. Processes and agreements
            1. Secure acquisition process
            2. Secure update process
            3. Establish SLAs
            4. Establish privacy agreements
            5. Consider new liabilities and guard against risk exposure
            6. Establish an IoT physical security plan
          3. Technology selection – security products and services
            1. IoT device hardware
            2. Selecting an MCU
            3. Selecting a real-time operating system (RTOS)
            4. IoT relationship platforms
              1. Xively
              2. ThingWorx
            5. Cryptographic security APIs
            6. Authentication/authorization
            7. Edge
            8. Security monitoring
        3. Summary
      11. 4. The IoT Security Lifecycle
        1. The secure IoT system implementation lifecycle
          1. Implementation and integration
            1. IoT security CONOPS document
            2. Network and security integration
              1. Examining network and security integration for WSNs
              2. Examining network and security integration for connected cars
              3. Planning for updates to existing network and security infrastructures
              4. Planning for provisioning mechanisms
              5. Integrating with security systems
              6. IoT and data buses
            3. System security verification and validation (V&V)
            4. Security training
              1. Security awareness training for users
              2. Security administration training for the IoT
            5. Secure configurations
              1. IoT device configurations
              2. Secure gateway and network configurations
          2. Operations and maintenance
            1. Managing identities, roles, and attributes
              1. Identity relationship management and context
                1. Attribute-based access control
                2. Role-based access control
                3. Consider third-party data requirements
                4. Manage keys and certificates
            2. Security monitoring
            3. Penetration testing
              1. Red and blue teams
                1. Evaluating hardware security
                2. The airwaves
                3. IoT penetration test tools
            4. Compliance monitoring
            5. Asset and configuration management
            6. Incident management
            7. Forensics
          3. Dispose
            1. Secure device disposal and zeroization
            2. Data purging
            3. Inventory control
            4. Data archiving and records management
        2. Summary
      12. 5. Cryptographic Fundamentals for IoT Security Engineering
        1. Cryptography and its role in securing the IoT
          1. Types and uses of cryptographic primitives in the IoT
          2. Encryption and decryption
            1. Symmetric encryption
              1. Block chaining modes
              2. Counter modes
            2. Asymmetric encryption
          3. Hashes
          4. Digital signatures
            1. Symmetric (MACs)
          5. Random number generation
          6. Ciphersuites
        2. Cryptographic module principles
        3. Cryptographic key management fundamentals
          1. Key generation
          2. Key establishment
          3. Key derivation
          4. Key storage
          5. Key escrow
          6. Key lifetime
          7. Key zeroization
          8. Accounting and management
          9. Summary of key management recommendations
        4. Examining cryptographic controls for IoT protocols
          1. Cryptographic controls built into IoT communication protocols
            1. ZigBee
            2. Bluetooth-LE
            3. Near field communication (NFC)
          2. Cryptographic controls built into IoT messaging protocols
            1. MQTT
            2. CoAP
            3. DDS
            4. REST
        5. Future directions of the IoT and cryptography
        6. Summary
      13. 6. Identity and Access Management Solutions for the IoT
        1. An introduction to identity and access management for the IoT
        2. The identity lifecycle
          1. Establish naming conventions and uniqueness requirements
            1. Naming a device
          2. Secure bootstrap
          3. Credential and attribute provisioning
            1. Local access
          4. Account monitoring and control
          5. Account updates
          6. Account suspension
          7. Account/credential deactivation/deletion
        3. Authentication credentials
          1. Passwords
          2. Symmetric keys
          3. Certificates
            1. X.509
            2. IEEE 1609.2
          4. Biometrics
          5. New work in authorization for the IoT
        4. IoT IAM infrastructure
          1. 802.1x
          2. PKI for the IoT
            1. PKI primer
            2. Trust stores
            3. PKI architecture for privacy
            4. Revocation support
              1. OCSP
              2. OCSP stapling
              3. SSL pinning
        5. Authorization and access control
          1. OAuth 2.0
          2. Authorization and access controls within publish/subscribe protocols
          3. Access controls within communication protocols
        6. Summary
      14. 7. Mitigating IoT Privacy Concerns
        1. Privacy challenges introduced by the IoT
          1. A complex sharing environment
            1. Wearables
            2. Smart homes
          2. Metadata can leak private information also
          3. New privacy approaches for credentials
          4. Privacy impacts on IoT security systems
          5. New methods of surveillance
        2. Guide to performing an IoT PIA
          1. Overview
          2. Authorities
          3. Characterizing collected information
          4. Uses of collected information
          5. Security
          6. Notice
          7. Data retention
          8. Information sharing
          9. Redress
          10. Auditing and accountability
        3. PbD principles
          1. Privacy embedded into design
          2. Positive-sum, not zero-sum
          3. End-to-end security
          4. Visibility and transparency
          5. Respect for user privacy
        4. Privacy engineering recommendations
          1. Privacy throughout the organization
          2. Privacy engineering professionals
          3. Privacy engineering activities
        5. Summary
      15. 8. Setting Up a Compliance Monitoring Program for the IoT
        1. IoT compliance
          1. Implementing IoT systems in a compliant manner
          2. An IoT compliance program
            1. Executive oversight
            2. Policies, procedures, and documentation
            3. Training and education
              1. Skills assessments
              2. Cyber security tools
              3. Data security
              4. Defense-in-depth
              5. Privacy
              6. The IoT, network, and cloud
              7. Threats/attacks
              8. Certifications
            4. Testing
            5. Internal compliance monitoring
              1. Install/update sensors
              2. Automated search for flaws
              3. Collect results
              4. Triage
              5. Bug fixes
              6. Reporting
              7. System design updates
            6. Periodic risk assessments
              1. Black box
              2. White box assessments
              3. Fuzz testing
        2. A complex compliance environment
          1. Challenges associated with IoT compliance
          2. Examining existing compliance standards support for the IoT
            1. Underwriters Laboratory IoT certification
            2. NIST CPS efforts
            3. NERC CIP
            4. HIPAA/HITECH
            5. PCI DSS
            6. NIST Risk Management Framework (RMF)
        3. Summary
      16. 9. Cloud Security for the IoT
        1. Cloud services and the IoT
          1. Asset/inventory management
          2. Service provisioning, billing, and entitlement management
          3. Real-time monitoring
          4. Sensor coordination
          5. Customer intelligence and marketing
          6. Information sharing
          7. Message transport/broadcast
          8. Examining IoT threats from a cloud perspective
        2. Exploring cloud service provider IoT offerings
          1. AWS IoT
          2. Microsoft Azure IoT suite
          3. Cisco Fog Computing
          4. IBM Watson IoT platform
            1. MQTT and REST interfaces
        3. Cloud IoT security controls
          1. Authentication (and authorization)
            1. Amazon AWS IAM
            2. Azure authentication
          2. Software/firmware updates
          3. End-to-end security recommendations
          4. Maintain data integrity
          5. Secure bootstrap and enrollment of IoT devices
          6. Security monitoring
        4. Tailoring an enterprise IoT cloud security architecture
        5. New directions in cloud-enabled IOT computing
          1. IoT-enablers of the cloud
            1. Software defined networking (SDN)
            2. Data services
            3. Container support for secure development environments
            4. Containers for deployment support
            5. Microservices
            6. The move to 5G connectivity
          2. Cloud-enabled directions
            1. On-demand computing and the IoT (dynamic compute resources)
            2. New distributed trust models for the cloud
            3. Cognitive IoT
        6. Summary
      17. 10. IoT Incident Response
        1. Threats both to safety and security
        2. Planning and executing an IoT incident response
          1. Incident response planning
            1. IoT system categorization
            2. IoT incident response procedures
            3. The cloud provider's role
          2. IoT incident response team composition
            1. Communication planning
            2. Exercises and operationalizing an IRP in your organization
          3. Detection and analysis
            1. Analyzing the compromised system
            2. Analyzing the IoT devices involved
            3. Escalate and monitor
          4. Containment, eradication, and recovery
          5. Post-incident activities
        3. Summary
      18. Index