IOT Security

By -
With emergence of new device everyday from smart TV to smart refrigerator, microwave oven, fit bands, internet connected device is everywhere and is becoming part of our day  to day lives.

While it is making lives easy for all of us and be more social, still it poses serious security risks and challenges.

Apart from intruding our privacy, security challenges pose a major threat if the devices are not tested completely.

In order to secure IOT, below are some of the areas that can be focused on..

  1. Secure Design of IOT
    •  This is the most critical part of IOT as every aspect of design should be thought keeping security in mind. If this first part fails, many components will be at risk. It should be designed keeping fail safe in mind which means a component failure does not risk the entire system.
  2. IOT Network Security
    • This is very important as the traffic flows at all levels and network security forms a component to prevent any sort of attacks or breaches. Firewalls and IPS solutions along with SIEM solutions should be an integral part of Security of  IOT.
  3. Authentication and Authorization
    • In connected world, this is the most common and user driven part where a user is connected to devices all the time. The cars are connected, refrigerators are connected, homes are connected, lights are connected, personal devices are connected and so much more. This is also the most challenging part. One cannot expect users to type in authentication mechanism as passwords or thumb impression all the time. Their has to be easy mechanisms and secure one to ensure users have seamless experience. Private certificates should be embedded on device that connects to master systems, so in in case a certificate is compromised, new certificate can be easily issued to systems.
    • Like all other secure areas, role based access should be ensured for proper authorizations.
  4. Encryption of data end to end, from device to data in transit
    •  Since the user data is stored and transmitted, it is very important to perform encryption at both levels, data at rest on devices as well as data in transit. This will minimize the data breach challenges.
  5. Security Testing
    • Doing all the hard work above can only be verified with Security testing. This phase is the most critical part and it should involve both internal security testing as well as independent third party testing. 
    • The testing should involve both static as well as dynamic testing.
    • On the fly testing is very important as hacker can take control of device and disable it when you need the most.
  6. Vulnerability Management and Patch Management
    • All the embedded systems and devices should be performed for vulnerabilities testing and if possible regular scanning though passive can be done. Since these devices are with consumers, their regular security updates and patches are the most important part.
  7. Security Analytics - less false positives, actionable and fast reporting
    • With the number of connected devices increasing day by day, amount of data being collected is huge and it requires huge potential to form the basis of decisions. Big data and security analytics forms a major components of IOT ecosystems. The number of false positives going up will likely fail the IOT ecosystems. So it is very critical that false positives should be going down gradually, but at the same time easy accurate and reliable reporting is the heart of this analytics engine.
One more critical component of this IOT is Privacy and User Awareness. Their are various acts governing privacy laws as GDPR and recently India also notifying privacy as a critical component and rights of every users, so the device collecting informations should be notifying to users, what data and type of data is being collected.

Comments

Post a Comment

Popular posts from this blog

Payment Gateway Security Testing Checklist

By -
Below given are some of the possible testing scenarios, which may prove to be useful in performing payment gateway testing. Whether all the types of payment options available through the payment gateway are selectable or not.  Whether each payment option is showing its specification and requirements after being selected by the user.What happens, after the failure of the payment process or if the session ends.  To check, if the payment gateway is allowing to enter data in the blank fields of the card number, card name, expiry date and CVV number.  To examine, how the payment gateway system behaves or responds, after leaving one or more fields, blank such as leaving CVV number field, blank, etc.  Whether the user is being redirected to the application page, after the successful completion of the payment process.  Applying language change, during the payment process. Checking successful integration of
Read more

Network Security VAPT Checklist

By -
Network Security VAPT Checklist Lets talk about the scope first. If you are given a 500 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc. Any single FTP software version (for example pureftpd 1.3.3a) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest. Ø   Identify live hosts ·          Ping ·          Hping ·          Nmap Ø   Identify OS type ·
Read more

How to dump Database using Sqlmap

By -
Image
Database Dump using SQLMap Find out the parameter of application that is vulnerable to SQL injection . Vulnerable Parameter  : “User ID” Enter ‘ and then click on Submit button. will get the SQL Error. Now Intercept the Request in burp. Copy the incepted request and save it in sqlmap installed directory. Open CMD and go to the directory where SQL map is installed (C:/sqlmap) and type sqlmap.py –r sqlinjection (filename) –-dbs and then enter. (dbs is used for dump database name). Then type Y and enter. Type N and enter, it display all the database . Now we have to find out the table in database. Type sqlmap.py –r sqlinjection –D dvwa(database name) –tables.     In the above snap we got the table name in dvwa database. Then we have find out the column name. type sqlmap.py –r sqlinjection –d dvwa –T users –column. Now we are going to dump the userid and password from column. Type sqlmap.py –r sqlinje
Read more