Dealing with IoT Security - Do Nothing, Do Simple Things, or Do It RIGHT
Sameer Dixit, Sr. Director Security Consulting

IoT on the Rise
IoT Security Frameworks and Standards
• NIST - International Cybersecurity Standardization for the Internet of Things (IoT)
• OWASP - IoT Security Guidance
• ISA/IEC 62443 - Standards to Secure Your Industrial Automation & Control Systems (IC32)
• CTIA - Cybersecurity Certification Program for Cellular-Connected IoT Devices
• Etc.

IoT Security Attack Surface
• Network - Services, Firewall
• Application - Authentication, Authorization, Input Validation
• Device Hardware - Physical Security, Local Storage, Encryption
• Mobile - Client Data Storage, Data Transport, API
• Cloud - Backend Server, Authorization, Update Security
Security Review of IoT Environment
IoT Security Testing - Do It Right!!!

IoT Network
• Insecure Server Configuration
• Default System Passwords
• Unpatched Systems
• Known Vulnerabilities & Exploits
• Insecure Firewall Configuration
• Information Leakage
• Improper Error Handling
• Weak Cryptographic Keys
• Vulnerable Ciphers and Protocols

IoT Application & Cloud
• Authentication
• Authorization
• Encryption Usage
• Lockout
• Brute Force Login
• Injection Attacks
• XSS
• SQL
• Weak Password
• Privilege Escalation

IoT Device Hardware
• Device Firmware Analysis
• Binary Code Analysis
• Spoofing
• JTAG/UART Review
• Fuzzing
• Underlying Software & Application Evaluation
• Unencrypted Device Communication
• Authentication
• Authorization
• Encryption Usage
• Data Exfiltration

IoT Mobile Interface
• Device End Security
• Sensitive Information Stored in Cache
• Unencrypted Data Storage
• Files Inspection
• Excess Permissions and Privileges
• Lockout Policy
• Dynamic Analysis
You are not alone. We Can Help.
Spirent SecurityLabs Credentials
Certified & Experienced Security Consultants
• CATL - CTIA IoT Cybersecurity Certification
• CREST - Global Certified Ethical Security Testers
• OSCP - Offensive Security Certified Professional
• CEH - Certified Ethical Hacker
• CISSP - Certified Information Systems Security Professional
• GXPN - GIAC Certified Exploit Researcher and Advanced Penetration Tester
• GPEN - GIAC Penetration Tester
• GICSP - Global Industrial Cyber Security Professional
• NSA ISAM - NSA InfoSec Assessment Methodology Certification
• CCENT - Cisco Certified Entry Networking Technician
• UCP - Unix Certified Programmer
• Security+, Server+
Thank You! SecurityLabs@Spirent.com https://www.spirent.com/Products/SecurityLabs