DTS Solution
DTS Solution

Assessing IoT Risk and Attack Detection

Organizations should employ a good risk assessment process from the development/design phase and apply the principle of least privilege coupled with firewalls, detection tools, and other security technologies to identify any anomalous behavior that results from their compromise and proactively fix the problem.

Introduction
IoT devices and appliances on IP networks is becoming high on demand in today’s everyday life and organizations. Most of the time these devices do not include any out of the box security features and sometimes, not even patched, hardened, or baselined.

This brings a great number of new vulnerabilities in any organization’s infrastructure and generates a predominant attack surface, which the adversaries can utilize to obtain non authorized access and compromise these devices. IoT devices are purpose-built with a narrow set of functions, allowing organizations to gather and monitor flow data and baseline normal traffic patterns.

Common Threats and Vulnerabilities
There are well-documented sources available all over the internet that identify common threats and vulnerabilities. One of the more assessed and trusted sources is the Open Web Application Security Project (OWASP). The OWASP Internet of Things Project currently maintains a list of what it considers the top IoT vulnerabilities (Figure 2).

This provides awareness into some vulnerabilities and security issues the industry is facing. Organizations can further enumerate this ‘top vulnerabilities’ list into a fuller list of vulnerabilities and threats simply by mapping the attack surface and identifying recent attacks. The ‘Device Network Services’ and ‘Network Traffic’ categories of the OWASP IoT Attack Surface Areas list brings to light other types of attacks, specifically on IoT networking, that include routing attacks, Denial of Service (DoS) attacks, and Sybil attacks, among others.

Threat Modeling
Threat modeling is an important process to identify threats from a more strategic standpoint. This typically includes several steps to systematically understand the system being modeled which subsequently identifies potential threats.
Preferably an IoT application or solution would be broken down based on function and categorized as a device, a field gateway, a cloud gateway or a service. Each is separated by its own trust boundary and has separate requirements around authentication (AuthN) and authorization (AuthZ), data used etc., which will affect the threat model process. Once the system has been modeled, each component can be measured for threats using the STRIDE model. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.

Attack trees can also be used to create potential threats. Once the threats have been identified, an intrusion analyst can better understand what to implement and where.

Introducing Detection Solution Tools for IoT

IoT introduces additional complexity for security. Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s environment because users and apps can no longer be contained inside a company’s network, behind a clearly defined protective wall.

Intrusion detection tools can be one of the first layer of defense. One of the most significant security problems for embedded devices today is lack of know when a system is being attacked or to even know when it has been compromised. Most devices lack the logging and reporting capabilities used by enterprise security solutions (IDS, HIPS, AVs, etc…) to detect when a hacker or adversary is probing/recon or has penetrated a network or device.
To see how a detection solution can help protect IoT devices, look at any typical embedded device supporting an administrative interface available over hypertext transfer protocol (HTTP) using a username and password for access control. An adversary discovering this device could use a script to perform a brute force attack, trying thousands of log-in attempts per hour until the script finds a username and password that are accepted. Most embedded devices would simply process each password attempt as it was received. Each time password validation fails, the device simply drops the request and continues its normal processing. It is not aware that it is under attack and, subsequently, cannot report the attack to a management system.

Most IoT devices will operate in a relatively static environment. The operations they perform, the amount of data they transmit and receive, and the other devices they communicate with, change infrequently. Significant changes in these basic behaviors are anomalies and may denote a cyber-attack.

An embedded IDS system provides detection and reporting of a few critical conditions, along with summary information on device operation. This may include information such as: Number of login attempts (successful and unsuccessful), notification of communication with new IP addresses, bandwidth use reports, and detection of port probing attempts.
These can be added to an IoT device using an embedded firewall with IDS capabilities. An embedded firewall that supports configurable rules provides event reporting for IDS, filters incoming traffic, and provides virtual network segmentation, thereby limiting the ability for the adversary to launch a cyber-attack against the device.
Intrusion detection in IoT environments will generally falls into one of two ranges; traditional IP networks and Low-power Wireless Personal Area Networks (LoWPANs). As with all network intrusion detection, both situations rely on a few things to be effective. This comprises understanding the IoT communication stack, where weaknesses exist, the capacity to capture traffic, and the capacity to detect attacks in action.
There are several network intrusion detection solutions available when it comes to the IoT environment, depending on the scenario. Some common tools include Snort, Bastille, BeeKeeper, and other LoWPAN based detection both open-source and commercial.
Conclusion

Organizations must stop deploying IoT devices and appliances as trusted end systems. In the other hand, they should employ a good risk assessment process from the development/design phase and apply the principle of least privilege couple with firewalls, detection tools, and other security technologies to identify any anomalous behavior that results from their compromise and proactively fix the problem. During the operational phase, collecting and analysis of flow data is the most efficient and effective mechanism to reduce the security risks associated with deploying IoT devices.

Organizations should employ a good risk assessment process from the development/design phase and apply the principle of least privilege coupled with firewalls, detection tools, and other security technologies to identify any anomalous behavior that results from their compromise and proactively fix the problem.
Introduction
IoT devices and appliances on IP networks is becoming high on demand in today’s everyday life and organizations. Most of the time these devices do not include any out of the box security features and sometimes, not even patched, hardened, or baselined.

This brings a great number of new vulnerabilities in any organization’s infrastructure and generates a predominant attack surface, which the adversaries can utilize to obtain non authorized access and compromise these devices. IoT devices are purpose-built with a narrow set of functions, allowing organizations to gather and monitor flow data and baseline normal traffic patterns.

Common Threats and Vulnerabilities
There are well-documented sources available all over the internet that identify common threats and vulnerabilities. One of the more assessed and trusted sources is the Open Web Application Security Project (OWASP). The OWASP Internet of Things Project currently maintains a list of what it considers the top IoT vulnerabilities (Figure 2).

This provides awareness into some vulnerabilities and security issues the industry is facing. Organizations can further enumerate this ‘top vulnerabilities’ list into a fuller list of vulnerabilities and threats simply by mapping the attack surface and identifying recent attacks. The ‘Device Network Services’ and ‘Network Traffic’ categories of the OWASP IoT Attack Surface Areas list brings to light other types of attacks, specifically on IoT networking, that include routing attacks, Denial of Service (DoS) attacks, and Sybil attacks, among others.

Threat Modeling
Threat modeling is an important process to identify threats from a more strategic standpoint. This typically includes several steps to systematically understand the system being modeled which subsequently identifies potential threats.
Preferably an IoT application or solution would be broken down based on function and categorized as a device, a field gateway, a cloud gateway or a service. Each is separated by its own trust boundary and has separate requirements around authentication (AuthN) and authorization (AuthZ), data used etc., which will affect the threat model process. Once the system has been modeled, each component can be measured for threats using the STRIDE model. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privileges.

Attack trees can also be used to create potential threats. Once the threats have been identified, an intrusion analyst can better understand what to implement and where.

Introducing Detection Solution Tools for IoT
IoT introduces additional complexity for security. Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s environment because users and apps can no longer be contained inside a company’s network, behind a clearly defined protective wall.
Intrusion detection tools can be one of the first layer of defense. One of the most significant security problems for embedded devices today is lack of know when a system is being attacked or to even know when it has been compromised. Most devices lack the logging and reporting capabilities used by enterprise security solutions (IDS, HIPS, AVs, etc…) to detect when a hacker or adversary is probing/recon or has penetrated a network or device.
To see how a detection solution can help protect IoT devices, look at any typical embedded device supporting an administrative interface available over hypertext transfer protocol (HTTP) using a username and password for access control. An adversary discovering this device could use a script to perform a brute force attack, trying thousands of log-in attempts per hour until the script finds a username and password that are accepted. Most embedded devices would simply process each password attempt as it was received. Each time password validation fails, the device simply drops the request and continues its normal processing. It is not aware that it is under attack and, subsequently, cannot report the attack to a management system.
Most IoT devices will operate in a relatively static environment. The operations they perform, the amount of data they transmit and receive, and the other devices they communicate with, change infrequently. Significant changes in these basic behaviors are anomalies and may denote a cyber-attack.
An embedded IDS system provides detection and reporting of a few critical conditions, along with summary information on device operation. This may include information such as: Number of login attempts (successful and unsuccessful), notification of communication with new IP addresses, bandwidth use reports, and detection of port probing attempts.
These can be added to an IoT device using an embedded firewall with IDS capabilities. An embedded firewall that supports configurable rules provides event reporting for IDS, filters incoming traffic, and provides virtual network segmentation, thereby limiting the ability for the adversary to launch a cyber-attack against the device.
Intrusion detection in IoT environments will generally falls into one of two ranges; traditional IP networks and Low-power Wireless Personal Area Networks (LoWPANs). As with all network intrusion detection, both situations rely on a few things to be effective. This comprises understanding the IoT communication stack, where weaknesses exist, the capacity to capture traffic, and the capacity to detect attacks in action.
There are several network intrusion detection solutions available when it comes to the IoT environment, depending on the scenario. Some common tools include Snort, Bastille, BeeKeeper, and other LoWPAN based detection both open-source and commercial.
Conclusion

Organizations must stop deploying IoT devices and appliances as trusted end systems. In the other hand, they should employ a good risk assessment process from the development/design phase and apply the principle of least privilege couple with firewalls, detection tools, and other security technologies to identify any anomalous behavior that results from their compromise and proactively fix the problem. During the operational phase, collecting and analysis of flow data is the most efficient and effective mechanism to reduce the security risks associated with deploying IoT devices.

See also:

DTS wins “Cyber Security Integrator of the Year” award at The ICT Champion Awards 2019

October 8, 2019

What is SOC beyond a Monitoring Center?

September 25, 2019

Shah Sheikh delivers Keynote Speech at ISACA Amman Chapter Annual Conference 2019

October 2, 2019

Linkedin X-twitter Facebook Youtube

© Copyrights 2024.
All rights reserved by DTS Solution 
– Cyber Security Redefined

Solutions

Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response

Industry

Critical Infrastructure
Education
Energy and Utilities
Enterprise and Service Providers
Financial Services and FinTech
Government
Healthcare and BioTech
Legal
Manufacturing
Media and Entertainment
Retail and Ecommerce
Technology and Digital

Services
Cyber Strategy
Cyber Secure
Cyber Operations
Cyber Response
Cyber Resilience
Products

COMPLYAN
FYNSEC
HAWKEYE CSOC WIKI
Firewall Policy Builder

Other

About Us
Awards
Board of Directors
Leadership
Careers
Support
Contact
Vendors
Resources
Press Center
Privacy Policy

Accreditations
ISO27001
ISO45001
CREST
Accreditations
ISO27001
ISO45001
CREST

  Dubai

Office 4, Oasis Center
Sheikh Zayed Road
PO Box 128698
Dubai, UAE

+971 4 3383365
[email protected]
   Abu Dhabi

Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE

+971 2 6573566
[email protected]

   Kuwait

Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait


+971 4 3383365
[email protected]

   London

160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574

+44 20 3287 3942
[email protected]

The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.

DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.