IoT security

Ace your homework & exams now with Quizwiz!

communication layer protocols

Thread TCP UDP RPL IPv6 6LoWPAN

STRIDE

provides a set of categories that are very helpful for identifying potential threats in IoT systems. It is used in the vulnerability identification phase of the threat modeling process

security hardening

- Make sure the new IoT device can be easily updated. - Check for updates regularly. - Buy from a reputable manufacturer. - Default usernames/passwords must be changed - Limit management access devices to trusted sources - Turn off all unnecessary services

steps of threat model analysis

1. Identify security objectives 2. Document the IoT System Architecture 3. Decompose the IoT System 4. Identify and Rate Threats 5. Recommend Mitigation

IoT reference model

7. Collaboration & Processes 6. Application 5. Data Abstraction 4. Data Accumulation 3. Edge (Fog) Computing 2. Connectivity 1. Physical Devices & Controllers

IoT security model

Application Communication Device

CIA triad

Confidentiality, Integrity, Availability

Cross-Site Scripting (XSS)

An attack that injects scripts into a Web application server to direct attacks at clients.

encryption in constrained devices

Due to the nature and size of IoT devices, they usually have a limited amount of resources. A consequence of this is that most IoT devices do not have the processing power or resources necessary for the more robust encryption algorithms. Because encryption is still a necessary component for their functionality, lightweight encryption algorithms could be used.

data an password security

Encryption is the mechanism that is used to ensure data confidentiality. IoT devices are especially vulnerable to threat actors because many older IoT devices currently in production do not support encryption.

device layer protocols

IEEE 802.15.4 BLE (Bluetooth low energy) Wi-fi NFC (near field communication) Cellular LoRaWAN, Sigfox, NB-IoT

operational technology

Includes industrial control systems, supervisory control and data acquisition systems, and all the devices that connect to these systems.

information technology

Includes devices in the data center, in the cloud, bring your own device (BYOD)

encryption methods

Modular arithmetic Kerckhoff's principle RSA Diffie-Hellman key Exchange

OWASP IoT project

Non profit initiative, focused on improving software security.

IoT CPU types

RISC and CISC

risk control strategies

Terminate Transfer Threat Tolerate

threat modeling

The process of analyzing in a structured way the weaknesses of a system from the point of view of a potential attacker. Helps identifying risks, quantifying their probability and severity, and prioritizing. There are several methodologies: STRIDE, Open threat taxonomy, ENISA and OWASP.

threat modelling

The process of analyzing in a structured way the weaknesses of a system from the point of view of a potential attacker. Helps identifying risks, quantifying their probability and severity, and prioritizing. There are several methodologies: STRIDE, Open threat taxonomy, ENISA and OWASP.

device layer attack surface

The vulnerabilities described by OWASP are hardware sensors, device memory, device physical interfaces, device firmware and firmware update mechanism

communication layer attack surface

Vulnerabilities this layer is device network services and network traffic. Data in motion can be intercepted, damaged, or altered. In addition, because the purpose of much of the IoT is data collection, attacks on the systems that carry data can bring down an entire IoT system.

Application layer protocols

Zigbee HTTP/HTTPS MQTT CoAP

risk register

a description of each identified risk, probability or frequency of the risk concurring, steps to mitigate, rank each risk, exposure cost

application layer attack surface

any weakness that a threat actor could use to compromise the security of that application. He can then use specific tools and methods to discover application vulnerabilities such as application penetration testers, port scanners, and code checkers.

Constained devices

device usually has very limited power, memory, and processing cycles. Communication capabilities are also limited. Where communication is available it is unlikely that encryption is implemented due to the limited processing power of these devices. . Lack of encryption is one of the vulnerabilities listed by OWASP

Iot attack surface

devided into device, communication and application layer attack surface.

authentication security issues

eavesdropping DoS Trojan horse Replay

IoT devices identity management

in the world of IoT, it refers to the identification of a wide range of IoT devices and managing their access to data.

operational technology OT

includes industrial control systems, supervisory control and data acquisition systems. and all the devices that connect to these systems.

risk analysis

involves the identification and assessment of the potential risks.

risk management

involves the identification, selection and adoption of security measures to eliminate or reduce risks to acceptable levels.

digital signature

is a mathematical scheme for demonstrating authenticating digital information. cannot be copied because it is always different.

CVSS

is a risk assessment designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems

risk

is where threat and vulnerability overlap. Threat + asset + vulnerability = ___

access control

must be implemented by an organisation that protects its network resources, information system resources and information.

Threat model analysis

primarily a tool used to conduct tasks for risk management and vulnerability assessments. Threat modeling is a structured approach for analyzing the security and vulnerability of a system, whether that system be a device's hardware, software, or the networks used to communicate with other devices.

Information security is achieved

products people procedures derived from plans and policies

constrained devices

usually has very limited power, memory, and processing cycles. Communication capabilities are also limited. it is unlikely that encryption is implemented due to the limited processing power of these devices. devices are smart sensors, embedded devices and prototyping.

firmware vulnerabilities

vulnerabilities include default login credentials, DDoS attacks, out-of-date firmware, buffer overflow attacks and backdoor installation.

questions thinking about risks

who are the threat actors who want to attack us? what vulnerabilities can threat actors exploit? how would the system be affected by successful attacks? what is the likelihood that different attacks will be successful? how can the organization address the risk?

the public key infrastructure PKI

with its Certificate Authority (CA) is needed to support large-scale distribution and identification of public encryption keys.

Common ip vulnerabilities

· DoS attacks · DDoS attacks · ICMP attacks (for the purpose of reconnaissance) · Addressing spoofing attacks · Man-in-the-middle attacks · Session hijacking

One-time programmable memory OTP

· Permanently programmed memory cells (state-of the-art today) · Hard to reverse engineering · Programmed during IC system manufacturing. · Possible to destroy stored keys in response to tamper attempts. · Security may be maximized if the IC generates its own keys using hardware designed into the device.

vulnerabilities for constrained devices

· Theft of the device. · Physical damage to the device. · Disabling the device, removing power source. Disabling communication, disconnecting cables or other means of disruption


Related study sets

Vacation Listening: Conversations

View Set

Homogeneous vs Heterogeneous Mixtures & Pure Substances vs Mixtures

View Set