eBook - ePub
Practical Internet of Things Security
Design a security framework for an Internet connected ecosystem, 2nd Edition
Brian Russell, Drew Van Duren
This is a test
Share book
- 382 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Practical Internet of Things Security
Design a security framework for an Internet connected ecosystem, 2nd Edition
Brian Russell, Drew Van Duren
Book details
Book preview
Table of contents
Citations
About This Book
A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world
Key Features
- Learn best practices to secure your data from the device to the cloud
- Use systems security engineering and privacy-by-design principles to design a secure IoT ecosystem
- A practical guide that will help you design and implement cyber security strategies for your organization
Book Description
With the advent of the Internet of Things (IoT), businesses have to defend against new types of threat. The business ecosystem now includes the cloud computing infrastructure, mobile and fixed endpoints that open up new attack surfaces. It therefore becomes critical to ensure that cybersecurity threats are contained to a minimum when implementing new IoT services and solutions.
This book shows you how to implement cybersecurity solutions, IoT design best practices, and risk mitigation methodologies to address device and infrastructure threats to IoT solutions.
In this second edition, you will go through some typical and unique vulnerabilities seen within various layers of the IoT technology stack and also learn new ways in which IT and physical threats interact. You will then explore the different engineering approaches a developer/manufacturer might take to securely design and deploy IoT devices. Furthermore, you will securely develop your own custom additions for an enterprise IoT implementation. You will also be provided with actionable guidance through setting up a cryptographic infrastructure for your IoT implementations. You will then be guided on the selection and configuration of Identity and Access Management solutions for an IoT implementation. In conclusion, you will explore cloud security architectures and security best practices for operating and managing cross-organizational, multi-domain IoT deployments.
What you will learn
- Discuss the need for separate security requirements and apply security engineering principles on IoT devices
- Master the operational aspects of planning, deploying, managing, monitoring, and detecting the remediation and disposal of IoT systems
- Use Blockchain solutions for IoT authenticity and integrity
- Explore additional privacy features emerging in the IoT industry, such as anonymity, tracking issues, and countermeasures
- Design a fog computing architecture to support IoT edge analytics
- Detect and respond to IoT security incidents and compromises
Who this book is for
This book targets IT Security Professionals and Security Engineers (including pentesters, security architects and ethical hackers) who would like to ensure the security of their organization's data when connected through the IoT. Business analysts and managers will also find this book useful.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoâs features. The only differences are the price and subscription period: With the annual plan youâll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weâve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Practical Internet of Things Security an online PDF/ePUB?
Yes, you can access Practical Internet of Things Security by Brian Russell, Drew Van Duren in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Science General. We have over one million books available in our catalogue for you to explore.
Information
Cryptographic Fundamentals for IoT Security Engineering
This chapter is directed squarely at IoT implementers, those developing IoT devices (consumer or industrial) or integrating IoT communications into their enterprises. It provides you with an A to Z for their IoT implementations and deployments. While most of this book is devoted to practical application and guidance, this section diverges a bit to delve into deeper background topics associated with applied cryptography and cryptographic implementations. Many security practitioners will find this information common sense, but given the myriad cryptographic implementation errors and deployment insecurities even security-aware tech companies continue to deploy, we decided this background was needed. The risks are growing worse, evidenced by the fact that many industries historically unfamiliar with security (for example, home appliance vendors) continue to network-connect and IoT-enable their products. In the process, they make many avoidable errors that can harm their customers.
A detailed review of the use of cryptography to protect IoT communication and messaging protocols is provided, along with guidance on how the use of certain protocols drives the need for additional cryptographic protections at different layers of the technology stack.
This chapter is a critical prerequisite to the chapter on Public Key Infrastructures (PKIs) and their use in IoT identity and trust management. It explains the underlying security facets and cryptographic primitives on which PKIs depend.
This chapter is broken up into the following topical sections:
- Cryptography and its role in securing the IoT
- Types and uses of cryptographic primitives in the IoT
- Cryptographic module principles
- Cryptographic key management fundamentals
- Future-proofing your organization's rollout of cryptography
Cryptography and its role in securing the IoT
Our world is witnessing unprecedented growth in machine connectivity over the internet and private networks. Unfortunately, on any given day, the benefits of that connectivity are soured by yet more news reports of personal, government, and corporate cyber security breaches. Hacktivists, nation states, and organized crime syndicates play a never-ending game of cat and mouse with the security industry. We are all victims, either as a direct result of a cyber breach or through the costs we incur to improve security technology services, insurance, and mitigate other risks. The demand for more security and privacy is finally gaining traction in corporate boardrooms and high-level government circles alike. A significant part of that demand is for wider adoption of cryptography to protect user and machine data. Secure by default principles suggest the need for near ubiquitous use of cryptography, thus it will play an ever growing role in securing the IoT. It is and will continue to be used for encrypting wireless edge networks (network and point-to-point), gateway traffic, backend cloud databases, software/firmware images, and exabytes of your data at rest.
Cryptography provides an indispensable tool set for securing data, transactions, and personal privacy in our information age. Fundamentally, when properly implemented, cryptography can provide the following security features to any data whether in transit or at rest:
| Security feature | Cryptographic service(s) |
| Confidentiality | Encryption |
| Authentication | Digital signature or Message Authentication Code (MAC) |
| Integrity | Digital signature or MAC |
| Non-repudiation | Digital signature |
Revisiting definitions from Chapter 1, A Brave New World, the previous controls represent four out of five pillars of Information Assurance (IA). While the remaining one, availability, is not provided by cryptography, poorly implemented cryptographic instances can certainly deny availability (for example, communication stacks with crypto-synchronization problems).
The security benefits provided by cryptographyâconfidentiality, authentication, integrity, and non-repudiationâprovide direct, one-to-one mitigations against many host, data, and communication security risks.
In the not-too-distant past, the author (Van Duren) spent considerable time supporting the FAA in addressing the security needed in pilot-to-drone communications (a prerequisite to safe and secure integration of unmanned aircraft into the national airspace system). Before we could recommend the controls needed, we first needed to understand the different communication risks that could impact unmanned aircraft. This involved detailed characterization of common information types and flows between the pilot and the aircraft.
The point is that it is vital to understand the tenets of applied cryptography because many security practitionersâwhile they may not end up designing protocol-level controlsâwill at least end up making high-level cryptographic selections in the development of security embedded devices and system-level security architectures. These selections should always be based on identified risks.
Types and uses of cryptographic primitives in the IoT
When most people think about cryptography, encryption invariably comes to mind. They understand that data is scrambled, so to speak, so that unauthorized parties cannot decrypt and interpret it. Real-world cryptography is composed of a number of other primitives, however, each partially or fully satisfying one of the previous IA objectives. Securely implementing and combining cryptographic primitives together to achieve a larger, more complex security objective should only be performed or overseen by security professionals well versed in applied cryptography and protocol design. Even the most minor error can prevent the security objective(s) from being fulfilled and result in costly vulnerabilities. There are far more ways to mess up a cryptographic implementation than to get it right.
Cryptographic primitive types fall into the following categories:
- Encryption (and decryption): Provides confidentiality:
- Symmetric
- Asymmetric
- Hashing
- Digital signatures: Signatures provide integrity, identity, and data-origin authentication as well as non-repudiation:
- Symmetric: MAC used for integrity and data-origin authentication
- Asymmetric: Elliptic Curve (EC) and Integer Factorization Cryptography (IFC)
- Random number generation: The basis of most cryptography requires very large numbers originating from high entropy sources. These are needed to generate or establish cryptographic keying material.
Cryptography is seldom used in isolation, however. Instead, it provides the underlying security functions used in upper-layer communication and other protocols. For example, Bluetooth, ZigBee, SSL/TLS, and a variety of other protocols specify how to use standard cryptographic primitives and integrate them into message protocols, message encodings, and relevant protocol behaviors (for example, how to handle a failed message integrity check).
Encryption and decryption
Encryption is the cryptographic service most people are familiar with as it is used to so-called scramble or mask information so that unintended parties cannot read or interpret it. In other words, it is used to protect the confidentiality of the information from eavesdroppers (whether observing your communications or attempting to read your stored data), and to only allow it to be deciphered by intended parties. Encryption algorithms can be symmetric or asymmetric (explained shortly). In both cases, a cryptographic key and the unprotected data are input to the encryption algorithm, which encrypts the confidential data. Once in this state, it is protected from eavesdroppers. The receiving party uses a key to decrypt the data when it is needed. The unprotected data is called plaintext and the protected data is called ciphertext. The basic encryption process is depicted in the following diagram:
Encrypt-decrypt.graffle
It should be clear from the preceding diagram that if the data is ever decrypted prior to reaching IOT Device B, it is vulnerable to the Eavesdropper. This brings into question where in a communication stack and in what protocol the encryption is performed, that is, what the capabilities of the endpoints are. When encrypting for communication purposes, system security engineers need to decide between point-to-point encryption and end-to-end encryption as evidenced in their threat modeling. This is an area ripe for error, as many encrypted protocols operate only on a point-to-point basis and must traverse a variety of gateways and other intermediate devices, the paths to which may be highly insecure. For example, an OSI Layer 2 (link) encryptor may encrypt the routable network-layer traffic above it, and the protection terminates at the end of the link, whereas a network encryptor will encrypt payloads within a network-routable packet, and get it safely to a particular network destination. When network encryption doesn't fully satisfy end-to-end cryptographic protection, application-layer machine-to-machine encryption may be used.
In today's internet threat environment, end-to-end encryption at the session and application layers is most prominent due to severe data losses that can occur when decrypting within an intermediary. The electrical industry and the insecure SCADA protocols commonly employed in it provide a case in point. The security fixes often include building secure communication gateways (where newly added encryption is performed). In others, it is to tunnel the insecure protocols through end-to-end protected ones. System security architectures should clearly account for every encryption security protocol in use and highlight where plaintext data is located (in storage or transit) and where it needs to be encrypted. In general, whenever possible, end-to-end data encryption should be promoted as a secure-by-default policy.
2323__...