It often helps to look at cybersecurity from the attacker’s point of view.
This approach, in fact, is the foundation of common techniques for penetration testing. That’s when “white hat” hackers will put a company’s IT systems through a range of attacks, looking for security vulnerability issues and defense gaps.
So when we consider Internet of Things device security and the defenses that protect an enterprise’s IoT deployments, it’s important to adopt the mindset of an attacker.
What’s an attacker looking for when they are prepping IoT attacks?
Assessing the Attack Surface
First off, attackers are looking for low-hanging fruit. That means lots of deployed systems, potentially containing many openings for exploits because of misconfiguration, out-of-date software, and similar problems.
The attacker might look for devices deployed with certain ports open for access. Or an enterprise might have deployed systems with default administrative passwords still in place. Or perhaps a host of deployed systems are not up to date with the latest firmware or patches. But the key from the attacker’s viewpoint is that they want to find systems deployed at scale in which each individual system may have many opportunities for exploit.
Security practitioners often call this the enterprise’s “attack surface.” One way to assess the attack surface is to consider the potential points of unauthorized entry into an individual system, then multiply that by the number of those systems in deployment. From the attacker’s view, the bigger that attack surface, the greater the chance to get past defenses and exploit vulnerabilities in the enterprise’s systems.
The Problem of Scale
So bigger deployments can equate to bigger risk. Since IoT deployments can often number 50,000 devices and up, IoT security can become much more challenging than traditional IT security. Scale is a chief reason that traditional IT security processes and procedures are often inadequate to protect IoT devices and applications.
There are many ways that deployments at scale can make IoT security challenging:
- Vulnerability management: Thousands of vulnerability notifications are issued each month. This complicates how a device developer, or a customer deploying those devices, can identify which systems are affected and how the vulnerabilities can be mitigated until a patch is available.
- Patch management: Understanding which systems or software components need to be updated with a security patch and then applying those patches can become very complex and time-consuming as device deployments escalate.
- Device hardening: If an attacker is successful at gaining access to a device, what are they able to do? This type of vulnerability assessment should provide an indicator of how devices can be hardened by configuring them to minimize the damage if an exploit is successful. The next question then is how the hardened configuration can be applied at scale across all the devices if they are already in production deployment.
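To make the vulnerability- and patch-management problem above concrete, here is an added example (not Timesys code) that matches a feed of advisories against a fleet inventory of device component versions, ranks the CVEs by how many devices are exposed, and flags those with no fix yet so interim mitigation can be prioritized. All CVE identifiers, package names, versions and device ids are constructed placeholders.

```python
"""Fleet-scale CVE triage: match advisories against a device component inventory.
Added example, not Timesys code. All CVE ids, packages, versions and device ids
below are constructed placeholders, not real advisories or real devices."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    # "1.2.3" -> (1, 2, 3); tuples compare component by component
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version, or None if no patch exists yet

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def affected_devices(advisories, fleet):
    """fleet: device_id -> {package: version}. Returns cve_id -> sorted device ids."""
    hits = {}
    for adv in advisories:
        ids = [d for d, comps in fleet.items()
               if adv.package in comps and is_affected(comps[adv.package], adv)]
        if ids:
            hits[adv.cve_id] = sorted(ids)
    return hits

def triage(advisories, fleet):
    """Rank CVEs by fleet exposure: (cve_id, exposed_count, patch_available)."""
    hits = affected_devices(advisories, fleet)
    by_id = {a.cve_id: a for a in advisories}
    rows = [(cve, len(ids), by_id[cve].fixed is not None) for cve, ids in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample data: three advisories and a three-device fleet
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "1.1.0", "1.1.1"),      # patch available
    Advisory("CVE-0000-0002", "busybox", "1.30.0", None),        # no fix yet
    Advisory("CVE-0000-0003", "dropbear", "2019.78", "2020.80"),
]
FLEET = {
    "gw-001": {"openssl": "1.1.0", "busybox": "1.31.1", "dropbear": "2020.81"},
    "gw-002": {"openssl": "1.1.1", "busybox": "1.30.0"},
    "sensor-01": {"busybox": "1.29.3", "dropbear": "2019.78"},
}
```

Running `triage(ADVISORIES, FLEET)` on the sample data puts the unpatched busybox advisory first because it exposes the most devices, which is exactly the interim-mitigation case the list above describes.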
IoT Security at Scale
Making IoT deployments secure means being able to counteract the security risks caused by deploying devices at IoT scale.
At Timesys, we have been working with IoT device manufacturers to make available the industry’s best practices for embedded system IoT security at the scale of IoT deployments.
A chief lesson in securing devices at IoT scale is that devices should be designed with security in mind from the outset. So, for example, our Secure by Design services enable a device developer to conduct embedded Linux hardening early in product design.
Similarly, we can assist device makers with IoT device security auditing, which can serve as a precursor to a broader security risk assessment that customers may employ. When devices are in production deployment, monitoring, assessing and responding to Common Vulnerabilities and Exposures notifications becomes critical.
Our CVE monitoring and notification service enables device developers to quickly understand which of the flood of CVE notifications will demand an update or patch in their systems.
Similarly, our Security Vulnerability and Patch Notification Service can inform a device developer when a patch is available for the embedded open source software components used in that developer’s devices. That accelerates mitigation of vulnerabilities and reduces the risk of a customer’s IoT deployment suffering a breach.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will help you ensure your embedded products are secure by design, and will stay secure throughout their lifecycles. Our embedded system security offerings will simplify IoT device security for your products and customers. Contact us to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.