Five security considerations for IoT implementations
These five security considerations are ones that I've identified after conducting numerous interviews with professionals who work with customers involved in implementing Internet of Things (IoT) infrastructures. This is the first in a series of posts on the topic of security that covers each of these aspects in detail from those interviews.
ZDNET's top features today
If you're thinking of implementing an IoT type network in your business, you must consider that security is the most important part of the equation. And there isn't one aspect of security that's more important than any other. A failure anywhere along the continuum from remote device to the data collecting server is a failure.
Here's my list of five security points:
- Device security
- Network security
- Server security
- Data security
- Operating system security
Device security
Devices that gather data have multiple security weak points: physical, operating system, data, and network. Physical security is any device's most vulnerable point. Even the least competent security person will tell you that if your physical security is compromised, then there's very little a thief can't acquire. Physical security of your devices is as important as physical security of your servers.
These devices have operating systems, local data, and network connections that, even if secured to the maximum possible level, are vulnerable if a thief gets physical access. At a minimum, your device will be disabled and you'll collect no data from it. This incurs expense and outage for you.
The worst case scenario is that a thief not only takes the device but also recovers the data, network configurations — including usernames and passwords — or is able to temporarily take the device offline, plant malware on it and then replace it. In the case of a malware infection, you might never know that a device has been compromised.
Often the device or its data are not the actual target of the compromise; it's your other assets that can be acquired through malware infection once inside your network or data center.
Network security
Many system administrators see network security as the weakest link in the data transfer and communications chain in IoT implementations. It is true that many hacks, cracks, and compromises are due to some sort of network shortfall but it isn't the only method. To be sure, it's the first one that many hackers try. It's the least risky to the hacker and the method that generally pays the highest dividends in compromised data hacks.
There is a general assumption that virtual private networks (VPNs) are the ultimate network security compromise deterrent. They are good practice but they, in no way, ensure absolute network security. Yes, VPNs are secure because their traffic is encrypted, but the problem with trusting network security to a VPN alone is that it is still susceptible to man-in-the-middle (MITM) attacks.
Just because network traffic is encrypted doesn't mean that it's 100-percent safe or secure. There is a way to ensure that it is — data integrity checks. You should check traffic coming from your devices to be sure that it hasn't been tampered with by using integrity checks. Some IoT device providers do this and some do not. You'll need third-party software to perform the checks for you.
You also need to check the data that leaves your network. Don't assume that everything bad that can happen happens from the outside in. Some compromises are from the inside to the outside, directionally speaking. You should monitor those leaks as well. Remember that it's not always a break-in situation. Sometimes the compromise is a slow leak of your valuable data from inside your network.
Server security
Server security isn't the same as operating system (OS) security. The difference is that servers or services run on an operating system. A huge number of hacks and compromises occur when such services are left unpatched or unsecured. The rule of thumb is to have as few services as possible exposed on your systems. Typically, services expose themselves via TCP or UDP (Internet protocol) ports such as SSH (22), HTTPS (443), SMTP (25), POP3 (110), DNS (53), and 3389 (RDP).
On Linux hosts, one of the best methods of securing ports is to only allow connectivity from other specific hosts using the /etc/hosts.deny and /etc/hosts.allow files.
Other methods of securing services include using firewall port address translation rules (holes) for securing which networks or hosts may contact a particular system on a specific port number.
Some protocols have secure equivalents available. When they do, or when they support secure connections between client and server, use them. Examples are SMTP's 587 or 465 and POP3's 995. SSH is already a secured port on 22.
Encrypted communications, as stated earlier, isn't a 100-percent effective deterrent but it is still a deterrent for most over-the-network hacks. The problem with network ports is that many run with elevated (root) status and once compromised they drop the successful hacker to a root prompt so that he has unlimited access to your system.
Data security
Data security is something that I've written about before. There are two types of data: data in flight (data during transmission) and data at rest (stored data). Remember that by "data," I'm referring to anything that's transmitted or stored, including passwords, usernames, certificates, keys, configuration files, as well as, actual collected data from remote sensors. Although raw data typically isn't that valuable to a hacker, it's the pathway that the data takes or what the data reveals that's important to him.
Data should be stored in an encrypted manner. That means that all data at rest should be encrypted at a very high level so that its contents are jumbled to the point of diminishing returns for anyone who could collect it, transfer it, and decrypt it.
Especially sensitive data such as credit card numbers, account numbers, usernames, passwords, should be stored and transferred encrypted. And multi-factor authentication should always be used for such sensitive data transactions and transmissions.
Operating system security
Operating system security has to do with patches, strong passwords, encrypted filesystems, antivirus software, antimalware software, and intrusion protection monitoring. Operating systems are a very weak link in the overall security spectrum. You have to be vigilant, proactive, and paranoid to make the OS secure. The OS is often seen as the weakest security link. OSs are a prime target for hackers. They exploit vulnerabilities in operating system code to own a system. Once a system is owned, it's under the control of the malicious actor. To fix such a compromised system usually means reimaging (a complete wipe and reinstall of the OS and applications).
And don't rely on backups because the compromised system was probably backed up for a long time before you detected the compromise. If you can accurately determine the date of the hack, you can restore from before that point. The problem is that you might not have backups old enough to perform a good restore.
Operating system hacks and compromises are among the most costly of all because of the amount of time required to restore the crippled system to full operation and the data losses that have occurred on it. Microsoft has Patch Tuesday to provide users with a weekly patch bundle to keep systems updated and safe. Linux distributions have their software repositories that should be checked on a daily basis for new security patches. Those checks can be performed automatically in a CRON job that grabs the latest patches, downloads them, and installs them to the system to keep it updated.
Security is all about due diligence. You have to show, in the case of a significant hack or compromise, that you and your staff were diligent in applying patches to your systems. Since patching these days is easy to automate, there's really no excuse for not staying up to date.
These five security considerations in the context of The Internet of Things gives you an idea of the depth and the breadth of the security issues facing you, your devices, and your data. I'm not trying to spread fear, but I am attempting to make you aware of the security issues you're facing and what actions you need to take. A little bit of paranoia never hurt anyone.
Related Stories: