Last week I was a guest speaker for Part Two of Zephyr's webinar series on the Internet of Things (IoT). In my last post, I recapped what I shared on the first webinar on Health Care and The Internet of Things. Similarly, I'd like to now post my notes for what I shared on the second webinar on Internet Of Things Testing for risks presented by security.
I'm really excited about these types of webinars because I think that with the Internet of Things era now upon us, there are going to be new security concerns and attacks that we've not previously seen and need to prepare for. I think having this type of conversation is a great place to start in order to get ready for some of the security concerns we are going to be covering today.
Vulnerabilities that exist today
Based on my research, one of the biggest infrastructure vulnerabilities in IoT today lies in Cloud-based solutions. This is important because with the Internet of Things more and more devices will be storing their data in the Cloud.
Back in the day, our applications' entire infrastructure was in house. We knew where everything was, what patch level our machines were at, and who had access to those machines. With the Cloud we have no idea. Since we no longer have the same control we once did, there are many issues that can come up. That's why we need to be vigilant with risk assessment and security auditing.
A recent example of a security vulnerability with the Cloud was last year's Apple iCloud breach, where celebrity accounts were hacked and their intimate photos posted online. It's believed that the iCloud hack was due to a common brute-force technique where hackers used advanced software and other maneuvers to guess an individual user's ID and password.
Additionally, if you work in the medical field you know how important regulatory compliance and patient data are. This type of hack can cause major damage to a company's brand and could lead to loss of revenue.
Internet of Things — Medical infrastructures
With the Internet of Things, medical infrastructures have also grown more vulnerable to hacks since the federal government has forced such data into the digital realm. So it's essential with the Internet of Things that our Cloud-based solutions have sophisticated authentication and encryption methods implemented.
Once again, it falls to risk and security assessment to ensure that things like better password policies are enforced so those types of issues can be avoided.
A quick way to identify risk with your applications
A good way to quickly identify risk in your IoT application's infrastructure is to use the OWASP Risk Rating Methodology, where:
Risk = Likelihood of attack, multiplied by what the impact would mean to your application and your business if that risk was exploited
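To make the formula concrete, here is an added example (not from the webinar or from OWASP's own tooling) that scores one scenario the way the OWASP Risk Rating Methodology does: 0-9 factor scores are averaged into likelihood and impact, banded as LOW/MEDIUM/HIGH, and combined through the severity matrix. The scenario (password guessing against an IoT device's cloud account) and all of its scores are constructed for illustration.

```python
from statistics import mean

def level(score):
    """Map a 0-9 average onto OWASP's LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"

# Overall severity matrix from the methodology: SEVERITY[impact][likelihood]
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def rate(threat_agent, vulnerability, technical, business=None):
    """Return (likelihood, impact, severity); each argument maps factor -> 0..9.

    Business impact is used when it is known, otherwise technical impact.
    """
    groups = [threat_agent, vulnerability, technical] + ([business] if business else [])
    for group in groups:
        if not group or any(not 0 <= v <= 9 for v in group.values()):
            raise ValueError("every factor group needs scores between 0 and 9")
    likelihood = mean(list(threat_agent.values()) + list(vulnerability.values()))
    impact = mean((business or technical).values())
    return likelihood, impact, SEVERITY[level(impact)][level(likelihood)]

# Constructed scores for the sample scenario (assumptions, not measured data).
THREAT = {"skill_level": 3, "motive": 9, "opportunity": 7, "size": 9}
VULN = {"ease_of_discovery": 7, "ease_of_exploit": 5,
        "awareness": 9, "intrusion_detection": 8}
TECH = {"confidentiality": 7, "integrity": 3, "availability": 1, "accountability": 7}
BUSINESS = {"financial": 3, "reputation": 9, "non_compliance": 7, "privacy": 7}

if __name__ == "__main__":
    for label, biz in (("technical impact only", None), ("with business impact", BUSINESS)):
        likelihood, impact, severity = rate(THREAT, VULN, TECH, biz)
        print(f"{label}: likelihood={likelihood:.2f} impact={impact:.2f} -> {severity}")
```

Scoring the same finding with and without the business factors shows why the methodology asks for them: the reputational and compliance cost moves this scenario from High to Critical.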
I believe that with regard to the Internet of Things, these types of infrastructure concerns will continue to grow, as well as uncover new vulnerabilities.
It's kind of scary that most of the devices in the Internet of Things will be used in critical infrastructure areas like power production/generation/distribution, manufacturing, and personal “infrastructure” like personal medical devices and home control devices.
Unfortunately these areas are also prime targets for new vulnerabilities due to things like cyber warfare and national and industrial espionage. Sensitive personal information is also a highly sought-after target for fraud, identity theft and cyber criminals.
I know there have been documented instances of intrusions like this on the US government; I believe that back in November 2014 there was an intrusion into the infrastructure of the State Department that led to the shutdown of their email systems. Supposedly, it was the work of the Russian government. I'm sure you've seen other similar examples in the news.
A good example of Chinese cyber-espionage against US companies appeared in the July 2015 edition of MIT Technology Review. Their favorite exploit seems to have been using malware to take control of a competitor's employee's machine.
I also read a recent article where the NSA classified some of these areas as “D” weapons that can be exploited using disruptive attacks. One of those is denial of service, where the hacker aims to disable a server or network by flooding it with messages.
It only gets scarier when you think of exploits to medical devices that can be hacked, like pacemakers that can be stopped remotely, or remote control of insulin pumps that can be made to deliver a lethal dose of insulin.
The US Department of Homeland Security (DHS) is currently investigating more than 20 medical devices that could be tampered with by outside agencies.
Security by Isolation
Even worse, we often don't even know where some of the IoT devices we're using are coming from. They could be from a country that has added a back door in code that will allow an attacker to take control of them at any time.
That's why Security by Isolation on the infrastructure side is going to be important for IoT, since with all these devices interacting with one another, an attack on one piece of critical infrastructure can affect other infrastructures.
I believe that with the advent of the Internet of Things, the potential for manipulation and hacking within the infrastructure piece is going to grow exponentially. That means that if you're a developer or a tester, you need to start thinking of ways that we can secure our applications and protect our customers' data.