Practical Internet of Things Security
Table of Contents
Practical Internet of Things Security
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. A Brave New World
Defining the IoT
Cybersecurity versus IoT security and cyber-physical systems
Why cross-industry collaboration is vital
IoT uses today
Energy industry and smart grid
Connected vehicles and transportation
Manufacturing
Wearables
Implantables and medical devices
The IoT in the enterprise
The things in the IoT
The IoT device lifecycle
IoT device implementation
IoT service implementation
IoT device and service deployment
The hardware
Operating systems
IoT communications
Messaging protocols
MQTT
CoAP
XMPP
DDS
AMQP
Gateways
Transport protocols
Network protocols
Data link and physical protocols
IEEE 802.15.4
ZWave
Power Line Communications
Cellular communications
IoT data collection, storage, and analytics
IoT integration platforms and solutions
The IoT of the future and the need to secure
The future – cognitive systems and the IoT
Summary
2. Vulnerabilities, Attacks, and Countermeasures
Primer on threats, vulnerability, and risks (TVR)
The classic pillars of information assurance
Threats
Vulnerability
Risks
Primer on attacks and countermeasures
Common IoT attack types
Attack trees
Building an attack tree
Fault (failure) trees and CPS
Fault tree and attack tree differences
Merging fault and attack tree analysis
Example anatomy of a deadly cyber-physical attack
Today's IoT attacks
Attacks
Wireless reconnaissance and mapping
Security protocol attacks
Physical security attacks
Application security attacks
Lessons learned and systematic approaches
Threat modeling an IoT system
Step 1 – identify the assets
Step 2 – create a system/architecture overview
Step 3 – decompose the IoT system
Step 4 – identify threats
Step 5 – document the threats
Step 6 – rate the threats
Summary
3. Security Engineering for IoT Development
Building security in to design and development
Security in agile developments
Focusing on the IoT device in operation
Secure design
Safety and security design
Threat modeling
Privacy impact assessment
Safety impact assessment
Compliance
Monitoring for compliance
Security system integration
Accounts and credentials
Patching and updates
Audit and monitoring
Processes and agreements
Secure acquisition process
Secure update process
Establish SLAs
Establish privacy agreements
Consider new liabilities and guard against risk exposure
Establish an IoT physical security plan
Technology selection – security products and services
IoT device hardware
Selecting an MCU
Selecting a real-time operating system (RTOS)
IoT relationship platforms
Xively
ThingWorx
Cryptographic security APIs
Authentication/authorization
Edge
Security monitoring
Summary
4. The IoT Security Lifecycle
The secure IoT system implementation lifecycle
Implementation and integration
IoT security CONOPS document
Network and security integration
Examining network and security integration for WSNs
Examining network and security integration for connected cars
Planning for updates to existing network and security infrastructures
Planning for provisioning mechanisms
Integrating with security systems
IoT and data buses
System security verification and validation (V&V)
Security training
Security awareness training for users
Security administration training for the IoT
Secure configurations
IoT device configurations
Secure gateway and network configurations
Operations and maintenance
Managing identities, roles, and attributes
Identity relationship management and context
Attribute-based access control
Role-based access control
Consider third-party data requirements
Manage keys and certificates
Security monitoring
Penetration testing
Red and blue teams
Evaluating hardware security
The airwaves
IoT penetration test tools
Compliance monitoring
Asset and configuration management
Incident management
Forensics
Dispose
Secure device disposal and zeroization
Data purging
Inventory control
Data archiving and records management
Summary
5. Cryptographic Fundamentals for IoT Security Engineering
Cryptography and its role in securing the IoT
Types and uses of cryptographic primitives in the IoT
Encryption and decryption
Symmetric encryption
Block chaining modes
Counter modes
Asymmetric encryption
Hashes
Digital signatures
Symmetric (MACs)
Random number generation
Ciphersuites
Cryptographic module principles
Cryptographic key management fundamentals
Key generation
Key establishment
Key derivation
Key storage
Key escrow
Key lifetime
Key zeroization
Accounting and management
Summary of key management recommendations
Examining cryptographic controls for IoT protocols
Cryptographic controls built into IoT communication protocols
ZigBee
Bluetooth-LE
Near field communication (NFC)
Cryptographic controls built into IoT messaging protocols
MQTT
CoAP
DDS
REST
Future directions of the IoT and cryptography
Summary
6. Identity and Access Management Solutions for the IoT
An introduction to identity and access management for the IoT
The identity lifecycle
Establish naming conventions and uniqueness requirements
Naming a device
Secure bootstrap
Credential and attribute provisioning
Local access
Account monitoring and control
Account updates
Account suspension
Account/credential deactivation/deletion
Authentication credentials
Passwords
Symmetric keys
Certificates
X.509
IEEE 1609.2
Biometrics
New work in authorization for the IoT
IoT IAM infrastructure
802.1x
PKI for the IoT
PKI primer
Trust stores
PKI architecture for privacy
Revocation support
OCSP
OCSP stapling
SSL pinning
Authorization and access control
OAuth 2.0
Authorization and access controls within publish/subscribe protocols
Access controls within communication protocols
Summary
7. Mitigating IoT Privacy Concerns
Privacy challenges introduced by the IoT
A complex sharing environment
Wearables
Smart homes
Metadata can leak private information also
New privacy approaches for credentials
Privacy impacts on IoT security systems
New methods of surveillance
Guide to performing an IoT PIA
Overview
Authorities
Characterizing collected information
Uses of collected information
Security
Notice
Data retention
Information sharing
Redress
Auditing and accountability
PbD principles
Privacy embedded into design
Positive-sum, not zero-sum
End-to-end security
Visibility and transparency
Respect for user privacy
Privacy engineering recommendations
Privacy throughout the organization
Privacy engineering professionals
Privacy engineering activities
Summary
8. Setting Up a Compliance Monitoring Program for the IoT
IoT compliance
Implementing IoT systems in a compliant manner
An IoT compliance program
Executive oversight
Policies, procedures, and documentation
Training and education
Skills assessments
Cyber security tools
Data security
Defense-in-depth
Privacy
The IoT, network, and cloud
Threats/attacks
Certifications
Testing
Internal compliance monitoring
Install/update sensors
Automated search for flaws
Collect results
Triage
Bug fixes
Reporting
System design updates
Periodic risk assessments
Black box
White box assessments
Fuzz testing
A complex compliance environment
Challenges associated with IoT compliance
Examining existing compliance standards support for the IoT
Underwriters Laboratory IoT certification
NIST CPS efforts
NERC CIP
HIPAA/HITECH
PCI DSS
NIST Risk Management Framework (RMF)
Summary
9. Cloud Security for the IoT
Cloud services and the IoT
Asset/inventory management
Service provisioning, billing, and entitlement management
Real-time monitoring
Sensor coordination
Customer intelligence and marketing
Information sharing
Message transport/broadcast
Examining IoT threats from a cloud perspective
Exploring cloud service provider IoT offerings
AWS IoT
Microsoft Azure IoT suite
Cisco Fog Computing
IBM Watson IoT platform
MQTT and REST interfaces
Cloud IoT security controls
Authentication (and authorization)
Amazon AWS IAM
Azure authentication
Software/firmware updates
End-to-end security recommendations
Maintain data integrity
Secure bootstrap and enrollment of IoT devices
Security monitoring
Tailoring an enterprise IoT cloud security architecture
New directions in cloud-enabled IoT computing
IoT-enablers of the cloud
Software defined networking (SDN)
Data services
Container support for secure development environments
Containers for deployment support
Microservices
The move to 5G connectivity
Cloud-enabled directions
On-demand computing and the IoT (dynamic compute resources)
New distributed trust models for the cloud
Cognitive IoT
Summary
10. IoT Incident Response
Threats both to safety and security
Planning and executing an IoT incident response
Incident response planning
IoT system categorization
IoT incident response procedures
The cloud provider's role
IoT incident response team composition
Communication planning
Exercises and operationalizing an IRP in your organization
Detection and analysis
Analyzing the compromised system
Analyzing the IoT devices involved
Escalate and monitor
Containment, eradication, and recovery
Post-incident activities
Summary
Index