Only a few people would contest the assertion that the phenomenon of the Internet of Things (IoT) poses problems related to security, safety, and privacy. Given the remarkable industrial and consumer diversity of the IoT, one of the principal challenges and goals we faced when electing to write this book was determining how to identify and distill the core IoT security principles in the most useful, but industry-agnostic, way possible. It was equally important to balance real-world application with background theory, especially given the unfathomable number of current and forthcoming IoT products, systems, and applications. To this end, we included some basic security (and safety) topics that we must adequately, if minimally, cover, as they are required as a reference point in any meaningful security conversation. Some of the security topics apply to devices (endpoints), some to communication connections between them, and others to the larger enterprise.
Another goal of this book was to lay out security guidance in a way that did not regurgitate the vast amounts of existing cyber security knowledge as it applies to today's networks, hosts, operating systems, software, and so on, although we realized that some is necessary for a meaningful discussion on IoT security. Not wanting to align with a single industry or company selling products, we strove to sufficiently carve out and tailor useful security approaches that encompass the peculiarities and nuances of what we think both distinguishes and aligns IoT with conventional cyber security.
A wide range of both legacy industries (for example, home appliance makers, toy manufacturers, and automotive manufacturers) and start-up technology companies are today creating and selling connected devices and services at a phenomenal and growing rate. Unfortunately, not all are terribly secure—a fact that some security researchers have unrelentingly pointed out, often with a sense of genuine concern. Though much of the criticism is valid and warranted, some of it has, unfortunately, been conveyed with a certain degree of unhelpful hubris.
What is interesting, however, is how advanced some of the legacy industries are with regard to high-assurance safety and fault-tolerant design. These industries make extensive use of the core engineering disciplines—mechanical, electrical, industrial, aerospace, and control engineering—and high-assurance safety design in order to engineer products and complex systems that are, well, pretty safe. Many cyber security engineers are frankly ignorant of these disciplines and their remarkable contributions to safety and fault-tolerant design.
Hence, we arrive at one of the serious obstructions that IoT imposes in terms of achieving its security goals: poor collaboration between the safety, functional, and security engineering disciplines needed to design and deploy what we termCyber-Physical Systems(CPS). CPS put the physical and digital engineering disciplines together in ways that are seldom addressed in academic curricula or corporate engineering offices. It is our hope that engineers, security engineers, and all types of technology managers learn to better collaborate on the required safety and security-assurance goals.
While we benefit from the IoT, we must prevent our current and future IoT from harming us as far as possible; and to do this, we need to secure it properly and safely. We hope you enjoy this book and find the information useful as regards securing your IoT.
This book targets IT security professionals and security engineers (including pentesters, security architects, and ethical hackers) who would like to ensure the security of their organization's data when connected through the IoT. Business analysts and managers will also find this book useful.
Chapter 1, A Brave New World, introduces you to the basics of IoT, its definition, uses, applications, and implementations.
Chapter 2, Vulnerabilities, Attacks, and Countermeasures, takes you on a tour where you will learn about the various threats and the measures that we can take to counter them.
Chapter 3, Approaches to Secure Development, focuses on the different engineering approaches a developer/manufacturer might take to securely design and deploy IoT devices.
Chapter 4, Secure Design of IoT Devices, provides readers with the tools needed to securely develop their own custom additions to an enterprise IoT implementation.
Chapter 5, Operational Security Life Cycle, introduces a system security life cycle for the IoT that focuses on operational aspects related to the planning, deployment, management, monitoring and detection, remediation, and disposal of IoT systems.
Chapter 6, Cryptographic Fundamentals for IoT Security Engineering, provides a background on applied cryptography.
Chapter 7, Identity and Access Management Solutions for the IoT, dives deep into identity and access management for the IoT.
Chapter 8, Mitigating IoT Privacy Concerns, explores IoT privacy concerns. It will also help you to understand how to address and mitigate such concerns.
Chapter 9, Setting Up an IoT Compliance Monitoring Program, helps you to explore how to set up an IoT compliance program.
Chapter 10, Cloud Security for the IoT, explains the concepts of cloud security that are related to the IoT.
Chapter 11, IoT Incident Response and Forensic Analysis, explores incident management and forensics for the IoT.
You will need SecureITree version 4.3, a common desktop or laptop, and a Windows, Mac, or Linux platform running Java 8.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781788625821_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Securely store your client credentials: client_id and client_secret."
A block of code is set as follows:
chmod +x start.sh # ./start.sh
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
