Securing The Internet of Things

by Süleyman Petek 28. September 2015 20:30

The Internet of Things, aka "IoT", has become a very popular term recently, and many large companies are investing in the area. Another popular term, "Big Data", overlaps with IoT. The architecture of the original Internet was created long before communication with billions of simple devices such as sensors and appliances was ever envisioned. The coming explosion of these simple devices creates enormous challenges for the current networking paradigm. The scope and range of the devices to be connected are huge, and the connections at the edges of the network where these devices will be installed will be low-speed, lossy and intermittent. Within a few years, devices on the IoT will outnumber human beings on the planet, and the number of devices will continue to grow.

Here are some basic design guidelines:

  • It should specify as little as possible and leave much open for others to innovate.
  • Systems must be designed to fail gracefully seeking not to eliminate errors, but to accommodate them.
  • Graduated degrees of networking functionality and complexity are applied only where and when needed.
  • The architecture is created from simple concepts that build into complex systems using the analog provided by natural phenomena.

There are many products on the market today under the IoT label that lack even a basic security architecture. It is very easy for a knowledgeable person to take control of such devices for malicious purposes. Management knows how to manage known risks, but does not yet know how to measure them in the field of IoT and machine-to-machine communication. The attack types can be listed as:

  • Denial of Service
  • Breaking the Stored Credentials / Guessing the Credentials
  • Man in the Middle
  • Network Sniffing
  • Port Scanning / Web Crawling
  • Search Features & Wildcards

And how can we protect ourselves?

  • Virtual Private Networks
  • Certificates & Encryption
  • Authentication of things

According to the HP Fortify 2014 IoT Security report:
  • Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials
  • 70 % of devices used unencrypted network service
  • 90 % of devices collected at least one piece of personal information via the device, the cloud, or its mobile application
  • 60 % raised security concerns with their user interfaces

You can also check the OWASP Internet of Things project, whose Top 10 for 2014 is listed below:

  • I1 Insecure Web Interface
  • I2 Insufficient Authentication/Authorization
  • I3 Insecure Network Services
  • I4 Lack of Transport Encryption
  • I5 Privacy Concerns
  • I6 Insecure Cloud Interface
  • I7 Insecure Mobile Interface
  • I8 Insufficient Security Configurability
  • I9 Insecure Software/Firmware
  • I10 Poor Physical Security


IT Security | Awareness | Tech | Internet Of Things

Web Application Security 101

by Süleyman Petek 11. July 2015 14:25

Since the Internet began to proliferate nearly 20 years ago, its use in our daily lives has increased day by day. At first we got used to reading newspapers on the web, then we started performing basic financial operations through our banks' web sites. The shopping, a.k.a. "e-commerce", craze followed. Buying plane tickets, betting, dating and so on: a huge cyber world has grown up out there. That is all fine, but you should be aware of your security and privacy in this cyber world. Nowadays mobile applications are very popular; we cannot say they will replace web applications, but we should also take note of the power of mobile.

Web applications have brought with them a new range of security vulnerabilities, and there is a rising awareness that security is an important issue for them. Most web sites say that they are secure because they use SSL. Increasingly, organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. In real life, unfortunately, the majority of web applications are insecure despite the widespread use of SSL and the adoption of regular PCI scanning. Here is an example, reporting that "Half of firms hit by web application security breaches".

There is a non-profit worldwide organization called OWASP (Open Web Application Security Project) with a great deal of material for learning about application security. The OWASP Top 10 in particular is a very good starting point for newcomers: it covers the most critical web application security flaws, and the latest edition was released in 2013.

Web applications face a fundamental problem in trying to be secure: the client is outside the application's control, so users can submit arbitrary input to the server-side application. Application owners and developers must assume that all input is potentially malicious. The majority of attacks against web applications involve sending crafted input to the server to cause some unexpected behaviour.

Unfortunately, SSL cannot stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other users on the network cannot view or modify the attacker's data in transit.
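The point above, that TLS protects bytes in transit but says nothing about their content, is what server-side validation is for. The following is an added example, not code from the original post: a hypothetical product-page handler that allowlists every client-supplied field and encodes stored text before it goes back into HTML (the persistent XSS case counted in the HP report). The parameter names, limits and sort keys are assumptions chosen for the illustration.

```python
import html
import re

# Hypothetical rules for a product page. Every value the server sees is
# client-supplied and therefore untrusted, whether or not it came over TLS.
ALLOWED_SORT = {"date", "price", "name"}      # allowlist, never a denylist
ID_PATTERN = re.compile(r"[1-9][0-9]{0,8}")   # positive integer, bounded length
MAX_COMMENT_LEN = 500


def validate_product_request(params):
    """Validate the query parameters of one request.

    Returns (cleaned, errors). A field only reaches `cleaned` if it matched an
    explicit rule, so any client-side check the sender bypassed is irrelevant.
    """
    cleaned, errors = {}, []

    raw_id = params.get("id", "")
    if ID_PATTERN.fullmatch(raw_id):
        cleaned["id"] = int(raw_id)
    else:
        errors.append("id: must be a positive integer")

    sort = params.get("sort", "date")
    if sort in ALLOWED_SORT:
        cleaned["sort"] = sort
    else:
        errors.append("sort: unknown sort key")

    comment = params.get("comment", "")
    if len(comment) <= MAX_COMMENT_LEN:
        cleaned["comment"] = comment          # stored raw, encoded on output
    else:
        errors.append("comment: exceeds %d characters" % MAX_COMMENT_LEN)

    return cleaned, errors


def render_comment(comment):
    """Encode untrusted text for an HTML body context, so stored markup is
    displayed as text instead of being interpreted by the browser."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed requests: one benign, one carrying crafted input.
    for req in ({"id": "42", "sort": "price", "comment": "Great product."},
                {"id": "42 OR 1=1", "sort": "price;x", "comment": "<b>hi</b>"}):
        print(validate_product_request(req), render_comment(req["comment"]))
```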

Some key factors behind the problem are:

  • Developers are not aware of the issue; they should be educated in secure coding.
  • Executive management generally cares about deadlines, not about the security of the application, so developers try to be as fast as they can and bypass security concerns.
  • Resources and time are limited and the market is very aggressive, so executives are in some ways right. But security is not an issue to underestimate: the company can lose money and prestige because of insecure applications.
  • The threats are evolving rapidly.

To sum up:

The World Wide Web has evolved from basic static information repositories into highly functional applications that process sensitive data and perform powerful actions with real-world consequences. Most web applications face the core security problem that users can submit arbitrary input. Every aspect of the user's interaction with the application may be malicious and should be regarded as such unless proven otherwise. All the signs about the current state of web application security show that although some aspects of security have indeed improved, entirely new threats have evolved to replace them. The overall problem has not been resolved on any significant scale. Attacks against web applications still present a serious threat to both the organizations that deploy them and the users who access them.


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense
