Assessing & Mitigating Vulnerabilities of Security Architectures- Part II (IoT)

Cloud-based systems

Cloud Computing eliminates the need for on-premises devices by renting a virtual machine hosted by a trusted third-party. This remote computing enhances the efficiency, performance, scalability, and security.

There are three different models for cloud computing:

  • Iaas (Infrastructure as a service): Instead of buying and purchasing a physical computer and buying and installing an operating system, people are aiming to buy a cloud-based virtual machine from a cloud service provider with the hardware they want, along with the installed operating system. The customer can specify that this VM, what CPU should have, how much RAM, what graphics processor, how much storage space, and what operating system. Then a VM is created and starts working. In the world of virtualization and cloud computing, terms such as spinning up a VM and instantiating a VM are used to refer to the start of a virtual machine. As an example, Amazon now offers Iaas to its customers.
  • Saas ( Software as a service): A service that works like software and may run on one or more virtual machines, but in any case, the above-mentioned virtual machines are hidden from the customer. The service company installs the software on one / more virtual machines. The license also installs it and provides the necessary support. For example, the customer intends to use the Autocad 2019 package and orders it to the provider. The service provider, provides Autocad software as a service to the customer. The customer does not know the number and how of virtual machines and does not need to know it. He doesn’t even know the operating system used and doesn’t need to know it. The customer only sees the Autocad itself running on the appropriate hardware. We can Famous cloud storages such as google drive, apple icloud, drop box, etc. are considered as a kind of Saas.
  • Paas ( Platform as s service): It is a pre-built platform that is provided to software developers like a service. Suppose a software developer wants to test their app in Apple’s IOS environment. So he asks a cloud service provider for a Paas in the IOS environment. The provider quickly creates an Iaas, then installs the IOS version of the customer on it,also installs any software programming and software development tools on the Iaas, and finally delivers it to the customer. In fact, the key difference between Iaas and Paas is, the more software tools available to the customer on the Pass. Suitable tools for software development process. The virtual machines used in Paas often include an integrated development environment (IDE) that includes a set of related tools. Tools for programming and implementing software, updating and developing it, testing software and all the necessary operations in software engineering.

Cloud Deployment Models

  • Public: Cloud services for the general public. It’s owned, managed, and operated by a third party (or parties) and exists on the cloud provider’s premises.
  • Private: Cloud infrastructure that is used exclusively by a single organization. Large companies usually deploy their private clouds because of their security policies.
  • Community: These clouds are accessed by multiple parties having common goals and shared resources.
  • Hybrid: A cloud infrastructure that comprised of both Private and public cloud. Private cloud is for their sensitive and public cloud to scale up capabilities and services.
[rev_slider alias=”Advertisement-1″ /]

Concerns in Cloud Computing

Cloud Computing Threats: These threats include Data loss/breach, privileges escalations, insecure interfaces and APIs, hardware failure, malicious insider, privileges escalations, natural disasters, authentication, and VM level attacks and so on.

Data Loss/Breach: These are the most common threat to every platform. Improper Encryption or losing Encryption keys may result in Data modification, erasing, data steal, and misuse.

Abusing Cloud Services: It includes using service for malicious intents as well as using these services abusively.

Insecure Interface and APIs: Software User Interface (UI) and Application Programming Interface (APIs) are the interfaces used by customers to interact with the service. These interfaces must be secure against malicious attempts.

Responsibilities in Cloud Security

Cloud Service Provider

Responsibilities of a cloud service provider include meeting the following security controls:

  • Web Application Firewall (WAF)
  • Secure Web Gateway (SWG)
  • Trusted Platform Module (TPM)
  • Real Traffic Grabber (RTG)
  • CoS/QoS
  • Intrusion Prevention Systems
  • Firewall
  • Load Balancer
  • Data Loss Prevention (DLP)
  • Application Security (App Sec)
  • Virtual Private Network (VPN)
  • Trusted Platform Module
  • Netflow

Cloud Service Consumer

Responsibilities of a cloud service consumer include meeting the following security controls: –

  • Web Application Firewall (WAF)
  • Public Key Infrastructure (PKI)
  • Security Development Life Cycle (SDLC)
  • Firewall
  • Virtual Private Network (VPN) and others
  • Intrusion Prevention Systems
  • Encryption
  • Secure Web Gateway
  • Application Security

Distributed Systems

A distributed system is an environment where multiple computers are working together to perform tasks. Distributed systems are systems with components scattered throughout physical and logical space. Usually, these components are owned and/or managed by different organizations, sometimes in different countries. Some common examples from daily life of distributed systems are:

  • Cellular Network
  • Peer-to-Peer Network
  • Distributed Database Management Systems
  • Aircraft Control System
  • Google Maps
  • Multiplayer Online Games

Of course, these systems also have security challenges. For example, Client side, Server side, and network devices in between a communication link must be secured.

Vulnerabilities in distributed systems include these:

  • Unprotected or weakly protected communications: Data transmitted between the server and other systems (including clients) may be using either weak encryption or no encryption at all.
  • Loose access permissions: In each of Individual components in a distributed system, there are many opportunities for access permissions to be too loose.
  • Weak security inheritance: In a distributed system, one component having weak security may compromise the security of the entire system. For example, a publicly accessible component may have direct open access to other components. So, this is a critical point.
  • Lack of centralized security and control: A distributed system is usually managed simultaneously by more than one organization. Conflicts and contradictions in the policies and procedures of these various organizations are a security and dangerous challenge.
  • Critical paths. A critical path weakness is one where a system’s continued operation depends on the availability of a single component.

Internet of things

This discussion focuses on Internet automation. The term “Things” refers to the machines, appliances, vehicles, sensors and many other devices. An example of automation process through the Internet of Things is it we can connect devices to the internet to communicate with other devices.

IoT technology requires a unique identity. Unique identity refers to the IP address, especially IPv6 addresses to provide each device with a unique identity.

The security of IoT devices and systems is a rapidly evolving scope of information security. This includes not only securing the data stored on the systems, but also how the data is collected, transmitted, processed, and used. There are many networking and communications protocols commonly used in IoT devices, including the following:

  • IPv6 over Low power Wireless Personal Area Networks (6LoWPAN)
  • 5G
  • Wi-Fi
  • Near Field Communications (NFC)
  • Radio Frequency Identification (RFID)
  • Bluetooth Mesh and Bluetooth Low-Energy (BLE)

The OWASP Top 10 IoT Vulnerabilities from 2018 are as follows:

IoT Attack Areas

The following are the most common attack areas for IoT network:

  • Access Control
  • Firmware Extraction
  • Privileges Escalation
  • Resetting to an insecure state
  • Web Attacks
  • Firmware Attacks
  • Network Services Attacks
  • Unencrypted Local Data Storage
  • Confidentiality and Integrity issues
  • Cloud Computing Attacks
  • Malicious updates
  • Insecure APIs
  • Mobile Application threats

Mitigating IoT Threats & Vulnerabilities

Countermeasure for IoT devices includes the following measures, which are:

  • Firmware update
  • Disable UPnP
  • Block unnecessary ports
  • Use encryption of drives
  • Use encrypted communication such as SSL/TLS
  • Use strong password
  • User account lockout
  • Two-Factor Authentication
  • Periodic assessment of devices
  • Secure password recovery
  • Disable Telnet