第1页 / 共336页
第2页 / 共336页
第3页 / 共336页
第4页 / 共336页
第5页 / 共336页
第6页 / 共336页
第7页 / 共336页
第8页 / 共336页
Practical Internet of Things Security.pdf
Cover
Copyright
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Table of Contents
Preface
A Brave New World
Defining the IoT
Cybersecurity versus IoT security and cyber-physical systems
Why cross-industry collaboration is vital
IoT uses today
Energy industry and smart grid
Connected vehicles and transportation
Manufacturing
Wearables
Implantables and medical devices
The IoT in the enterprise
The things in the IoT
The IoT device lifecycle
The hardware
Operating systems
IoT communications
Messaging protocols
Transport protocols
Network protocols
Data link and physical protocols
IoT data collection, storage and analytics
IoT integration platforms and solutions
The IoT of the future and the need to secure
The future – cognitive systems and the IoT
Summary
Vulnerabilities, Attacks, and Countermeasures
Primer on threats, vulnerability, and risks (TVR)
The classic pillars of information assurance
Threats
Vulnerability
Risk
Primer on attacks and countermeasures
Common IoT attack types
Attack trees
Building an attack tree
Fault (failure) trees and CPS
Fault tree and attack tree differences
Merging fault and attack tree analysis
Example anatomy of a deadly cyber-physical attack
Today's IoT attacks
Attacks
Wireless reconnaissance and mapping
Security protocol attacks
Physical security attacks
Application security attacks
Lessons learned and systematic approaches
Threat modeling an IoT system
Step 1 – identify the assets
Step 2 – create a system/architecture overview
Step 3 – decompose the IoT system
Step 4 – identify threats
Step 5 – document the threats
Step 6 – rate the threats
Summary
Security Engineering for IoT Development
Building security in to design and development
Security in agile developments
Focusing on the IoT device in operation
Secure design
Safety and security design
Threat modeling
Privacy impact assessment
Safety impact assessment
Compliance
Security system integration
Processes and agreements
Secure acquisition process
Secure update process
Establish SLAs
Establish privacy agreements
Consider new liabilities and guard against risk exposure
Establish an IoT physical security plan
Technology selection – security products and services
IoT device hardware
Selecting an MCU
Selecting a real-time operating system (RTOS)
IoT relationship platforms
Cryptographic security APIs
Authentication/authorization
Edge
Security monitoring
Summary
The IoT Security Lifecycle
The secure IoT system implementation lifecycle
Implementation and integration
IoT security CONOPS document
Network and security integration
System security verification and validation (V&V)
Security training
Secure configurations
Operations and maintenance
Managing identities, roles, and attributes
Security monitoring
Penetration testing
Compliance monitoring
Asset and configuration management
Incident management
Forensics
Dispose
Secure device disposal and zeroization
Data purging
Inventory control
Data archiving and records management
Summary
Cryptographic Fundamentals for IoT Security Engineering
Cryptography and its role in securing the IoT
Types and uses of cryptographic primitives in the IoT
Encryption and decryption
Symmetric encryption
Asymmetric encryption
Hashes
Digital signatures
Symmetric (MACs)
Random number generation
Ciphersuites
Cryptographic module principles
Cryptographic key management fundamentals
Key generation
Key establishment
Key derivation
Key storage
Key escrow
Key lifetime
Key zeroization
Accounting and management
Summary of key management recommendations
Examining cryptographic controls for IoT protocols
Cryptographic controls built into IoT communication protocols
ZigBee
Bluetooth-LE
Near field communication (NFC)
Cryptographic controls built into IoT messaging protocols
MQTT
CoAP
DDS
REST
Future directions of the IoT and cryptography
Summary
Identity and Access Management Solutions
for the IoT
An introduction to identity and access management for the IoT
The identity lifecycle
Establish naming conventions and uniqueness requirements
Naming a device
Secure bootstrap
Credential and attribute provisioning
Local access
Account monitoring and control
Account updates
Account suspension
Account/credential deactivation/deletion
Authentication credentials
Passwords
Symmetric keys
Certificates
X.509
IEEE 1609.2
Biometrics
New work in authorization for the IoT
IoT IAM infrastructure
802.1x
PKI for the IoT
PKI primer
Trust stores
PKI architecture for privacy
Revocation support
Authorization and access control
OAuth 2.0
Authorization and access controls within publish/subscribe protocols
Access controls within communication protocols
Summary
Mitigating IoT Privacy Concerns
Privacy challenges introduced by the IoT
A complex sharing environment
Wearables
Smart homes
Metadata can leak private information also
New privacy approaches for credentials
Privacy impacts on IoT security systems
New methods of surveillance
Guide to performing an IoT PIA
Overview
Authorities
Characterizing collected information
Uses of collected information
Security
Notice
Data retention
Information sharing
Redress
Auditing and accountability
PbD principles
Privacy embedded into design
Positive-sum, not zero-sum
End-to-end security
Visibility and transparency
Respect for user privacy
Privacy engineering recommendations
Privacy throughout the organization
Privacy engineering professionals
Privacy engineering activities
Summary
Setting Up a Compliance Monitoring Program
for the IoT
IoT compliance
Implementing IoT systems in a compliant manner
An IoT compliance program
Executive oversight
Policies, procedures, and documentation
Training and education
Testing
Internal compliance monitoring
Periodic risk assessments
A complex compliance environment
Challenges associated with IoT compliance
Examining existing compliance standards support for the IoT
Underwriters Laboratory IoT certification
NIST CPS efforts
NERC CIP
HIPAA/HITECH
PCI DSS
NIST Risk Management Framework (RMF)
Summary
Cloud Security for the IoT
Cloud services and the IoT
Asset/inventory management
Service provisioning, billing, and entitlement management
Real-time monitoring
Sensor coordination
Customer intelligence and marketing
Information sharing
Message transport/broadcast
Examining IoT threats from a cloud perspective
Exploring cloud service provider IoT offerings
AWS IoT
Microsoft Azure IoT suite
Cisco Fog Computing
IBM Watson IoT platform
MQTT and REST interfaces
Cloud IoT security controls
Authentication (and authorization)
Amazon AWS IAM
Azure authentication
Software/firmware updates
End-to-end security recommendations
Maintain data integrity
Secure bootstrap and enrollment of IoT devices
Security monitoring
Tailoring an enterprise IoT cloud security architecture
New directions in cloud-enabled IOT computing
IoT-enablers of the cloud
Software defined networking (SDN)
Data services
Container support for secure development environments
Containers for deployment support
Microservices
The move to 5G connectivity
Cloud-enabled directions
On-demand computing and the IoT (dynamic compute resources)
New distributed trust models for the cloud
Cognitive IoT
Summary
IoT Incident Response
Threats both to safety and security
Planning and executing an IoT incident response
Incident response planning
IoT system categorization
IoT incident response procedures
The cloud provider's role
IoT incident response team composition
Communication planning
Exercises and operationalizing an IRP in your organization
Detection and analysis
Analyzing the compromised system
Analyzing the IoT devices involved
Escalate and monitor
Containment, eradication, and recovery
Post-incident activities
Summary
Index
www.allitebooks.com
Practical Internet of Things
Security
A practical, indispensable security guide that
will navigate you through the complex realm of
securely building and deploying systems in our
IoT-connected world
Brian Russell
Drew Van Duren
BIRMINGHAM - MUMBAI
Practical Internet of Things Security
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the authors, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2016
Production reference: 1230616
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78588-963-9
www.packtpub.com
www.allitebooks.com
Credits
Project Coordinator
Kinjal Bari
Proofreader
Safis Editing
Indexer
Hemangini Bari
Graphics
Kirk D'Penha
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade
Authors
Brian Russell
Drew Van Duren
Reviewer
Aaron Guzman
Commissioning Editor
Kartikey Pandey
Acquisition Editor
Prachi Bisht
Content Development Editor
Arshiya Ayaz Umer
Technical Editor
Siddhi Rane
Copy Editor
Safis Editing
www.allitebooks.com
About the Authors
Brian Russell is a chief engineer focused on cyber security solutions for Leidos
(https://www.leidos.com/). He oversees the design and development of security
solutions and the implementation of privacy and trust controls for customers,
with a focus on securing Internet of Things (IoT). Brian leads efforts that include
security engineering for Unmanned Aircraft Systems (UAS) and connected vehicles
and development security systems, including high assurance cryptographic key
management systems. He has 16 years of information security experience. He serves
as chair of the Cloud Security Alliance (CSA) Internet of Things (IoT) Working
Group, and as a member of the Federal Communications Commission (FCC)
Technological Advisory Council (TAC) Cybersecurity Working Group. Brian
also volunteers in support of the Center for Internet Security (CIS) 20 Critical
Security Controls Editorial Panel and the Securing Smart Cities (SSC) Initiative
(http://securingsmartcities.org/).
Join the Cloud Security Alliance (CSA) IoT WG
@ https://cloudsecurityalliance.org/group/internet-of-things/#_join.
You can contact Brian at https://www.linkedin.com/in/brian-russell-
65a4991.
I would like to thank my wife, Charmae, and children, Trinity and
Ethan. Their encouragement and love during my time collaboration
on this project has been invaluable. I would also like to thank all
the great volunteers and staff of the Cloud Security Alliance (CSA)
Internet of Things (IoT) Working Group, who have worked with
me over the past few years to better understand and recommend
solutions for IoT security. Lastly, I would like to thank my parents,
without whom I would not have the drive to complete this book.
www.allitebooks.com
Drew Van Duren currently works at Leidos as a senior cryptographic and
cybersecurity engineer, highlighting 15 years of support to commercial, US
Department of Defense, and US Department of Transportation (USDOT) customers
in their efforts to secure vital transportation and national security systems. Originally
an aerospace engineer, his experience evolved into cyber-physical (transportation
system) risk management, secure cryptographic communications engineering, and
secure network protocol design for high assurance DoD systems. Drew has provided
extensive security expertise to the Federal Aviation Administration's Unmanned
Aircraft Systems (UAS) integration office and supported RTCA standards body in
the development of cryptographic protections for unmanned aircraft flying in the US
National Airspace System. He has additionally supported USDOT Federal Highway
Administration (FHWA) and the automotive industry in threat modeling and security
analysis of connected vehicle communications design, security systems, surface
transportation systems, and cryptographic credentialing operations via the connected
vehicle security credential management system (SCMS). Prior to his work in the
transportation industry, Drew was a technical director, managing two of the largest
(FIPS 140-2) cryptographic testing laboratories and frequently provided cryptographic
key management and protocol expertise to various national security programs. He
is a licensed pilot and flies drone systems commercially, and is also a co-founder
of Responsible Robotics, LLC, which is dedicated to safe and responsible flight
operations for unmanned aircraft.
You can reach Drew at https://www.linkedin.com/in/drew-van-duren-33a7b54.
I would first like to thank my wife, Robin, and children, Jakob and
Lindsey, for their immense love, humor, and patience that shone
brightly as I collaborated on this book. They were always keen
to provide the diversions when I needed them the most. I would
also like to thank my parents for their unceasing love, discipline,
and encouragement to pursue diverse interests—model making,
engineering, aviation, and music—in my formative years. More than
anything, playing the cello has enriched and centered me amid life's
demands. Lastly, my gratitude goes to my departed grandparents,
especially my maternal grandfather, Arthur Glenn Foster, whose
unquenchable scientific and engineering inquisitiveness provided
just the footsteps I needed in my young life.
www.allitebooks.com
About the Reviewer
Aaron Guzman is a principal penetration tester from the Los Angeles area with
expertise in application security, mobile pentesting, web pentesting, IoT hacking,
and network penetration testing. He has previously worked with established tech
companies such as Belkin, Symantec, and Dell, breaking code and architecting
infrastructures. With Aaron's years of experience, he has given presentations at
various conferences, ranging from Defcon and OWASP AppSecUSA to developer
code camps across America. He has contributed to many IoT security guideline
publications and open source community projects around application security.
Furthermore, Aaron is a chapter leader for the Open Web Application Security
Project (OWASP), Los Angeles, Cloud Security Alliance SoCal (CSA SoCal),
and High Technology Crime Investigation Association of Southern California
(HTCIA SoCal). You can follow Aaron's latest research and updates on Twitter
at @scriptingxss.
www.allitebooks.com
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF
and ePub files available? You can upgrade to the eBook version at www.PacktPub.
com and as a print book customer, you are entitled to a discount on the eBook copy.
Get in touch with us at customercare@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign
up for a range of free newsletters and receive exclusive discounts and offers on Packt
books and eBooks.
TM
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital
book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser
www.allitebooks.com
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
