Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Title Page
Copyright and Credits
Practical Internet of Things Security Second Edition
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
A Brave New World
Defining the IoT
Defining cyber-physical systems
Cybersecurity versus IoT security
The IoT of today
An IoT-enabled energy grid
Modernizing the transportation ecosystem
Smart manufacturing
Smart cities spread across the globe
The importance of cross-industry collaboration
The IoT ecosystem
Physical devices and controllers
The hardware
Real-time operating systems
Gateways
IoT integration platforms and solutions
Connectivity
Transport protocols
Network protocols
Data link and physical protocols
IEEE 802.15.4
ZWave
Bluetooth low energy
Cellular communications
Messaging protocols
MQTT
CoAP
XMPP
DDS
AMQP
Data accumulation
Data abstraction
Applications
Collaboration and processing
The IoT of tomorrow
Autonomous systems
Cognitive systems
Summary
Vulnerabilities, Attacks, and Countermeasures
Primer on threats, vulnerability, and risks 
The classic pillars of information assurance
Threats
Vulnerability
Risks
Primer on attacks and countermeasures
Common IoT attack types
Attack trees
Building an attack tree
Fault (failure) trees and CPS
Fault tree and attack tree differences
Merging fault and attack tree analysis
Example anatomy of a deadly cyber-physical attack
Today's IoT attacks
Attacks
Authentication attacks
Distributed Denial of Service (DDoS)
Application security attacks
Wireless reconnaissance and mapping
Security protocol attacks
Physical security attacks
Lessons learned and systematic approaches
Threat modeling an IoT system
Step 1 – identify the assets
Step 2 – create a system/architecture overview
Step 3 – decompose the IoT system
Step 4 – identify threats
Step 5 – document the threats
Step 6 – rate the threats
Summary
Approaches to Secure Development
The Secure Development Life Cycle (SDLC)
Waterfall
Requirements
Design
Implementation
Verification
Spiral
Agile
Security engineering in Agile
DevOps
Handling non-functional requirements 
Security
Threat modeling
Other sources for security requirements
Safety
Hazard analysis
Hazard and operability studies (HAZOPs)
Fault-tree analysis
Failure modes and effects analysis (FMEA)
Resilience
The need for software transparency
Automated security analysis
Engaging with the research community
Summary
Secure Design of IoT Devices
The challenge of secure IoT development
Speed to market matters
Internet-connected devices face a deluge of attacks
The IoT introduces new threats to user privacy
IoT products and systems can be physically compromised
Skilled security engineers are hard to find (and retain)
Secure design goals
Design IoT systems that mitigate automated attack risks
Design IoT systems with secure points of integration
Designing IoT systems to protect confidentiality and integrity
Applying cryptography to secure data at rest and in motion
Enabling visibility into the data life cycle and protecting data from manipulation 
Implementing secure OTA
Design IoT systems that are safe
Design IoT systems using hardware protection measures
Introduce secure hardware components within your IoT system
Incorporate anti-tamper mechanisms that report and/or react to attempted physical compromise
Design IoT systems that remain available
Cloud availability
Guarding against unplanned equipment failure 
Load balancing 
Design IoT systems that are resilient
Protecting against jamming attacks
Device redundancy 
Gateway caching
Digital configurations
Gateway clustering
Rate limiting
Congestion control
Provide flexible policy and security management features to administrators 
Provide logging mechanisms and feed integrity-protected logs to the cloud for safe storage
Design IoT systems that are compliant 
The US IoT Cybersecurity Improvement Act (draft)
ENISA's baseline security recommendations
DHS guiding principles for secure IoT
FDA guidance on IoT medical devices
Summary
Operational Security Life Cycle
Defining your security policies
Defining system roles 
Configuring gateway and network security
Securing WSN 
Establishing good key management practices for WSNs. 
Establishing physical protections 
Ports, protocols, and services
Gateways 
Network services
Network segmentation and network access controls
Bootstrapping and securely configuring devices
Configuring device security 
Setting up threat intelligence and vulnerability tracking
Vulnerability tracking
Threat intelligence
Honeypots
Managing assets 
Managing keys and certificates
Handling misbehavior
Managing accounts, passwords, and authorizations
Managing firmware and patching updates
Monitoring your system
RF monitoring
Training system stakeholders
Security awareness training for employees
Security administration training for the IoT
Performing penetration testing
Red and blue teams
Evaluating hardware security
The airwaves
IoT penetration test tools
Managing compliance
HIPAA
GDPR
Monitoring for compliance
Managing incidents
Performing forensics
Performing end-of-life maintenance
Secure device disposal and zeroization
Data purging
Inventory control
Data archiving and managing records
Summary
Cryptographic Fundamentals for IoT Security Engineering
Cryptography and its role in securing the IoT
Types and uses of cryptographic primitives in the IoT
Encryption and decryption
Symmetric encryption
Block chaining modes
Counter modes
Asymmetric encryption
Hashes
Digital signatures
Symmetric (MACs)
Random number generation
Ciphersuites
Cryptographic module principles
Cryptographic key management fundamentals
Key generation
Key establishment
Key derivation
Key storage
Key escrow
Key lifetime
Key zeroization
Accounting and management
Summary of key management recommendations
Examining cryptographic controls for IoT protocols
Cryptographic controls built into IoT communication protocols
ZigBee
Bluetooth-LE
Near Field Communication (NFC)
Cryptographic controls built into IoT messaging protocols
MQTT
CoAP
DDS
REST
Future-proofing IoT cryptography
Crypto agility
Post quantum cryptography
Summary
Identity and Access Management Solutions for the IoT
An introduction to IAM for the IoT
The identity life cycle
Establish naming conventions and uniqueness requirements
Naming a device
Secure bootstrap
Credential and attribute provisioning
Local access
Account monitoring and control
Account updates
Account suspension
Account/credential deactivation/deletion
Authentication credentials
Passwords
Symmetric keys
Certificates
X.509
IEEE 1609.2
Biometrics
Authorization for the IoT
IoT IAM infrastructure
802.1x
PKI for the IoT
PKI primer
Trust stores
PKI architecture for privacy
Revocation support
OCSP
OCSP stapling
SSL pinning
Authorization and access control
OAuth 2.0
Authorization and access controls within publish/subscribe protocols
Access controls within communication protocols
Decentralized trust via blockchain ledgers
Summary
Mitigating IoT Privacy Concerns
Privacy challenges introduced by the IoT
A complex sharing environment
Wearables
Smart homes
Metadata can leak private information
New privacy approaches for credentials
Privacy impacting on IoT security systems
New methods of surveillance
Guide to performing an IoT PIA
Overview
Authorities
Characterizing collected information
Uses of collected information
Security
Notice
Data retention
Information sharing
Redress
Auditing and accountability
Privacy by design
Privacy engineering recommendations
Privacy throughout the organization
Privacy-engineering professionals
Privacy-engineering activities
Understanding the privacy landscape
Summary
Setting Up an IoT Compliance Monitoring Program
IoT compliance
Implementing IoT systems in a compliant manner
An IoT compliance program
Executive oversight
Policies, procedures, and documentation
Training and education
Skills assessments
Cybersecurity tools
Data security
Defense in depth
Privacy
The IoT, networks, and the cloud
Threats/attacks
Certifications
Testing
Internal compliance monitoring
Install/update sensors
Automated search for flaws
Collect results
Triage
Bug fixes
Reporting
System design updates
Periodic risk assessments
Black box testing
White box assessments
Fuzz testing
A complex compliance environment
Challenges associated with IoT compliance
Examining existing compliance standards, support for the IoT
Underwriters Laboratory IoT certification
NERC CIP
HIPAA/HITECH
PCI DSS
The NIST Risk Management Framework (RMF)
Summary
Cloud Security for the IoT
The role of the cloud in IoT systems 
A notional cloud security approach 
Moving back toward the edge
The concept of the fog
Threats to cloud IoT services
Cloud-based security services for the IoT
Device onboarding
Hardware-to-cloud security
Identity registries
Naming your devices
Onboarding a device into AWS IoT
Key and certificate management
Third-party solutions
Policy management 
Group management
Permissions
Persistent configuration management
Gateway security 
Authentication to the gateway
Device management
Compliance monitoring
Security monitoring
Summary
IoT Incident Response and Forensic Analysis
Threats to both safety and security
Defining, planning, and executing an IoT incident response
Incident response planning
IoT system categorization
IoT incident response procedures
The cloud provider's role
IoT incident response team composition
Communication planning
Operationalizing an IRP in your organization
Detection and analysis
Analyzing the compromised system
Analyzing the IoT devices involved
Escalation and monitoring
Containment, eradication, and recovery
Post-incident activities (recovery)
IoT forensics
Post-incident device forensics
New data sources for crime solving
Smart electrical meters and water meters
Wearables
Home security cameras
Home assistants
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
← Prev
Back
Next →
← Prev
Back
Next →