IoT and Mobile
Video Activity

Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:01
>> Welcome back. In this video, we're going to focus on Internet of Things technology, some of the specific security considerations related to IoT. Then we'll touch on something quite related, which is mobile and mobile security considerations specifically from the Cloud perspective.

IoT is a term broadly used to describe a variety of computing devices that have a specific intended use in the real world; these are referred to as the things, and those things are connected to a network. Smaller powered things like equipment sensors, electricity meters, and even medical devices may not be directly connected to the network. However, they will communicate with higher power devices that act as a gateway to the internet. Your mobile phone could be one of these gateways, or it could be a customer appliance or device, often referred to as an Edge device. The amount of streaming data coming from these devices can vary. Mass consumer devices may stream small amounts of information, but since the overall number of devices is much greater, they can end up streaming an equal or greater amount of data than the specialty devices that stream high-definition images or heavy information amounts.

IoT brings its own set of security concerns, and the CSA outlines quite a few. Let's cover those here, starting with Secure Data Collection and Sanitization. As an example, you may want to scan incoming payloads to see if they contain malicious data or malformed data that could compromise your system.

Each device is going to establish its own identity through a centralized registry. The registration process may occur during manufacturing with the device or through an initialization process that takes place in the field. Subsequently, whenever the device phones home, it will be able to identify itself as one of the registered devices. At the same time, you can't blindly trust the identity, so authentication needs to take place. This can be done using a password, or public key and certificate based methods are preferred, as it makes it much more difficult for somebody who is attempting to spoof the device to guess the authentication value. Either way, you don't want to have all your devices using the same hard-coded password or the same key credentials. In that situation, if one device gets compromised, your entire fleet can be compromised. Once the device is authenticated, access controls around what the device can and cannot do should be managed through authorization.

As you'd expect, the chatter between the device and the Cloud should be encrypted in transit. Somebody can easily sniff unencrypted network traffic. But you also want to make sure that a bad actor can place themselves in the middle of the communication, acting as a proxy to decrypt and re-encrypt any communication. Certificate pinning can be used to ensure your device only trusts communication coming from select sources like your Cloud-based APIs. The goal of all this is to make sure nobody can listen to or modify the communication taking place between the device and the trusted parties, whether they be other edge devices or cloud-based services.

It's also worth taking a direct look at the API security for the device to cloud communication. This is a great opportunity to define the defense in-depth philosophy. Assume that somebody has figured out how the communication protocols between the device and cloud work. If that happens, you can have API security, which is an extra layer of your defense. This can prevent DDoS attacks, enforce device isolation, and ensure the device itself has appropriate authorization so it can only perform the activities that are unnecessary.

The reality is things will never be perfect. You may have security vulnerabilities and you may need to add new functionality. This brings the ability to patch device software and firmware onto center stage. It's a capability you'll want to design in as early as possible, since it gives you flexibility to make changes once your fleet is deployed. The CSA doesn't specifically talk about code signing, but it's a vital strategy to use for implementing device patching. This way, you make sure that the device only applies software updates that it receives from trusted sources.

Keep in mind these devices are out of your physical control. Somebody can open them up and do some real low-level hacking like flashing firmware updates through JTAG interfaces, examining memory, even physically manipulating the electronic components. This leads to the final point of tamper detection. Having the ability to identify devices that aren't in line with the setup you'd expect is a very powerful capability in ensuring security of your IoT ecosystem. If you're the device manufacturer, you don't want somebody to overtake your device and use it for things it's not intended for, especially if the device is attacking your cloud service. As the person responsible for the network that the device is running on, you want to make sure that device does not provide a weak point or a foothold for an attack to get on your network and cause damage to other systems that can be way more critical to your overall enterprise or company.

We look at devices that provide more general computing capabilities, such as smartphones and tablets, very similarly to the way we look at the IoT devices. These devices often have applications, and those applications connect to a server based back-end. Since the devices themselves can be geographically distributed and the workloads unpredictable and very dynamic, it makes hosting these backends in the Cloud a prime option for you. The CSA calls out two specific areas of mobile security: device registration, authorization and authentication, just like IoT. But this can be a little different in terms of your application's ability to obtain and store credentials. Keep in mind these devices will be hosting other applications. In the same way cloud providers strive to provide tenant isolation, mobile device manufacturers strive to implement application isolation. However, there are always clever people out there who figure out ways to jailbreak their phones. This can allow a devious person to access the credentials your application is using to authenticate with back-end services. This pain point bleeds into authorization and API security. Cert pinning is the method that you can use to have your mobile app ensure it only talks to the cloud services that are trusted. This mitigates the potential for a man in the middle attack. Such an attack could either be passively listening or it could be actively modifying the communication stream between your mobile application and those Cloud-based applications.

Now there's a ton in the realm of mobile device security, and it's almost its own discipline. But CSA is just focused on the Cloud-based aspects of mobile computing. For your CCSK exam, you don't need to be concerned about a lot of those other areas. I'm not going to cover them right here either.

To summarize this video, we reviewed the definition of Internet of Things. We talked about IoT specific security considerations, and then we examined mobile security considerations, many of which are quite similar to the IoT security.