Tackle IoT application security threats and vulnerabilities – TechTarget

olly – stock.adobe.com
IoT devices might seem too small or specialized to pose a risk to enterprises, but that couldn’t be further from the truth.
IoT devices are network-connected, general-purpose computers that can be hacked and hijacked by criminals, leading to problems beyond IoT security.
Even if an organization has locked down the physical devices and enacted basic IoT security measures, systems remain vulnerable. Many cybersecurity experts forget IoT application security when designing a security strategy.
Gartner estimates there will be approximately 25 billion IoT connections by 2025, making each IoT sensor, endpoint, connection, network layer and UI a vulnerability for enterprises using them. The IoT application security presents a massive area of vulnerability and one in which organizations should consider making equal investments from now on.
IoT applications suffer from various vulnerabilities that put them at risk of being compromised, including:
Threats to IoT applications fall into several general categories: spoofing, information disclosure, distributed denial of service (DDoS), tampering and elevation of service. Attackers typically use these threats as an entry point to a network and then move on to other areas to cause problems, such as stealing data, blocking connections or releasing ransomware.
Spoofing threats. Attackers intercept or partially override the data stream of an IoT device and spoof the originating device or system, which is also known as a man-in-the-middle attack. They intercept shared key information, control devices or observe sent data.
Information disclosure threats. Attackers eavesdrop on broadcasts to obtain information without authorization, jam the signal to deny information distribution or partially override the broadcast and replace it with false information. They then threaten to release or sell the data.
Tampering threats. Attackers can gain access to the firmware or OSes of the devices running an IoT app and then partially or completely replace it on the device. They then use the genuine device and application identities to access the network and other connected services. For example, SQL or XML injection attacks and DDoS attacks are tampering threats for IoT apps.
Elevation of privilege threats. Attackers use unsecured IoT apps to change the access control rules of the application to cause damage. For example, in an industrial or manufacturing environment, an attacker could force a valve to open all the way that should only open halfway in a production system and cause damage to the system or employees.
Protecting IoT applications isn’t a one-and-done activity. It requires planning, action and regular monitoring. Get started with these nine ways.
Threat modeling can identify, assess and prioritize the potential IoT app vulnerabilities. A model can suggest security activities that will ensure IT admins include IoT apps in overall security strategies. The model should continue to evolve and grow to reflect the state of the IoT app accurately.
Not all risks are the same when it comes to IoT apps and an organization. Prioritize risks in order of concern and act accordingly. Many tech teams forget to align the risk with business scenarios and outcomes. A failure or breach in one IoT app may seem innocuous to IT but have serious financial implications for the company.
IT admins must deploy updates to IoT apps as quickly as possible to ensure the safety of the entire network. Use only approved and authenticated updates and, if updating apps over the air, use a VPN to encrypt all update data streams. Secure public key infrastructures (PKIs) can also authenticate devices and systems.
Firewalls, encryption and secure communication protocols protect IoT apps from unauthorized access. Regularly review the various standards, devices and communication protocols used on the network to ensure adequate security. Add IoT apps to any application security testing.
Strong password protection is essential for IoT applications and that includes developing a secure password process for those creating passwords. Change the default passwords on IoT devices and apps and ensure they’re changed regularly. Deploying a two- or three-way authentication model with TLS communication protocols reduces the chances that authentication data can be compromised at any point.
Encrypting data between IoT devices, apps and back-end systems keeps data safe from attackers. That includes encrypting data at rest and in transit and adopting PKI security models to ensure both senders and receivers get authenticated on the system before transmitting.
Applications and systems that have access to IoT apps should also be secured. When they are secure, it stops the client IoT system from being compromised by outside attacks and prevents it from propagating attacks downstream.
APIs are often used to push and pull data between applications and systems. They are another way for attackers to connect to IoT apps and cause problems. Only authorized devices and applications must communicate with APIs, making it easier to detect threats and attacks immediately. IT admins must also use API version management with old or redundant versions identified and removed regularly.
Monitoring IoT apps is the final step in protecting them. Ensure they’re tested and scanned like the rest of the network to get alerts and address IoT security issues quickly.
IoT devices and applications pose a significant risk to organizations today. With hundreds or even thousands of devices connected to an enterprise network, not applying the same level of security measures to each component of IoT deployments can lead to problems beyond the individual device or application.
To businesses plotting a digital transformation course, ServiceNow’s Yoav Boaz says hyperautomation is instrumental in …
Federal contractors and IT vendors should brush up on plans to navigate a government shutdown as a Dec. 3 funding deadline …
The move to edge computing will increase over the next few years. Here, we list the areas where it’s proving to deliver high …
This comprehensive secure remote access guide outlines the strategies, tools and best practices to provide anywhere access while …
Apple sued the Israeli technology vendor, whose Pegasus spyware has been implicated in several malicious attacks on journalists, …
A newly-disclosed zero-day vulnerability in Windows could potentially allow local users to elevate their permissions to …
Even in hyperscalers like Facebook, one errant finger can take down a network. The takeaway, experts said, is to expect and plan …
Security teams want to analyze network traffic data to identify anomalies and threats. As a result, network and security teams …
Citizens Broadband Radio Service enables private LTE networks and supports enterprise WAN deployments. But that doesn’t mean …
Data centers contain risks such as height, environmental and electrical hazards. Keep your staff safe by assessing the level of …
Running a sustainable data center requires organizations to consider factors such as facility sustainability, efficient storage …
Partnering with the DMTCP Project, MemVerge supports the open source distributed multithreaded checkpointing technology, which …
The pandemic hit American Airlines hard, but its management took an optimistic view, seeing at as an opportunity to use data more…
The data observability platform vendor’s new platform enables enterprises to use AIOps and automation to find anomalies with …
A new Starburst Enterprise release brings in new capabilities to help organizations use the Trino SQL query engine to analyze …
All Rights Reserved, Copyright 2005 – 2021, TechTarget

Privacy Policy
Cookie Preferences
Do Not Sell My Personal Info

source