IoT Agenda

Oct 25 2018   2:31PM GMT

Navigating the IoT security minefield: The cloud portal

Andrew Useckas

Tags:
Application security
cloud
Cloud portal
Cloud Security
Internet of Things
iot
IoT devices
iot security
OWASP
Penetration Testing
security in IOT

Since I started this series, it seems that not a week goes by without another IoT-related security story in the news, and most of the coverage still focuses only on the hardware. However, unlike Wi-Fi routers, phones and other standalone things, IoT devices such as a Nest thermostat regularly communicate back to the cloud and let the user manage all of his individual thermostats through a convenient web cloud portal, and that has complicated the security landscape.

Needless to say, this approach introduces its own set of security challenges. Instead of running a phishing campaign to discover and compromise individual devices one at a time, a hacker now has a single target: once the management portal is compromised, he can gain access to thousands or even millions of devices, and in the case of video camera software, to the actual video footage.

Unless secure coding practices are followed and strict security controls are implemented and audited at the application and network level, it is highly likely that such an application will be hacked, as happened to one smart-start IoT device described in this article.

So, what are the best practices that need to be followed when building a centralized IoT management portal?

First of all, in order to avoid the typical OWASP Top 10 vulnerabilities, secure coding practices must be followed. A good summary of these practices can be found in this quick reference guide.
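The single-target problem above comes down to one question a portal must answer on every request: is this caller allowed to touch this device? Below is an added example, not code from the original post or from any vendor's portal, showing two of the OWASP Top 10 classes that typically break that guarantee (broken access control and injection) in a minimal device-management handler. The tables, user ids and device ids are constructed for the example; the hypothetical `set_setpoint_insecure` handler trusts the device id in the request and builds SQL by string formatting, while `set_setpoint` validates the input, uses a parameterized query and enforces ownership in the same statement so that a cross-account write updates nothing.

```python
import sqlite3


class AuthorizationError(Exception):
    """Raised when a caller tries to act on a device their account does not own."""


def build_portal_db():
    """Constructed in-memory portal database: two accounts, one thermostat each (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE devices (id TEXT PRIMARY KEY, owner_id INTEGER, kind TEXT, setpoint REAL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?, ?)",
        [("therm-0001", 1, "thermostat", 20.0), ("therm-0002", 2, "thermostat", 21.5)],
    )
    conn.commit()
    return conn


def get_setpoint(conn, device_id):
    """Read back the current setpoint (None if the device id is unknown)."""
    row = conn.execute("SELECT setpoint FROM devices WHERE id = ?", (device_id,)).fetchone()
    return None if row is None else row[0]


def set_setpoint_insecure(conn, device_id, setpoint):
    """Vulnerable pattern (hypothetical): no ownership check and SQL built from request values.

    Any authenticated user can change any device, and the string formatting is injectable.
    """
    conn.execute(f"UPDATE devices SET setpoint = {setpoint} WHERE id = '{device_id}'")
    conn.commit()
    return get_setpoint(conn, device_id)


def set_setpoint(conn, user_id, device_id, setpoint):
    """Hardened handler: validate input, parameterize the query, enforce ownership in the WHERE clause."""
    # Reject anything that is not a plausible thermostat setpoint before touching the database.
    if isinstance(setpoint, bool) or not isinstance(setpoint, (int, float)):
        raise ValueError("setpoint must be numeric")
    if not 5.0 <= setpoint <= 35.0:
        raise ValueError("setpoint out of range")
    # Bound parameters instead of string building, and tie the update to the caller's account.
    # A device id that belongs to someone else matches zero rows, so nothing changes.
    cur = conn.execute(
        "UPDATE devices SET setpoint = ? WHERE id = ? AND owner_id = ?",
        (float(setpoint), device_id, user_id),
    )
    if cur.rowcount != 1:
        # Same answer for "not yours" and "does not exist": do not leak which device ids are valid.
        raise AuthorizationError("device not found for this account")
    conn.commit()
    return get_setpoint(conn, device_id)


def attempt_setpoint(conn, user_id, device_id, setpoint):
    """Convenience wrapper returning (status, current setpoint) so outcomes are easy to inspect."""
    try:
        return ("ok", set_setpoint(conn, user_id, device_id, setpoint))
    except AuthorizationError:
        return ("denied", get_setpoint(conn, device_id))
    except ValueError:
        return ("invalid", get_setpoint(conn, device_id))


if __name__ == "__main__":
    db = build_portal_db()
    print(attempt_setpoint(db, 1, "therm-0001", 22.0))   # owner: ('ok', 22.0)
    print(attempt_setpoint(db, 2, "therm-0001", 30.0))   # other account: ('denied', 22.0)
    print(attempt_setpoint(db, 1, "therm-0001", 99.0))   # bad input: ('invalid', 22.0)
    print(set_setpoint_insecure(db, "therm-0001", 30.0))  # vulnerable handler: 30.0 written by anyone
```

The ownership condition lives inside the UPDATE rather than in a separate lookup, so there is no window between "check" and "act", and the handler returns the same error for a foreign device as for a nonexistent one. In a real portal the `user_id` would come from the verified session, never from the request body.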

Building the application is only the start; one must also ensure that it stays secure by running regular vulnerability scans, penetration tests and security code audits. And it is paramount not to overlook other potential attack vectors, such as adjacent applications, servers and so on. After all, you are only as secure as your weakest link, as I outlined in one of my previous blog posts.

To keep track of all these security tasks, it is also highly recommended to implement a full Information Security Management System (ISMS). Standards such as ISO 27001 can serve as the basis for one.

Next month, I will dive into the challenges of securing IoT device-to-cloud communications.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.
