IoT security control questions
1. Name three aspects of information security
Confidentiality, integrity and availability
2. What is the information security risk?
Information security risk is the possibility that a threat will exploit a vulnerability of an asset or group of assets and thereby cause damage to an organization.
3. What is the information security threat?
A threat is a potential or actual danger that some act (an action or inaction) directed against the object of protection (information resources) will cause damage to its owner or user, for example through distortion or loss of information.
4. What is the information vulnerability?
A vulnerability is a shortcoming (error(s)) or weakness in a system’s design, implementation or operation and management that could be exploited to violate the system’s security policy.
5. List the vulnerabilities of web-interfaces in IoT
• Weak default credentials (logins and passwords)
• Credentials exposed in network traffic
• Cross-site scripting (XSS)
• SQL injection
• Weak session management
• Weak account lockout and account deletion settings
6. List the vulnerabilities of authentication in IoT
• Absence of a strong password policy
• Absence of two-factor authentication
• Insecure password recovery
• Absence of role-based access control
7. List the vulnerabilities in network services in IoT
• Vulnerable services
• Buffer overflow
• Ports opened through UPnP
• Exploitable UDP services
• DoS and DDoS attacks
8. List the methods of countering the vulnerabilities of network interfaces in IoT
• Initial setup that includes a mandatory change of the default password
• Robust password-recovery mechanisms that do not reveal information about which accounts are valid
• Protection of the web interface (input sanitization against XSS, SQLi and CSRF)
• A password policy that regulates password complexity
• Account lockout after a certain number of failed login attempts
9. List methods of countering the vulnerabilities of authentication in IoT
• Configuring strong password policies
• Granular access control where necessary
• Adequate protection of credentials
• Two-factor authentication
• Secure password-recovery mechanisms
• Re-authentication for sensitive device functions
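The following Python program is an added example, not part of the original question list, showing how three of the countermeasures from questions 8 and 9 fit together on a device: a forced change of the factory-default password at first login, a password complexity policy, and lockout after a fixed number of failed attempts. The account name, the factory-default list, the lockout threshold and duration and the minimum password length are all constructed values for the example, not figures from the page.

```python
"""Password policy, forced default-password change and account lockout.
All device names, credentials and thresholds below are constructed for the example."""
import hashlib
import hmac
import os
import re
import time

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration
MIN_PASSWORD_LENGTH = 12       # assumed policy minimum

# Constructed list of factory defaults that must never remain in use.
FACTORY_DEFAULTS = {"admin", "password", "12345678", "device123"}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both lower- and upper-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if password.lower() in FACTORY_DEFAULTS:
        problems.append("is a known factory default")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 hash; the device stores (salt, digest), never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Account:
    def __init__(self, username: str, password: str, is_default: bool = False):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.must_change_password = is_default   # forces a change on first login
        self.failed_attempts = 0
        self.locked_until = 0.0


def login(account: Account, password: str, now: float = None) -> str:
    """Return 'locked', 'denied', 'change_password' or 'ok'."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    _, digest = hash_password(password, account.salt)
    if not hmac.compare_digest(digest, account.digest):   # constant-time comparison
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return "locked"
        return "denied"
    account.failed_attempts = 0
    if account.must_change_password:
        return "change_password"   # default credential may not be used for anything else
    return "ok"


def change_password(account: Account, new_password: str) -> list:
    """Apply the policy; on success store the new hash and clear the forced-change flag."""
    problems = check_password_policy(new_password)
    if not problems:
        account.salt, account.digest = hash_password(new_password)
        account.must_change_password = False
    return problems


if __name__ == "__main__":
    acct = Account("admin", "admin", is_default=True)          # constructed factory account
    print(login(acct, "admin"))                                # change_password
    print(change_password(acct, "Gateway-Room7-2024"))         # []
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(login(acct, "wrong", now=1000.0))                # denied x4, then locked
    print(login(acct, "Gateway-Room7-2024", now=1000.0))       # locked
    print(login(acct, "Gateway-Room7-2024", now=1000.0 + LOCKOUT_SECONDS))  # ok
```

Note that a correct password during the lockout window is still refused, which is what makes the lockout a defence against guessing rather than a mere delay; the `now` parameter exists only so the window can be exercised without waiting.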
10. List methods of countering the vulnerabilities in network services in IoT
• Exposing only the ports that are actually needed
• Configuring and using services that are not vulnerable to buffer overflow and similar attacks
• Configuring and using services that are not vulnerable to DoS and DDoS attacks, which can affect the device itself or other devices and/or users on the local network or on other networks
• Controlling the use of UPnP and similar technologies that open access to network ports or services
11. Name three methods of malware detection
Signature-based detection, behaviour-based detection and dynamic analysis
12. What is the signature-based detection technique?
Signature-based detection is the traditional method used to detect malicious software on PCs. Both static and dynamic methods are used to derive a signature. Signature-based technology tracks known threats: in computing, every object has attributes that can be used to build a unique signature for it, and algorithms can quickly and efficiently scan an object to determine its signature. When an anti-malware vendor identifies an object as malicious, its signature is added to the database of known malicious applications.
13. What is the behaviour-based detection technique?
Behaviour-based detection is a method of detecting an intrusion by comparing predetermined attack templates with the behaviour of the processes running in the system. It is one of the research directions that has received the most attention recently, because signature-based detection has limited ability to detect malicious behaviour. To find abnormal patterns, it generally monitors information about events that arise in smartphone functions such as memory use, SMS contents and battery consumption.
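As an added example (not code from the original page), the program below puts the two techniques from questions 12 and 13 side by side: a signature scanner that fingerprints objects against a database of known-bad hashes and byte patterns, and a behaviour scanner that compares an event stream from processes with predetermined attack templates. The "malware" samples, the signature and pattern databases, the attack templates, the event log and the thresholds are all constructed for the example; a real product would use vendor-supplied signatures and tuned thresholds.

```python
"""Toy signature-based and behaviour-based detectors.
Samples, signatures, templates and events are constructed for this example."""
import hashlib
from typing import List, Optional, Tuple

# --- Signature-based: compare objects against fingerprints of known threats ---

# Constructed "known malware" samples standing in for a vendor signature database.
KNOWN_BAD_SAMPLES = [
    b"PAYLOAD: send all SMS to premium number",
    b"PAYLOAD: exfiltrate contact list",
]
SIGNATURE_DB = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}
# Byte-pattern signatures catch variants that share code but differ in hash.
PATTERN_DB = [b"send all SMS", b"exfiltrate contact"]


def signature_scan(obj: bytes) -> Optional[str]:
    """Return the matching signature name, or None if the object is not known."""
    digest = hashlib.sha256(obj).hexdigest()
    if digest in SIGNATURE_DB:
        return f"hash:{digest[:12]}"
    for pattern in PATTERN_DB:
        if pattern in obj:
            return f"pattern:{pattern.decode()}"
    return None   # unknown objects pass: the limitation behaviour-based detection addresses


# --- Behaviour-based: compare observed events with predetermined attack templates ---

# Each template: (event type, threshold count within the window, description).
ATTACK_TEMPLATES = [
    ("sms_sent", 10, "SMS flood (premium-rate abuse)"),
    ("contacts_read", 3, "repeated contact-list access"),
]
WINDOW_SECONDS = 60


def behaviour_scan(events: List[Tuple[float, str, str]]) -> List[str]:
    """events are (timestamp, process, event_type) tuples. Return one alert per
    process and template whose activity in any 60-second window reaches the threshold."""
    alerts = []
    by_process = {}
    for ts, proc, etype in sorted(events):
        by_process.setdefault(proc, []).append((ts, etype))
    for proc, evs in by_process.items():
        for etype, threshold, desc in ATTACK_TEMPLATES:
            stamps = [ts for ts, e in evs if e == etype]
            # Sliding window: count events within WINDOW_SECONDS of each candidate start.
            for i, start in enumerate(stamps):
                count = sum(1 for t in stamps[i:] if t - start <= WINDOW_SECONDS)
                if count >= threshold:
                    alerts.append(f"{proc}: {desc} ({count} {etype} events in {WINDOW_SECONDS}s)")
                    break
    return alerts


# Constructed event log: a messenger sending two SMS, and a "flashlight" app that
# sends 12 SMS in 12 seconds and then reads the contact list three times.
SAMPLE_EVENTS = [
    (0.0, "messenger", "sms_sent"),
    (5.0, "messenger", "sms_sent"),
    *[(float(i), "flashlight", "sms_sent") for i in range(12)],
    (100.0, "flashlight", "contacts_read"),
    (110.0, "flashlight", "contacts_read"),
    (130.0, "flashlight", "contacts_read"),
]

if __name__ == "__main__":
    print(signature_scan(KNOWN_BAD_SAMPLES[0]))                    # hash:...
    print(signature_scan(b"variant: exfiltrate contact list v2"))  # pattern:exfiltrate contact
    print(signature_scan(b"hello world"))                          # None
    for alert in behaviour_scan(SAMPLE_EVENTS):
        print(alert)                                               # two flashlight alerts
```

The unknown object that the signature scanner lets through and the flashlight app that the behaviour scanner flags illustrate the complementary coverage the two answers describe: signatures are precise for what is already catalogued, templates of abnormal activity catch what is not.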
14. What is the WirelessHART?
WirelessHART is a secure protocol that provides several levels of protection. All traffic is protected: the payload is encrypted, and every message is authenticated both hop by hop and end to end. WirelessHART requires that all devices be provisioned with a shared secret key and the network identifier in order to join a network. Although resource-constrained, WirelessHART is a bidirectional network of fairly powerful devices with a central network manager and controller. WirelessHART, currently the only WSN standard developed primarily for industrial automation and control, is well developed in other aspects besides security.
15. What is the 6LoWPAN?
6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks) is the name of a concluded working group in the Internet area of the IETF. The 6LoWPAN concept originated from the idea that “the Internet Protocol could and should be applied even to the smallest devices, and that low-power devices with limited processing capabilities should be able to participate in the Internet of Things.”
16. What general ways of improving IoT privacy do you know?
Full list: https://home.roboticlab.eu/en/iot-open/security_and_privacy_in_iot_ume/iot_privacy
17. What is the inventory attack speaking of IoT threats?
Inventory attacks refer to the unauthorized collection of information about the existence and characteristics of personal things. One evolving feature of the IoT is interconnection. With the realization of the All-IP and end-to-end vision, smart things become query-able over the Internet. While things can then be queried from anywhere by legitimate entities (e.g. the owner and authorized users of the system), non-legitimate parties can query and exploit this to compile an inventory list of things at a specific place, e.g. of a household, office building, or factory.
18. What is the linkage threat speaking of IoT?
This threat consists in linking previously separate systems such that the combination of data sources reveals (truthful or erroneous) information that the subject did not disclose to the previously isolated sources and, most importantly, did not want to reveal. Users fear poor judgement and loss of context when data gathered by different parties under different contexts and permissions is combined.
19. What is the profiling threat speaking of IoT?
Profiling denotes the threat of compiling information dossiers about individuals in order to infer interests by correlation with other profiles and data. Profiling methods are mostly used for personalization in e-commerce (e.g. in recommender systems, newsletters and advertisements) but also for internal optimization based on customer demographics and interests. Examples of profiling leading to a violation of privacy are price discrimination, unsolicited advertisements, social engineering, or erroneous automatic decisions, e.g. Facebook’s automatic detection of sexual offenders.
20. What difficulties arise during authentication in IoT?
First, most legislation is built around the vague concept of personally identifiable information (PII). However, attempts to produce a concise definition of what constitutes PII (for example, by listing combinations of identifying attributes) quickly become outdated as new IoT technologies emerge and integrate new data sets that can enable identification, making it harder to distinguish PII from non-PII. Secondly, the timeliness of legislation is a constant problem: with the rapid development of the IoT, legislation will inevitably fall further behind. An example is smart meter readings, which already allow the collection of exhaustive information about people's lives. Thirdly, many privacy violations go unnoticed today. In the IoT, users' awareness of privacy violations will be even lower as data collection moves into everyday things and happens more passively. Legislation, however, is often only a response to public outcry, which requires that incidents be noticed in the first place. Finally, the economics of privacy still favour those who ignore privacy legislation. On the one hand, developing privacy-enhancing technologies (PETs), ensuring compliance and auditing privacy policies are expensive and can constrain business models. On the other hand, violations of privacy law either remain unpunished or lead only to relatively small penalties, while public awareness is still too low to cause unacceptable damage to a company's reputation.