Why penetration testing needs to be part of your IoT security – Security Boulevard

Penetration testing is critical to assessing the overall strength of your company's defense against cyber criminals targeting IoT devices.

IoT devices are ubiquitous in our daily lives, whether at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to Gartner, there were over 20 billion IoT devices in 2020. As businesses globally have transformed their processes over the past decade with more embedded IoT-driven intelligence, these billions of connected devices have also become a soft target for cyber criminals. Nokia's Threat Intelligence Lab reported in 2020 that IoT devices are now responsible for 32.72% of all infections observed in mobile and Wi-Fi networks, up from 16.17% in 2019.

With millions of exposed endpoints, cyber criminals not only leverage compromised devices to launch distributed denial of service (DDoS) attacks; these devices also present a sustained national security threat. So it's no surprise that even the FBI has taken notice and provided continued guidance on secure IoT practices to defend against cyber criminals targeting unsecured IoT devices. We have consistently noted that inadequate security capabilities, a lack of real-time vulnerability patching, and a lack of consumer awareness are key drivers for repeated attacks on IoT devices.

The Center for Internet Security, Inc. (CIS) has recommended best practices for securing IT systems and data. For large organizations it is key to implement organizational CIS controls that focus on people and processes and drive change, executing an integrated plan to improve the organization's risk posture. CIS Control 20: Penetration Testing and Red Team Exercises is a well-defined method for implementing organizational controls. These tests allow cyber security experts to detect vulnerabilities and assess the overall strength of an organization's defense by simulating the actions of an attacker. Attackers often target software deployment vulnerabilities such as configuration, policy management, and gaps in the interactions among multiple threat detection tools to exploit security gaps.

First, IoT devices can have several types of interfaces: web-based interfaces for consumers, or object interfaces for governance-as-code types of application such as control systems. Hence input validation, command injection, and code injection should be a primary focus of penetration testing of IoT devices.
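To make the first focus area concrete, here is an added example (not code from the original post or from any vendor it names): a hypothetical device diagnostics handler that passes a user-supplied host to `ping`, shown first in the injectable form a tester would flag and then with allowlist input validation and a shell-free invocation. The function names and sample values are constructed for this illustration.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each 1-63 chars, not starting or ending with a hyphen, total <= 253 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def unsafe_ping_command(host: str) -> str:
    """'Before' form: the request parameter is spliced into a shell command
    line (typically run with shell=True), so metacharacters such as ';' or
    '$()' in the parameter change what the device actually executes."""
    return f"ping -c 1 {host}"

def validate_host(host: str) -> str:
    """Allowlist validation: accept only a literal IP address or a syntactically
    valid hostname. Anything else (spaces, quotes, ';', '|', '$()', a leading
    '-' that ping would parse as an option, ...) is rejected with ValueError."""
    if not isinstance(host, str) or not 1 <= len(host) <= 253:
        raise ValueError("host parameter missing or too long")
    try:
        return str(ipaddress.ip_address(host))  # normalised IPv4/IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")

def is_safe_host(host: str) -> bool:
    """Boolean view of validate_host, handy for request logging and alerting."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

def build_ping_argv(host: str) -> list:
    """'After' form: validate, then build an argv list for subprocess.run(...,
    shell=False). The host is one argument and is never parsed as shell syntax."""
    return ["ping", "-c", "1", validate_host(host)]

if __name__ == "__main__":
    # Constructed sample values such a diagnostics page might receive.
    for sample in ["192.0.2.10", "gateway.local", "192.0.2.10; reboot", "-f"]:
        print(f"{sample!r:24} unsafe={unsafe_ping_command(sample)!r} "
              f"accepted={is_safe_host(sample)}")
```

The same allowlist-then-argv pattern applies to any device parameter that ends up in a process invocation (interface names, file names, NTP servers); the validation rule changes, the absence of a shell does not.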

Second, the network infrastructure interconnecting IoT objects can often be vulnerable, and for IoT devices on a single network, a malicious attack needs only a single exploit to be successful. It is important to use both automated tools and manual penetration testing methods to do complete, specialized penetration testing of the network infrastructure, associated cryptographic schemes, and communication protocols.

Finally, it is critical to scan proprietary programs, which represent the entire system architecture. Eighty-four percent of proprietary programs contain at least one open source vulnerability, according to the sixth Open Source Security and Risk Analysis (OSSRA) report produced by Synopsys. This represents immense heterogeneity and complexity in the codebases; hence it is important for experienced penetration testing professionals to use intelligent gray box testing to achieve excellent coverage of the test types required for a comprehensive penetration test.

It is key to build a comprehensive security defense posture with governance by code, policy management, and coaching team members to secure the entire software development life cycle (SDLC). As software releases become more frequent and more complex, penetration testing is an easy process for security professionals to periodically test their defenses, identify gaps, and drive remediation with the product development teams. By conducting sophisticated penetration testing that includes diverse attack vectors such as wireless, client-based, and web application attacks, organizations can gain deeper insights into the business risks of these various vulnerabilities, enabling them to configure an appropriate defense posture suited to their ecosystem.
