Where should companies start when it comes to device security?
Connected device manufacturers are increasing production to meet demand in a fast-growing industry. According to McKinsey, the market value of IoT is expected to be between $5.5 trillion and $12.6 trillion by 2030. That leaves IoT makers in need of a security strategy that can scale with the growing market. But security for IoT devices isn’t yet as mature as it is in other sectors.
IoT devices are discoverable, easy to access, and more connected to physical systems than ever before. This leaves them vulnerable to opportunistic threat actors as well as more sophisticated nation-state attackers looking to carry out distributed denial-of-service (DDoS) attacks, assemble botnets, and direct cyber-physical attacks on critical environments.
The IoT Security Foundation recently released a report that found only 21.6% of firms have a detectable vulnerability disclosure policy and 78.4% of firms would fail a threshold test.
Many device manufacturers struggle to prioritize product security without sacrificing production or incurring large costs. In Ponemon’s survey, most respondents say they struggle with a lack of resources (62%) and lack of in-house expertise (60%) as top obstacles to expanding product security efforts. This shows that security is not yet an executive priority, and that’s having a negative, real-world impact. While only 27% say their company’s leaders require proof of product security, 94% of respondents see a moderate or high impact from recent supply chain compromises on their security priorities.
Customers, for their part, are paying attention: According to Ponemon’s study, 76% of respondents said their customers rank the importance of device security at least 7 out of 10. Securing your connected and embedded products is critical to staying competitive, so let’s look at strategies to create secure products at scale.
Identify your baseline
You can’t secure what you can’t see. If you’re unaware of all the components in your embedded device firmware – like the 70% of Ponemon’s respondents who can’t create a software bill of materials (SBOM) for their devices – any remaining security efforts will have a significant blind spot.
Finding a baseline will offer insight into which vulnerabilities exist within firmware and give you a starting point as you look to improve the device’s security posture. For many manufacturers, penetration testing represents a baseline security tactic, but this type of testing is difficult to scale and impossible to automate.
According to one recent study, commercial third-party code is now more common than in-house developed code. Attackers are more likely to exploit vulnerabilities in widely used components than to launch a bespoke attack on first-party code. When you need to know what’s in your devices without vendor cooperation, binary analysis provides an excellent baseline security testing strategy. Discovering components and identifying servers pinged by the code running in your devices can give you the visibility you need into where your data is going and what software is operating in your devices.
Without this baseline of visibility into binaries, you could allow major security holes into devices deployed in critical environments. For example, DJI drones were found to transmit information to the Chinese government, leading to pressure from the Pentagon to halt their use.
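As an added illustration of the binary-analysis baseline described above (example code written for this piece, not from Help Net Security or any vendor tool), the script below pulls component version banners and network endpoints out of a raw firmware image and flags components below a minimum-version policy; the sample bytes, the `example-vendor.invalid` hostnames and the policy thresholds are all constructed assumptions.

```python
import re

# Constructed sample "firmware": binary padding around the kinds of strings a
# real image carries (library banners, an update URL, a telemetry hostname).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00" + b"\xde\xad\xbe\xef" * 4
    + b"BusyBox v1.22.1 (2015-11-09 10:23:41 UTC) multi-call binary\x00"
    + b"https://updates.example-vendor.invalid/fw/check\x00"
    + b"telemetry.example-vendor.invalid\x00" + b"zlib-1.2.13\x00" + b"\xff" * 32
)
# Version banners that common components leave in their binaries.
COMPONENT_PATTERNS = {
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "busybox": rb"BusyBox v(\d+\.\d+\.\d+)",
    "zlib": rb"zlib-(\d+\.\d+\.\d+)",
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00]*)?")
# Bare hostname: two or more labels with an alphabetic top-level label, so
# version numbers such as 1.2.13 do not match.
HOST_RE = re.compile(rb"(?<![\w.\-/])[a-z0-9][a-z0-9\-]*(?:\.[a-z0-9\-]+)*\.[a-z]{2,}(?![\w.\-/])")
# Illustrative minimum-version policy (an assumption, not a vulnerability
# database): anything older is flagged for review against an advisory feed.
MIN_VERSION = {"openssl": (1, 1, 1), "busybox": (1, 30, 0), "zlib": (1, 2, 11)}

def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII, like the `strings` utility does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group()

def inventory(blob: bytes) -> dict:
    """Return {'components': {name: version}, 'endpoints': [url or host, ...]}."""
    components, endpoints = {}, set()
    for s in printable_strings(blob):
        for name, pat in COMPONENT_PATTERNS.items():
            m = re.search(pat, s)
            if m:
                components[name] = m.group(1).decode()
        urls = [m.group().decode() for m in URL_RE.finditer(s)]
        # A string holding a URL is recorded as the URL, not as a bare host.
        endpoints.update(urls or (m.group().decode() for m in HOST_RE.finditer(s)))
    return {"components": components, "endpoints": sorted(endpoints)}

def version_tuple(v: str) -> tuple:
    """'1.0.2k' -> (1, 0, 2); the letter suffix is ignored for comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def stale_components(inv: dict) -> list:
    """Discovered components whose version is below the policy minimum."""
    return sorted(n for n, v in inv["components"].items()
                  if n in MIN_VERSION and version_tuple(v) < MIN_VERSION[n])
```

Run against a real image, the same two outputs (component list and outbound endpoints) are the raw material for an SBOM and for a review of where the device's traffic actually goes.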
Continue reading: https://www.helpnetsecurity.com/2022/03/31/devices-security/