https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-architecture
Fundamental Security Properties
Confidentiality
Threat sources:
—Network Monitoring
—Shoulder surfing: monitoring keystrokes or the screen
—Stealing password files
—Social Engineering- one person posing as the actual
Countermeasures:
—Encrypting data as it is stored and transmitted.
—By using network padding
—Implementing strict access control mechanisms and data classification
—Training personnel on proper procedures.
Integrity
Threat sources:
—Viruses
—Logic Bombs
—Backdoors
Countermeasures:
—Strict Access Control
—Intrusion Detection
—Hashing
Availability
Threat sources:
—Device or software failure.
—Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
—Denial-of-service (DoS) attacks
Countermeasures:
—Maintaining backups to replace the failed system
—IDS to monitor the network traffic and host system activities
—Use of certain firewall and router configurations
—Authenticity
Security Terminology and Basics
—Asset is anything of value that should be protected from harm. An asset can require protection because it is the potential target of attack. Assets can be people, properties (e.g., data, hardware, software, and facilities), and services.
—Attack (security breach) is an attacker’s unauthorized attempt to cause harm to an asset (i.e., violate the security of the system, bypass security mechanisms). An attack may be either successful or unsuccessful.
—Attacker is an agent (e.g., humans, programs, processes, devices, or other systems) that causes an attack due to the desire to cause harm to an asset.
—Harm is a negative impact associated with an asset due to an attack.
—Threat is a general condition, situation, or state (typically corresponding to the motivation of potential attackers) that may result in one or more related attacks.
—Security is the degree to which malicious harm to a valuable asset is prevented, reduced, and properly responded to. Security is thus the quality factor that signifies the degree to which valuable assets are protected from significant threats posed by malicious attackers.
—Security Vulnerability is any weakness in the system that increases the likelihood of a successful attack (i.e., cause harm).
—Security Mechanism is an architecture that defines how a security requirement is fulfilled in both hardware and software in order to reduce security vulnerabilities.
Access Control is the degree to which the system limits access to its resources only to its authorized externals (e.g., human users, programs, processes, devices, or other systems). The following are quality subfactors of access control:
—Identification is the degree to which the system identifies (i.e., recognizes) its externals before interacting with them.
—Authentication is the degree to which the system verifies the identities of its externals before interacting with them.
—Authorization is the degree to which access and usage privileges of authenticated externals are properly granted and enforced.
Attack/Harm Detection is the degree to which attempted or successful attacks (or their resulting harm) are detected, recorded, and notified.
—Non-Repudiation is the degree to which a party to an interaction (e.g., message, transaction, transmission of data) is prevented from successfully repudiating (i.e., denying) any aspect of the interaction.
—Privacy is the degree to which unauthorized parties are prevented from obtaining sensitive information.
—Anonymity is the degree to which the identity of users is prevented from unauthorized storage or disclosure.
—Confidentiality is the degree to which sensitive information is not disclosed to unauthorized parties (e.g., individuals, programs, processes, devices, or other systems).
Integrity is the degree to which components are protected from intentional and unauthorized corruption:
—Data Integrity is the degree to which data components (including communications) are protected from intentional corruption (e.g., via unauthorized creation, modification, deletion, or replay).
—Hardware Integrity is the degree to which hardware components are protected from intentional corruption (e.g., via unauthorized addition, modification, or theft).
—Personnel Integrity is the degree to which human components are protected from intentional corruption (e.g., via bribery or extortion).
—Software Integrity is the degree to which software components are protected from intentional corruption (e.g., via unauthorized addition, modification, deletion, or theft).
—Immunity is the degree to which the system protects its software components from infection by unauthorized malicious programs (i.e., malware such as computer viruses, worms, Trojan horses, time bombs, malicious scripts, and spyware).
—Security Auditing is the degree to which security personnel are enabled to audit the status and use of security mechanisms by analyzing security-related events.
—Physical Protection is the degree to which the system protects itself and its components from physical attack.
Device Attack
Hack attack
—This type of attack is a software attack, e.g., a virus or malware.
Shack attack
—This includes low-budget hardware attacks that use a debug port or attach some hardware to the device. The attacker can attempt to connect to the device using JTAG debug, boundary scan I/O, and built-in self-test facilities.
Lab attack
—If the attacker has access to laboratory equipment, such as electron microscopes, they can perform unlimited reverse engineering of the device. It must be assumed that the attacker can reverse engineer transistor-level detail for any sensitive part of the design, including logic and memories.
Embedded Product Security
—Hardware Security
—Software Security
—Network Security
Security Implementation in Hardware
—Secure booting procedure
—Secure Storage
—Secure bus (Encrypted Transaction ~ untraceable Scrambled Signal)
—Secure Debug Port
—Hardware Port Secure Monitor
—Core Instruction unpredictable Timing design
—Secure Design of Encryption Processor
—HSM integration with SOC components
Security Implementation in Software
—Secure booting implementation
—Secure Storage implementation
—Secure Input Implementation
—Secure UI implementation
—Secure Application/Library/file system/driver run time execution environment.
—Secure Firmware upgrade
—Firmware integrity assurance
—Secure field updates
—Secure access controls
—Secure identification and authentication
—Secure storage for the rest of the chip
—Secure debug and test access control
—Developing software by adopting a secure coding methodology
Security Implementation in Communication
—Secure communication with a server or intermediate device, e.g., a gateway
—Implementing security parameters based on the specification of the communication type, e.g., a secure Internet connection using OpenSSL, WolfSSL, MbedSSL, etc.
Hardware Security Internals (HSM: Hardware Secure Module)
—Secure monitoring during power-up and operation of the SoC
—Secure validation and authentication
—Storage protection
—Secure communication