Practical Internet of Things Security
By Brian Russell and Drew Van Duren
Updated: 2021-06-10 18:43:29
With the advent of the Internet of Things (IoT), businesses have to defend against new types of threat. The business ecosystem now includes the cloud computing infrastructure, mobile and fixed endpoints that open up new attack surfaces. It therefore becomes critical to ensure that cybersecurity threats are contained to a minimum when implementing new IoT services and solutions. This book shows you how to implement cybersecurity solutions, IoT design best practices, and risk mitigation methodologies to address device and infrastructure threats to IoT solutions. In this second edition, you will go through some typical and unique vulnerabilities seen within various layers of the IoT technology stack and also learn new ways in which IT and physical threats interact. You will then explore the different engineering approaches a developer/manufacturer might take to securely design and deploy IoT devices. Furthermore, you will securely develop your own custom additions for an enterprise IoT implementation. You will also be provided with actionable guidance through setting up a cryptographic infrastructure for your IoT implementations. You will then be guided on the selection and configuration of Identity and Access Management solutions for an IoT implementation. In conclusion, you will explore cloud security architectures and security best practices for operating and managing cross-organizational, multi-domain IoT deployments.
Brand: 中圖公司
Listed: 2021-06-10 18:19:21
Publisher: Packt Publishing
Digital rights for this book are provided by 中圖公司, which has authorized 上海閱文信息技術有限公司 to produce and distribute it.
- coverpage
- Title Page
- Dedication
- About Packt
- Why subscribe?
- Packt.com
- Contributors
- About the authors
- About the reviewer
- Packt is searching for authors like you
- Preface
- Who this book is for
- What this book covers
- To get the most out of this book
- Download the color images
- Conventions used
- Get in touch
- Reviews
- A Brave New World
- Defining the IoT
- Defining cyber-physical systems
- Cybersecurity versus IoT security
- The IoT of today
- An IoT-enabled energy grid
- Modernizing the transportation ecosystem
- Smart manufacturing
- Smart cities spread across the globe
- The importance of cross-industry collaboration
- The IoT ecosystem
- Physical devices and controllers
- The hardware
- Real-time operating systems
- Gateways
- IoT integration platforms and solutions
- Connectivity
- Transport protocols
- Network protocols
- Data link and physical protocols
- IEEE 802.15.4
- ZWave
- Bluetooth low energy
- Cellular communications
- Messaging protocols
- MQTT
- CoAP
- XMPP
- DDS
- AMQP
- Data accumulation
- Data abstraction
- Applications
- Collaboration and processing
- The IoT of tomorrow
- Autonomous systems
- Cognitive systems
- Summary
- Vulnerabilities, Attacks, and Countermeasures
- Primer on threats, vulnerability, and risks
- The classic pillars of information assurance
- Threats
- Vulnerability
- Risks
- Primer on attacks and countermeasures
- Common IoT attack types
- Attack trees
- Building an attack tree
- Fault (failure) trees and CPS
- Fault tree and attack tree differences
- Merging fault and attack tree analysis
- Example anatomy of a deadly cyber-physical attack
- Today's IoT attacks
- Attacks
- Authentication attacks
- Distributed Denial of Service (DDoS)
- Application security attacks
- Wireless reconnaissance and mapping
- Security protocol attacks
- Physical security attacks
- Lessons learned and systematic approaches
- Threat modeling an IoT system
- Step 1 – identify the assets
- Step 2 – create a system/architecture overview
- Step 3 – decompose the IoT system
- Step 4 – identify threats
- Step 5 – document the threats
- Step 6 – rate the threats
- Summary
- Approaches to Secure Development
- The Secure Development Life Cycle (SDLC)
- Waterfall
- Requirements
- Design
- Implementation
- Verification
- Spiral
- Agile
- Security engineering in Agile
- DevOps
- Handling non-functional requirements
- Security
- Threat modeling
- Other sources for security requirements
- Safety
- Hazard analysis
- Hazard and operability studies (HAZOPs)
- Fault-tree analysis
- Failure modes and effects analysis (FMEA)
- Resilience
- The need for software transparency
- Automated security analysis
- Engaging with the research community
- Summary
- Secure Design of IoT Devices
- The challenge of secure IoT development
- Speed to market matters
- Internet-connected devices face a deluge of attacks
- The IoT introduces new threats to user privacy
- IoT products and systems can be physically compromised
- Skilled security engineers are hard to find (and retain)
- Secure design goals
- Design IoT systems that mitigate automated attack risks
- Design IoT systems with secure points of integration
- Designing IoT systems to protect confidentiality and integrity
- Applying cryptography to secure data at rest and in motion
- Enabling visibility into the data life cycle and protecting data from manipulation
- Implementing secure OTA
- Design IoT systems that are safe
- Design IoT systems using hardware protection measures
- Introduce secure hardware components within your IoT system
- Incorporate anti-tamper mechanisms that report and/or react to attempted physical compromise
- Design IoT systems that remain available
- Cloud availability
- Guarding against unplanned equipment failure
- Load balancing
- Design IoT systems that are resilient
- Protecting against jamming attacks
- Device redundancy
- Gateway caching
- Digital configurations
- Gateway clustering
- Rate limiting
- Congestion control
- Provide flexible policy and security management features to administrators
- Provide logging mechanisms and feed integrity-protected logs to the cloud for safe storage
- Design IoT systems that are compliant
- The US IoT Cybersecurity Improvement Act (draft)
- ENISA's baseline security recommendations
- DHS guiding principles for secure IoT
- FDA guidance on IoT medical devices
- Summary
- Operational Security Life Cycle
- Defining your security policies
- Defining system roles
- Configuring gateway and network security
- Securing WSN
- Establishing good key management practices for WSNs
- Establishing physical protections
- Ports, protocols, and services
- Gateways
- Network services
- Network segmentation and network access controls
- Bootstrapping and securely configuring devices
- Configuring device security
- Setting up threat intelligence and vulnerability tracking
- Vulnerability tracking
- Threat intelligence
- Honeypots
- Managing assets
- Managing keys and certificates
- Handling misbehavior
- Managing accounts, passwords, and authorizations
- Managing firmware and patching updates
- Monitoring your system
- RF monitoring
- Training system stakeholders
- Security awareness training for employees
- Security administration training for the IoT
- Performing penetration testing
- Red and blue teams
- Evaluating hardware security
- The airwaves
- IoT penetration test tools
- Managing compliance
- HIPAA
- GDPR
- Monitoring for compliance
- Managing incidents
- Performing forensics
- Performing end-of-life maintenance
- Secure device disposal and zeroization
- Data purging
- Inventory control
- Data archiving and managing records
- Summary
- Cryptographic Fundamentals for IoT Security Engineering
- Cryptography and its role in securing the IoT
- Types and uses of cryptographic primitives in the IoT
- Encryption and decryption
- Symmetric encryption
- Block chaining modes
- Counter modes
- Asymmetric encryption
- Hashes
- Digital signatures
- Symmetric (MACs)
- Random number generation
- Ciphersuites
- Cryptographic module principles
- Cryptographic key management fundamentals
- Key generation
- Key establishment
- Key derivation
- Key storage
- Key escrow
- Key lifetime
- Key zeroization
- Accounting and management
- Summary of key management recommendations
- Examining cryptographic controls for IoT protocols
- Cryptographic controls built into IoT communication protocols
- ZigBee
- Bluetooth-LE
- Near Field Communication (NFC)
- Cryptographic controls built into IoT messaging protocols
- MQTT
- CoAP
- DDS
- REST
- Future-proofing IoT cryptography
- Crypto agility
- Post quantum cryptography
- Summary
- Identity and Access Management Solutions for the IoT
- An introduction to IAM for the IoT
- The identity life cycle
- Establish naming conventions and uniqueness requirements
- Naming a device
- Secure bootstrap
- Credential and attribute provisioning
- Local access
- Account monitoring and control
- Account updates
- Account suspension
- Account/credential deactivation/deletion
- Authentication credentials
- Passwords
- Symmetric keys
- Certificates
- X.509
- IEEE 1609.2
- Biometrics
- Authorization for the IoT
- IoT IAM infrastructure
- 802.1x
- PKI for the IoT
- PKI primer
- Trust stores
- PKI architecture for privacy
- Revocation support
- OCSP
- OCSP stapling
- SSL pinning
- Authorization and access control
- OAuth 2.0
- Authorization and access controls within publish/subscribe protocols
- Access controls within communication protocols
- Decentralized trust via blockchain ledgers
- Summary
- Mitigating IoT Privacy Concerns
- Privacy challenges introduced by the IoT
- A complex sharing environment
- Wearables
- Smart homes
- Metadata can leak private information
- New privacy approaches for credentials
- Privacy impacting on IoT security systems
- New methods of surveillance
- Guide to performing an IoT PIA
- Overview
- Authorities
- Characterizing collected information
- Uses of collected information
- Security
- Notice
- Data retention
- Information sharing
- Redress
- Auditing and accountability
- Privacy by design
- Privacy engineering recommendations
- Privacy throughout the organization
- Privacy-engineering professionals
- Privacy-engineering activities
- Understanding the privacy landscape
- Summary
- Setting Up an IoT Compliance Monitoring Program
- IoT compliance
- Implementing IoT systems in a compliant manner
- An IoT compliance program
- Executive oversight
- Policies, procedures, and documentation
- Training and education
- Skills assessments
- Cybersecurity tools
- Data security
- Defense in depth
- Privacy
- The IoT networks and the cloud
- Threats/attacks
- Certifications
- Testing
- Internal compliance monitoring
- Install/update sensors
- Automated search for flaws
- Collect results
- Triage
- Bug fixes
- Reporting
- System design updates
- Periodic risk assessments
- Black box testing
- White box assessments
- Fuzz testing
- A complex compliance environment
- Challenges associated with IoT compliance
- Examining existing compliance standards support for the IoT
- Underwriters Laboratory IoT certification
- NERC CIP
- HIPAA/HITECH
- PCI DSS
- The NIST Risk Management Framework (RMF)
- Summary
- Cloud Security for the IoT
- The role of the cloud in IoT systems
- A notional cloud security approach
- Moving back toward the edge
- The concept of the fog
- Threats to cloud IoT services
- Cloud-based security services for the IoT
- Device onboarding
- Hardware-to-cloud security
- Identity registries
- Naming your devices
- Onboarding a device into AWS IoT
- Key and certificate management
- Third-party solutions
- Policy management
- Group management
- Permissions
- Persistent configuration management
- Gateway security
- Authentication to the gateway
- Device management
- Compliance monitoring
- Security monitoring
- Summary
- IoT Incident Response and Forensic Analysis
- Threats to both safety and security
- Defining, planning, and executing an IoT incident response
- Incident response planning
- IoT system categorization
- IoT incident response procedures
- The cloud provider's role
- IoT incident response team composition
- Communication planning
- Operationalizing an IRP in your organization
- Detection and analysis
- Analyzing the compromised system
- Analyzing the IoT devices involved
- Escalation and monitoring
- Containment, eradication, and recovery
- Post-incident activities (recovery)
- IoT forensics
- Post-incident device forensics
- New data sources for crime solving
- Smart electrical meters and water meters
- Wearables
- Home security cameras
- Home assistants
- Summary
- Other Books You May Enjoy
- Leave a review - let other readers know what you think