Craig Smith at 19:37, 14 May 2016

2016-05-14T19:37:25Z

Craig Smith at 03:10, 30 November 2015

2015-11-30T03:10:17Z

Craig Smith: Created page with "== Tester IoT Security Guidance == (DRAFT) The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below i..."

2015-11-30T02:47:06Z

Created page with "== Tester IoT Security Guidance == (DRAFT) The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below i..."

New page

== Tester IoT Security Guidance ==

(DRAFT)

The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

{| border="1" class="wikitable" style="text-align: left"
! Category
! IoT Security Consideration
|-
| '''I1: Insecure Web Interface'''
|
* Assess any web interface to determine if weak passwords are allowed
* Assess the account lockout mechanism
* Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
* Assess the use of HTTPS to protect transmitted information
* Assess the ability to change the username and password
* Determine if web application firewalls are used to protect web interfaces
|-
| '''I2: Insufficient Authentication/Authorization'''
|
* Assess the solution for the use of strong passwords where authentication is needed
* Assess the solution for multi-user environments and ensure it includes functionality for role separation
* Assess the solution for Implementation two-factor authentication where possible
* Assess password recovery mechanisms
* Assess the solution for the option to require strong passwords
* Assess the solution for the option to force password expiration after a specific period
* Assess the solution for the option to change the default username and password
|-
| '''I3: Insecure Network Services'''
|
* Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
* Assess the solution to ensure test ports are are not present
|-
| '''I4: Lack of Transport Encryption'''
|
* Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
* Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
* Assess the solution to determine if a firewall option available is available
|-
| '''I5: Privacy Concerns'''
|
* Assess the solution to determine the amount of personal information collected
* Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
* Assess the solution to determine if Ensuring data is de-identified or anonymized
* Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
|-
| '''I6: Insecure Cloud Interface'''
|
* Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
* Assess the cloud-based web interface to ensure it disallows weak passwords
* Assess the cloud-based web interface to ensure it includes an account lockout mechanism
* Assess the cloud-based web interface to determine if two-factor authentication is used
* Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
* Assess all cloud interfaces to ensure transport encryption is used
* Assess the cloud interfaces to determine if the option to require strong passwords is available
* Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
* Assess the cloud interfaces to determine if the option to change the default username and password is available
|-
| '''I7: Insecure Mobile Interface'''
|
* Assess the mobile interface to ensure it disallows weak passwords
* Assess the mobile interface to ensure it includes an account lockout mechanism
* Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID)
* Assess the mobile interface to determine if it uses transport encryption
* Assess the mobile interface to determine if the option to require strong passwords is available
* Assess the mobile interface to determine if the option to force password expiration after a specific period is available
* Assess the mobile interface to determine if the option to change the default username and password is available
* Assess the mobile interface to determine the amount of personal information collected
|-
| '''I8: Insufficient Security Configurability'''
|
* Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available
* Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available
* Assess the solution to determine if logging for security events is available
* Assess the solution to determine if alerts and notifications to the user for security events are available
|-
| '''I9: Insecure Software/Firmware'''
|
* Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
* Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
* Assess the device to ensure is uses signed files and then validates that file before installation

|-
| '''I10: Poor Physical Security'''
|
* Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
* Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
* Assess the device to determine if it allows for disabling of unused physical ports such as USB
* Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only
|}

===General Recommendations===

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
* Avoid potential Account Harvesting issues by:
** Ensuring valid user accounts can't be identified by interface error messages
** Ensuring strong passwords are required by users
** Implementing account lockout after 3 - 5 failed login attempts

← Older revision		Revision as of 19:37, 14 May 2016
Line 1:		Line 1:
−	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project~~#tab=IoT_Attack_Surface_Areas~~ Back To The ~~IoT Attack Surface Areas~~ Project]</center>	+	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To The Internet of Things Project]</center>

	== Tester IoT Security Guidance ==		== Tester IoT Security Guidance ==

← Older revision		Revision as of 03:10, 30 November 2015
Line 1:		Line 1:
		+	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas Back To The IoT Attack Surface Areas Project]</center>
		+
	== Tester IoT Security Guidance ==		== Tester IoT Security Guidance ==

IoT Testing Guides - Revision history

Craig Smith at 19:37, 14 May 2016

Craig Smith at 03:10, 30 November 2015

Craig Smith: Created page with "== Tester IoT Security Guidance == (DRAFT) The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below i..."