The potential of the Internet of Things (IoT) is becoming
increasingly exciting for the IT industry, but this excitement carries a hidden
danger, according to a report from HP.
HP is not the only one voicing concerns: the FTC in the US is
taking a closer look at the IoT, and Ofcom in the UK is investigating a framework
for the technology, so that it develops in ways that benefit
consumers.
HP's concern is that, as soon as one security issue is solved
by the IT industry, it moves on to create another one.
In a recent article, HP's Daniel Miessler states, 'It seems
that every time we introduce a new space in IT we lose 10 years from our
collective security knowledge.' Daniel Miessler heads the research team at HP
Fortify on Demand and is a leader in the OWASP Internet of Things Top 10 Project.
He further says, 'Around 10 years ago we started talking about applications
being the horizon technology, and we proceeded to build a global application
portfolio ignoring the security lessons learned from the network world'.
'Then, five years ago, we decided that mobile was the real
place to be. So everyone started building mobile apps while ignoring everything
we've learned from securing web and thick-client applications', he said.
His concern now is that, if the industry continues with
this trend, it will have a new space that ignores the lessons of web application
security as well as mobile security, but it can get much worse than that.
IoT is not just a new insecure space, he said:
'It's a Frankenbeast of technology that links network, application, mobile and
cloud technologies together into a single ecosystem, and it unfortunately seems
to be taking on the worst security characteristics of each'.
In a recent IoT security report, HP Fortify on Demand
surveyed 10 devices across multiple product types and found that, on average,
20 vulnerabilities are present in every system. These products spanned
TVs, home automation hubs, thermostats and alarm systems.
In terms of dealing with these issues practically, Miessler
points to the work of the Open Web Application Security Project (OWASP), which has
come up with 10 key issues. They are:
- Insecure web interfaces
- Insecure mobile interfaces
- Insufficient authentication and authorization
- Insecure cloud interfaces
- Insecure network services
- Privacy concerns
- Lack of transport encryption
- Insufficient allowance for security systems configuration
- Poor physical security
- Insecure firmware and software
After considering the possible external threats, the next
step is to look at internal weaknesses. For example, when weak passwords are
used, an organization's authentication will not be sufficient.