Download: Cloud Security Alliance (CSA) publishes an IoT security guide with recommendations for the secure deployment of IoT devices

The Cloud Security Alliance (CSA) has published an IoT security guide, "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products", intended to help designers and developers of IoT-related products and services understand the basic security measures that must be built into the entire development process.

The report states:

The IoT is driving a transformation of consumer, commercial and industrial production processes and practices. In 2015 many types of IoT products appeared on the market, and we conducted some real-world research whose results show that concerns about IoT security are well founded. Based on this research, we learned that the security of IoT products (not merely securing the product itself) involves higher-level needs, which include:

  • The need to protect consumer privacy and limit the spread of PII and PHI
  • The need to protect business data and limit the leakage of sensitive information
  • The need to prevent IoT products from being used in DDoS attacks
  • The need to guard against the loss and harm caused by security compromises of these products

Main contents of the CSA IoT security guide

  1. A discussion of the security challenges of IoT devices
  2. An analysis of a survey conducted by the CSA IoT Working Group
  3. A discussion of security issues in IoT deployment platforms
  4. Classification of IoT devices and current trends
  5. Recommendations and a deployment process for secure devices
  6. A checklist that lets security engineers follow the deployment process
  7. A set of IoT product case studies and the threats they face

The main items of the guide's table of contents are excerpted below

  1. The Need for IoT Security

    1. IoT Products Can Compromise Privacy
    2. IoT products can lend their computing power to launch DDoS Attacks
    3. Medical Devices and Medical Standard Protocols are Vulnerable to Attack
    4. Drones Are Approaching Mainstream Status and Being Used as a Platform for Reconnaissance
    5. Critical national infrastructure can rely on the IoT ecosystem
    6. Cars are becoming connected and autonomous
    7. Moving Forward
  2. Why Development Organizations Should Care About Securing IoT Products

    1. IoT Device Security Challenges
    2. IoT products may be deployed in insecure or physically exposed environments
    3. Security is new to many manufacturers and there is limited security planning in development methodologies
    4. Security is not a business driver and there is limited security sponsorship and management support in development of IoT products
    5. There is a lack of defined standards and reference architecture for secure IoT development
    6. There are difficulties recruiting and retaining requisite skills for IoT development teams including architects, secure software engineers, hardware security engineers, and security testing staff
    7. The low price point increases the potential adversary pool
    8. Resource constraints in embedded systems limit security options
  3. IoT Security Survey
  4. Guidance for Secure IoT Development

      • 1. Start with a Secure Development Methodology

        • Security Requirements
        • Security Processes
        • Perform Safety Impact Assessment
        • Perform Threat Modeling
      • 2. Implement a Secure Development and Integration Environment

        • Evaluate Programming Languages
        • OWASP Python Security Project Link
        • Integrated Development Environments
        • Continuous Integration Plugins
        • Testing and Code Quality Processes
      • 3. Identify Framework and Platform Security Features

        • Selecting an Integration Framework
        • Evaluate Platform Security Features
      • 4. Establish Privacy Protections

        • Design IoT devices, services and systems to collect only the minimum amount of data necessary
        • Analyze device use cases to support compliance mandates as necessary
        • Design opt-in requirements for IoT device, service and system features
        • Implement Technical Privacy Protections
        • Privacy-enhanced Discovery Features | Rotating Certificates
      • 5. Design in Hardware-based Security Controls

        • The MicroController (MCU)
        • Trusted Platform Modules
        • Use of Memory Protection Units (MPUs)
        • Incorporate Physically Unclonable Functions
        • Use of specialized security chips / coprocessors
        • Use of cryptographic modules
        • Device Physical Protections
        • Tamper Protections
        • Guard the Supply Chain
        • Self-Tests
        • Secure Physical Interfaces
      • 6. Protect Data

        • Security Considerations for Selecting IoT Communication Protocols
      • 7. Secure Associated Applications and Services
      • 8. Protect Logical Interfaces / APIs

        • Implement Certificate Pinning Support
      • 9. Provide a Secure Update Capability
      • 10. Implement Authentication, Authorization and Access Control Features

        • Using Certificates for Authentication
        • Consider Biometrics for Authentication
        • Consider Certificate-Less Authenticated Encryption (CLAE)
        • OAuth 2.0
        • User Managed Access (UMA)
      • 11. Establish a Secure Key Management Capability

        • Design Secure Bootstrap Functions
      • 12. Provide Logging Mechanisms
      • 13. Perform Security Reviews (Internal and External)

Download the full text of the CSA IoT security guide
