hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015There’s an ongoing effort to engage developer communities to participate in creatinghardware, software, and firmware solutions covering network-connected, embedded, anddeeply embedded devices. This of course is not limited only to hardware and firmware. Thesoftware includes developing services, cloud solutions, and Big Data analytical and aggregatingplatforms. The industry, taught by the experiences of companies like Apple and Google,understands that a competitive advantage lies with ease of development and an abundanceof applications. This will drive the development of frameworks and standards even further.On the hardware end of things the same methodology persists. Success lies in targeting abroad community of makers, including those who are not entirely skilled in electronic design orengineering. This implies modular hardware design with most of the functionality embeddedinto ICs. It gives rise to a prevalence of system on integrated chip solutions (SoIC), whichsimplifies hardware design and connectivity but unfortunately, due to proprietary firmwaresolutions and a lack of unified interface protocols, increases solution fragmentationeven further.Major chip manufacturers, realizing the need for SoIC that target the lower and middle end ofIoT devices, are bringing comprehensive firmware and integrated development environmentsolutions to market. One popular approach is to separate the logic of the TCP/IP stack andWi-Fi radios from a connected device. There are many manufacturers racing to compete inthe fast growing IoT chipset and Wi-Fi modules field. Manufacturers to note include Microchip,STMicroelectronics, Texas Instruments, Freescale Semiconductor, Broadcom, QualcommAtheros, Nordic Semiconductor, Atmel, and others.The current lineup of developing frameworks shows that possible solutions are likely tocongregate around integrated and self-contained Wi-Fi modules connected to a host processor.Such modules will either offload networking services from a host controller, or will be capableof carrying application software on the network processor itself. These Wi-Fi modules are alsolikely to run a flavor of the Linux OS and its TCP/IP stack or another third-party OS, and to relyon lwIP (lightweight IP) or their own TCP/IP stack (often royalty-free with the use of proprietarychipsets such as Microchip and TI). The Wi-Fi module network processors, as well as host deviceprocessors, will gravitate toward a balance of computational power and the ability to sustainlower power consumption. This is especially important for “always-on” devices with lowerconnectivity bandwidth such as ambient light sensors, temperature and humidity sensors, andso on.With the sector rapidly expanding and so many alternative solutions rushed to the market bydifferent manufacturers, we should expect to experience further market fragmentation anda bigger variety of frameworks and available solutions. The initiative is there to introduce acommon open-source framework, including connectivity layers as well as development toolchains and software (for example, MBed, OpenIoT, or IoTSyS). This shows that popular IoTdevices are most likely to run an open source OS such as AllJoyn, which was initially developedby Qualcomm but is currently sponsored by the AllSeen Alliance. This is the most prominent OSand thus likely to be accepted as an industry standard because it is cross-platform and has APIsfor Android, iOS, OS X, Linux, and Windows. It also includes a framework and a set of servicesthat will allow manufacturers to create compatible devices. Other operating systems worthmentioning are Contiki, RaspbianPi (based on a Debian distribution of Linux), RIOT, and Spark.48
HP Security Research | Cyber Risk Report 2015The availability of open-sourcesolutions might act as a doubleedgedsword for discovering andmitigatingvulnerabilities.ConclusionDespite many efforts to abstract and universalize the IoT framework there remain multipleactors and competing solutions in the market today, and the fragmentation of solutions anddevices discussed in this section is likely to continue. Addressing security concerns such asattack vectors on such devices is likely to require individual solutions for each type and family ofdevice—an extremely difficult situation. The limit on the number of possible “over the air” or “inservice” upgrade-capable devices, especially in the lower-end cheap sensor segment, is likely tomake mitigating such attacks even more difficult.Attacks could involve various layers of the device infrastructure. This could include applicationsrunning on smartphones or tablets, cloud services—including firmware and network servicestacks on Wi-Fi modules—as well as the firmware and application layer on the host processor.Various vectors of propagation could also be used, including compromising update files orexploiting network and host processor communication layer vulnerabilities, as well as possiblevulnerabilities in cloud service infrastructures and smart device applications. The availabilityof open-source solutions might act as a double-edged sword for discovering and mitigatingvulnerabilities. On one hand, common source is likely to be susceptible to the same vulnerabilityacross a span of many devices, but on the other hand it will allow the broader community todiscover, test, and mitigate vulnerabilities earlier, provided the firmware and software can beupdated in a timely manner. Unfortunately in the case of many of the simpler IoT devices, thisjust might not be possible—at least initially. There are still a number of unknowns when itcomes to the security of the IoT in practice.The final section of our report brings us full circle and to one of the most important parts of thispublication—controls. It answers the important question of why vulnerabilities arise and showsa very different view of the threat landscape. Being aware of the specific circumstances that giverise to vulnerabilities lets security practitioners address their root causes and make enterprises,not to mention your coding practices and software selection, considerably more secure.ControlsIn the past year we have seen the manifestation of several vulnerabilities that gathered a stormof media attention. The uproar around Heartbleed, Shellshock, and Poodle brought renewedscrutiny to software dependencies as they relate to software architecture. We noted new trendsin where vulnerabilities are detected, as well as continued shifts in the types of weaknessesleading to them. To gain insight into the current state of software security, we analyzed asample set of security audits performed by HP Fortify on Demand on 378 mobile apps, 6504Web apps, and 138 Sonatype reports from 113 projects. These audits include results fromstatic, dynamic, and manual analysis.In order to have a consistent view of the data analyzed for this Report, we’ve ensured that allidentified issues were classified according to the HP Software Security Taxonomy (originallythe “Seven Pernicious Kingdoms”), which was substantially updated and refined 141 in mid-2014.These updates and refinements are reflected in HP WebInspect, our dynamic analyzer. Our workto extend the taxonomy to other assessment techniques (such as manual analysis) and HPFortify products (such as HP Fortify on Demand) continues in 2015.141http://www.gartner.com/newsroom/id/2636073.49
Page 1 and 2: BrochureHP SecurityResearchCyber Ri
Page 3 and 4: HP Security Research | Cyber Risk R
Page 47: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R

hp-security-research-cyber-risk-report-pdf-2-w-1408

Create successful ePaper yourself

Delete template?

Save as template?