IoT security is an important topic since IoT devices are deployed in many application domains: homes, cities, hospitals, critical infrastructures, etc. These devices have recently been used in attacks that caused damage at the scale of the Internet. Assessing the security of these devices, covering their software and hardware components as well as their interactions with other devices and services, is therefore of the highest importance.
How To Automate Security Assessment?
Have you thought of a tool suite for the security assessment of IoT devices? It would mainly rely on information collected through passive and active scanning of a running IoT device in its operational environment to build a Security Knowledge Base. The device's network communications, its running software and its available hardware properties are gathered through these probing techniques.
The collected data would be parsed by the Knowledge Extraction component to extract device-related information. The same component also pulls the related platform enumerations (CPE), vulnerabilities (CVE), attack patterns (CAPEC), weaknesses (CWE) and advisories (CERT/CSIRT) from the respective databases. The extracted information is then used to build the knowledge graph of the device and its environment.
We could then actively extract information from a device with the following steps:
- scanning the device for open ports, fingerprinting the OS and services, and extracting all available information for the identified services;
- testing a set of credentials against the device's management or user interfaces, i.e. a brute-force attack (SSH and Telnet are supported at the moment);
- performing grey-box tests and information extraction by logging in to the device.
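The following Python script is an added example (not code from the original page or from any existing tool) of the first step above, port scanning with banner grabbing, followed by the CPE part of the knowledge extraction. Because it must run offline, it starts its own stand-in device: a local TCP listener that only emits a constructed Dropbear-style SSH banner. The banner-to-CPE rules, the vendor/product names in them, the port list and the loopback target are assumptions; the credential test and the grey-box login of steps two and three are not shown.

```python
import re
import socket
import socketserver
import threading

# Constructed banner served by the stand-in device: a Dropbear-style SSH greeting.
FAKE_SSH_BANNER = b"SSH-2.0-dropbear_2019.78\r\n"


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Send the greeting and close, like an SSH/FTP/SMTP daemon that talks first.
        self.request.sendall(self.server.banner)


def start_fake_service(banner):
    """Start a local TCP listener on a free port that only emits `banner` (the scan target)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab_banner(host, port, timeout=1.0):
    """First bytes the service sends ('' if it stays silent or resets), or None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("ascii", "replace").strip()
            except OSError:          # socket.timeout is an OSError subclass
                return ""
    except OSError:
        return None


def scan(host, ports, timeout=1.0):
    """Active probe: {port: banner} for every port that accepted the connection."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


# Banner-to-CPE rules (assumed vendor/product names; extend from your own fingerprint corpus).
BANNER_RULES = [
    (re.compile(r"^SSH-2\.0-dropbear_([\w.]+)"), "dropbear_ssh_project", "dropbear_ssh"),
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "openbsd", "openssh"),
    (re.compile(r"^220 .*ProFTPD ([\w.]+)", re.I), "proftpd", "proftpd"),
]


def banner_to_cpe(banner):
    """Knowledge extraction step: map a banner to a CPE 2.3 formatted string, or None if unknown."""
    for rx, vendor, product in BANNER_RULES:
        m = rx.match(banner)
        if m:
            return f"cpe:2.3:a:{vendor}:{product}:{m.group(1)}:*:*:*:*:*:*:*"
    return None


def fingerprint(host, ports, timeout=1.0):
    """Combine scan and extraction into the facts the Security Knowledge Base ingests."""
    return [{"port": p, "banner": b, "cpe": banner_to_cpe(b)}
            for p, b in scan(host, ports, timeout).items()]


if __name__ == "__main__":
    srv = start_fake_service(FAKE_SSH_BANNER)
    port = srv.server_address[1]
    print(fingerprint("127.0.0.1", [port], timeout=2.0))
    srv.shutdown()
```

Against a real device the same `fingerprint()` call is pointed at its address and a port range; the returned `cpe` strings are what the Knowledge Extraction step later joins against the CPE/CVE databases, so a silent service (empty banner) is recorded but yields no CPE.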
We could also passively collect information by capturing the traffic exchanged on the device's network. This is a black-box approach: the device's communications are observed, without interacting with it, to infer its capabilities and behaviours.
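As an added example (not code from the original page or from any existing tool), the Python below performs that passive inference on raw Ethernet/IPv4 frames: it decodes the headers with `struct`, keeps only traffic the device originates, and turns DNS queries and outbound connection attempts into capability facts for the knowledge graph. The capture is constructed inline with the same helpers (checksums are left at zero, so the frames are for offline parsing only); the device address, the capability labels and the port-to-capability mapping are assumptions.

```python
import socket
import struct

DEVICE_IP = "192.168.1.20"   # the IoT device under observation (constructed address)


def _ipv4_frame(src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 header around an L4 segment; checksums left zero (offline use only)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    return _ipv4_frame(src_ip, dst_ip, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def tcp_syn_frame(src_ip, dst_ip, sport, dport):
    # data offset 5 words, flags = SYN only: the first packet of an outbound connection
    return _ipv4_frame(src_ip, dst_ip, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0))


def dns_query(name):
    """Minimal DNS A query payload for `name` (constructed)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _read_qname(data):
    labels, i = [], 0
    while data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)


def parse_frame(frame):
    """Pull the fields the inference needs out of an Ethernet/IPv4/{TCP,UDP} frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17):
        return None
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": proto, "sport": sport, "dport": dport}
    if proto == 6:
        rec["syn"] = (l4[13] & 0x12) == 0x02      # SYN set, ACK clear: a new outbound connection
    elif dport == 53 and len(l4) > 20:
        rec["qname"] = _read_qname(l4[20:])        # 8-byte UDP header + 12-byte DNS header
    return rec


# Which observed behaviour implies which capability (assumed labels for the knowledge graph).
PORT_CAPABILITIES = {(6, 80): "cleartext-http-client", (6, 443): "tls-client",
                     (6, 1883): "mqtt-client", (17, 123): "ntp-client", (17, 53): "dns-client"}


def infer_capabilities(frames, device_ip=DEVICE_IP):
    """Black-box inference: what the device does, judged only from traffic it originates."""
    caps, names, contacts = set(), set(), set()
    for frame in frames:
        rec = parse_frame(frame)
        if not rec or rec["src"] != device_ip:
            continue                                # ignore other hosts and replies to the device
        if rec["proto"] == 6 and not rec["syn"]:
            continue                                # only connection attempts count as contacts
        contacts.add((rec["dst"], rec["proto"], rec["dport"]))
        if (rec["proto"], rec["dport"]) in PORT_CAPABILITIES:
            caps.add(PORT_CAPABILITIES[(rec["proto"], rec["dport"])])
        if "qname" in rec:
            names.add(rec["qname"])
    return {"capabilities": caps, "dns_names": names, "contacts": contacts}


# Constructed capture: three frames from the device and one from an unrelated host.
SAMPLE_FRAMES = [
    udp_frame(DEVICE_IP, "192.168.1.1", 40000, 53, dns_query("api.example.net")),
    tcp_syn_frame(DEVICE_IP, "203.0.113.10", 40001, 80),
    udp_frame(DEVICE_IP, "203.0.113.20", 40002, 123, b"\x23" + b"\x00" * 47),
    tcp_syn_frame("192.168.1.5", "203.0.113.30", 50000, 443),
]

if __name__ == "__main__":
    print(infer_capabilities(SAMPLE_FRAMES))
```

In a real assessment the frames come from a pcap taken on a mirror port or a bridge in front of the device; the decoded facts (a cleartext HTTP client, the cloud endpoints it resolves) are exactly the kind of behaviour the active scan cannot see, because the device initiates them.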
The Security Knowledge Base could be built on a graph database that stores cyber threat intelligence documents, together with a computing framework for graph processing. More specifically, the following databases could be created:
- cve: Common Vulnerabilities and Exposures. It gathers public information about security vulnerabilities.
- cwe: Common Weakness Enumeration. It is a community-developed list of common software and hardware weaknesses.
- capec: Common Attack Pattern Enumeration and Classification. It is a dictionary of known attack patterns.
- cpe: Common Platform Enumeration. Structured names (URIs or formatted strings) that identify hardware platforms, operating systems and applications/software.
When assessing the security of a device, the Security Knowledge Base could contain two graphs:
- a Knowledge Graph
- a Vulnerability Graph.
The graphs can be queried via graph traversals, which run requests over a graph to extract information or to check for the presence of a capability or feature on the IoT device. This functionality could be used to implement the verification tool. The tool would take as parameters a JSON catalog of individual security properties to be checked in the Knowledge Graph, a JSON file listing the security templates that organise these properties for the targeted IoT device, and an XML file describing the functional requirements to check and their verification strategy, expressed through internal dependencies and the security templates.
Automated Verification of requirements
To validate security requirements, we could define security profiles. These profiles list the security functionalities or behaviours to check in a device's Knowledge Graph; they can be used to check for proper or improper usages or parameters, and even to annotate the graph. Profiles are defined via security properties, which are combined into security templates. For instance, in the context of the Common Criteria (CC), an international standard for certifying ICT products, a Security Target or a Protection Profile is written for the Target of Evaluation (TOE), which is the product, a part of the product, or a system that is the subject of the evaluation. Automated evaluation then serves to validate the security claims the vendor makes about that target. Depending on the targeted assurance level, requirements could be verified in a more or less semi-automated fashion.
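The graphs, traversals and verification inputs described in the two passages above (the Knowledge and Vulnerability Graphs and the catalog/template/requirements verification tool), as an added example that is not code from the original page or from any existing tool. A small in-memory labelled graph with a Gremlin-style `out()` chain stands in for the graph database; the scan facts, the CVE record (placeholder id), the CWE-to-CAPEC link, the property catalog, the templates and the requirements XML are constructed sample data, and their JSON/XML schemas are assumptions because the page does not specify them.

```python
import json
import xml.etree.ElementTree as ET
from collections import defaultdict


class Graph:
    """Minimal labelled property graph with a Gremlin-style out() chain (stand-in for a graph DB)."""

    def __init__(self):
        self.nodes = {}               # node id -> {"label": ..., other properties}
        self.out = defaultdict(list)  # node id -> [(edge label, destination id)]

    def add_node(self, nid, label, **props):
        self.nodes[nid] = {"label": label, **props}

    def add_edge(self, src, label, dst):
        self.out[src].append((label, dst))

    def traverse(self, start, *edge_labels):
        """Follow one edge label per hop from `start`; return the set of node ids reached."""
        frontier = {start}
        for lab in edge_labels:
            frontier = {d for n in frontier for (l, d) in self.out[n] if l == lab}
        return frontier


# Constructed scan facts for a hypothetical device (not from a real assessment).
SCAN_FACTS = {"ip": "192.168.1.20", "services": [
    {"port": 23, "name": "telnet", "cleartext": True, "management": True},
    {"port": 22, "name": "ssh", "cleartext": False, "management": True,
     "cpe": "cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2019.78:*:*:*:*:*:*:*"}]}
# Constructed CTI records: placeholder CVE id; the CWE -> CAPEC link is sample data, not NVD's.
CVE_DB = [{"id": "CVE-0000-0001", "severity": "critical", "cwes": ["CWE-287"],
           "affects": ["cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2019.78:*:*:*:*:*:*:*"]}]
CAPEC_FOR_CWE = {"CWE-287": ["CAPEC-114"]}


def build_knowledge_graph(facts):
    """Knowledge Graph: device -runs-> service -identified_as-> cpe."""
    g = Graph()
    g.add_node("dev", "device", ip=facts["ip"])
    for s in facts["services"]:
        sid = f"svc:{s['port']}"
        g.add_node(sid, "service", **{k: v for k, v in s.items() if k != "cpe"})
        g.add_edge("dev", "runs", sid)
        if s.get("cpe"):
            g.add_node(s["cpe"], "cpe")
            g.add_edge(sid, "identified_as", s["cpe"])
    return g


def link_vulnerabilities(g, cve_db, capec_for_cwe):
    """Vulnerability Graph: cpe -has_vuln-> cve -weakness-> cwe -attack_pattern-> capec."""
    for cve in cve_db:
        for cpe in (c for c in cve["affects"] if c in g.nodes):
            g.add_node(cve["id"], "cve", severity=cve["severity"])
            g.add_edge(cpe, "has_vuln", cve["id"])
            for cwe in cve["cwes"]:
                g.add_node(cwe, "cwe")
                g.add_edge(cve["id"], "weakness", cwe)
                for capec in capec_for_cwe.get(cwe, []):
                    g.add_node(capec, "capec")
                    g.add_edge(cwe, "attack_pattern", capec)
    return g


# Catalog of properties: a traversal from the device node, a property filter and an expectation.
CATALOG = {p["id"]: p for p in json.loads("""[
 {"id": "P-SSH-PRESENT", "path": ["runs"], "filter": {"name": "ssh"}, "expect": "some"},
 {"id": "P-NO-CLEARTEXT-MGMT", "path": ["runs"], "filter": {"cleartext": true, "management": true}, "expect": "none"},
 {"id": "P-NO-CRITICAL-VULN", "path": ["runs", "identified_as", "has_vuln"], "filter": {"severity": "critical"}, "expect": "none"}]""")}
# Templates group properties; the XML lists requirements, each verified over its templates.
TEMPLATES = {t["id"]: t for t in json.loads("""[
 {"id": "T-REMOTE-MGMT", "properties": ["P-SSH-PRESENT", "P-NO-CLEARTEXT-MGMT"]},
 {"id": "T-PATCH-LEVEL", "properties": ["P-NO-CRITICAL-VULN"]}]""")}
REQUIREMENTS_XML = """<requirements>
  <requirement id="R-ACCESS" strategy="all"><template ref="T-REMOTE-MGMT"/></requirement>
  <requirement id="R-UPDATED" strategy="all"><template ref="T-PATCH-LEVEL"/></requirement>
</requirements>"""


def eval_property(g, prop):
    """True when the expectation holds: 'some' needs a matching node, 'none' needs no match."""
    reached = g.traverse("dev", *prop["path"])
    hits = [n for n in reached if all(g.nodes[n].get(k) == v for k, v in prop.get("filter", {}).items())]
    return bool(hits) if prop["expect"] == "some" else not hits


def verify(g, catalog, templates, requirements_xml):
    """{requirement id: verdict}; strategy 'all' needs every template to hold, 'any' at least one."""
    results = {}
    for req in ET.fromstring(requirements_xml).findall("requirement"):
        outcomes = [all(eval_property(g, catalog[p]) for p in templates[t.get("ref")]["properties"])
                    for t in req.findall("template")]
        results[req.get("id")] = all(outcomes) if req.get("strategy", "all") == "all" else any(outcomes)
    return results


def assess(facts=SCAN_FACTS):
    """Build both graphs for the device and run the verification tool over them."""
    g = link_vulnerabilities(build_knowledge_graph(facts), CVE_DB, CAPEC_FOR_CWE)
    return g, verify(g, CATALOG, TEMPLATES, REQUIREMENTS_XML)
```

`assess()` returns both verdicts as failed for the constructed device (a cleartext management service and a critical CVE reachable from its SSH daemon's CPE), and the six-hop traversal from the device node down to `attack_pattern` lists the CAPEC entries an evaluator would cite for that failure. Re-running `assess()` on facts without the Telnet service and without a matched CPE makes both requirements pass, which is the regression check to keep once a vendor ships a fix.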