The IoT Architect's Guide to Attainable Security and Privacy.

Format:

Book

Author/Creator:

Fagbemi, Damilare D.

Contributor:

Wheeler, David M.

Wheeler, J. C.

Language:

English

Subjects (All):

Internet of things--Security measures.

Internet of things.

Physical Description:

1 online resource (330 pages)

Edition:

1st ed.

Place of Publication:

Milton : Auerbach Publishers, Incorporated, 2019.

Biography/History:

David M. Wheeler, CISSP, CSSLP, GSLC, GREM, is a Senior Principal Engineer in the Platform Security Division of the Architecture Graphics and Software group at Intel Corporation and has thirty years' experience in software, security, and networking for both commercial and government systems. In his current role, Dave is responsible for the research and development of new cryptographic algorithms and protocols, several security APIs, and libraries across Intel including for IoT platforms. He performs security reviews for both Intel's IoT and cryptographic implementations and represents Intel at the IETF. Within the Internet of Things, Dave has contributed to Intel's Software-Defined Industrial Systems architecture and Intel's Internet of Things group's Health Application Platform. Prior to Intel, Dave held various lead software and systems architecture positions at Motorola, Honeywell Bull, General Dynamics, as well as his own firm. Dave has designed and built several hardware security engines, including a Type-2 security coprocessor for a software-defined radio, and the Intel Wireless Trust Module--a hardware cryptographic coprocessor on the Intel XScale processor. He has implemented several cryptographic libraries and protocol layers, including an IPSec-type implementation for an SDR radio; header compression protocol layers for IP, TCP, and UDP over multicast; a connectionless network layer protocol; two-factor authentication verification over RADIUS for a firewall VPN; PPP for serial; an instant messaging protocol over Bluetooth; and many others. of Intel's Internet of Things to make Intel's products and software projects secure. Blog: http://crypto-corner.typepad.com Twitter: @dmwheel1 LinkedIn: https://www.linkedin.com/in/davidmwheeler/ Damilare D. Fagbemi CISSP, GXPN, had what might be considered the best possible introduction to the field of information security. An innovative software system that he built, the first of its kind in Nigeria at the time, was hacked minutes before a highly publicized deployment. After that, needless to say, Damilare got interested in information security fairly quickly. He began learning about the security of data and networks, then took and passed the CISSP. Considering his background in software development, he wondered where the intersection might be between the vast disciplines of software and security. A few years later, in Ireland, he stumbled upon a job advertisement for product security engineering. Th e rest as they say, is history. Since then, Damilare has had the opportunities to serve as an engineer, architect, and technical leader at high-tech firms such as Intel Corporation and McAfee LLC, in the United States and Ireland. In those roles, he has had the pleasure of working with talented product teams to architect and build secure Internet of Things (IoT), web, and mobile solutions. As part of Intel's innovation in Smart Cities, he designed an IoT solution for Intelligent Transportation and contributed to the architecture of an artificial intelligence (AI)-powered platform for rapid decision making at the IoT edge. Damilare leads the Libraries Product Security Expert Center in Intel's Architecture Graphics and Software group, where he has enjoyed creating and leading a cross-organizational and cross-located security engineering team. He has taught security architecture and design across three continents--North America, Africa, and Europe--and served as Chapter leader of the Open Web Application Security Project (OWASP) in Nigeria. He is also a former co-founder of a software development company, with clients spanning private and government sectors. Blog: https://tech.edgeofus.com Twitter: @damilarefagbemi LinkedIn: https://www.linkedin.com/in/damilarefagbemi/ JC Wheeler began her career at US West Cellular analyzing analog network traffic and contributing to the rollout of one of the first commercial CDMA infrastructures in the nation, where she helped design the metrics and tools for CDMA traffic analysis. She then moved to Motorola to design cellular and satellite network protocols, authentication, crypto key management, and end-user features. She began consulting at General Dynamics in 2005, where she designed and integrated VoIP, header compression, multicast communications protocols, over-the-air provisioning, and IPSec variants for both MANET and satellite SDR waveforms. Th e small business she co-owned won a DoD SBIR and was a semifinalist in Th e Arizona Innovation Challenge for its smartphone secure framework; it was also a Navy Phase 2 SBIR subcontractor, building an AI engine to troubleshoot MANET radio configurations. JC is now retired and enjoys researching new technologies and macroeconomic trends.

Summary:

This book describes how to architect and design Internet of Things (loT) solutions that provide end-to-end security and privacy at scale. It is unique in its detailed coverage of threat analysis, protocol analysis, secure design principles, intelligent loT's impact on privacy, and the effect of usability on security. The book also unveils the impact of digital currency and the dark web on the loT-security economy. It's both informative and entertaining. "Filled with practical and relevant examples based on years of experience ... with lively discussions and storytelling related to loT security design flaws and architectural issues."-- Dr. James F. Ransome, Senior Director of Security Development Lifecycle (SOL) Engineering, Intel 'There is an absolute treasure trove of information within this book that will benefit anyone, not just the engineering community. This book has earned a permanent spot on my office bookshelf."-- Erv Comer, Fellow of Engineering, Office of Chief Architect Zebra Technologies 'The importance of this work goes well beyond the engineer and architect. The IoT Architect's Guide to Attainable Security & Privacy is a crucial resource for every executive who delivers connected products to the market or uses connected products to run their business."-- Kurt Lee, VP Sales and Strategic Alliances at PWNIE Express "If we collectively fail to follow the advice described here regarding loT security and Privacy, we will continue to add to our mounting pile of exploitable computing devices. The attackers are having a field day. Read this book, now."-- Brook S.E. Schoenfield, Director of Advisory Services at IOActive, previously Master Security Architect at McAfee, and author of Securing Systems

Contents:

Cover

Half Title

Title Page

Copyright Page

Dedication

Contents

Foreword

Preface

Acknowledgments

About the Authors

Part One

Chapter 1 How We Got Here

1.1 We Forgot Security When Building the Internet

1.2 What's This Book About and Who's It For?

1.3 Let's Break Down the Book

1.4 What's an IoT System?

1.4.1 Everyone Needs to Know the Location of the Nearest Pizza

1.4.2 Computing Everywhere

1.5 An IoT System's Major Components

1.5.1 The Human IoT System

1.6 Shall We Just Connect Everything?

1.7 Wait! We Need to Add Security!

References

Chapter 2 The IoT Castle and Its Many Gates

2.1 And the Internet Got Hacked: Analyzing the Mirai Attack

2.1.1 Resolution of the Mirai Attack

2.2 "Full Disclosure," Ethics, and "Hacking Buildings for Fun and Profit"

2.3 Defending IoT Castles

2.3.1 Know Thine Enemy

2.4 Attacking the IoT Castle

2.5 A Closer Look at IoT Attack Surfaces and Breach Consequences

2.6 The Road Ahead

Chapter 3 The IoT Security Economy

3.1 A Toy Is Not a Plaything, It's a Tool for Cybercrime

3.2 Understanding the IoT Economy

3.3 The Cybercriminal Economy

3.4 Cryptocurrency 01100101

3.4.1 Mining, Minting, and Verifying Transactions

3.4.2 The Draw of Crypto Mining

3.4.3 The Monero Cryptocurrency

3.5 Where Cybercriminals Go to Hide

3.6 Accessing the Dark Web with Tor

3.7 Money Money Money . . . Making Bank on the Dark Web

3.8 Challenges in the Regular IoT Economy: Out of the Dark, and into Naïvety

3.9 Why You Should Care

Part Two

Chapter 4 Architecting IoT Systems That Scale Securely

4.1 The IoT System Architecture

4.1.1 The Cloud Layer

4.1.2 The Gateway Layer

4.1.3 The Devices Layer

4.2 IoT Must Be a Low-Cost System.

4.2.1 IoT Gateway Layer: Reason 1-Client Volume

4.2.2 IoT Gateway Layer: Reason 2-Energy Costs

4.2.3 IoT Gateway Layer: Reason 3-Long-Haul Communications Costs

4.2.4 IoT Gateway Layer: Reason 4-Security

4.2.5 IoT Gateway Layer: Reason 5-Scaling

4.3 Details of the IoT Architecture Layers

4.3.1 Basic IoT Edge Device Architecture

4.3.2 Simple IoT Gateway Architecture

4.4 Fundamental IoT Cloud Architecture

4.5 Why Security Is Hard in IoT Systems

Chapter 5 Security Architecture for Real IoT Systems

5.1 Preparation for the Coming Storm

5.2 What Is Security Architecture?

5.3 The Security Architecture Process

5.3.1 Analyze the System Architectural Views

5.3.2 Perform Threat Analysis

5.3.3 Threat Disposition

5.3.4 Incorporate Threat Mitigation into the System Architecture

5.3.5 Rinse and Repeat

5.3.6 Security Architecture Review Board

5.3.7 After Security Architecture Approval

5.4 Design Principles for Security Architecture

5.4.1 Open Design Principle

5.4.2 Economy of Mechanism Principle

5.4.3 Fail-Safe Default Principle

5.4.4 Separation of Privilege Principle

5.4.5 Complete Mediation Principle

5.4.6 Least Privilege Principle

5.4.7 Least Common Mechanism Principle

5.4.8 Defense-in-Depth Principle

5.4.9 Trust No One Principle

5.4.10 Secure the Weakest Link Principle

5.5 Addressing the Security Concerns of an Industrial IoT System

5.5.1 The Autonomous Factory

5.5.2 Architecting for IoT Manageability

5.5.3 Architecting IoT Device Trust

5.5.4 Architecting End-to-End Encryption

5.5.5 Architecting for Longevity

5.5.6 Architecting IoT with Intelligence

5.5.7 Architecting for Scale

5.6 Summarizing IoT Security Architecture

Chapter 6 Securing the IoT Cloud

6.1 The History of The Cloud

6.2 So What Is the Cloud?.

6.3 Cloud Architecture Overview

6.3.1 Object Storage Service

6.3.2 Block Storage Service

6.3.3 Compute Service

6.3.4 Image Service

6.3.5 Networking Service

6.3.6 Identity Service

6.4 How the Cloud Enables and Scales IoT Security

6.4.1 Secure Centralization of Data Management and Analytics

6.4.2 Secure IoT Device Management

6.4.3 Secure Multi-Presence Access to IoT Devices

6.5 A Summary of Security Considerations for IoT Cloud Back Ends

6.6 Practical IoT Cloud Security Architecture: The "Dalit" Smart City Use Case

6.6.1 Introducing ATASM as a Threat Modeling Tool

6.6.2 Dalit Cloud Architecture Overview

6.6.3 Data Ingestion and Processing View

6.6.4 Device Software (and Firmware) Updates View

6.6.5 Networking View

6.6.6 Cloud Resource Monitoring and Auditing View

6.6.7 Threat Analysis

6.7 What We Learned

Chapter 7 Securely Connecting the Unconnected

7.1 What Connectivity Means to IoT

7.2 Classifying IoT Communication Protocols

7.2.1 Bandwidth, Bits, Codes, and Hertz

7.2.2 Physical Layer Communications-Wired and Wireless

7.2.3 Wired Phys

7.2.4 Wireless Phys

7.2.5 Comparison of Different Phys

7.2.6 Upper-Layer Protocols

7.2.7 Application Layer Protocols for IoT

7.2.8 Protocols Summary

7.3 Network Security for IoT

7.3.1 Protecting the Little Ones

7.3.2 Additional Steps by the Bigger Devices- Self-Protection Services

7.3.3 System Protect and Detect Services

7.4 Security Analysis for Protocols

7.4.1 The Preliminaries and Definitions

7.4.2 An Informal Analysis Model for Protocol Design

7.4.3 An Informal Analysis of a Digest Authentication Protocol

7.4.4 The Formal Security Models

7.5 IoT Protocol Conclusions

Chapter 8 Privacy, Pirates, and the Tale of a Smart City.

8.1 Shroud for Dark Deeds or Fortress for the Vulnerable

8.2 Chapter Scope

8.3 AI and IoT Unite-Amplifying the Engineer's Significance in Society

8.4 The Elephant in the Room

8.5 Scenario: Safe Driving App Meets Smart Fridge

8.5.1 IoT Saves Our Bacon, but Tattles if We Eat Cured Fatty Pork

8.5.2 Smart Algorithms to the Rescue

8.6 From Autonomous Vehicles to Smart Cities

8.6.1 Scenario: The Tale of a Smart City

8.7 The Deepfake and IoT

8.8 Learning from Smart Appliances, Myopia, and Deepfakes

8.9 Privacy Playbook

8.9.1 Bring in the "Great White Shark"

8.9.2 Know the Pirate Lineup

8.9.3 Believe in the Data Afterlife

8.9.4 Defy Fate

8.9.5 Obfuscate Waldo

8.9.6 Playbook Wrap-up

Chapter 9 Privacy Controls in an Age of Ultra-Connectedness

9.1 Introduction

9.2 Defining Privacy and Information Privacy

9.3 A Better Definition of Personal Information and How That Becomes Personal Knowledge

9.3.1 Data from a Fitness App Turns into Military Intelligence

9.4 Who Cares about Privacy?

9.5 Privacy Controls

9.5.1 Access Controls

9.5.2 Anonymization

9.5.3 Differential Privacy

9.5.4 Homomorphic Encryption

9.5.5 Secure Multi-Party Computation

9.5.6 Zero-Knowledge and Group Signatures

9.5.7 Data Retention and Deletion Policy

9.6 Privacy Legislation

9.6.1 European Union Data Protection Directive

9.6.2 General Data Protection Regulation

9.6.3 California Consumer Privacy Act of 2018

9.6.4 California Online Privacy Protection Act

9.6.5 Children's Online Privacy Protection Act of 1998

9.6.6 Health Insurance Portability and Accountability Act of 1996

9.7 The Future of Privacy Controls

Chapter 10 Security Usability: Human, Computer, and Security Interaction

10.1 Poor User Experience Design Isn't Just Inconvenient, It's Painful.

10.2 Nightmare at 40: When Too Many Convenient Devices Become Too Difficult to Manage

10.3 Challenges of IoT Security Usability

10.3.1 Security Doesn't Make Sense to the Regular User

10.3.2 Security Is Not Interesting to the Regular User

10.3.3 Usable Security Is Not Demanded from Vendors

10.3.4 Barriers to Necessary Workflow

10.3.5 Different Views of Security, from Executive to Architect to Implementer, Then the User

10.4 Principles for Designing Usable IoT Security Controls

10.5 The Cause of Usable Security Belongs to All of Us

Part Three

Chapter 11 Earth 2040-Peeking at the Future

11.1 Whacking at the Future of IoT

11.2 The Fascination of Technology Innovation

11.2.1 Clairvoyance or Science?

11.2.2 Now

11.2.3 The Major Types of Change Introduced by IoT

11.3 The Evolving Cyber Threat Landscape

11.3.1 Threat Agents and Cyberattackers of the Future: AI and ML

11.4 A Vision of 2040

11.4.1 Healthcare

11.4.2 Agriculture

11.4.3 Cities and Homes, Energy, and Autonomous Transportation

11.5 The Emergent Future of Cloud Computing

11.5.1 Infrastructure as Code

11.5.2 Serverless Architecture

11.5.3 Elastic Container-Based Cloud

11.5.4 Autoscaling

11.5.5 Summarizing the Security Advantages of Emergent Trends in Cloud Computing

11.6 Do the Right Thing and the Future Will Take Care of Itself

Epilogue

Index.

Notes:

Description based upon print version of record.

Description based on print version record.

ISBN:

1-000-76261-0

1-000-76225-4

0-367-44093-8

9780367440930

OCLC:

1122923365