Process
Risk assessment depends on customer-specific security requirements. It starts at the sensors and devices and extends to the IoT application, covering the entire network and IT infrastructure. Every software and hardware component must be evaluated so that the IoT system is secure after deployment. Individual OEMs can choose their respective components for vulnerability assessment before deployment in the integrated environment.
Scope definition
Defining the boundaries of the assessment helps to set the objectives and identify the attack vectors, inclusions & exclusions, timeline and testing approach.
Vulnerability assessment & penetration testing
We use automated tools as well as manual methods for vulnerability scanning and penetration testing of networks, applications, mobile applications, IoT sensors, devices & their firmware. We provide a gap analysis with risk prioritization and severity levels, along with a recommended solution to fix each gap. The report is prepared based on the OWASP IoT Top 10 standard.
System hardening & configuration review
System hardening is a best practice for reducing the attack surface of all networked devices such as servers, workstations and other network devices. Along with the hardware, the operating system software is assessed for potential threats, and hardening is applied to minimize unneeded services & packages. The firewall is audited for its configuration and rules as per the security requirements. We apply the OWASP hardening standard to ensure security lockdown.
Code Review
Vulnerabilities introduced during code development for applications and embedded-device firmware are often exposed only after deployment. Our tech experts work with the customer's development teams during the development stage itself to help produce code that is secure before it is deployed on the network.
Compliance Audits
A security compliance audit is a comprehensive third-party review of an organization's readiness for & adherence to cyber security processes and best practices. Compliance audits give organizations an opportunity to continuously improve their risk management capability. Some compliances are regulatory in nature and are mandatory under the laws and regulations of a specific country, while others provide a strong foundation for cyber risk assessment & security management. Valency Networks has been providing implementation consultancy and audit services for major information security compliances such as ISO 27001, ISO 27017/18, HIPAA, GDPR, SOC 2, PCI DSS, ITAR and FDA CFR Part 11 & 820.
ICS/SCADA Security Assessment
Industrial control systems, popularly known as SCADA & DCS, are part of operational technology (OT) and are considered critical infrastructure for any industry. IT-OT convergence has brought these systems to the forefront from a security standpoint, as they are not designed with security in mind. With the exposure of the ICS network to the corporate network and the internet, these systems have become more vulnerable to network and physical attacks.
The potential threat to ICS systems carries a very high cost in capital investment, huge production losses and danger to human lives. When assessing the risks for ICS systems, they need to be treated differently from any other IT system. Valency Networks' domain expertise helps industry to assess system & network vulnerabilities and manage the risks, strengthening the network & physical security of the ICS system by conducting vulnerability assessment, penetration testing and ICS security audits on specific parameters applicable to the ICS environment.
Deliverables
Valency Networks has a unique approach to risk assessment and reporting.
Every technical assessment is based on automated tools, custom built scripts & manual testing.
The report is generated based on OWASP top 10 & CWE 25 standard.
Compliance Audits for various industry standards & regulations.
Prioritization of Risks/vulnerabilities according to threat level.
Recommended solution to fix the gap for all vulnerabilities.
Documentation as per requirements of standards & regulation.
Audit report comprising gap analysis and solutions.
An analysis of cyberattacks identified over 300,000 malware attacks on Internet of Things (IoT) devices.
Many IoT devices use symmetric encryption, in which a single key is used to both encrypt and decrypt data. Encrypting the data adds a layer of security, particularly compared to using hardcoded or default passwords, but sharing and storing the encryption key creates risk.
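The key-sharing risk described above can be measured as the number of devices one leaked key exposes. The following is an added example, not code from this page or from Valency Networks: it compares a fleet that stores one shared symmetric key with a fleet whose per-device keys are derived with HKDF (RFC 5869) from a master key kept in the backend. The device IDs, the `fleet-v1` salt and the sample key are constructed for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()      # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                # expand step
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def provision_shared(device_ids, fleet_key):
    """Weak pattern: every device stores the same symmetric key."""
    return {dev: fleet_key for dev in device_ids}

def provision_derived(device_ids, master_key):
    """Each device stores only its own key; master_key never leaves the backend."""
    return {dev: hkdf_sha256(master_key, b"fleet-v1", dev.encode())
            for dev in device_ids}

def exposed_devices(fleet, leaked_key):
    """Devices whose data can be decrypted with the leaked key."""
    return sorted(dev for dev, key in fleet.items()
                  if hmac.compare_digest(key, leaked_key))

# Constructed sample data: device IDs and key material are made up.
DEVICES = ["sensor-001", "sensor-002", "hub-001"]
SECRET = bytes(range(32))  # stands in for a randomly generated 256-bit key

def blast_radius():
    """Exposure when the key stored on sensor-001 leaks, for each pattern."""
    shared = provision_shared(DEVICES, SECRET)
    derived = provision_derived(DEVICES, SECRET)
    return (exposed_devices(shared, shared["sensor-001"]),
            exposed_devices(derived, derived["sensor-001"]))

if __name__ == "__main__":
    shared_hit, derived_hit = blast_radius()
    print("shared key exposes :", shared_hit)
    print("derived key exposes:", derived_hit)
```

With derived keys the backend can re-derive and rotate a single device's key without touching the rest of the fleet, but the master key itself then becomes the asset to protect.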
Smart hubs account for 15% and “network-attached” storage devices for 12% of the commonly hacked IoT items found in the home or office. The remainder is made up of printers, smart TVs, and IP phones, which are commonly used and against which hacking attempts succeed.
The Most Important Security Problems with IoT Devices
While increased adoption has given wings to IoT growth, the core industry is seriously concerned about the security and privacy issues surrounding this platform. Since many of these devices work primarily as trackers and monitors, their primary function is to send back data at regular intervals, sometimes every few seconds. Over a longer duration, say weeks or months, this adds up to a considerable amount of data. Also, given the minimal embedded computing capabilities of IoT devices, placing complicated security tools or technologies on them becomes impossible.
Attack surface refers to the exposed areas or vulnerabilities in the IoT device that can be exploited by a malicious hacker to gain unauthorized access.
The most commonly used IoT cybersecurity standard is by OWASP. The Top 10 vulnerabilities given by OWASP are as-
Any vulnerable web interface, mobile, cloud interface, or API may be a component of insecure ecosystem interfaces. The list of issues under this category is as follows-
Possible test cases to test the update mechanisms of IoT devices:
Intrusion detection is the process of detecting an external party trying to gain illegal access to the software. As its name implies, any form of unlawful access is discovered and reported so that the necessary action can be taken against the intrusion. It’s like the technology that detects a burglary and sounds the alarm. During penetration testing, the company will automatically determine whether the intrusion detection technology in its software is functioning correctly.
Ways to protect IoT devices are-
Attacks are defined by the layer of the IoT infrastructure they target, but because IoT infrastructure isn’t standardized, they can be generalized into the following categories.
Threats to IoT systems and devices translate to bigger security risks because of certain characteristics that the underlying technology possesses. These characteristics make IoT environments functional and efficient, but they are likely to be abused by threat actors.
These characteristics include:
The attack surfaces could be-
Passwords are one of the most vulnerable forms of user authentication. We can see this in practice when we look at how they're put to use. Oftentimes users may reuse the same password across multiple websites, which means that if an attacker manages to break into one of their accounts, they can compromise all of them.
What Our Customers Say?
Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.