Secure System Design: Why Plug and Play Is a Dangerous Game

by Debra B. McCraw | Sep 24, 2018

When the sitcom “The Big Bang Theory” premiered in 2007, the internet of things (IoT) was in its infancy, at least from a consumer standpoint. In an early episode, the show’s main characters – Leonard, Sheldon, Raj and Howard – set out to connect a variety of household items and gadgets to the internet. After testing it themselves, they enabled public access, allowing people from afar to control them. They got excited when someone from China turned the lights on and off and when people began driving their remote-control cars with video cameras attached. But their neighbor, Penny, was less than amused when the cars began following her.

 

This clip perfectly illustrates the importance of securing IoT devices. While the guys in “The Big Bang Theory” may have found it cool to let someone else control their devices, they opened themselves up to a host of vulnerabilities by enabling public access.

In today’s world, it’s not out of the realm of possibility for hackers to be able to access a device and cause harm. For example, they could penetrate the system of a connected vehicle and shut off the engine while it’s driving. Or they could interfere with lifesaving medical devices, like connected insulin pumps or pacemakers.

CompTIA Security+, and the new CompTIA CertMaster Learn for Security+, address many of the cybersecurity issues related to IoT, including secure systems design. (Lesson 17 if you’re already in CertMaster Learn for Security+.) Taking cybersecurity courses or using an eLearning tool like CertMaster Learn and getting a cybersecurity certification like CompTIA Security+ can help you gain and validate the skills needed to land a cybersecurity job. Secure systems design is just one of many of the topics covered both by the IT training and IT certification.

IoT and Embedded Systems

Before we can dive into IoT security, we need to establish baseline knowledge about embedded systems. CompTIA CertMaster Learn for Security+ defines an embedded system as “a complete computer system that is designed to perform a specific, dedicated function.”

A screenshot of the Embedded Systems definition in CertMaster Learn.

Click for a larger image.

Embedded systems are typically static environments, which means they do not experience the frequency of changes that dynamic environments, like PCs, do. With a PC, you may frequently add or remove hardware, software and data, but with a static environment, that doesn’t happen.

When it comes to security, having a static environment is ideal because it’s easier to protect – it’s not constantly changing. However, the risk comes from having little support for identifying and correcting security issues.

Most smart devices use a Linux or Android kernel. Because they’re effectively running mini-computers, smart devices are vulnerable to some of the standard attacks associated with web applications and network functions. For example, integrated peripherals such as cameras or microphones could be compromised to facilitate surveillance.

Many of the devices we have in our homes and use every day – including IoT and smart devices, home automation, wearables, multi-function devices, medical devices, connected vehicles and drones – all use embedded systems. Your video doorbell, Amazon Echo or Google Home, smartwatch and smart thermostat all have embedded systems and are connected to the internet – making them vulnerable to cybersecurity threats if not configured properly.

Securing Embedded Systems

Because we don’t have access to the operating system on embedded devices, securing them can be tricky. But, there are ways to make these devices less vulnerable and ensure the network is protected from anything that might penetrate these devices.

Network Segmentation

Network segmentation helps you protect the crown jewels – the critical data. It’s a practice in which your embedded systems connect to one part of the network and your PCs, servers and other dynamic environments connect to a separate part of the network. This way, if an attacker gets in through your IoT device, they cannot reach the critical data.

Application Firewalls

In some cases, you may be able to deploy application firewalls to mitigate the risks associated with connecting embedded systems to the network. They are designed to protect specific applications and devices, but they can be difficult to find. Also, many embedded systems lack the processing power and memory to run the firewall’s functions.

Wrappers

A wrapper encapsulates data so that an attacker only sees the endpoints – not the data itself. This can protect data that needs to travel between trusted networks.

Whatever you’re connecting to the network – a smart refrigerator, an insulin pump, a flow valve or your building’s heating, ventilation and air conditioning (HVAC) system – security needs to be top of mind. Plug and play without proper configuration is a dangerous game and could expose your entire network to threats.

Cybersecurity courses and eLearning tools like CompTIA CertMaster Learn for Security+ can help you gain the skills you need for a cybersecurity job. CertMaster Learn is a comprehensive, self-paced eLearning environment that uses videos, assessment and performance-based questions to prepare candidates for the CompTIA Security+ certification exam.

Start learning the cybersecurity skills employers are looking for with CompTIA CertMaster Learn for Security+.

1 Comments

  • sosaiete l savini

    Friday, September 28, 2018

    Thanks. Good read.

Leave a Comment

Boost your Career with a Certification

Find out more about our Certifications

How to get Certified

4 Steps to Certification

Already certified? Let us and others know!

Share Your Story