Jai’s Weblog – Tech, Security & Fun…

  • Jaibeer Malik

Archive for the ‘Security’ Category

Anything related to security or hacks.

IOT Security: Attack surface areas, Vulnerabilities & Considerations

Posted by Jai on January 5, 2017


In this post we discuss the security aspects of a connected-devices solution, following the typical M2M information flow from the connected device hardware until the information is available to the end user on a dashboard or mobile gadget.

More and more varieties of connected devices reach the market every day. The size and processing power of these devices put extra emphasis on the security aspects around them. Here we discuss the information flow for connected devices, that is, how data flows from the devices to their end users. On top of that, we look at the different attack surface areas, the common vulnerabilities they expose, and the common ways to eliminate those threats for connected devices.

In the previous posts, we discussed the availability of different types of IOT platforms in the market, the typical characteristics of such a platform, and the technical challenges in building your own IOT platform.

IOT Platform: Typical Characteristics
Building IOT platform, Technical challenges

The diagram below explains the typical IOT data flow, the possible vulnerabilities in such a system, and the considerations for building a strong and secure security architecture model for such a solution.

iot-security

Information Flow Networks

In a typical IOT scenario, the device captures the data, and the data is transmitted to a cloud server for further processing, either through a local gateway or over a telecom network. The processed data is then made available to the end consumer, the respective events are triggered, or the information is shared further with ecosystem parties.

The following data flow networks are commonly used in such a system:

  1. Device Network
  2. Device Communication Network
  3. Telecom Network
  4. Internet
  5. Hosting/Cloud environment Network
  6. IOT Platform
  7. Mobile applications/Gadgets network
  8. Data Privacy

Read the rest of this entry »

Posted in IOT, Security | 1 Comment »

Java Application performance analysis and optimization using AppDynamics

Posted by Jai on December 11, 2012


The enterprise Java application stack keeps growing bigger, which makes it equally difficult to keep control of all the layers of the infrastructure and get the maximum result out of it. One of the basic requirements of any web application is that it performs well. Here we cover an ideal enterprise Java web application setup and see how to analyze and optimize it using the AppDynamics tool.

Java Enterprise web application N-tier set up

Take as an example the n-tier Java web application below, which interacts with a complex middleware system, integrates with numerous external web APIs, and has an equally powerful backend storage system.

enterprise_java_web_application_setup

The diagram covers a quite common and complex enterprise application setup.

  • Web Servers (eg. Apache web server)
  • Application Servers (tomcat application server)
  • Mobile application server (tomcat application server)
  • Email Server
  • Web content management server (eg. Team Site, Alfresco)
  • Web application Administration server (tomcat application server)
  • File servers (Shared disk eg. NFS)
  • Real time/Messaging/Queue server (eg. ActiveMQ)
  • Data/File processing backend servers (tomcat application server)
  • Data storage/Database servers (eg. MySQL/Oracle)

Problem Context

Read the rest of this entry »

Posted in Architecture, Database, Hibernate, Java, Security, Spring, Web Services | Leave a Comment »

Flex: Enterprise security implementation using Chimp, permission based filtering component

Posted by Jai on August 28, 2009


This post covers how you can implement an enterprise security solution for Flex applications. You can implement Flex-side security using Chimp, which provides permission-based filtering of Flex components using metadata, use Spring Security on the server side, and integrate the two.

This is part of the series of posts:

Flex then, now & tomorrow – From a java developer’s perspective
Flex: Cairngorm (MVC), SpringActionscript (IOC) and other Cairngorm Extensions
Flex: SpringActionscript (IOC) & SpringActionscript Cairngorm Extension Sample Code Examples
Flex: Cairngorm View Notifications Strategies, Responders from Command to View
Flex: Choosing the right flex data transfer strategy and designing the application accordingly
Flex Tips&Tricks

to cover different strategies in flex development using Cairngorm framework to solve different practical problems.

Consider an enterprise application where you need security on both the Flex side and the server side. You want access control on the Flex side so that, depending on user roles, you can create, remove, hide, or enable particular view components in the application. Similarly, you want access control on the server side so that only users having specific roles are able to use some service or package, or call some particular methods.

There is a very nice article by Ryan on Enterprise security for Flex which covers the Spring Security integration and the Flex-side security implementation using Chimp.

Read the rest of this entry »

Posted in Cairngorm, Flex, Security, Spring | 3 Comments »

Network Security Assessment

Posted by Jai on June 4, 2008


Network Security Assessment by Chris McNab is a really nice book for getting a clear idea of the different strategies used, from both the offensive and the defensive point of view, to secure your network.

If you have any questions related to:

NSA – Rationale
What is done?
Tools Required
How is it done?

Feel free to have a look:

http://books.google.co.in/books?id=_g6MHX88bXUC

Security Mailing Lists:

Vulnerability Databases and Lists:

Posted in Security | Leave a Comment »

First Message

Posted by Jai on November 15, 2007


This blog will contain all kinds of topics, including technical, humour, and security & hacks related stuff. Please wait; the updates will come soon.

Posted in Security | Leave a Comment »