Identifying Shared Vulnerabilities and Mitigation Strategies for Cloud, Wireless and IoT
New capabilities and platforms, such as Internet of Things devices and cloud computing, require updated cybersecurity implementation strategies across different technologies and platforms. One approach is to examine multiple capabilities and platforms, identifying shared vulnerabilities and mitigation strategies. Benefits of this are three-fold: results can better inform an organization’s risk assessment, limited resources can be prioritized for higher risk vulnerabilities and overall complexity of security management can be reduced. One example of this strategy is to examine cloud computing, Internet of Things devices and Wi-Fi wireless networks to find shared vulnerabilities. To lessen the complexity of security management, identifying these shared vulnerabilities can allow security professionals to address multiple risks at once, benefiting the overall cybersecurity posture.
Two key shared vulnerabilities, insecure Application Programming Interfaces (APIs) and poor access control, emerge from that comparison. They motivate a security analysis of the corresponding mitigation strategies and lead to targeted recommendations at the intersection of the three platforms.
Modern organizations rely on computing and data technologies to operate, enabling business lines to meet objectives. However, these capabilities must also maintain security, assuring the confidentiality, integrity and availability of computing and data technologies, collectively known as the CIA Triad cybersecurity model. Confidentiality refers to the assurance that only individuals authorized to view content can access it; integrity refers to the assurance that information is authentic and has not been tampered with; and availability refers to timely and reliable access for authorized users.
The purpose of implementing the CIA Triad model is to mitigate the risks of operating in a connected infrastructure, such as the disruption, denial, theft or ransoming of critical data and information. Common threats include distributed denial of service (DDoS), ransomware and man-in-the-middle attacks. Common vulnerabilities include lack of encryption, misconfiguration of systems and servers, and failure to update software with the latest security patches.
With new technologies, new security challenges arise, not replacing previous challenges but increasing risk and requiring more adaptive cybersecurity approaches. Three examples of relatively new technologies—cloud computing, wireless communications and Internet of Things (IoT)—produce vulnerabilities that require adaptation to the changing environment. One approach is to first find shared vulnerabilities and then use targeted security analysis addressing them and providing security professionals relevant information to decide how and where to focus limited resources.
According to the National Institute of Standards and Technology (NIST), cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Most relevant to this analysis are the cloud service models infrastructure as a service, platform as a service and software as a service (SaaS).
In SaaS, the service model most likely to be implemented with IoT devices, the Cloud Service Provider (CSP) hosts the customer’s cloud-based software. Rather than installing client-based software on computing devices, users gain access to the functionality of the applications through a remote cloud network reached over the Internet, via a web browser or as an app that talks to the service through APIs. Such software applications can be used to store and analyze data and collaborate on projects.
The four cloud deployment models are each defined according to specific properties of the location of resources, the number of tenants that share those resources and what entities have access to the provided cloud service(s): public, private, community and hybrid.
In the public cloud, the CSP provisions cloud infrastructure to any customer who rents their services. These customers will share the computing space with others in a multi-tenancy environment. Public clouds may be owned, managed and operated by a business, academic or government organization. Some common uses of public clouds include non-mission-critical tasks such as file sharing, web-based email and online office applications.
Major cloud application threats to organizations include misconfiguration, poor access control, missing function-level access control, insecure APIs, insider threats, shared tenancy and supply chain vulnerabilities.
Of these cloud application threats, misconfiguration stands out. According to a recent report by the U.S. National Security Agency (NSA) on mitigating cloud vulnerabilities, misconfigurations are the most common type of cloud security vulnerability. They tend to be self-inflicted, often due to a lack of training or a lack of understanding of cloud computing’s shared responsibility model, under which the CSP secures the underlying infrastructure while the customer remains responsible for configuring and securing what it deploys on that infrastructure.
Access control is the ability of an organization to grant access to restricted data and resources to authorized users while blocking access for all unauthorized users. Organizationally, access to/restriction from resources may be based on various factors such as duty position, functional requirements, data sensitivity or requirements to work with mission partners outside the organization.
Poor access control, including sensitive data exposure, missing function-level access controls and insecure APIs, may result from misconfiguration or from a lack of training on specific cloud implementation requirements. Both access control and API use are critical components of SaaS, in which applications function by consuming capabilities and web services from other applications. One way to mitigate poor access control is to keep API keys out of software version control systems, where they can be unintentionally leaked.
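The leak problem is easiest to stop before a commit lands. The script below is added here as an illustration and is not code from the article or from any particular tool: it scans only the added lines of a git diff for credential-shaped strings so it can run as a pre-commit hook over `git diff --cached`. The sample diff, the file path and the key values in it are constructed for the example (the two AWS values are the placeholder examples from AWS documentation, the third is a made-up key), and the generic pattern is a deliberately broad heuristic that will need tuning for a real code base.

```python
import re
import sys

# Regexes for credential formats that commonly leak into repositories.
# The AWS access key ID (AKIA + 16 uppercase alphanumerics) and GitHub
# classic token (ghp_ + 36 chars) formats are documented by those vendors;
# the "generic" rule is an assumed heuristic and will produce false
# positives, which a hook should report for a human to triage.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token|password|key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+]{20,})"
    ),
}


def scan_diff(diff_text):
    """Scan the *added* lines of a unified diff; return (file, rule, line) findings.

    Only '+' lines are inspected: a hook over `git diff --cached` should block
    a secret being introduced, not complain about one being removed.
    """
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New-file header: "+++ b/path" (git) or "+++ path".
            current_file = line[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):
            continue
        content = line[1:]
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((current_file, rule, content.strip()))
    return findings


# Constructed sample diff for a stand-alone run. The AWS values are the
# placeholder examples from AWS documentation; the last key is made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.org"]
-api_key = os.environ["API_KEY"]
+api_key = "sk_live_1234567890abcdefghijklmnop"
"""


def main():
    # As a pre-commit hook: `git diff --cached | python leak_check.py`.
    # With no piped input it scans the constructed sample above.
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff_text)
    for path, rule, line in findings:
        print(f"{path}: {rule}: {line}")
    # A non-zero exit status makes git abort the commit.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run against the sample it reports three findings (the access key ID by its documented prefix, the secret key and the application key by the generic rule) and exits non-zero; the removed `os.environ` line is correctly ignored. A hook like this complements, rather than replaces, loading keys from a secrets manager or environment at runtime.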
Wireless communications networks consist of a body of protocols and standards that allow data to be transmitted and received via radio waves. Common examples of wireless networks include 4G/5G cellular, Bluetooth and IEEE 802.11 Wi-Fi.
Of these, Wi-Fi is the most suitable for organizational use: it supports a high number of device connections and users with a low number of paid subscriptions, cost-effectively supporting many IoT devices and applications.
Connecting Cloud, Wireless and IoT
Existing threats to IEEE 802.11 Wi-Fi networks include evil twin attacks, wireless sniffing, unauthorized computer access and the theft of mobile devices. Actions to reduce the risk include frequently changing passwords, protecting Service Set Identifiers (SSIDs), installing firewalls, maintaining antivirus software, encrypting data, restricting access and using file sharing with caution.
Major wireless vulnerabilities include poor access control, insecure APIs, exposure to DDoS attacks, weak encryption implementation, rogue access points and supply chain vulnerabilities. These stem from sources ranging from misconfiguration to weak or missing encryption protocols.
Poor access control can be either physical (placing wireless equipment in nonsecure areas, weak credentialing for access to sensitive areas and lack of auditing to review access) or logical (using weak encryption, failing to change default passwords and lacking an intrusion detection system to identify rogue access points).
Wireless networks, especially those relying on remote access for configuration and management, use APIs to administer backend functions. Their vulnerabilities are similar to the access control ones, with the addition of port control management. Securing API interfaces relies on strong authentication and access procedures such as multifactor authentication, connecting via virtual private networks and deactivating unused ports.
IoT refers to devices connected to the Internet or each other to sense, communicate, compute or provide measurement data. As more technologies incorporate increasingly sophisticated connection capabilities for older and newer devices, the deployment of IoT devices creates a bigger attack surface, increasing risk considerations.
According to the Department of Justice’s Cybersecurity Unit, IoT devices are vulnerable to malware and hacking, possibly leading to private network access. Vulnerabilities include weak passwords, unsecured network services, lack of privacy protections and improper data transfer and storage.
Major enterprise-related IoT vulnerabilities include poor access control, insecure APIs, lacking physical security, limited device security options, limited ability to upgrade and patch software and supply chain vulnerabilities.
IoT vulnerabilities stem from devices generally having low computational power and other hardware limitations, which make it difficult to implement built-in security features and to deliver software updates.
Mitigation strategies include using unique passwords, changing default credentials and encrypting data. IoT vendors can further protect devices with anti-rollback mechanisms, which prevent unauthorized entities from reverting software to an older, less secure version, and by ensuring that the operating system, code and third-party components they build on are not insecure products.
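As an added illustration of the anti-rollback idea (example code, not from the article or any vendor’s firmware), the following sketches the vendor and device halves of a signed update with a monotonic version counter. HMAC with a shared key stands in for the asymmetric signature a real device would verify against a public key in ROM, and the firmware images, signing key and version numbers are constructed for the example.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's firmware signing key. A real device verifies an
# asymmetric signature (e.g. Ed25519) with a public key burned into ROM or
# fuses; HMAC is used here so the example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def canonical(manifest):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=VENDOR_KEY):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(version, image, key=VENDOR_KEY):
    """Vendor side: bind the image hash and a monotonically increasing
    version number into one signed manifest."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key), image


class Device:
    def __init__(self, installed_version, key=VENDOR_KEY):
        # In hardware this counter lives in write-protected, replay-protected
        # storage (e.g. eFuses or an RPMB partition) so it cannot be reset.
        self.installed_version = installed_version
        self.key = key

    def apply_update(self, manifest, signature, image):
        """Device side: returns (accepted, reason). Order matters: authenticate
        the manifest first, then check the image against it, then enforce
        anti-rollback, so unsigned data can never influence the counter."""
        expected = sign_manifest(manifest, self.key)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
            return False, "image hash mismatch"
        if manifest["version"] <= self.installed_version:
            return False, (f"rollback: version {manifest['version']} "
                           f"<= installed {self.installed_version}")
        # Only now commit the new image and advance the counter.
        self.installed_version = manifest["version"]
        return True, f"installed version {manifest['version']}"


if __name__ == "__main__":
    device = Device(installed_version=1)
    print(device.apply_update(*build_update(2, b"firmware-v2")))   # accepted
    # Replaying a genuine but older signed release is refused by the counter.
    print(device.apply_update(*build_update(1, b"firmware-v1")))
    # Editing the version field in the manifest breaks the signature.
    manifest, sig, image = build_update(3, b"firmware-v3")
    print(device.apply_update(dict(manifest, version=4), sig, image))
```

The point of the ordering is that a validly signed old release is the realistic attack: the signature is genuine, so only the counter stops it. Keeping the counter in storage the application processor cannot rewrite is what turns this check into a hardware-rooted control rather than a software convention.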
To address one aspect of security complexity, the major vulnerabilities from cloud, wireless and IoT were compared, as seen in Table I. Listing the vulnerabilities side by side shows at least two commonalities: access control and API implementation. Supply chain and DDoS were also identified but not analyzed further: supply chain requires an in-depth examination of the structure of each platform’s supply chain, while DDoS encompasses an array of ways to carry out the attack.
Comparison of Cloud, Wireless and IoT
Key shared/common vulnerabilities at the intersection of cloud, wireless and IoT are poor access control and insecure APIs.
Best practices implement access control measures and API interface authorizations according to a policy or set of policies that is unique to each organization and that simultaneously grants and constrains access in a manner appropriate to the organization’s goals.
The difficulty in practice is that neither access control (AC) nor API interface authorizations are fixed arrangements; they change according to the needs of the organization, its customers and/or mission requirements.
Access control vulnerabilities for cloud, wireless and IoT include sensitive data exposure, missing function-level access control, weak encryption and lack of auditing to review physical/logical access. The next step is to analyze various countermeasures and identify if/what common characteristics exist among the mitigation strategies.
Surveying the recommended mitigation strategies for access control and APIs leads to a set of actions that, taken together, can reduce risk for an organization. These mitigation strategies are listed in Table II, with the platform(s) on which each applies shown in parentheses.
In examining the common characteristics, one mitigation strategy emerges: strong access control mechanisms such as reducing overprivileged access (cloud, IoT) and restricting access via whitelists (cloud, wireless). In a dynamic organizational environment, additional tools, such as focused data analytics that collect and process near real-time events, can be overlaid on top of existing mitigation strategies, providing context and granularity for the security manager.
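To make “reducing overprivileged access” concrete for the cloud case, here is an added example (not the article’s own material) of a small linter for policies written in the AWS IAM JSON policy format. It flags the patterns behind most overprivileged roles: wildcard actions, wildcard resources with no narrowing condition, and Allow statements that use NotAction. The two sample policies, the bucket name and the statement IDs are constructed for the example.

```python
import json
import sys


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements that grant more than a
    least-privilege policy should. Deny statements only narrow access,
    so they are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction grants every action *except* those listed.
            findings.append(f"{sid}: Allow with NotAction grants every action except the listed ones")
        if "*" in actions:
            findings.append(f"{sid}: wildcard action '*' grants every API call")
        else:
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append(f"{sid}: service-wide wildcard action(s) {wide}")
        if "*" in resources:
            scope = "" if "Condition" in stmt else " and no Condition narrows it"
            findings.append(f"{sid}: wildcard resource '*'{scope}")
    return findings


# Constructed sample policies. The bucket name is hypothetical.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadSensorBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::sensor-data", "arn:aws:s3:::sensor-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }
    ],
}


if __name__ == "__main__":
    # Usage: python iam_lint.py policy.json   (no argument: lint the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policies = {sys.argv[1]: json.load(fh)}
    else:
        policies = {"overprivileged": OVERPRIVILEGED_POLICY,
                    "least-privilege": LEAST_PRIVILEGE_POLICY}
    for name, policy in policies.items():
        print(f"{name}: {lint_policy(policy) or 'no findings'}")
```

The overprivileged sample yields two findings; the least-privilege sample, which names specific actions, specific resources and a transport condition, yields none. A linter like this is cheap to run in a pipeline before a policy is attached to a role, which is exactly where misconfiguration of the kind the NSA report describes tends to enter.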
Comparison of Cloud, Wireless and IoT
Another access control mitigation strategy is seen on at least two of the three platforms: granting access to the system/device only with multifactor authentication (MFA). All three platforms can benefit from implementing MFA, though MFA may not be feasible on every IoT device because of hardware design or physical configuration.
While no single mitigation strategy emerges for API implementation, several mechanisms overlap, such as authenticating API calls and strong data verification/validation procedures. Tools that detect unauthorized data calls in near real time and overlay that detection data on the implemented security protocols can provide a checks-and-balances approach to the organization’s network and data security measures.
Threats and vulnerabilities associated with cloud computing, wireless Wi-Fi and IoT device implementation have commonality and overlapping mitigation strategies. A side-by-side comparison identifies two key shared challenges: poor access control and insecure APIs. Among the mitigation strategies, concentrating on two specific ones shows promise. The first is strong access controls that reduce overprivileged access yet remain responsive to organizational needs. The second is API call authentication that requires verification of the requesting system yet allows further business capability development.
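The two overlapping API mechanisms named above, authenticating the call and validating the data it carries, can be seen together in one exchange. The following is an added example, not code from the article: a client signs each request with a shared key, and the server checks key id, freshness, nonce and signature before it validates the body against a strict schema and only then hands it to business logic. The client registry, secret, route and reading schema are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import re
import secrets
import time

# Constructed client registry: key id -> shared secret, provisioned out of band.
API_KEYS = {"sensor-gw-01": b"constructed-shared-secret-for-sensor-gw-01"}
MAX_CLOCK_SKEW = 300   # seconds a request may be old before it is refused


def canonical_request(method, path, body, timestamp, nonce):
    """Bind method, path, body hash, time and nonce into the signed string so
    none of them can be altered or reused without breaking the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(timestamp), nonce]).encode()


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time() if timestamp is None else timestamp)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(API_KEYS[key_id], canonical_request(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class ApiServer:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock for deterministic tests
        self.seen_nonces = set()    # production: bounded store expiring after MAX_CLOCK_SKEW

    def handle(self, method, path, headers, body):
        """Server side: authenticate first, validate second, only then dispatch."""
        secret = API_KEYS.get(headers.get("X-Key-Id"))
        if secret is None:
            return 401, "unknown key id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return 400, "bad timestamp"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW:
            return 401, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if nonce in self.seen_nonces:
            return 401, "replayed nonce"
        expected = hmac.new(secret, canonical_request(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return 401, "bad signature"
        self.seen_nonces.add(nonce)   # record only after a valid signature
        return self.validate_and_dispatch(path, body)

    def validate_and_dispatch(self, path, body):
        if path != "/v1/readings":
            return 404, "no such route"
        try:
            data = json.loads(body)
        except ValueError:
            return 400, "body is not JSON"
        # Strict schema: exact field set, typed and range-checked values.
        if not isinstance(data, dict) or set(data) != {"device_id", "temp_c"}:
            return 400, "unexpected fields"
        if not isinstance(data["device_id"], str) or not re.fullmatch(r"[a-z0-9-]{1,32}", data["device_id"]):
            return 400, "bad device_id"
        temp = data["temp_c"]
        if isinstance(temp, bool) or not isinstance(temp, (int, float)) or not -50 <= temp <= 150:
            return 400, "temp_c out of range"
        return 200, "accepted"


if __name__ == "__main__":
    server = ApiServer()
    body = json.dumps({"device_id": "sensor-7", "temp_c": 21.5}).encode()
    headers = sign_request("sensor-gw-01", "POST", "/v1/readings", body)
    print(server.handle("POST", "/v1/readings", headers, body))   # (200, 'accepted')
    print(server.handle("POST", "/v1/readings", headers, body))   # replay refused
```

The ordering of checks is the design point: the cheap lookups come first, the nonce is recorded only after the signature verifies (so an attacker cannot fill the replay cache with junk), and no byte of the body reaches application code until it has been authenticated and then validated. In production the request would additionally travel over TLS, the nonce store would be bounded to the skew window, and each client would hold its own key so that one leaked key compromises only one client.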
Possible benefits for organizations include applying actionable information to an organization’s risk assessment, reducing complexity and prioritizing resources. Instead of treating cloud computing, wireless and IoT system vulnerabilities in isolation, security managers can view their common characteristics and concentrate limited resources on mitigation strategies that will address all three.
Veronica “Vern” Wendt has over two decades of experience in telecommunications systems and emerging technologies. She is research fellow at the National Defense University’s College of Information and Cyberspace, where she coordinates a student-led, problem-based research agenda that seeks to improve capacities in defense-related basic social science. Vern is a decorated veteran who retired from the U.S. Army after serving 21 years as a telecommunications specialist. She holds a B.S. in mechanical engineering from the United States Military Academy and an M.S. in telecommunications management from UMUC.
Michelle Ann Guo is a research graduate of the Master of Science Computer Science (MSCS) program at the University of the District of Columbia (UDC). Her research primarily focused on Android mobile app development, artificial consciousness, and cybersecurity. She was granted a UDC Lockheed Martin Research Fellowship, is an alumna of UDC’s CodePath program and was a presenter during UDC’s Spring 2021 Research Week.
Dr. Anteneh Girma is the director of the Cybersecurity Program and associate professor of computer science/cybersecurity at the University of the District of Columbia. Dr. Girma is a cybersecurity researcher and review board member for Cybersecurity and Computer Science program committees. Dr. Girma’s research has been published in various peer-reviewed journals and as book chapters.