Comments (6)

scriptingxss avatar scriptingxss commented on July 20, 2024

Hi @kanetil,

We wanted to make sure requirements are actionable, measurable, and testable. Process and operational oriented requirements were left out of scope.

Vulnerability tracking related requirements are in 1.1.6, 1.1.7, 1.2.1 and 3.2.4. Perhaps we could clarify one of them further?

Logging related requirements are in 2.2.5, 3.1.6 and 3.2.6. They're focused around information disclosure and verbosity.

from iot-security-verification-standard-isvs.

kanetil avatar kanetil commented on July 20, 2024

Understood, so to clarify, my issue is about having the proper capabilities to monitor the device remotely, and not stored on the device alone without capabilities to research an incident in progress on a remote device.

Example:
"Verify any collected logs are retrievable over an online connection either periodically or on-demand."

An IoT SIEM is of importance, especially for non-consumer IoT devices, and it needs a way to get its logs.

scriptingxss avatar scriptingxss commented on July 20, 2024

Good point from the incident perspective. Devices need to retain logs locally and remotely for longer periods of time. The implementation might be tricky because the required architecture is more involved with authentication, authorization, and/or a PKI to encrypt logs over the wire using the RoT certificate (potentially). Each of these could introduce additional entry points if not properly designed, although that's complicating things a bit. :)

How about something like the following:

Verify that collected logs are securely retrievable over an online connection either periodically or on-demand.

kanetil avatar kanetil commented on July 20, 2024

Looks good.

Now we need to define the logs as tamper-proof to some degree, but that's a different requirement probably.

How about:
"Verify that tamper prevention controls are embedded in the security logging mechanism."
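One way a device could satisfy both proposed requirements together, as an added example (not code from this thread or from the ISVS project): each log record carries a sequence number, the previous record's tag, and an HMAC over all three, so an edited record, a deleted record, or a broken chain is detected when the remote collector verifies the retrieved log. The key, the record layout and the `expected_len` parameter (the record count the collector last saw, which is what catches silent truncation of the tail) are assumptions for the example.

```python
import hmac
import hashlib
import json

# Constructed demo key. On a real device this would be derived from the
# root of trust the thread mentions; that derivation is assumed, not shown.
DEVICE_LOG_KEY = b"demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag the first record chains to

def _tag(seq, prev_tag, message, key):
    """HMAC-SHA256 over the canonical JSON of (seq, prev, msg)."""
    body = json.dumps({"seq": seq, "prev": prev_tag, "msg": message},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append(log, message, key=DEVICE_LOG_KEY):
    """Append one record; its tag covers its position and its predecessor."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    log.append({"seq": seq, "prev": prev_tag, "msg": message,
                "tag": _tag(seq, prev_tag, message, key)})
    return log

def verify(log, key=DEVICE_LOG_KEY, expected_len=None):
    """Return (ok, reason) for a retrieved log.

    Detects: edited content (tag mismatch), a removed or inserted record
    (sequence gap / chain break), and, when the collector supplies the
    record count it last saw, truncation of the tail.
    """
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"sequence gap at record {i}"
        if rec["prev"] != prev_tag:
            return False, f"chain break at record {i}"
        expected = _tag(rec["seq"], rec["prev"], rec["msg"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, f"tag mismatch at record {i}"
        prev_tag = rec["tag"]
    if expected_len is not None and len(log) < expected_len:
        return False, f"log truncated: {len(log)} of {expected_len} records"
    return True, "ok"

if __name__ == "__main__":
    log = append(append(append([], "boot"), "admin login ok"), "firmware 1.2 applied")
    print(verify(log, expected_len=3))  # → (True, 'ok')
```

Without the key, a party modifying the on-device log cannot recompute valid tags, and without the collector's last-seen record count the device-side store cannot prove it was not shortened, which is why the remote retrieval and the tamper controls belong together.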

scriptingxss avatar scriptingxss commented on July 20, 2024

We are working to understand if there are other IoT-specific monitoring capabilities we should consider outside of retrieving over an online connection.
Tamper protections on devices may not be prevalent for the time being, but there is an argument to be made from the ecosystem perspective, although that is more server side.

kanetil avatar kanetil commented on July 20, 2024

There is multi-device logic you can embed on the backend system (sink-hole detection, detection of version downgrade, etc.) - do we want to go into that rabbit hole? A whole world of threat hunting awaits.
