Cybersecurity is critical to protecting IoT and mesh networks. Network sensors and endpoints are the most vulnerable network assets. As endpoint diversity expands to nontraditional assets and applications, stakeholders must adopt cybersecurity best practices to protect their networks. This talk focuses on strategies to harden the IoT security posture.
In 2019, interconnectivity and growth of data have exploded. The digital world continues to expand at breakneck speed, with 20 billion networked devices and data anticipated to grow tenfold from 2017 to 2025. 96% of companies now use cloud services and 81% of enterprises operate multi-cloud landscapes. There are over 5 billion mobile phone users, with 2 billion customers preferring mobile banking rather than enter a physical branch.
IoT is an integral part of the future of data technology - and it may hinge on safe code-signing. The increased importance and intelligence of software operating IoT devices, and the need for frequent code updates to address rapidly changing service functionality and security requirements, are driving the need for IoT device software and firmware signing. Without good code signing hygiene, manufacturers incur major risks as attackers can alter the software running on deployed devices, stealing information or tampering with device functionality. This presentation will review code-signing best practices for IoT – and how to strike a balance between security and usability – through multi-party computation.
Key Takeaways:
1. Code-signing keys are both notoriously difficult to manage and integral to the heart of enterprise data security
2. Hardware-based code-signing solutions are neither scalable nor flexible enough to keep up with the growth of IoT devices
3. Multi-party computation-based solutions offer hardware-grade security via software-defined cryptography - cryptographic key management for the digital era
4. Code-signing best practices for enterprise include:
a. Protecting code signing keys: Key exfiltration is the riskiest because it gives attackers the most freedom to sign any code anywhere. Use cryptographic key protection and management solutions to help ensure that attackers cannot get hold of the valuable private keys.
b. Establishing advanced quorum authorization for sensitive signing operations: By requiring multiple people and/or systems to authorize sensitive cryptographic operations, such a signing code—especially code that can impact low-level system operations—you can eliminate rogue actors tainting the code with malware.
c. Monitoring and auditing all code signing transactions: A comprehensive log of all operations including the source of those operations can help quickly identify the source and mitigate attacks after they occur.