The Anti-Malware Testing Standards Organization (AMTSO) released its first guidelines for testing IoT security products on Thursday.
Based on feedback from testers and vendors, the guidelines cover the following areas: basic principles for testing IoT security products; offer recommendations on test environments; testing specific security features; determining detections; and performance benchmarking for testers.
“IoT security solution testing is quite different from anti-malware testing because it has to protect a wide variety of different smart devices in businesses and homes, so setting up the testing environment can be challenging” , said Vlad Iliushin, member of the board of AMTSO. . “Additionally, since smart devices mostly run on Linux, testers should use samples of specific threats to which these devices are vulnerable so that they can make their assessments relevant.”
Tony Goulding, cybersecurity evangelist at Delinea, said security and privacy guidelines drive industry regulations such as PCI, HIPAA and SOX. Goulding said it was important to protect access to IoT devices used in sensitive environments.
“In the absence of an equivalent set of regulations, the AMTSO guidelines represent a step in the right direction to help IoT vendors test their products’ ability to detect and prevent attacks,” said said Goulding. “As a security community, we strive to eliminate or stifle attack vectors that can give adversaries illicit access to our infrastructure, resulting in a data breach, ransomware attack, or shutdown. line of critical OT infrastructure. IoT devices represent additional vectors, increasing our attack surface. Organizations should prioritize IoT products from vendors that have undergone such testing to ensure that these risks are mitigated in their products.
Bud Broomhead, CEO of Viakoo, added that the IoT represents a rapidly growing attack surface. Broomhead said securing vulnerable IoT devices has become critically important for businesses as hacked IoT devices have devastating effects: they include ransomware, loss of data, altering the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.
“Many cybercriminals target IoT devices as an entry point because attackers can exploit them and move laterally within corporate networks, leading to widespread vulnerability exploits,” Broomhead said.