The Anti-Malware Testing Standards Organization (AMTSO) on Thursday released its first guidelines for testing IoT security products.
Based on input from testers and vendors, the guidelines cover the following areas: basic principles for testing IoT security products; recommendations on test environments; testing of specific security functionality; determining detections; and performance benchmarking for testers.
“Testing IoT security solutions is quite different from anti-malware testing as they need to protect a huge variety of different smart devices in businesses and homes, so the setup of the test environment can be challenging,” said Vlad Iliushin, an AMTSO board member. “Also, as smart devices mostly are primarily run on Linux, testers have to use specific threat samples that these devices are vulnerable to so they can make their evaluations relevant.”
Tony Goulding, cybersecurity evangelist at Delinea, said guidelines for security and privacy are what drive industry regulations such as PCI, HIPAA, and SOX. Goulding said it’s important to protect access to IoT devices that are used in sensitive environments.
“With no equivalent set of regulations, the AMTSO guidelines represent a step in the right direction to help IoT vendors test the ability of their products to detect and prevent attacks,” Goulding said. “As a security community, we strive to eliminate or choke vectors of attack that can give adversaries illicit access to our infrastructure, resulting in a data breach, ransomware attack, or taking critical OT infrastructure offline. IoT devices represent additional vectors, increasing our attack surface. Organizations should prioritize IoT products from vendors that have undergone such testing to help ensure such risks are mitigated in their products.”
Bud Broomhead, chief executive officer at Viakoo, added that IoT represents a rapidly growing attack surface. Broomhead said securing vulnerable IoT devices has become critically important for enterprises as breached IoT devices are having devastating impacts: they include ransomware, data loss, changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.
“Many cybercriminals target IoT devices as their point of entry because attackers can exploit them and move laterally within corporate networks, leading to extensive vulnerability exploits,” Broomhead said.