10 The Internet of Things and IT Auditing

John Shu,1 Jason M. Rosenberg,2 Shambhu Upadhyaya,2 and Hejamadi Raghav Rao1

1Department of Information Systems and Cyber Security, University of Texas San Antonio, San Antonio, TX, USA

2University at Buffalo School of Management, The State University of New York at Buffalo, Buffalo, NY, USA

10.1 Introduction

The growth and proliferation of Internet and Communication Technologies (ICTs) within the last decade has resulted in a giant web of interconnected devices. Gartner research currently estimates that there are about 3 billion connected devices in consumer home environments. It is, however, predicted that by the year 2020 we would have nearly 21 billion devices connected and talking to each other (Boorstin, 2016). This growth is not limited to the traditional consumer environments but also comprises the millions of devices that are continually being installed and deployed industrially in facilities such as plants and warehouses. Currently, huge cost-saving advantages are being realized through the prowess of IoT in industries such as health care, transportation, and retail and logistics, in almost every facet of their operation. However, as with the adoption of any burgeoning technology, IoT comes with a gamut of issues such as acceptance, usability, and security, among which security usually turns out to be one of the most critical. This is coupled with the fact that on average an individual can be associated with up to three different IoT-related devices, which increases the chances and opportunities for malicious individuals to gain illegal access. A report published by the Gartner Research Group demonstrated an increase of over 300 million dollars in security-related spending on IoT worldwide between 2014 and 2018, as seen in Figure 10.1 (Van der Meulen, 2017).


Figure 10.1 Worldwide IoT security spending forecast (in millions of dollars).

This tremendous increase in the spending forecast for the security of IoT is indicative of the potential vulnerability associated with these technologies. Hence, this calls for detailed policies on the use of these technologies in organizations, but more importantly, the implementation of comprehensive routine audit procedures. The implementation of such routine audits will ensure a consistently robust and resilient infrastructure regardless of the changes/upgrades in hardware, software, or patches. This chapter, therefore, discusses and elaborates on the somewhat novel concept of audits in relation to IoT.

10.2 Risks Associated with IoT

In their definition, the International Telecommunication Union (ITU) described IoT as (i) a global infrastructure for Information Systems in the Society that (ii) enables and facilitates advanced services by way of physical and virtual objects interconnection, (iii) empowered by existing and evolving interoperable information and communication technologies (Wortmann et al., 2015). The second point in this definition presents a very interesting and unique scenario hitherto not observed: the concept of interconnecting physical and virtual objects in an interoperable fashion. This essentially adds a layer of interconnectivity that was practically nonexistent, as objects that have traditionally not been considered online-capable devices are now obtaining Internet capabilities. Objects such as fridges, thermostats, health devices, and a number of previously Internet-incapable objects are coming online. The issue with the rapid pace at which these devices are coming alive on the Internet is the lack of security built into the typical IoT device. Security is sometimes an afterthought once the original communicability objective of the device is attained. HP published an Internet of Things Risk report based on a security analysis of IoT devices in 2015 with some intriguing statistics, as seen in Figure 10.2. The study revealed that, of the commonly used IoT devices examined, more than 70% are highly vulnerable to attacks because they are not properly secured. A significant number of these devices use unencrypted network services, so their connections to the Cloud and associated apps are exposed. This makes them vulnerable to simple exploits such as man-in-the-middle attacks and the like. HP also found that 80% of passwords used in these devices were either commonly used passwords or the same password repeated over multiple devices and accounts, creating more opportunities for attackers, among other things (see Figure 10.2) (HP News, 2016). These vulnerabilities are a serious concern in any business model where these devices are used and may have serious repercussions if not addressed in a timely manner.


Figure 10.2 Internet of Things risks.

This all goes to show that while the IoT carries a lot of potential and possibilities, there are crucial issues related to risks, threats, security, and auditing that have to be taken into consideration. Discussed further here are some of the risks that arise and, therefore, need to be considered in the context of IoT and auditing.

10.2.1 Privacy

The number one issue in dealing with the IoT is privacy. This is the case because these sensors and devices have come into very close proximity of our lives and our personal spaces like homes, cars, and even our bodies, and hence, maintaining privacy with all the data collected becomes a paramount issue. A vivid example is the hacking of a baby monitor that took place in April of 2014. An intruder was able to gain access to a baby monitor remotely while the family was asleep. He was actually able to swivel the camera in any direction he wanted and was also heard screaming at the baby and yelling expletives (Wagstaff, 2014).

This is a glaring example of a traumatizing violation of the privacy of this family. In an organizational setting, the intruder could have used this avenue to monitor the organization. Information such as who is the last to leave or the first to come into the office and the hours spent at the facility could be easily obtained. Not only that, but they might be able to obtain passcodes to open doors, either visually or from the beep tones produced as the door is unlocked. A statement by the manufacturer of the baby monitor indicated that the model in question was 3 years old and had not received a firmware update, hence creating the avenue for this attack. A routine audit of devices in an organization would be able to identify such devices that are behind on their firmware updates and thus avert potential privacy violations.

10.2.2 Confidentiality, Integrity, and Availability

Confidentiality is roughly equivalent to privacy (Yang et al., 2010). However, here we are very much concerned with the measures that need to be taken to prevent sensitive information from reaching the wrong people. Integrity deals with maintaining the consistency, accuracy, and trustworthiness of the data throughout its life cycle (Yan, 2016). Devices connected to a network can be hijacked if the network is breached, and the integrity of the data in that network can be compromised or falsified. Availability here deals with maintaining functionality when needed by the user.

In 2014, a study by the SANS Institute indicated that 375 health organizations in the United States were compromised, all within a month. The intruder infiltrated a set of new and improved radiological imaging units in tandem with the network and was able to gain access to patients' files and confidential information (Filkins, 2014). The patients' information was at the mercy of the intruder, who could equally have changed or manipulated the data, thus violating its integrity. They could also have introduced a bug into the system to hamper the proper functioning of the imaging units, denying medical professionals their availability at crucial moments. An audit performed on this category of devices in such medical establishments will reveal the potential areas intruders might exploit and offer recommendations on the best course of action. Admittedly, some manufacturers might not immediately see the need for integrated security in devices such as components of an imaging unit. However, once the industry and organizations start putting standard audit procedures into place, manufacturers will be forced to think about how best to integrate security into their products in order to be audit compliant.

10.2.3 Identity Management

Identity management issues might arise if the user uses their social media account to access their IoT service online. In a scenario where their social media account gets compromised, the IoT account/device could also be compromised. For example, an intruder can take control of your home security once they breach your social media account that is connected to a smart watch or Fitbit. The intruder could also perpetrate identity theft once they have access to details from the social media account as well as other personal information available on the devices, for example, financial information used by NFC apps present in phones and also smart watches/bands. Standard audit procedures within any organization would either prevent vulnerable devices from joining the network or notify the network administrators of devices in need of a patch or firmware update.
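The routine device audit that Sections 10.2.1 through 10.2.3 call for (devices behind on firmware, vendor default passwords, the same password reused across devices, unencrypted services) can be expressed as a check over an asset register. The following is an added example, not code from the chapter or from any vendor: the device names, versions, dates, credential fingerprints and the one-year update threshold are all constructed assumptions. Credentials are represented only by a fingerprint so that the register itself never holds the secret.

```python
"""Inventory check over an IoT asset register (added example, constructed data)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

MAX_FIRMWARE_AGE_DAYS = 365  # assumed policy threshold, not from the chapter


@dataclass
class Device:
    name: str
    firmware: tuple[int, ...]        # installed version, e.g. (1, 2, 0)
    latest: tuple[int, ...]          # vendor's current version recorded in the register
    last_update: date                # date the firmware was last updated
    credential_id: str               # fingerprint of the stored credential, never the secret
    default_credential: bool         # True if the vendor default is still in use
    cleartext_services: list[str] = field(default_factory=list)  # e.g. "telnet/23"


def audit_inventory(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Return {device name: [finding, ...]} for every device that needs attention."""
    # A credential fingerprint seen on more than one device means a shared password.
    shared = {cid for cid, n in Counter(d.credential_id for d in devices).items() if n > 1}
    findings: dict[str, list[str]] = {}
    for d in devices:
        issues = []
        if d.firmware < d.latest:
            installed = ".".join(map(str, d.firmware))
            vendor = ".".join(map(str, d.latest))
            issues.append(f"firmware {installed} behind vendor release {vendor}")
        age = (today - d.last_update).days
        if age > MAX_FIRMWARE_AGE_DAYS:
            issues.append(f"no update for {age} days")
        if d.default_credential:
            issues.append("vendor default credential in use")
        if d.credential_id in shared:
            issues.append("credential shared with another device")
        for svc in d.cleartext_services:
            issues.append(f"unencrypted service exposed: {svc}")
        if issues:
            findings[d.name] = issues
    return findings


# Constructed sample register: a stale monitor, a current thermostat, a camera dock
# that shares the monitor's credential and serves plain HTTP.
SAMPLE_REGISTER = [
    Device("baby-monitor-01", (1, 2, 0), (1, 4, 1), date(2014, 1, 10), "cred-a1", True, ["telnet/23"]),
    Device("thermostat-lobby", (3, 0, 2), (3, 0, 2), date(2017, 5, 1), "cred-b7", False),
    Device("camera-dock-2", (2, 1, 0), (2, 1, 0), date(2017, 3, 14), "cred-a1", False, ["http/80"]),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_REGISTER, date(2017, 6, 1)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against a real register, the same function would feed the "notify the network administrators" step: only devices with a non-empty findings list need a ticket, and the shared-credential check is the one that cannot be done per device in isolation.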

10.2.4 Physical Attacks

Attackers can stage targeted physical attacks on the smart network in many ways. Cutting off power or tampering with circuit breakers, installing signal-jamming devices on communication lines, and so on, are all possible physical attacks that can debilitate the network. Another facet of physical attacks, in scenarios where proximity permits, could also include resetting passwords, changing settings, and redirecting traffic to a server controlled by the hacker. From their servers, attacks can be launched in a number of different ways, for example, studying the firmware of the device and exploiting unmitigated vulnerabilities. Local attacks can also occur over Wi-Fi/Ethernet.

10.2.5 Cloud Infrastructure Attacks

Allowing users to use weak passwords, not locking out users after unsuccessful attempts, missing two-factor authentication (2FA), unsecured password recovery, and, in general, not enforcing standard security procedures offers an easy target for lurking attackers. Scenarios such as these invariably attract attacks such as brute force attacks, blind SQL injection attacks, and other targeted account-harvesting attacks. Eventually, any successful attack will allow the attacker to gain access to the device(s) and personal data. With some of the attacks, such as blind SQL injection attacks, the hacker can end up with read access to the database of the console and obtain the login credentials of the other users connected to the cloud IoT infrastructure.
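Two of the controls this section says are missing on weak cloud consoles, lockout after repeated failures and a login query that cannot be altered by user input, are shown together below. This is an added example, not the chapter's or any vendor's code: the in-memory SQLite table, the user "alice", the five-attempt and fifteen-minute limits, and the PBKDF2 parameters are all constructed assumptions. The concatenated lookup is kept only as the contrast an auditor would be looking for; the `login` function uses a parameterized query, a constant-time hash comparison, and records failures per account.

```python
"""Console login with account lockout and a parameterized lookup (added example)."""
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # assumed policy: lock after five consecutive failures
LOCKOUT = timedelta(minutes=15)  # assumed lockout duration
PBKDF2_ROUNDS = 100_000          # constructed parameter for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """Create a constructed in-memory user table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " failures INTEGER NOT NULL DEFAULT 0, locked_until TEXT)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, _hash("correct horse", salt)),
    )
    conn.commit()
    return conn


def unsafe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The weak form: the login string is spliced into the SQL text, so a
    quote in the input changes the query. Kept only for contrast with login()."""
    return conn.execute(
        "SELECT username FROM users WHERE username = '" + username + "'"
    ).fetchall()


def login(conn: sqlite3.Connection, username: str, password: str, now: datetime) -> bool:
    """Return True only for a correct password on an account that is not locked."""
    # Parameter binding: the input is always a value, never part of the SQL.
    row = conn.execute(
        "SELECT salt, pw_hash, failures, locked_until FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False  # same answer as a wrong password: no account enumeration
    salt, pw_hash, failures, locked_until = row
    if locked_until and datetime.fromisoformat(locked_until) > now:
        return False  # locked: do not even evaluate the password
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        conn.execute("UPDATE users SET failures = 0, locked_until = NULL WHERE username = ?", (username,))
        conn.commit()
        return True
    failures += 1
    lock = (now + LOCKOUT).isoformat() if failures >= MAX_ATTEMPTS else None
    conn.execute(
        "UPDATE users SET failures = ?, locked_until = ? WHERE username = ?",
        (failures, lock, username),
    )
    conn.commit()
    return False


if __name__ == "__main__":
    db = setup_db()
    t = datetime(2017, 6, 1, 12, 0)
    print("good password:", login(db, "alice", "correct horse", t))
    for _ in range(MAX_ATTEMPTS):
        login(db, "alice", "guess", t)
    print("good password while locked:", login(db, "alice", "correct horse", t))
    print("after lockout expires:", login(db, "alice", "correct horse", t + LOCKOUT + timedelta(minutes=1)))
```

In `login`, the quote characters in a username are data, so the lookup for a username containing a quote simply finds no row; the same input handed to `unsafe_lookup` becomes part of the WHERE clause. A real console would additionally require 2FA after the password check and would log each lockout so that the monitoring controls of Section 10.3.4 can see repeated failures.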

10.2.6 Malware Attacks

Malware-bearing software accidentally downloaded to any device could easily tell the attacker about the devices in the network and perform the previously mentioned attacks. It would just be a matter of time before the attacker could use the device as well as other connected devices to perform attacks, such as connected toasters that mine cryptocurrencies or smart TVs that are held to ransom by malware. IoT auditing of these devices will also serve to identify anomalies in the logs and generate alerts to that effect.

10.3 IT Auditing

The purpose of Information Technology (IT) auditing is to examine and scrutinize the management controls in the IT infrastructure. Typically, after the scrutiny, a decision is then made as to whether or not the IT systems are properly espousing the three information assurance tenets (confidentiality, integrity, and availability) while still being properly aligned with the organization's objectives. IoT auditing evidently follows much of the already standardized procedures in auditing but requires additional steps to properly ensure a truly multilayered/tiered secured system infrastructure.

10.3.1 IoT Auditing

A proper understanding of the challenges facing IoT devices will make clear that these IoT devices need a certain degree of security controls and standards. This is evident as the evolution and progress of most of these devices have been disparate. Thus, bringing a huge number of functionally disparate devices into a single network could potentially make for a network with gaping loopholes that is susceptible to cyberattacks. Given their geographically dispersed originating factories, these devices are not always manufactured with the necessary security protocols and standards. A lot of manufacturers already involved in the manufacture of other Internet-capable or peripheral devices might use the same procedures and standards to build IoT devices. As with the common Internet-capable peripheral devices, such as routers, switches, and gaming consoles, manufacturers pressed for time or to meet demand surges could ramp up production without necessarily enforcing security. This was the case with Sony games and the recently hacked Jeep Cherokee car replete with IoT-like technology (Newcomb, 2016; Martin, 2016). Hence, devices manufactured and built with varying standards could very well be vulnerable to attacks common to any device connected to the Internet and possibly to other newly developed attacks. An added risk that ensues is that since these devices eventually become part of the network, there is a high probability that these “weak links” in the system can provide a gateway to attack the rest of the network as well as the other devices connected to it. The vulnerabilities discussed earlier and shown in Figure 10.2 would be a serious concern in any business model where these devices are used and may have serious repercussions if not addressed in a timely manner (Rawlinson, 2017).

10.3.2 Need for Auditing

With the proliferation of IoT, billions of devices are to be continually connected to a vastly expanding network, all in a bid to improve the quality of people's lives, change business processes and models, and reinvent entire industries. On the other hand, IoT also has the potential to provide entrance points for cybercriminals into personal and corporate networks and data storage units. This unequivocally poses a problem that warrants auditing procedures. The losses related to these sorts of attacks have historically been significant when you consider examples like Target, Sony, Home Depot, and Ashley Madison (Keith, 2017).

Clearly the main challenge in today's and future implementations of the IoT is ensuring we have not made any compromises on the security aspect. Lack of proper security measures could provide chances for intruders to access and use personal information that is collected and transmitted to or from a device. Personal information can be misused by an unauthorized person and may result in identity theft or fraud. This may also create risks to physical and public safety in some cases (Alexandra Carmichael, 2011; Tollefson, 2015). To achieve desirable levels of security, IoT systems must adopt and evolve multilayered security checks and balances, which will be evaluated during auditing. The device, the software, and the communication channels must all be tamper proof and ensure data confidentiality. Security should not be an afterthought whereby a layer of protection is wrapped around a finished product. Industry standardization and best practices should push for a “security by design” approach where security is built into the different layers of the device, presenting several walls obstructing access to any intruder. This can take several forms, for example, two-factor authentication (already commonly used today) or proximity authentication, which will block out most remotely staged attacks. Regardless of the security and assurance technique used, provisions have to be made by the manufacturer to allow for audits within the organization.

Within the organization, incidentally, most IoT devices are currently not actually included in the security audits. An internal audit function can educate the managing body on the competitive edge that a properly functioning IoT implementation can bring to the enterprise. It will also elaborate on the importance, benefits, and potential cost-saving advantages in that respect. On the other hand, potential security loopholes and malpractices can be identified and the associated risks dealt with. Moving forward, preventive, corrective, and detective measures and controls could also be implemented to reinforce the IoT infrastructure. This practice of auditing becomes a very important, routinely needed exercise, especially with the constant progress of the field, because the associated risks and vulnerabilities also change with the technology's rapid evolution.

Performing internal audits can be very beneficial as it has the potential to offer strategic advice to the organization's management on the importance, the benefits, and the competitive edge that the IoT could offer the organization. A competent audit can demonstrate to the organization's management how IoT can be effectively implemented in daily operational procedures such as the automated tracking of inventory. These can range from inbound logistics, sales, and marketing all the way to product disbursement. The internal auditing process also permits constructive recommendations and advice to management on how to implement preventive, detective, and corrective measures effectively. Given the incredible pace at which the IoT is advancing, the inherent risks are a major looming concern, as evidently not enough time will be devoted to the security evaluation of these systems (Salman, 2015).

Furthermore, due to the lack of security audits in IoT, there is no way for an organization to ascertain the source and the type of an attack. An organization will be ill-prepared for such an incident, and this would affect the business continuity of the organization. To mitigate the risks involved with the use of IoT devices, an organization has to perform a risk-based assessment of all the assets included under the IoT umbrella and perform an end-to-end security audit at appropriate intervals, along with the documentation, testing, and reporting of business continuity procedures. Organizations can also perform controlled self-assessment (CSA), which would aid in seamless audits. Controlled self-assessment is an internal control assessment technique that has been used in industry for identifying and managing aspects of risk and exposure within an organization. Strong arguments have been made in its favor, as it also identifies and highlights areas in the organization with potential opportunities (Ahmed et al., 2003).

10.3.3 Risk Identification and Assessment

Every IT security audit begins with a thorough risk identification and risk assessment, along with a holistic validation of the impact of the systems on the goals of the organization. This process essentially starts with risk identification, where potential risks to the system are recognized and described. Risk identification is followed by risk assessment, where the likelihood and the consequences of each risk are determined and documented. Control risks, detection risks, inherent risks, and overall audit risk are considered.

After a thorough risk assessment, the auditor must define the scope of the audit by holistically validating the business function to be audited. Typically, prior approval from the senior management is obtained and authority is delegated from the board of directors before the audit process is initiated. An auditor will usually have to consider the points described in Figure 10.3 before auditing the IoT system.


Figure 10.3 Points to consider before the audit procedure.

Figure 10.3 outlines some very important points to consider before any auditing procedure can begin within the organization. Primarily, the value that the IoT system generates for the business or organization is key. A system that is centralized and directly integrated into the production or manufacturing arm of the organization would be very critical, as it essentially forms an integral part of the organization's driving engine. This calls for a more critical assessment to ensure that the manufacturing or production engine is robust enough to withstand attacks that can bring the whole system down. IoT systems that are more peripheral in nature or decentralized might not necessarily need such scrutiny. Another important aspect directly related to the value of the IoT system in the organization is the threat environment. Not every IoT system is vulnerable to a particular attack. NFC and Bluetooth-based systems might not necessarily be vulnerable to remotely staged attacks, such as SQL injection, but could be vulnerable to attacks requiring close proximity. An understanding of this threat environment and plans for mitigation are therefore required. It is also worth mentioning that in recent times the damage caused by insider threats calls for closer scrutiny of the people on the systems' access control lists, as they too could be part of the threat environment. From instances such as that of Snowden and the NSA, we have come to understand that the list of users with access control privileges effectively constitutes part of the threat environment. These insiders are capable of using any kind of IoT device and exfiltration method to siphon data out of the organization.

Some other important points to consider, as specified by Figure 10.3, include the evaluation of risk scenarios and anticipated business impact, privacy and legal issues that arise with the use of the IoT systems, the type of information that is collected from these IoT systems, and the damage that can result if this data is obtained by intruders. All of these will permit the auditor to draw up a more focused assessment plan for an audit that will better serve the organization. Organizations whose IoT systems are more customer centric will be more worried about privacy and legal issues, whereas more manufacturing or production centric organizations might be more concerned with risk scenarios and their related impact on business. After considering these points, an effective audit strategy can be developed based on the expectations with regard to the result of the audit.

10.3.4 Audit Strategy

An auditor must keep the organization's interest in mind while auditing the IT systems. An auditor's independence is of crucial importance so that he/she is not influenced by any factors that could jeopardize the audit. The audit can essentially begin by focusing on the following aspects of the IoT system:

  • Security. As the name implies, the IoT devices generally have some built-in Internet connectivity capabilities, and hence, become just as susceptible to attacks from cyber criminals and hacktivists as laptops, notebooks, and other Internet capable devices. A thorough vulnerability assessment of the IoT systems must be conducted and potential risk factors and internal controls have to be identified. These vulnerabilities, threats, and controls have to be documented and periodically tested. The documentation is essential to strengthen the controls for IoT systems. Security of systems provided by third parties must also be considered and audited at frequent intervals. A thorough analysis of the encryption used in IoT systems must also be considered in the audit. Moreover, auditors must also ensure that these devices follow the basic security standards and protocols that have been defined by an appropriate security framework (Kessinger and Duffer, 2017; Hare-Brown, 2017).
  • Health and Safety. Of all the risks posed by IoT devices, risks associated with human life and safety are paramount. Health and safety are of utmost importance in industries like health care, chemical industries, manufacturing units, and laboratories, where smart devices are employed. Examples of these health devices include pacemakers, defibrillators, and other vital-signs tracking devices. These systems must be thoroughly tested before they are deployed into these business units. In addition, control measures are needed to ensure that the requisite testing procedures are completed before major overhauls such as upgrades, patches, and other changes are made to IoT systems. This is very critical where health and safety-related faults pose a significant risk (Crossman and Liu, 2015; Kessinger and Duffer, 2017).
  • Resilience. Since IoT devices are used in crucial systems that are prone to attacks, an auditor must assess the existence of controls that could recover systems in the event of a failure. An auditor must explain the importance of business continuity, disaster recovery, and incident response to senior management and actively participate in the design and testing of these procedures. These procedures are crucial to identify the organization's preparedness in the event of a mishap. All crucial systems must be considered while testing these scenarios, and appropriate documentation must be in place to guide a smooth transition in the event of a change. Testing to ensure the continuity of these procedures is of prime importance to verify that they meet the RPO (recovery point objective) and RTO (recovery time objective) (Kessinger and Duffer, 2017).
  • Monitoring. Akin to any other access-based system, there is a dire need for control measures that can monitor the functioning of the IoT systems. Frequent testing has to be performed to ensure that the controls are operating as expected. Any exception or error that occurs in the system must be successfully recorded. These recordings can assume the form of any kind of logging available to the system. Logging has been in the past, and continues to be, a tremendous asset during audits. It has been compared to an administrative partner that is always at work, never complains, never gets tired, and is always on top of things. If properly instructed, such a partner can provide extensive details on the time and place of every event that has taken place in the network or system (Tuli and Sahu, 2013). The SANS Institute identifies different logging levels such as Debug and Informational, Notice, Warning, Error, Critical, Alert, and Emergency, in that order of severity (GadAllah, 2003). Taking a more proactive stance, preventive controls need to be consistently maintained and can be tested with penetration tests to ensure their operability. Likewise, detective controls need to log any illegal access to the system, and corrective controls must successfully restore data if lost (Hare-Brown, 2017).
  • Asset Management. An auditor must give sufficient importance to the procurement and classification of IoT assets that are used in an organization. A holistic risk-based assessment must be performed while classifying these assets and the data that they transmit. These devices must also employ sufficient encryption, to the point where the loss of encrypted data does not pose a serious risk to the organization (Hassan, 2016). This is of immense importance, as recently U.S. HealthWorks suffered a data breach via an unencrypted laptop that was lost (Lewis, 2017). Tightening up security measures in asset management evidently should be a major priority.
  • Change Management. While upgrading/changing a system from a legacy to an improved system, care must be taken to ensure a smooth transition. The newly employed system must mitigate the risks that possibly plagued the legacy systems while also not compromising on critical controls. As second-generation IoT devices begin rolling off assembly lines and out of factories, it will be imperative to ensure that their integration into the organization does more in the way of mitigating existing loopholes and vulnerabilities. Due to pressing schedules, some legacy SCADA (Supervisory Control and Data Acquisition) systems undergo limited amounts of testing and fail to achieve a compromise between concrete security measures and smooth daily functioning. The security features turn out to be either too stringent, slowing down smooth functioning, or not stringent enough to promote robust functionality, hence allowing security loopholes and vulnerabilities. An example of such a failed attempt was observed with Windows 7's attempt at enforcing system-wide privacy and security. A thorough assessment of any new IoT devices and systems in general will, therefore, be needed before they can be deployed company wide.

10.4 Use Cases of IoT in IT Auditing

The rapid innovations made possible by IoT are consistently pushing the boundaries of how we interact with technology. A direct result of this is that organizations are seeing new, nonstandardized forms of technology entering their networks. This brings about new scenarios with security implications that the organization is not adequately prepared to handle, as there have been no prior organizational standards in these areas. Listed below are three use cases in which IT auditing would be useful in preventing or detecting possible security lapses in the IoT.

10.4.1 Bring Your Own Devices

The first use case will deal with a Bring Your Own Device scenario, specifically wearable devices due to their growing popularity and expanding capabilities. Depending on the brand, smart watches can browse the web, sync up to your email, write notes, take voice recordings, and even take pictures. The enhanced functions of these wearable devices would allow for easier corporate espionage due to the ability to carry out small bits of data hidden on the watch. Another potentially dangerous scenario would be if the smart watch was hacked, either through the web function or through Bluetooth-based attacks. A virus could unwittingly be brought into the business office where the virus was then allowed to spread after the watch connected to your work computer or other devices in the office.

10.4.2 Electronic Utility Meter Readers

The next use case deals with the idea of electronic utility meter readers. An electronic meter makes it easier to keep track of the utility costs in a company, but comes with its own hazards. If an outsider is able to gain access to those meters, they will be able to monitor traffic throughout the building or company. A malicious agent can figure out when a certain area will be least populated and then utilize social engineering to get through that area. It is a lot easier to fool one or two individuals with social engineering techniques than a whole group of people. In addition to that, an agent who is out to cause lethal damage could redirect the flow of gas to concentrated areas within the building, which could end up in a fire hazard. Finding ways to cut off the flow of air to these regions of the building could have similarly lethal effects on human lives.

10.4.3 Smart Parking Meter Interfaces

Another use case can involve smart parking meters and their connections to a building's or organization's Wi-Fi. Smart parking meters in a particular building will be connected to a main interface that can provide incoming drivers with information on exactly where parking is available in that building. In such a scenario, an incoming driver can quickly query the building's parking interface to obtain information on the parking available in that building. For instance, a vehicle might have just pulled out of Level 1 parking spot 27, making that spot available on the building's parking interface. An incoming vehicle would not have to go to level 5 to find a parking spot. An additional benefit of this interface would be the automated tagging of employees' cars. So, employees would no longer need a physical tag to park but could use RFID tags or possibly have the car's computer system connected to the smart parking grid network, which could as well be hosted through the organization's intranet. The first issue that could arise with this is some sort of denial-of-service (DoS) attack where an attacker or malicious agent breaches the system and tags empty lots as occupied, thereby denying legitimate users the parking service. The situation becomes more critical if the attacker can connect to the organization's intranet and extract valuable information on the organization, or trivial information such as what vehicle the CEO drives. There are a number of different ramifications that could come with this, particularly the potential loss of valuable information. Organizations that own or share smart parking grid interfaces would have to work together to establish common standards to enhance security and, consequently, audit procedures.

10.5 Protecting the Business Network

The government created the Federal Trade Commission (FTC) for the purpose of protecting consumers in their purchase of products and services1. It is an independent agency and, as such, does not have direct authority to enforce its ideas in a particular industry. Instead, it comes up with its version of a best practice solution, as in the case of securing the IoT, and then recommends that the industry adopt these practices to handle security and privacy issues, all in a bid to protect the consumer (Ohlhausen, 2014). The FTC understands that IoT, for instance, has great potential for communication innovation and would like to see the network grow, but it also understands that users have to trust the network in order to use it. The apparent dilemma here is that even though the FTC believes in the importance of this security, it lacks direct enforcement ability over companies in the industry. As such, it resolves to be more persuasive in its approach by releasing reports that lay out best practices and hosting workshops to spread its ideas.

While this seems great, some of the ideas that the FTC has come up with are actually pretty basic (Federal Trade Commission and others, 2015). The fact that these solutions were not already in place is a symptom of the new attention being placed on the IoT network. For example, one of the solutions is to make security part of the first step of product design rather than an afterthought. It would be easy to simply blame the producer for not doing enough to protect the privacy of their customers. However, the consumer will not find many products on the market that were made to be tamper-proof.

10.5.1 Traditional Security Measures

Another best practice for a company is to minimize the data collected by this network, or to notify consumers so that they are fully aware of this collection of data. People are wary of any data collection because "Big Data" has become a major buzzword in the media. Unless all players in a certain grouping (e.g., wearables) get together and all promise to disclose the extent of their data collection, this solution will not be taken seriously. If one brand announces the collection of data, consumers will jump ship from that brand to another brand that has not announced collection, even though the other brand most likely produces some data for a hacker to steal as well.

The solutions that the FTC is pitching need to be disseminated further before they can be accepted as serious answers. So, while the FTC may only be offering basic ideas, this may eventually create enough public attention to get these ideas implemented in future products to increase security moving forward. The FTC cannot just have workshops attended by industry insiders and expect instant change to current practices. They do have their reports and information on their site, but realistically, if a consumer cared about this topic, they would most likely already have collected all of the relevant and meaningful information from another source. The average consumer is just aware of the benefits they stand to gain from being able to connect to more devices around their house.

There are numerous other big, high-tech firms providing their thoughts on this topic, and there does not seem to be one magic answer as to how to infallibly secure this network. In the meantime, we just keep growing the network because we do not believe that hackers will crack into our fridges or other such devices. As with credit card theft, we never think that it will happen to us, until it does. And even then, we are already so ingrained in this system that we do not know how to act differently, so we hope that the issue does not happen again. With this in mind, it calls into question the Federal Trade Commission's warning of doom for the growth of the IoT in relation to consumer buy-in and privacy concerns. By getting the word out to the average consumer about the potential dangers, and to companies about the impact on their bottom line if security is not made a top priority, the FTC can help ensure change.

10.5.2 New Policies to Address New Threats

Industries that are keen on implementing IoT devices must be prepared to manage them efficiently in order to gain maximum rewards from them. They must be prepared to mitigate any risks that IoT poses by following specific guidelines and standards. A few recommendations for organizations planning to implement IoT are as follows:

  • Designing security into IoT systems from the bottom-up. Security must not be added to these systems after their implementation, but rather, they must be incorporated from the initial stages of development. In other words, security controls must not be a value added to the IoT systems, but an essential integrated feature.
  • Understanding vital assets and values and investing in their protection. Health companies focus on the well-being of the patient while commercial organizations focus on great products and sales maximization. These assets and values have to be the central focus when planning on IoT implementations.
  • Collecting no more data than is required, and encrypting the sensitive data that is collected.
  • Partnering with appropriate vendors on elements of security such as identity management, access control management, intelligence analytics, and patch management.
  • Conducting a comprehensive security audit of the IoT systems including privacy, risks, and fraud assessment.
  • Sufficient testing before implementing or changing the IoT systems.
  • Training the organization's staff on the risks related to IoT systems and repeating that training regularly.
  • Creating a security awareness program and educating all the members of the organization on the importance of security practices related to IoT systems (Hare-Brown, 2017).

10.6 Conclusion

The next generation of technology belongs to network-interfaced devices that perform intelligent and complex tasks in order to enhance human lifestyle experiences. The evolution of these devices now allows them to exchange copious amounts of data, process this data, and obtain results, which allow them to make decisions very often without any human intervention.

Unfortunately, this luxury does not come without its drawbacks, as these networks teeming with data present a very attractive target for intruders and other ill-intentioned minds. This chapter has highlighted and discussed some of the possible ensuing vulnerabilities and demonstrated the need for routine auditing. The onus, however, does not lie only with the organizational auditing bodies: manufacturers must find a way for end-to-end security to be incorporated into IoT devices and IoT systems. This should be done in concert with factory-level audits to ensure compliance with designated standards. In a nutshell, security at both the device and system levels should be an integral part of the build process, followed by recurring audits to ensure that standards are met.

Establishing audit procedures for IoT devices might seem far-fetched, as these devices cut across a wide array of categories, as seen in this chapter. There already exist, however, basic tenets for auditing devices that exchange data in today's world. Likewise, rigorous auditing routines akin to commonly known and widely accepted ones, such as penetration testing routines or BYOD infrastructure audits, could easily be referenced. Adapting and modifying these existing practices will doubtlessly help ensure compliance at every level of society, ranging from homes to job sites. As it is, the available technology already possesses the tools and capabilities for built-in security or, at the very least, periodic audits. To this end, priority must not be placed on investing in new technologies and gadgets. The immediate objective must be directed toward carrying over the present best-in-class IT security controls, streamlined for the new and complex ecosystem of technology that is driving the IoT.

Acknowledgments

The research of the second, third, and fourth authors is funded in part by the National Science Foundation through the Scholarship for Service program under grant #1241709. The first author is funded by the University of Texas at San Antonio.

Note

References

  1. Ahmed, A. M., Yang, J. B., and Dale, B. G. (2003) Self-assessment methodology: the route to business excellence. The Quality Management Journal, 10(1), 43. Available at http://search.proquest.com/openview/0697fb8426fc3c99f60970e174cb1d9b/1?pq-origsite=gscholar.
  2. Carmichael, A. (2011) HIT – Health Internet of Things. Quantified Self. February 14. Available at http://quantifiedself.com/2011/02/hit-%e2%80%93-health-internet-of-things/.
  3. Boorstin, J. (2016) Humans hooked on 21 billion of these by 2020. CNBC. February 1. Available at http://www.cnbc.com/2016/02/01/an-internet-of-things-that-will-number-ten-billions.html.
  4. Crossman, M. A. and Liu, H. (2015) Study of authentication with IoT testbed. 2015 IEEE International Symposium on Technologies for Homeland Security (HST), pp. 1–7. Available at http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7225303.
  5. Federal Trade Commission, and others. (2015) Internet of Things: Privacy & Security in a Connected World. Washington, DC: Federal Trade Commission.
  6. Filkins, B. (2014) Health Care Cyberthreat Report. Widespread Compromises Detected, Compliance Nightmare on Horizon. SANS Institute. http://www.redwoodmednet.org/projects/events/20150731/docs/Norse-SANS-Healthcare-Cyberthreat-Report2014.
  7. GadAllah, S. M. (2003) The Importance of Logging and Traffic Monitoring for Information Security. Available at https://pdfs.semanticscholar.org/b1bd/427cb53b8ccc7a9b7630dcec77abcbb27c2b.pdf.
  8. Hare-Brown, N. (2017) How to mitigate security risks associated with IoT. ComputerWeekly. Available at http://www.computerweekly.com/opinion/How-to-mitigate-security-risks-associated-with-IoT (accessed July 10, 2017).
  9. Hassan, M. K. A. L. (2016) Governance, risk and compliance "GRC" for Internet of Things "IoT". International Journal of New Technology and Research, 2(3), 148–152. Available at https://www.ijntr.org/download_data/IJNTR02030038.pdf.
  10. HP News (2016) HP News—HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. Available at http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.V2ByEuYrKgQ (accessed June 14).
  11. Keith, C. (2017) A Quick Guide to the Worst Corporate Hack. Bloomberg.com. Available at http://www.bloomberg.com/graphics/2014-data-breaches/ (accessed July 10, 2017).
  12. Kessinger, K. and Duffer, J. (2017) Internet of Things: Risk and Value Considerations. Available at http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/internet-of-things-risk-and-value-considerations.aspx (accessed July 10).
  13. Lewis, D. (2017) US healthworks suffers data breach via unencrypted laptop. Forbes. Available at http://www.forbes.com/sites/davelewis/2015/06/01/us-healthworks-suffers-data-breach-via-unencrypted-laptop/ (accessed July 10).
  14. Martin, L. (2016) PlayStation hacked: what to do when your PSN account gets hacked. Express.co.uk. Available at http://www.express.co.uk/pictures/galleries/7133/PlayStation-Store-Summer-Sale-PS4-discounts.
  15. Newcomb, A. (2016) Jeep hackers' are back with a scary new trick. NBC News. Available at http://www.nbcnews.com/tech/tech-news/jeep-hackers-are-back-scary-new-trick-n623756.
  16. Ohlhausen, M. K. (2014) Privacy challenges and opportunities: the role of the federal trade commission. Journal of Public Policy & Marketing, 33(1), 4–9. Available at http://journals.ama.org/doi/abs/10.1509/jppm.33.1.4.
  17. Rawlinson, K. (2017) HP study reveals 70 percent of internet of things devices vulnerable to attack. Available at http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.V2ByEuYrKgQ (accessed July 10).
  18. Salman, S. (2015) Auditing the Internet of Things. Internal Auditor, October 29. Available at https://iaonline.theiia.org/2015/auditing-the-internet-of-things.
  19. Tollefson, R. (2015) Healthcare data at risk: Internet of Things facilitates healthcare data breaches. Third Certainty, January 9. Available at http://thirdcertainty.com/news-analysis/internet-things-facilitates-healthcare-data-breaches/.
  20. Tuli, P. and Sahu, P. (2013) System monitoring and security using keylogger. International Journal of Computer Science and Mobile Computing, 2(3), 106–111. Available at http://d.researchbib.com/f/8nq3q3YzydL3AgLl5wo20iMT9wpl9jLKOypaZiGJSlL2tlZQRmY1LlFGZlZQRmZwVhpTEz.pdf.
  21. Van der Meulen, R. (2017) Gartner says worldwide IoT security spending to reach $348 million in 2016. Available at http://www.gartner.com/newsroom/id/3291817 (accessed July 10).
  22. Wagstaff, K. (2014) Man hacks monitor, screams at baby girl. NBC News, April 28. Available at http://www.nbcnews.com/tech/security/man-hacks-monitor-screams-baby-girl-n91546.
  23. Wortmann, F., Flüchter, K., and others. (2015) Internet of Things. Business & Information Systems Engineering, 57(3), 221–224. Available at http://search.proquest.com/openview/ac6643ce2897d57bbad03f45ba9436e1/1.pdf?pq-origsite=gscholar&cbl=816386.
  24. Yan, W. Q. (2016) Introduction to Intelligent Surveillance, Springer.
  25. Yang, G., Xu, J., Chen, W., Qi, Z.-H., and Wang, H.-Y. (2010) Security characteristic and technology in the Internet of Things. Journal of Nanjing University of Posts and Telecommunications (Natural Science), 30(4).