5 Best Practices for Securing Linux Devices at the Edge

The Internet of Things. It sounds innocuous enough. After all, how much damage can one little thing cause? But if they called it The Internet of Unsecured Devices with Easy Access to Your Network and Confidential Data, well, that sounds pretty scary indeed. Unfortunately, it’s also a lot closer to the truth.

According to Check Point Research, in any given week, 54 percent of organizations will be targeted with an IoT-based cyber attack. And with the number of IoT devices expected to more than double in the next few years, it stands to reason these cyber attacks will become even more prevalent. From security cameras to medical devices, automated factory robots to autonomous drones, CISOs will have plenty of things to worry about.

At Wind River, securing network-connected devices at the edge is a big part of what we do. Many of these devices run mission-critical operations that require a hardened Linux operating system to protect them against the Common Vulnerabilities and Exposures (CVEs) directed at commercially available software from Microsoft, Google, and other software vendors. Even so, Linux-based edge devices still need protection. To address this need, we’ve identified these five best security practices for securing Linux devices at the network edge.

Best Practice #1: Survey Your Threat Landscape

Connected devices now outnumber people on the Internet by a margin of roughly 3:1, yet many security teams still take a decidedly user-centric view when it comes to protecting against cyber attacks. A better practice is to understand your threat landscape across your entire network by asking questions such as:

· What do we really need to protect? Is it just data and people, or devices and environments too?

· What kind of threats are we vulnerable to as an organization?

· How much risk can we safely assume? Can we withstand operational disruption for an hour? A day? Will our reputation recover after news of a data breach and, if so, how quickly?

· What limits and penalties exist for us as a result of federal or industry regulation?

· Do we have a planned response for IoT-based security attacks, or are we just planning to wing it?

· Who is responsible for responding to a cyber attack? Is it all down to our security team, or should we bring in vendors and consultants to help?

Best Practice #2: Lock Down Your Data

It’s safe to assume that your organization already has some kind of data protection plan in place. But it’s dangerous to assume that plan is airtight. Data security as a discipline involves dozens of different security mechanisms, and it is rare to find an organization that does all of them well. For edge-based devices, two things that organizations absolutely need to get right are patch management (the more automated, the better) and cryptographic sanitization (i.e., wiping devices clean before decommissioning them).

Best Practice #3: Mitigate the Most Dangerous Attacks First

Last year, there were more than 25,000 unique CVEs identified, with new CVEs being created every 20 minutes according to some estimates. With so many cyber attacks in motion, security teams need to attack the problem intelligently by prioritizing their remediation and mitigation efforts around the most serious attacks first. Wind River has identified six critical components of an effective response to the IoT cyber attack problem:

1. Measure the potential impact of the attack.

2. Focus on the most commonly exploited attacks first.

3. Protect those areas where business risk is greatest.

4. Address the “easy” fixes early in the process.

5. Pay attention to security measures that are mandated by compliance.

6. Give higher priority to those attacks with high CVSS (Common Vulnerability Scoring System) scores.

Best Practice #4: Automate Your Security

Given the sheer number of threat vectors and attacks, organizations can’t hope to contain cybercriminal activity through manual remediation processes. Automation is critical for the efficient detection, investigation, identification, and remediation of cyber attacks. In this case, Wind River has something even better than a best practice. We offer the best vulnerability scanning tool for Linux-based edge devices on the market… and we offer it for free. Our vulnerability scanning tool automates a host of security activities, including CVE lifecycle management, accurate security data collection, community data research, vulnerability scanning, triage, license identification, dashboards, security reports, and security bill of materials (SBOM) generation.
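The scanning and triage steps described in Best Practice #3 and Best Practice #4 can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not Wind River's scanner and not code from the original post. It matches a constructed package inventory (a minimal SBOM) against constructed advisories, then ranks each finding using the six prioritization criteria above. The CVE identifiers, package versions, CVSS values and the scoring weights are all assumptions chosen for illustration; a real deployment would take advisories from a vulnerability feed and use a proper distribution-aware version comparator.

```python
"""Added example (not Wind River's tool): match an SBOM against advisories
and rank findings by the six prioritization criteria. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve_id: str              # placeholder ids, not real CVE numbers
    package: str
    fixed_in: tuple          # first fixed version as a tuple, e.g. (1, 1, 2)
    cvss: float              # CVSS base score, 0.0 to 10.0 (criteria 1 and 6)
    exploited_in_wild: bool  # criterion 2: commonly exploited
    easy_fix: bool           # criterion 4: drop-in update, no API change
    compliance_mandated: bool  # criterion 5: required by a compliance regime


@dataclass
class Finding:
    advisory: Advisory
    installed: tuple
    business_risk: int       # criterion 3: 1 (low) to 3 (high), from the asset owner
    score: float = 0.0


def parse_version(version: str) -> tuple:
    """Turn 'a.b.c' into a comparable tuple. Simplification: real packaging
    schemes (epochs, distro revisions) need a dedicated comparator."""
    return tuple(int(part) for part in version.split("."))


def scan(sbom: dict, advisories, asset_risk: dict) -> list:
    """Emit a Finding for every SBOM component whose installed version is
    older than the advisory's first fixed version."""
    findings = []
    for adv in advisories:
        if adv.package not in sbom:
            continue                     # component not present on this device
        installed = parse_version(sbom[adv.package])
        if installed < adv.fixed_in:
            findings.append(Finding(adv, installed, asset_risk.get(adv.package, 1)))
    return findings


def priority_score(finding: Finding) -> float:
    """Weighted score over the six criteria. The weights are an assumption;
    tune them to the organization's risk appetite."""
    adv = finding.advisory
    score = adv.cvss                              # criteria 1 and 6: impact / CVSS
    if adv.exploited_in_wild:
        score += 5.0                              # criterion 2: exploited in the wild
    score += 2.0 * (finding.business_risk - 1)    # criterion 3: business risk
    if adv.easy_fix:
        score += 1.5                              # criterion 4: cheap to fix, do it early
    if adv.compliance_mandated:
        score += 2.0                              # criterion 5: compliance mandate
    return round(score, 2)


def triage(sbom: dict, advisories, asset_risk: dict) -> list:
    """Scan, score, and return findings ordered highest priority first."""
    findings = scan(sbom, advisories, asset_risk)
    for finding in findings:
        finding.score = priority_score(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample inventory for one edge device (package -> installed version).
SBOM = {"openssl": "1.1.1", "busybox": "1.35.0", "libexample": "2.3.1", "zlib": "1.2.13"}

# Constructed advisories with placeholder identifiers; none correspond to real CVEs.
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", (1, 1, 2), 7.5, True, True, True),
    Advisory("CVE-0000-0002", "busybox", (1, 36, 0), 9.8, False, False, False),
    Advisory("CVE-0000-0003", "libexample", (2, 3, 0), 8.1, True, True, False),  # already fixed
    Advisory("CVE-0000-0004", "zlib", (1, 2, 14), 5.3, False, True, False),
    Advisory("CVE-0000-0005", "curl", (8, 0, 0), 9.1, True, True, True),  # not installed
]

# Constructed asset-owner assessment of business risk per component.
ASSET_RISK = {"openssl": 3, "busybox": 2}


if __name__ == "__main__":
    for f in triage(SBOM, ADVISORIES, ASSET_RISK):
        print(f"{f.advisory.cve_id} {f.advisory.package:<10} score={f.score}")
```

With the constructed data, the OpenSSL finding ranks first despite its lower CVSS score because it is exploited in the wild, sits on a high-risk asset, is cheap to fix and is compliance-mandated; the BusyBox finding's 9.8 CVSS alone is not enough to outrank it. That is the point of Best Practice #3: CVSS is one of six inputs, not the whole answer.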

Best Practice #5: Finish What You Start

Protecting your network and networked devices against cyber attack isn’t a step, it’s a process. Organizations need to view edge-based device security as a continuous cycle of planning, development, deployment, operations, and decommissioning. The sad fact is that cybercrime doesn’t take a holiday (in fact, it usually works overtime on the holidays), and your security activities likewise can’t let their guard down. Following industry best practices, automating everything that you can, and leveraging the expertise of experienced security partners is the best recipe for protecting your network edge against whatever cybercriminals cook up next.

If you’d like to read further on this topic, download our free whitepaper, Securing Linux Devices at the Edge: Best Practices.