Security

The power of the Internet of Things is obvious by now, but before you rush out and purchase a whole bunch of devices, think about interoperability and security. Every device we sell can be used with the AssetBook IoT software we recommend. The security level is determined by the system, not generally by the device.

AssetBook Security Overview

Technical Overview

AssetBook is a modular and scalable cloud app solution that's built on cutting-edge, secure and future-proof software and standards. It's based on a containerized microservices architecture, which means it adapts to and scales with changing conditions and prerequisites in client implementations. The solution is agnostic to hardware and operating systems. Modules can be added to and removed from the setup dynamically, providing easy adaptation and scalability. Data traffic is streamlined for cost/performance benefits; the input/output and storage architecture can handle huge numbers of requests (up to 300,000 requests/second per instance) and is secured through next-level cryptography. The solution is made for rapid prototyping and deployment, so that new ideas and customizations can be pushed to production quickly. Great emphasis is put on user experience and mobility in client software: simplicity, intuitiveness and accessibility are key words in AssetBook.

AssetBook is built with the following technologies:

o WebSocket – Standard for high-performance data communications
o Docker – Packages applications into isolated, scalable and deployable environments
o NodeJS – Cross-platform, scalable, high-performing run-time environment
o NoSQL – Efficient and flexible object storage, optimized for big data and IoT
o Native and web app environments (C++, TypeScript, Swift, Java, C#, Electron, Vue, JS and more).

System Architecture

Security overview

Docker

TL;DR: Docker is a secure way to isolate an application's services from the rest of the operating system and file system on the host, avoiding port mismatches and the other issues that arise from running the same application multiple times on the same computer. Because the entire application ships in a container with all its dependencies and files set up and ready to go, in a fast, simple and secure way, we can spin up a new application in seconds rather than hours or days.

1. Docker Introduction: Docker is a popular containerization platform that allows applications to run within isolated containers. By leveraging Docker's security features, we can enhance the overall security posture of our microservices.

2. Docker and Security:

2.1 Isolation and Encapsulation: Docker employs a containerization approach, which provides strong isolation between application components. Each application or service is encapsulated within its own container, ensuring that it operates independently from other containers. This isolation prevents unauthorized access and limits the impact of potential security breaches.

2.2 Reduced Attack Surface: By utilizing Docker, we can significantly reduce the attack surface available to potential threats. Docker containers only include the necessary components and dependencies to run an application, eliminating unnecessary software and libraries. This reduces the potential vulnerabilities and entry points for attackers, making it harder for them to exploit the system.

2.3 Security Patching and Updates: Docker simplifies the process of applying security patches and updates to the underlying system and containers. When vulnerabilities are discovered, patches can be deployed centrally and consistently across all containers within the platform. This ensures that all instances of an application are running the latest secure versions, minimizing the risk of known exploits.

2.4 Resource Isolation and Resource Limitation: Docker provides resource isolation and limitation mechanisms, allowing us to allocate specific CPU, memory, and network resources to each container. These limits prevent resource abuse and denial-of-service attacks, ensuring fair resource distribution among containers. By enforcing resource constraints, Docker helps mitigate the impact of malicious activities on the overall platform.

2.5 Image Integrity and Verification: Docker employs a layered image architecture, where each layer of an image is cryptographically hashed. This enables the verification of image integrity and ensures that the deployed containers are consistent with the original trusted images. Docker's image verification mechanisms provide an additional layer of security by preventing tampering and unauthorized modifications to containerized applications (microservices).

2.6 Rapid Deployment and Rollback: Docker's containerization model enables quick and consistent deployment of applications and services. This feature is particularly useful for responding to security incidents or vulnerabilities, as patches and updates can be rapidly deployed across the platform. Additionally, Docker allows for easy rollback to previous versions if issues or vulnerabilities are detected, ensuring a faster recovery process.

3. Best Practices for Docker Security: While Docker offers inherent security benefits, it is crucial to follow best practices to maintain a secure environment. As such we are following the Docker security recommendations:

3.1. Regularly update Docker and its dependencies to benefit from the latest security enhancements.

3.2. Implement strong access controls and authentication mechanisms for Docker hosts and container orchestration systems.

3.3. Utilize security scanning tools to analyse Docker images for known vulnerabilities before deployment.

3.4. Apply the principle of least privilege by granting only necessary permissions to containers and restricting container privileges.

3.5. Employ network segmentation and firewall rules to isolate containers and control communication between them.

3.6. Monitor Docker logs and utilize intrusion detection and prevention systems to detect and respond to potential security incidents.

3.7. Regularly review and audit container configurations to ensure compliance with security standards and industry best practices. 

Authentication and communication

Our system is made using a microservice architecture mindset and is therefore completely modular. Each module connects to the others securely through an end-to-end encrypted WebSocket tunnel via a central core module, which then handles the routing of traffic and events. The only way to establish a connection to the core is with an authenticated and unique JWT (JSON Web Token) that has been generated by the core. This creates a secure environment where someone without a valid JWT will not be able to connect.

External communication

For external communication between a third-party system and AssetBook there are multiple options to choose from, for example:

➢ HTTPS REST API using a JWT generated by the core that only allows certain calls to the API.

➢ MQTT over TLS / MQTT over WSS using a username and API token generated by the core for access to certain pub/sub topics.

➢ WebSocket (TLS) can also be used to interact directly with the core like any other module, protected by a JWT that decides which events it can send and receive data on.

Sensitive details storage, such as passwords or Social Security Numbers (hashed items that never need to be read back)

Passwords and SSNs are hashed using Argon2id with a unique "salt" for each password/SSN and are also "peppered", meaning the result is additionally encrypted; we use symmetric encryption/decryption utilizing elliptic curve cryptography (ECC) and then store the information in the database. This means that even if an attacker gets access to the database, they cannot brute-force the contents to find a password or SSN. The ECC private/public keys are stored in a secure element on the server and not in the database, which protects the hashed content at an additional level.

Logging

Enabling full system logging is as easy as starting the "Logging" module, which will log everything it encounters. Note that access logs are still recorded even if the Logging module is not enabled.

Attack prevention

DDoS (Distributed Denial of Service attack)

DDoS protection is crucial for maintaining the availability and stability of online services. One effective approach we utilize to mitigate DDoS attacks is leveraging our private cloud infrastructure combined with floating dynamic IPs. In this setup, our private cloud provides scalability and flexibility, allowing the platform to handle sudden traffic spikes caused by DDoS attacks. By dynamically allocating floating IP addresses to the instances, the infrastructure becomes more resilient to attacks, as the IP addresses constantly change, making it difficult for attackers to pinpoint and overwhelm a specific target. This distributed IP approach helps spread the attack traffic across multiple instances and reduces the impact on any single server. Additionally, by employing advanced DDoS detection and mitigation techniques within the private cloud environment, such as traffic analysis and rate limiting, we can proactively identify and block malicious traffic, ensuring the continuous and secure operation of our services.

Brute force

Brute force protection is essential for safeguarding sensitive accounts and systems against malicious login attempts. One effective strategy we utilize for brute force protection is account lockout policies coupled with strong authentication mechanisms. By setting a threshold for the number of failed login attempts within a specified time frame, we can automatically lock user accounts, temporarily or permanently, after multiple unsuccessful login attempts. This deters brute force attacks by preventing attackers from continuously guessing passwords.

Additionally, deploying multi-factor authentication (MFA) adds an extra layer of security, requiring users to provide additional verification, such as a code generated on their mobile device, along with their passwords. This significantly enhances the security posture by making it much more challenging for attackers to gain unauthorized access through brute force techniques. By implementing these measures, we can effectively mitigate the risk of brute force attacks and protect our tenants and user accounts from unauthorized access.
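The lockout policy described above (a threshold of failed attempts inside a time window, then a temporary lock), as an added example that is not AssetBook's own code. The threshold, window and lockout durations are constructed defaults; the state lives in memory here, where a multi-instance deployment would keep it in shared storage.

```javascript
// Added example (not AssetBook code): failed-login counter with a sliding
// window, temporary lockout and reset on success. Defaults are constructed.
function createLoginGuard({ maxFailures = 5, windowMs = 10 * 60 * 1000, lockoutMs = 15 * 60 * 1000 } = {}) {
  const state = new Map(); // account -> { failures: [timestamps], lockedUntil }

  // Current standing of an account; expired lockouts and old failures are dropped.
  function status(account, now = Date.now()) {
    const s = state.get(account);
    if (!s) return { locked: false, remaining: maxFailures };
    if (s.lockedUntil && now < s.lockedUntil) return { locked: true, until: s.lockedUntil };
    s.failures = s.failures.filter(t => now - t < windowMs);
    return { locked: false, remaining: maxFailures - s.failures.length };
  }

  // Count a failure; lock the account once the threshold is reached inside the window.
  function recordFailure(account, now = Date.now()) {
    const s = state.get(account) || { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter(t => now - t < windowMs);
    s.failures.push(now);
    if (s.failures.length >= maxFailures) {
      s.lockedUntil = now + lockoutMs;
      s.failures = [];
    }
    state.set(account, s);
    return status(account, now);
  }

  function recordSuccess(account) {
    state.delete(account);
  }

  // Wraps a credential check: refuse while locked (even with the right password),
  // count a failure otherwise, clear the counter on success.
  function attempt(account, checkPassword, now = Date.now()) {
    if (status(account, now).locked) return { ok: false, reason: 'locked' };
    if (checkPassword()) {
      recordSuccess(account);
      return { ok: true };
    }
    const st = recordFailure(account, now);
    return { ok: false, reason: st.locked ? 'locked' : 'bad credentials', remaining: st.remaining };
  }

  return { attempt, status };
}
```

The reason field is for the server's own logs and alerting; the message shown to the client should stay generic, as the test cases later on this page require.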

Beyond lockout and MFA, each tenant has a setting where an administrator can choose the minimum login method: for example, they can restrict login to Swedish BankID only, which removes the brute force aspect completely.

Cross-site scripting (XSS)

Cross-site scripting (XSS) poses a significant threat to web applications, making effective protection measures crucial. To mitigate the risk of XSS attacks, we employ multiple layers of defence. Firstly, input validation and output encoding techniques are implemented to sanitize user-supplied data and prevent it from being interpreted as executable code. This involves validating and filtering user input to remove or escape any potentially malicious content. Secondly, adopting a content security policy (CSP) allows us to define a set of rules that specify which types of content can be loaded on a web page, thereby limiting the potential sources of XSS vulnerabilities. Additionally, a web application firewall (WAF) provides real-time monitoring and detection of suspicious activity, blocking requests that match known XSS patterns. Regular security testing, including vulnerability scanning and penetration testing, is crucial to identifying and addressing any potential XSS vulnerabilities. By implementing these preventive measures, we can significantly reduce the risk of XSS attacks and ensure the integrity and security of our web applications and user data.

Penetration test cases

The following test cases are mainly performed automatically with test tools.

Serverside/Backend

➢ Verify user session ends upon log off.

➢ Verify whether any critical data, such as passwords, is stored in secret files on the system.

➢ Check for uncontrolled format string attacks – a security attack that can cause the application to crash or execute a harmful script on it.

➢ Verify whether the error pages display any information that could help an attacker enter the system.

➢ Verify that all applications, operating systems and database versions are up to date.

➢ Verify that directory browsing is disabled on the server.

➢ Verify that all HTTP requests are blocked and the client is automatically redirected to HTTPS.

➢ Verify that the password meets the required standards. The password should be at least 8 characters long, contain at least one number and one special character, and contain no 3-character sequence of the email or name (can be changed for each tenant).

➢ Important input validations should be done at server side as well as JavaScript checks at the client side.

➢ Verify that NoSQL injections are protected against.
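The password rule in the test case above (at least 8 characters, at least one number and one special character, no 3-character sequence taken from the email or name), as an added example that is not AssetBook's own code. The policy object, which stands in for the per-tenant override the page mentions, and the response shape are assumptions.

```javascript
// Added example (not AssetBook code): server-side password policy check.
// DEFAULT_POLICY mirrors the rule on the page; a tenant would pass its own.
const DEFAULT_POLICY = { minLength: 8, requireDigit: true, requireSpecial: true, forbiddenSeqLen: 3 };

// Returns the first n-character run of `source` that appears in the password
// (case-insensitive), or null when none does.
function sharesSequence(password, source, n) {
  const p = password.toLowerCase();
  const s = (source || '').toLowerCase();
  for (let i = 0; i + n <= s.length; i++) {
    const seq = s.slice(i, i + n);
    if (p.includes(seq)) return seq;
  }
  return null;
}

// Checks every rule and reports all problems, so the user can fix them in one go.
function checkPassword(password, { email = '', name = '' } = {}, policy = DEFAULT_POLICY) {
  const problems = [];
  if (password.length < policy.minLength) problems.push(`shorter than ${policy.minLength} characters`);
  if (policy.requireDigit && !/\d/.test(password)) problems.push('no digit');
  if (policy.requireSpecial && !/[^A-Za-z0-9]/.test(password)) problems.push('no special character');
  for (const [label, src] of [['email', email], ['name', name]]) {
    const seq = sharesSequence(password, src, policy.forbiddenSeqLen);
    if (seq) problems.push(`contains "${seq}" from ${label}`);
  }
  return { ok: problems.length === 0, problems };
}
```

The same check belongs on the server regardless of any client-side JavaScript check, as the following test case states; the client copy only improves feedback.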

Infrastructure

➢ Proxy server – check whether network traffic is monitored by proxy appliances. A proxy server makes it difficult for attackers to obtain internal details of the network, thus protecting the system from external attacks.

➢ Verify that the system and network are secured against DoS (denial-of-service) attacks.

➢ Verify that the system is safe from brute force attacks.

➢ Firewall – make sure the entire network and all computers are protected with firewalls.

➢ Verify whether there are unnecessary open ports into or out of the network.

➢ Verify that all usernames and passwords are encrypted and transferred over a secured connection.

Client/App

➢ Verify whether the application returns more data than is required.

➢ Verify the information stored in website cookies/local storage. Sensitive data should not be in readable format.

➢ The application login page should be locked after a few unsuccessful login attempts.

➢ Verify through URL manipulation that the web application does not show any unwanted information.

➢ Error messages should be generic and should not mention specific error details like "Invalid username" or "Invalid password".

➢ Verify that special characters, HTML tags and scripts are handled properly as input values.

➢ Verify that the reset password functionality is secure.

➢ Verify the application against HTML script injection attacks.

➢ Verify the application against cross-site scripting.

➢ Verify memory leak and buffer overflow checks.


OWASP Top Ten (The Open Web Application Security Project)

In addition to the above, we also continuously monitor, check and verify that we are protected against the OWASP Top 10: https://owasp.org/Top10/

ioXt Alliance (The Global Standard for IoT Security, ioxtalliance.org)

We are a member of the ioXt Alliance and have received the following security rating from their certified experts.

NOTE: This document is a short list of the security checks and verifications we perform on the AssetBook platform. For security reasons we keep some details confidential and have chosen not to make everything we do public information.