The Center for Internet Security, Inc. (CIS) has published recommended best practices for securing IT systems and data. For large organizations it is key to implement the organizational CIS controls, which focus on people and processes, and to drive change by executing an integrated plan that improves the organization's risk posture. CIS Control 20: Penetration Testing and Red Team Exercises is a well-defined method for implementing organizational controls. These tests allow cyber security experts to detect vulnerabilities and assess the overall strength of an organization's defenses by simulating the actions of an attacker. Attackers often target software deployment weaknesses, such as misconfigurations, poor policy management, and gaps in the interaction among multiple threat detection tools, to exploit security gaps.
First, IoT devices can expose several types of interfaces: web-based interfaces for consumers, or object interfaces for governance-as-code applications such as control systems. Hence input validation, command injection, and code injection should be a primary focus of penetration testing of IoT devices.
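The command-injection and input-validation concern above is easiest to see in a concrete handler. The following is an added example, not code from the original article or from CIS: it models a typical IoT device diagnostic endpoint that takes a target host from a consumer web interface and invokes `ping`. The vulnerable builder concatenates the unvalidated string into a shell command line; the hardened builder validates the target against an IP-address or RFC 1123 hostname grammar, bounds the numeric parameter, and passes an argument list with no shell. Function names, the constructed inputs, and the `ping -c` invocation are assumptions for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and
# hyphens, each label starting and ending with an alphanumeric character.
# Because a valid label cannot start with '-', a validated target can never
# be parsed by ping as an option, and it cannot carry shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def validate_target(target: str) -> str:
    """Return target unchanged if it is a syntactically valid IP address or
    hostname; raise ValueError otherwise (allow-list validation, not denial of
    known-bad characters)."""
    if not isinstance(target, str) or not target or len(target) > 253:
        raise ValueError("target must be a non-empty string of at most 253 characters")
    try:
        ipaddress.ip_address(target)  # accepts IPv4 and IPv6 literals
        return target
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"target is not a valid hostname or IP address: {target!r}")


def is_safe_target(target: str) -> bool:
    """Boolean wrapper around validate_target, handy for tests and log checks."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_shell_command(target: str) -> str:
    """VULNERABLE pattern (assumed, for contrast only): the untrusted string is
    concatenated straight into a command line that would be run with
    shell=True, so any shell syntax in `target` becomes part of the command."""
    return f"ping -c 1 {target}"


def build_ping_argv(target: str, count: int = 1) -> List[str]:
    """Hardened builder: validate the host, bound the packet count, and return
    an argv list so the target is always exactly one argument to ping."""
    if isinstance(count, bool) or not isinstance(count, int) or not 1 <= count <= 5:
        raise ValueError("count must be an integer between 1 and 5")
    return ["ping", "-c", str(count), validate_target(target)]


def run_diagnostic(target: str, count: int = 1) -> subprocess.CompletedProcess:
    """Execute the hardened command. shell=False means no shell ever parses
    the arguments; the timeout stops a slow target from tying up the device."""
    return subprocess.run(
        build_ping_argv(target, count),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying shell syntax.
    for sample in ["192.0.2.1", "sensor-01.example.com", "192.0.2.1; extra"]:
        print(f"{sample!r:28} shell string: {build_ping_shell_command(sample)!r}")
        print(f"{'':28} safe? {is_safe_target(sample)}")
```

A pentest of such an interface checks for exactly the gap between the two builders: the shell-string version accepts anything, while the argv version rejects the constructed input with a `ValueError` before any process is started. The allow-list approach is what makes the hardened path robust; a deny-list of metacharacters would have to anticipate every shell feature.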
Second, the network infrastructure interconnecting IoT objects is often vulnerable, and for IoT devices sharing a single network a malicious attack needs only one successful exploit. It is important to use both automated tools and manual penetration testing methods to perform complete, specialized penetration testing of the network infrastructure, the associated cryptographic schemes, and the communication protocols.
Finally, it is critical to scan the proprietary programs that make up the entire system architecture. According to the seventh "Open Source Security and Risk Analysis" (OSSRA) report, 81% of the audited codebases contained at least one vulnerability. This reflects the immense heterogeneity and complexity of modern codebases; hence experienced penetration testing professionals should use intelligent gray box testing to achieve excellent coverage of the test types required for a comprehensive penetration test.