SlideShare uma empresa Scribd logo

Iot security amar prusty

Transferir como PPTX, PDF
A
amarprusty

IOT Security is critical to Smart Cities,Connected Cars,Wearables,Industryial

Tecnologia
1 de 109
IOT Security Name of the Speaker : Amar Prusty Company Name : DXC Technology Place: Bangalore Confidential – For Training Purposes Only
WHO AM I ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics ◆ Hobbies– Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/ Confidential – For Training Purposes Only
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
What is IoT? • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data. Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Various Names, One Concept • M2M (Machine to Machine) • “Internet of Everything” (Cisco Systems) • “World Size Web” (Bruce Schneier) • “Skynet” (Terminator movie) Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Where is IoT? Education – Partnership – Solutions Information Security Office of Budget and Finance It’s everywhere!
Smart Appliances Healthcare Education – Partnership – Solutions Information Security Office of Budget and Finance Wearable Tech
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
The Challenge of IoT Security • IoT is an evolutionary technology Hardware Operating System Network Web Mobile Cloud IoT
Why be concerned about IoT? • It’s just another computer, right? – All of the same issues we have with access control, vulnerability management, patching, monitoring, etc. – Imagine your network with 1,000,000 more devices – Any compromised device is a foothold on the network Education – Partnership – Solutions Information Security Office of Budget and Finance
Does IoT add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas – like health care – where reliability is critical? • Do users install device management software on other computers? Is that another attack vector? Education – Partnership – Solutions Information Security Office of Budget and Finance
Attacking IoT • Default, weak, and hardcoded credentials • Difficult to update firmware and OS • Lack of vendor support for repairing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflow) • Clear text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Framework assessment • Based on a prototypical IoT deployment model • Designed like a checklist or benchmark
Example Edge Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
Education – Partnership – Solutions Information Security Office of Budget and Finance
Example Gateway Considerations • Is encryption interrupted? • Is there replay and denial of service defensive capabilities? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are 3rd party components tracked/updated? • Is there an audit capability? • Is there interface segregation? • Is there complex, multifactor authentication allowed?
Example Mobile Considerations • What countermeasures are in place for theft or loss of device? • Does the mobile authentication degrade other component security? • Is local storage done securely? • Is there an audit trail of mobile interactions? • Can mobile be used to enhance authentication for other components?
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full stack solutions – No visibility into security or attack surface – Attackers have a field day
Education – Partnership – Solutions Information Security Office of Budget and Finance
OWASP IoT Project • An overall IoT security effort – Attack surfaces (present) – Vulnerability lists (working) – Reference solutions (coming) • Aggregates community resources • Guidance for developers • IoT specific security principles • IoT framework assessment
OWASP IoT Top 10 Category IoT Security Consideration Recommendations I1: Insecure Web Interface •Ensure that any web interface coding is written to prevent the use of weak passwords … When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security … I2: Insufficient Authentication/Authorization •Ensure that applications are written to require strong passwords where authentication is needed … Refer to the OWASP Authentication Cheat Sheet I3: Insecure Network Services •Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully... I4: Lack of Transport Encryption •Ensure all applications are written to make use of encrypted communication between devices… Utilize encrypted protocols wherever possible to protect all data in transit… I5: Privacy Concerns •Ensure only the minimal amount of personal information is collected from consumers … Data can present unintended privacy concerns when aggregated… I6: Insecure Cloud Interface •Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms… I7: Insecure Mobile Interface •Ensure that any mobile application coding is written to disallows weak passwords … Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile … I8: Insufficient Security Configurability •Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)… Security can be a value proposition. Design should take into consideration a sliding scale of security requirements… I9: Insecure Software/Firmware •Ensure all applications are written to include update capability and can be updated quickly … Many IoT deployments are either brownfield and/or have an extremely long deployment cycle... I10: Poor Physical Security •Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device… Plan on having IoT edge devices fall into malicious hands...
Principles of IoT Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Potential Points of Vulnerability ● Coffee makers ● Crock pots ● Refrigerators ● Dishwashers ● Thermostats ● Garage door openers ● Webcams ● Baby monitors ● Smart TVs ● Adjustable beds ● Heart monitors ● Breathing ventilators
...Additional Unique Risk Factors... This market is driven by consumers who DO NOT associate IT risk with their purchases Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security
Potential Damage Theft and exploitation of banking and credit card account numbers and logins Theft and exploitation of business information, including information corruption Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets Utilization of access to alter IoT device settings, including medical devices Violation of user privacy, including access to baby monitors
Add'l Threat Information Per “Massive Media” 10/31/16 – Other Mirai exploits have since been identified Universal Plug & Play (UPnP) poses a security risk: - NO form of user authentification is required - ANY app can ask the router to forward a port over UPnP – probably NOT secure... Firmware updates delivered through WeMo- paired devices commonly use non-encrypted channels
So, Where Do We Stand? NO federal laws, policies, or guidelines exist Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM Third-party components in products may constitute a significant – and HIDDEN – threat It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features IoT capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers
What Can We Do? VERIFY the IoT capabilities and associated risks with ALL existing ...and new...products Consider MOVING AWAY from devices which CANNOT be readily or practically secured MONITOR THE MEDIA for information about IoT exploits and risks Investigate products such as “Dojo” to block access and “Shodan” to monitor devices Be careful DISPOSING OF IoT appliances – Remember what we all learned about printers ???
...Worst Case Scenario... ● Your “smart” bed folds up and traps you... ● The thermostat drives up the temperature... ● The IoT vacuum cleaner blocks the door... ● Your SmartPhone answers that you are “out”... ● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
Recommendations Accommodate IoT with existing practices: – Policies, Procedures, & Standards – Awareness Training – Risk Management – Vulnerability Management – Forensics Education – Partnership – Solutions Information Security Office of Budget and Finance
Recommendations • Plan for IoT growth: – Additional types of logging, log storage: Can you find the needle in the haystack? – Increased network traffic: will your firewall / IDS / IPS be compatible and keep up? – Increased demand for IP addresses both IPv4 and IPv6 – Increased network complexity – should these devices be isolated or segmented? Education – Partnership – Solutions Information Security Office of Budget and Finance
Recommendations • Strengthen partnerships with researchers, vendors, and procurement department Education – Partnership – Solutions Information Security Office of Budget and Finance
Threat vs. Opportunity • If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety • If understood and secured, IoT will enhance communications, lifestyle, and delivery of services Education – Partnership – Solutions Information Security Office of Budget and Finance
Final Thoughts • Privacy in realms of big data is a problem – No real technical solution to this one • Regulation is probably coming – FTC set to release guidelines next year • Consumers may eschew security but business won’t • Security can be a differentiator
...Other Options.. Buy a Dumb Car... Learn to cook over a campfire... Learn to love “dumb” devices - some of us can relate to them pretty easily... NEVER leave your IoT devices together in the dark where they can conspire against you!
Questions and Discussion Education – Partnership – Solutions Information Security Office of Budget and Finance

Recomendados

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...CableLabs
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 Tonex
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
IoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex TrainingIoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex TrainingBryan Len
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 

Recomendados

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...CableLabs
 
IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 IoT Security Training, IoT Security Awareness 2019
IoT Security Training, IoT Security Awareness 2019 Tonex
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
IoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex TrainingIoT Security Awareness Training : Tonex Training
IoT Security Awareness Training : Tonex TrainingBryan Len
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTUniversity of Ontario Institute of Technology (UOIT)
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot securityUsman Anjum
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Asiri Hewage
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Iot Security
Iot SecurityIot Security
Iot SecurityMAITREYA MISRA
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of thingssreelekha appakondappagari
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsStanford School of Engineering
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Introduction to IOT security
Introduction to IOT securityIntroduction to IOT security
Introduction to IOT securityPriyab Satoshi
 
IoT security patterns
IoT security patterns IoT security patterns
IoT security patterns Exosite
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyCysinfo Cyber Security Community
 
Internet of Things(IOT)
Internet of Things(IOT)Internet of Things(IOT)
Internet of Things(IOT)University of Potsdam
 

Mais conteúdo relacionado

Mais procurados

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security ElementsEurotech
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot securityUsman Anjum
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Asiri Hewage
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsStanford School of Engineering
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Introduction to IOT security
Introduction to IOT securityIntroduction to IOT security
Introduction to IOT securityPriyab Satoshi
 
IoT security patterns
IoT security patterns IoT security patterns
IoT security patterns Exosite
 

Mais procurados (20)

Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
 
IoT Security Elements
IoT Security ElementsIoT Security Elements
IoT Security Elements
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you SpamIoT Security Imperative: Stop your Fridge from Sending you Spam
IoT Security Imperative: Stop your Fridge from Sending you Spam
 
Internet & iot security
Internet & iot securityInternet & iot security
Internet & iot security
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
 
Security Aspects in IoT - A Review
Security Aspects in IoT - A Review Security Aspects in IoT - A Review
Security Aspects in IoT - A Review
 
IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address them
 
Iot Security
Iot SecurityIot Security
Iot Security
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
 
Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of Things
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
Introduction to IOT security
Introduction to IOT securityIntroduction to IOT security
Introduction to IOT security
 
IoT security patterns
IoT security patterns IoT security patterns
IoT security patterns
 

Semelhante a Iot security amar prusty

Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
Ravi i ot-security
Ravi i ot-securityRavi i ot-security
Ravi i ot-securityskumartarget
 
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with trainingASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with trainingAPNIC
 
Successful Industrial IoT Patterns
Successful Industrial IoT PatternsSuccessful Industrial IoT Patterns
Successful Industrial IoT PatternsWSO2
 
WSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in FinanceWSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in FinanceWSO2
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18japijapi
 
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPT
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPTInternet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPT
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPTMultisoft Virtual Academy
 
Internet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsInternet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsHuntsman Security
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns John Mathon
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsDinesh O Bareja
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestJay McLaughlin
 
NGN integrated information security v3 DetikNas
NGN integrated information security v3 DetikNasNGN integrated information security v3 DetikNas
NGN integrated information security v3 DetikNasEmyana Ruth
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 
Security For Business: Are You And Your Customers Safe
Security For Business: Are You And Your Customers SafeSecurity For Business: Are You And Your Customers Safe
Security For Business: Are You And Your Customers Safewoodsy01
 
Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective amarukanda
 
Information Technology Security Management
Information Technology Security ManagementInformation Technology Security Management
Information Technology Security ManagementMITSDEDistance
 

Semelhante a Iot security amar prusty (20)

Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
Internet of Things(IOT)
Internet of Things(IOT)Internet of Things(IOT)
Internet of Things(IOT)
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
Ravi i ot-security
Ravi i ot-securityRavi i ot-security
Ravi i ot-security
 
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with trainingASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
 
Successful Industrial IoT Patterns
Successful Industrial IoT PatternsSuccessful Industrial IoT Patterns
Successful Industrial IoT Patterns
 
WSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in FinanceWSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in Finance
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
 
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPT
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPTInternet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPT
Internet Of Things(IOT) | IOT Project | IOT Products | IOT Examples | IOT PPT
 
Internet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsInternet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of things
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, West
 
NGN integrated information security v3 DetikNas
NGN integrated information security v3 DetikNasNGN integrated information security v3 DetikNas
NGN integrated information security v3 DetikNas
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
Security For Business: Are You And Your Customers Safe
Security For Business: Are You And Your Customers SafeSecurity For Business: Are You And Your Customers Safe
Security For Business: Are You And Your Customers Safe
 
Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective a
 
Information Technology Security Management
Information Technology Security ManagementInformation Technology Security Management
Information Technology Security Management
 

Último

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Último (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Iot security amar prusty

  • 1. IOT Security Name of the Speaker : Amar Prusty Company Name : DXC Technology Place: Bangalore Confidential – For Training Purposes Only
  • 2. WHO AM I ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics ◆ Hobbies– Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/ Confidential – For Training Purposes Only
  • 3. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 4. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 5.
  • 6. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 7. What is IoT? • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 8.
  • 9. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 10. Various Names, One Concept • M2M (Machine to Machine) • “Internet of Everything” (Cisco Systems) • “World Size Web” (Bruce Schneier) • “Skynet” (Terminator movie) Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 11. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 12. Where is IoT? Education – Partnership – Solutions Information Security Office of Budget and Finance It’s everywhere!
  • 13. Smart Appliances Healthcare Education – Partnership – Solutions Information Security Office of Budget and Finance Wearable Tech
  • 14. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 15. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 16. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 17. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 18. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 19. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 20. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 21. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 22.
  • 23. The Challenge of IoT Security • IoT is an evolutionary technology Hardware Operating System Network Web Mobile Cloud IoT
  • 24. Why be concerned about IoT? • It’s just another computer, right? – All of the same issues we have with access control, vulnerability management, patching, monitoring, etc. – Imagine your network with 1,000,000 more devices – Any compromised device is a foothold on the network Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 25. Does IoT add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas – like health care – where reliability is critical? • Do users install device management software on other computers? Is that another attack vector? Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 26. Attacking IoT • Default, weak, and hardcoded credentials • Difficult to update firmware and OS • Lack of vendor support for repairing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflow) • Clear text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 27. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 28. Framework assessment • Based on a prototypical IoT deployment model • Designed like a checklist or benchmark
  • 29. Example Edge Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
  • 30.
  • 31. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 32.
  • 33. Example Gateway Considerations • Is encryption interrupted? • Is there replay and denial of service defensive capabilities? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
  • 34.
  • 35.
  • 36.
  • 37.
  • 38. Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are 3rd party components tracked/updated? • Is there an audit capability? • Is there interface segregation? • Is there complex, multifactor authentication allowed?
  • 39.
  • 40.
  • 41.
  • 42. Example Mobile Considerations • What countermeasures are in place for theft or loss of device? • Does the mobile authentication degrade other component security? • Is local storage done securely? • Is there an audit trail of mobile interactions? • Can mobile be used to enhance authentication for other components?
  • 43.
  • 44. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 45. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 46. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 47. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 48. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 49. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 50. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 51. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 52. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 53. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 54.
  • 55. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 56. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 57. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 58.
  • 59. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 60. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 61. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 62. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 63. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 64. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 65. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 66. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 67.
  • 68.
  • 69. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 70.
  • 71.
  • 72. Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full stack solutions – No visibility into security or attack surface – Attackers have a field day
  • 73. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 74. OWASP IoT Project • An overall IoT security effort – Attack surfaces (present) – Vulnerability lists (working) – Reference solutions (coming) • Aggregates community resources • Guidance for developers • IoT specific security principles • IoT framework assessment
  • 75. OWASP IoT Top 10 Category IoT Security Consideration Recommendations I1: Insecure Web Interface •Ensure that any web interface coding is written to prevent the use of weak passwords … When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security … I2: Insufficient Authentication/Authorization •Ensure that applications are written to require strong passwords where authentication is needed … Refer to the OWASP Authentication Cheat Sheet I3: Insecure Network Services •Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully... I4: Lack of Transport Encryption •Ensure all applications are written to make use of encrypted communication between devices… Utilize encrypted protocols wherever possible to protect all data in transit… I5: Privacy Concerns •Ensure only the minimal amount of personal information is collected from consumers … Data can present unintended privacy concerns when aggregated… I6: Insecure Cloud Interface •Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms… I7: Insecure Mobile Interface •Ensure that any mobile application coding is written to disallows weak passwords … Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile … I8: Insufficient Security Configurability •Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)… Security can be a value proposition. Design should take into consideration a sliding scale of security requirements… I9: Insecure Software/Firmware •Ensure all applications are written to include update capability and can be updated quickly … Many IoT deployments are either brownfield and/or have an extremely long deployment cycle... I10: Poor Physical Security •Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device… Plan on having IoT edge devices fall into malicious hands...
  • 76. Principles of IoT Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
  • 77.
  • 78.
  • 79.
  • 80. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 81. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 82. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 83.
  • 84.
  • 85.
  • 86.
  • 87.
  • 88.
  • 89.
  • 90.
  • 91.
  • 92.
  • 93.
  • 94.
  • 95.
  • 96. Potential Points of Vulnerability ● Coffee makers ● Crock pots ● Refrigerators ● Dishwashers ● Thermostats ● Garage door openers ● Webcams ● Baby monitors ● Smart TVs ● Adjustable beds ● Heart monitors ● Breathing ventilators
  • 97. ...Additional Unique Risk Factors... This market is driven by consumers who DO NOT associate IT risk with their purchases Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security
  • 98. Potential Damage Theft and exploitation of banking and credit card account numbers and logins Theft and exploitation of business information, including information corruption Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets Utilization of access to alter IoT device settings, including medical devices Violation of user privacy, including access to baby monitors
  • 99. Add'l Threat Information Per “Massive Media” 10/31/16 – Other Mirai exploits have since been identified Universal Plug & Play (UPnP) poses a security risk: - NO form of user authentification is required - ANY app can ask the router to forward a port over UPnP – probably NOT secure... Firmware updates delivered through WeMo- paired devices commonly use non-encrypted channels
  • 100. So, Where Do We Stand? NO federal laws, policies, or guidelines exist Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM Third-party components in products may constitute a significant – and HIDDEN – threat It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features IoT capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers
  • 101. What Can We Do? VERIFY the IoT capabilities and associated risks with ALL existing ...and new...products Consider MOVING AWAY from devices which CANNOT be readily or practically secured MONITOR THE MEDIA for information about IoT exploits and risks Investigate products such as “Dojo” to block access and “Shodan” to monitor devices Be careful DISPOSING OF IoT appliances – Remember what we all learned about printers ???
  • 102. ...Worst Case Scenario... ● Your “smart” bed folds up and traps you... ● The thermostat drives up the temperature... ● The IoT vacuum cleaner blocks the door... ● Your SmartPhone answers that you are “out”... ● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
  • 103. Recommendations Accommodate IoT with existing practices: – Policies, Procedures, & Standards – Awareness Training – Risk Management – Vulnerability Management – Forensics Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 104. Recommendations • Plan for IoT growth: – Additional types of logging, log storage: Can you find the needle in the haystack? – Increased network traffic: will your firewall / IDS / IPS be compatible and keep up? – Increased demand for IP addresses both IPv4 and IPv6 – Increased network complexity – should these devices be isolated or segmented? Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 105. Recommendations • Strengthen partnerships with researchers, vendors, and procurement department Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 106. Threat vs. Opportunity • If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety • If understood and secured, IoT will enhance communications, lifestyle, and delivery of services Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 107. Final Thoughts • Privacy in realms of big data is a problem – No real technical solution to this one • Regulation is probably coming – FTC set to release guidelines next year • Consumers may eschew security but business won’t • Security can be a differentiator
  • 108. ...Other Options.. Buy a Dumb Car... Learn to cook over a campfire... Learn to love “dumb” devices - some of us can relate to them pretty easily... NEVER leave your IoT devices together in the dark where they can conspire against you!
  • 109. Questions and Discussion Education – Partnership – Solutions Information Security Office of Budget and Finance

Notas do Editor

  1. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  2. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  3. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  4. Just what is this? Its components are: A Raspberry Pi, an external hard drive, a wireless router, a GSM device, a battery backup. What does it do, what is it for? An IoT mystery….
  5. The Internet of Things (IoT) definition.
  6. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  7. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  8. British entrepreneur Kevin Ashton first coined the term in 1999 while working at Auto-ID Labs (originally called Auto-ID centers - referring to a global network of Radio-frequency identification (RFID) connected objects).[10] Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications.[11] The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid,[12] and expanding to the areas such as smart cities. Cisco Systems refers to IoT as the “Internet of Everything”… Bruce Schinerer recently referred to two new colloquial terms – World Spanning Robot and Benign Organization. There is also the term “Skynet” in reference to the Terminator movies that is frequently discussed in Blog and online postings/jargon.
  9. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  10. IoT is everywhere! (Audience Participation)
  11. In our daily lives, we have become more reliant on IoT with our wearable tech, appliances, our cars, how we receive health care.
  12. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  13. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  14. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  15. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  16. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  17. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  18. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  19. M2M/IoT Sector Map :: Beecham Research http://www.beechamresearch.com/article.aspx?id=4 The following graphic from Beecham Research depicts how the Internet of Things may interact with various service sectors within the public/private sectors and ordinary consumers. Public sector entities (such as universities) may have some level of involvement and interaction within all service sectors depicted; ranging from the operation and industry elements of buildings, to levels of research, retail entities, transportation, and IT/Networks. **Place emphasis on service sectors, that it is likely that at least one example of devices may be found within university networks.
  20. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  21. Like all new technology, the Internet of Things brings both a beneficial and disruptive element. With the concept of “always-on”, such technology will require a change in mindset when considering implementation of products and services related to IoT. Since IoT is more and more an element in the daily lives of individuals and organizations, maintaining both privacy, security and business operations/opportunities will be more of a priority both today and in the future.
  22. How visible will IoT devices be considering identification through network vulnerability scans? What defines a network perimeter or “edge” How are consumer devices thorough BYOD policies used in sensitive areas? Since IoT is more and more an element in the daily lives of individuals and organizations, maintaining both privacy, security and business operations/opportunities will be more of a priority both today and in the future. : IoT are not generic items or auxiliary services like those that have been prevalent in business for years; rather, IoT devices should be considered as unique devices, each with a distinct set of security risks. Both security controls as well as security training necessary to effectively manage IoT devices may not yet be fully developed.
  23. Issues that are common when attacking IoT infrastructure is similar to current levels of attacks that are currently experienced today. The avenue of how attacks may occur may however be through untraditional methods: It may be more often to find default, weak, and hardcoded credentials (usernames passwords) within IoT devices The issue of upgrading firmware to counter vulnerabilities may be dependent both upon how devices are designed during development; issues may occur that upgrading may break functionality. For this reason, vendors may be hesitate or refuse to render support in product lines and make adjustments during the next design phase of projects. Certain IoT devices with embedded web services may also be subject to the same vulnerabilities that commonly plague web server platforms today; also with the premise that updating such functionality may run into the same issues such as Buffer overflows are quite common vulnerabilities within technology infrastructure, with IoT no exception. Devices may also at times use protocols that transmit credentials in the clear, in addition to having open ports DOS/DDOS attacks may be the results in hacking or hijacking IoT devices on network(s); it also possible that through misconfigurations of IoT devices that such “attacks” may be false positives and cause business disruption The issue of physical attacks of IoT devices may result in tampering to inject malicious code or make hardware modifivcations to IoT devices. In addition, impersonating or counterfeiting devices may be issues when safeguards are not in place to protect physical security. Infiltration through non-traditional communication protocols; such as Bluetooth, Zigbee, Zwave, Sigfox, NFC, 6LowPAN, and other types of non traditional wireless communication outside of Wifi. communication protocols as well that may not be within scope through common incident and forensic management tools. Cross-site scripting – certain IoT devices may have embedded web server technology, putting them at risk Buffer overflows – design flaws that may not be immediately corrected because of patching mechanisms, developmental issues during the SDLC process Open ports – common issue on device ports that are not locked down and may be used via reconnaissance.
  24. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  25. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  26. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  27. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  28. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  29. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  30. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  31. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  32. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  33. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  34. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  35. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  36. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  37. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  38. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  39. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  40. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  41. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  42. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  43. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  44. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  45. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  46. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  47. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  48. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  49. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  50. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  51. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  52. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  53. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  54. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  55. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  56. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  57. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  58. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  59. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  60. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  61. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  62. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  63. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  64. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  65. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  66. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  67. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  68. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  69. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  70. And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  71. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  72. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  73. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  74. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  75. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  76. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  77. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  78. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  79. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  80. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  81. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  82. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  83. No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  84. How do current UT165 and institutional policies, standards, and procedures take into account IoT? Are they sufficient to address areas of confidentiality of data? Does current BYOD policies address wearable tech items? Concerning the present might these policies also BYOx? bring your own device (BYOD)  bring your own apps (BYOA) bring your own encryption (BYOE) bring your own identity (BYOI) bring your own technology (BYOT) bring your own network (BYON) bring your own wearables (BYOW) Awareness building for IoT will involve similar approaches currently developed in University training. Relationship building with those departments, vendors and academia/research entities will perpetuate dialogue concerning the subject of IoT; whether within the marketing/sales/procurement of IoT devices and services and/or when internal development occurs, as in the case of research. Building relationships also assists in the awareness in the areas of privacy (both of data and individuals), what is logged when it comes to data and other transactional information, the reasons why items need to be logged (local, State, Federal laws and acts, industry-specified compliance requirements.) Training initiatives may need to be rethought in the areas of IoT; do University partners as well as Information Technology/Information Security How we assess for risk may change in certain retrospect. We may need to go “dig deeper” on our current risk assessments of networks, data centers, departments; to include how we assess in the areas of legal and regulatory requirements (e.g. HIPPA, PCI-DSS, FERPA). Considerations must be taken into account when system owners assume or transfer risk in relation to IoT. Different measurements may need to be considered when considering both risk formulation as well as risk acceptance when considering IoT; for system owners and data owners risk acceptance may involve additional measures IT and Security staffs must take to protect information/data. Security controls must be in place to leverage such risk acceptance in the overall network. There is the need to consider how we scan for vulnerabilities; while certain IoT Devices may show up on scans, others types of IoT devices may not. Forensic approach to IoT may require some retooling in the areas as to whether local Security staffs are equipped and trained to deal with incidents when they occur, as well forensics capabilities in the situations with forensics may be outsourced/required of by third party entities.
  85. With the incorporation of IoT in today’s networks, there will be an increase in the need for logging and monitoring capabilities Increasing need for log storage “Needle in a bigger haystack” will make incident response and forensics more challenging, are current capabilities sufficient? Logging in regards to compliance may involve a number of factors; to include storage of logs, relevance of logs, privacy concerns when dealing with University partners of logging. Considerations for the redesign of networks may come as more demand for traditional IPv4 addresses, with the contingency on planning for further IPv6 implementations in regards to IoT. Planning of network design may also require changes on how bandwidth as consumed, quality of service, and prioritizing network traffic through new designs. And further, the redesign of networks may also take into account of how firewalls and IDS/IPS may handle IoT traffic when considering IPv6
  86. What is the level of relationship with research departments on campus? What improvements can we make with researchers who may already be working with IoT and develop dialogue and partnership concerning security awareness and initiatives, while at the same time letting those same researchers build upon the opportunity that IoT offers? Consider how we might be doing business with vendors and reviewing items prior to implementations on campus. Build the relationships with Procurement departments, let them work with you when items may be purchased that spur a security review/assessment/questions/dialogue.
  87. In closing, while, how we as security professionals work, support, and provide the security expertise for Higher Education business initiatives is crucial to success in the scope of IoT.
  88. Questions and Answers section