1. Most think of IoT like BYoD. We try to identify & control.
IoT coined 15 years ago -
4 THINGS!!!
IoT devices can alter the way we interact with & collect data in all aspects of our lives.
Most companies put the IoT into the BYOD (Bring Your Own Device) bucket in terms of.
BYOD & the IoT are two very different concepts. The IoT encompasses a larger set of devices that enterprises utilize, including not only personal devices but also those built into emerging technologies such as building control systems (think ZigBee/Wi-Fi enabled light bulbs), security systems (Bluetooth locks), and health & fitness devices (collecting/transmitting data on our vitals). Most of the time these new technologies are deployed in an environment without the company knowing the inherent security risk.
Not long ago the only wireless protocol was WiFi, & many companies have mature WiFi security controls in place. However, many of the protocols used by IoT devices cannot be detected with traditional WiFi scanners. These protocols include Bluetooth, Bluetooth Smart (or Low Energy), ZigBee, Z-Wave, ANT, NFC, and Nike+ (yes, the shoe manufacturer has its own protocol). A new protocol called Thread is in the works from giants Google/Samsung.
A study by HP's Fortify group of 10 popular devices found:
• 7 contained immediately noticeable security exposures
• 25 holes or risks of compromising the home network, on average, found for each device
• 8 did not require passwords of sufficient complexity & length
• 9 collected at least one piece of personal information
• 7 allowed an attacker to identify a valid account through account enumeration
For IT security professionals, the list above reflects what they have spent their careers policing. The potential problems introduced by rogue IoT devices are similar to those of wired hardware/software:
• Lack of encryption
• Weak or default authentication
• Lack of software update processes
• Default services enabled even if not used
So what is a company to do? How do you secure that which you cannot detect? Like all good security programs, your IoT security efforts will be on multiple fronts:
• Education about the risks of IoT devices will drive more users to your door to stay compliant.
• Implement segregation of devices that introduce new networks or connection points.
• For example, the vendor that provides HVAC controls may attempt to deploy "smart" units that create their own mesh network for exchange of data. If these units also have an Ethernet connection to your environment, then you have just introduced a new path into your core.
• Require certification & penetration testing of new suppliers & devices.
2. • Keep an eye out for the latest security technologies that help you increase your posture by scanning your IoT space & doing regular security assessments of your environment.
3. 4 concepts we have to understand when it comes to IoT…
#1… IoT is NOT BYoD!!!
Father’s Day campaign ‘14 Brazil
Johnnie Walker 100,000 bottles
Smart labels
create personalized tributes & shared
For their Father's Day campaign in 2014 in Brazil, Johnnie Walker built a platform that connected 100,000 of their whiskey bottles to the Internet.
With innovations in smart labeling, the whiskey brand allowed anyone to create a personalized film tribute. Gifters & receivers could opt into further promotions & share the video on social channels.
6. #2 STUXNET targeted intelligence
#3 WHITE HOUSE friendliness – the email came from a State Department source, so it was assumed to be trusted.
It is accepted by security professionals that any network can be compromised eventually.
- Year-over-year increases in the number of attacks
- Increasingly sophisticated
- What was sophisticated yesterday is easy today – script kiddies using Metasploit
- Multiple methods
- Evade detection – average time from penetration to detection = 18 months
- Detection to correction – average of 27 days
- Utilities are a high-value target (59% of attacks reported in 2013 to DHS)
Not if but when
9. #4 PII Does not include:
Home automation
Entertainment
Personal fitness
Location
(BIG DATA!!! ANALYTICS!!!
HABITS!!! PERSONALITY PROFILES!!!)
11. 2020 dumpster diving: route to work, 3 trips to the urologist, coffee on Saturday morning.
PII (Society of Surveillance!) DARK WEB! CC AT&T
GPS on car –
TV camera –
camera or mic –
Appliances
Home automation (early warning system)
Ultra spear phishing (your wife's credit card)
My new AT&T router installed.
13. Old frameworks won't work! How do we update them?
Risk Model
Information Flow & Gap Analysis
Game Theory
Process Oriented (NOT Event Oriented!)
14. THIS SLIDE IS FOR REFERENCE
Step-by-step – OWASP: refer to OWASP.org. It's a pretty cool step-by-step model.
Externalities
• The device owner or data custodian doesn't always feel the bulk of the impact
• Reputational harm only goes so far
• Regulation should focus on where the harm occurs
Typical Stakeholders
• Data subjects
• Those using the devices (possible physical harm)
• Public at-large/community
• Device owners
• Data custodians
• Regulators (local, state, national, global)
17. New Kill Chain – fridge spam relay
Blackmail/Sabotage
Behavior habits
Attack -> Intel
Easier to gather
Build target-rich victims for very targeted spear phishing
Thermostat
TV
Mic/cam/motion detector on every device in your home
GPS tracker
18. Begin to think of security more and MORE LIKE A PROCESS rather than EVENTS OR SEQUENCES that can occur somewhere in the kill chain.
CHECKERS -> CHESS
InfoSec has been a game of checkers and we are fast moving into a game of chess.
19. Let's take a quick look at the process flow of the seemingly simple smart meter that was installed a year or so back.
Now overlay that complexity with…
Your home automation system…
Your home entertainment system…
Your personal health monitoring system…
Your automobile…
Your shopping list…
Your to-do list…
And then tie all those systems together.
That’s the IoT from a security systems viewpoint.
20. Game theory…
We could spend an entire semester course applying all the concepts in this diagram.
When I saw this the first time, it jumped out at me as quite profound.
Essentially, we're matching the defense to the offense – taking the high-level assessment of the attacks and optimizing how we use our resources to defend against or prevent the most likely & most dangerous attacks.
LOOK AT EACH VECTOR LIKE A CAMPAIGN!
21. Taking this concept just a little deeper, the approach on each attack vector looks like this.
You want to identify potential threats early & plot your course accordingly!
Tracking campaigns is enormously beneficial. We are not trying to stop 1s & 0s, we are trying to stop people, so we need to understand the how & the when of the operation – even the why can be critical to understand.
The principal goal of campaign analysis is to determine the patterns & behaviors of attackers, their tactics, techniques, & procedures (TTP), to detect "how" they operate rather than specifically "what" they do. The campaign heat-map allows us to quickly home in on which adversaries are active over a particular timeframe & understand when & how they attack. The heat-map has been important to understanding what triggers an APT attack (i.e. new zero-day vulnerabilities, or other significant events). This allows us to assess our defensive posture on a campaign-by-campaign basis &, based on the assessed risk of each, develop strategic courses of action to cover any gaps.
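The campaign heat-map and gap assessment described above, as an added example that is not from the deck or the speaker: a small Python script that buckets a constructed intrusion log by campaign and ISO week, lists which campaigns were active in a given week, and then reports, per campaign, the observed TTPs for which no detection rule exists. The event records, campaign labels, TTP names and the detection inventory are all constructed for illustration and are not real data.

```python
"""Campaign analysis over a constructed intrusion log (added example, not from the deck).

Assumptions (not from the slides): each event is a (timestamp, campaign, ttp)
tuple; TTP names use a hypothetical "tactic/technique" style; DETECTIONS is a
hypothetical inventory of which TTPs our sensors currently alert on.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: ISO timestamp, campaign (adversary) label, observed TTP.
EVENTS = [
    ("2015-03-02T09:14:00", "campaign-A", "initial-access/spearphishing-attachment"),
    ("2015-03-03T11:40:00", "campaign-A", "execution/macro"),
    ("2015-03-04T14:02:00", "campaign-A", "persistence/scheduled-task"),
    ("2015-03-10T08:30:00", "campaign-A", "initial-access/spearphishing-attachment"),
    ("2015-03-11T10:05:00", "campaign-B", "initial-access/exploit-public-facing-app"),
    ("2015-03-11T10:20:00", "campaign-B", "credential-access/dump-lsass"),
    ("2015-03-12T16:45:00", "campaign-B", "lateral-movement/psexec"),
    ("2015-03-18T09:00:00", "campaign-B", "exfiltration/dns-tunnel"),
    ("2015-03-19T13:10:00", "campaign-A", "exfiltration/https-upload"),
]

# Hypothetical detection inventory: TTP -> True if an alert rule exists for it.
DETECTIONS = {
    "initial-access/spearphishing-attachment": True,
    "execution/macro": True,
    "persistence/scheduled-task": False,
    "initial-access/exploit-public-facing-app": True,
    "credential-access/dump-lsass": True,
    "lateral-movement/psexec": False,
    "exfiltration/dns-tunnel": False,
    "exfiltration/https-upload": True,
}


def iso_week(ts):
    """Bucket an ISO timestamp into a 'YYYY-Www' label (the heat-map's time axis)."""
    year, week, _weekday = datetime.fromisoformat(ts).isocalendar()
    return f"{year}-W{week:02d}"


def campaign_heatmap(events):
    """Count events per (campaign, week): one number per heat-map cell."""
    cells = defaultdict(int)
    for ts, campaign, _ttp in events:
        cells[(campaign, iso_week(ts))] += 1
    return dict(cells)


def active_campaigns(heatmap, week):
    """Campaigns with at least one event in the given week, most active first."""
    rows = [(c, n) for (c, w), n in heatmap.items() if w == week]
    return [c for c, _ in sorted(rows, key=lambda r: (-r[1], r[0]))]


def coverage_gaps(events, detections):
    """Per campaign, the observed TTPs with no detection rule: the gaps to close first."""
    gaps = defaultdict(set)
    for _ts, campaign, ttp in events:
        if not detections.get(ttp, False):
            gaps[campaign].add(ttp)
    return {c: sorted(t) for c, t in gaps.items()}


def render(heatmap):
    """Text rendering of the heat-map: one row per campaign, one column per week."""
    campaigns = sorted({c for c, _ in heatmap})
    weeks = sorted({w for _, w in heatmap})
    lines = ["campaign     " + " ".join(weeks)]
    for c in campaigns:
        cells = [f"{heatmap.get((c, w), 0):>8d}" for w in weeks]
        lines.append(f"{c:<12} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    hm = campaign_heatmap(EVENTS)
    print(render(hm))
    print("active in 2015-W11:", active_campaigns(hm, "2015-W11"))
    for campaign, ttps in coverage_gaps(EVENTS, DETECTIONS).items():
        print(f"{campaign}: no detection for {', '.join(ttps)}")
```

The heat-map answers the "who is active, when" question from the slide; the gap report turns it into the campaign-by-campaign course of action the slide asks for, by listing, for each adversary, the techniques they have already used against you that nothing would currently alert on.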
22. Game theory…
The concept takes all the complexity of the previous two slides and codifies our approach.
Essentially, we're matching the defense to the offense & applying the relative cost in a way that helps us understand the places where our resources are best devoted.
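Added example, not from the deck or the speaker: a simple cost-effectiveness allocation in Python that stands in for the game-theory diagram on slides 20 and 22. Attack vectors carry a likelihood and an impact, defenses carry a cost and the fraction of each vector's expected loss they remove, and a greedy loop buys the defense with the best loss reduction per unit cost until the budget runs out. Every vector, defense, probability, impact and cost below is a constructed placeholder; the greedy pass is a first cut at "where are our resources best devoted", not the full game-theoretic model the slide alludes to.

```python
"""Matching defense to offense under a budget (added example, not from the deck).

Assumptions (constructed, not from the slides): each attack vector has an
annual likelihood and an impact figure in arbitrary cost units; each defense
has a cost and, per vector, the fraction of that vector's expected loss it
removes. Effects of stacked defenses on one vector multiply.
"""

# Constructed attack vectors: name -> (annual likelihood, impact)
VECTORS = {
    "spearphishing": (0.6, 400),
    "default-creds-on-iot": (0.5, 150),
    "unpatched-public-app": (0.3, 500),
    "rogue-mesh-bridge": (0.1, 600),
}

# Constructed defenses: name -> (cost, {vector: fraction of expected loss removed})
DEFENSES = {
    "user-awareness": (40, {"spearphishing": 0.4}),
    "mail-sandboxing": (80, {"spearphishing": 0.6}),
    "iot-vlan-segregation": (60, {"default-creds-on-iot": 0.7, "rogue-mesh-bridge": 0.8}),
    "vendor-pentest-requirement": (50, {"default-creds-on-iot": 0.5, "rogue-mesh-bridge": 0.3}),
    "patch-sla": (70, {"unpatched-public-app": 0.8}),
}


def expected_loss(vectors, residual):
    """Sum over vectors of likelihood * impact * fraction of loss still unmitigated."""
    return sum(p * impact * residual[v] for v, (p, impact) in vectors.items())


def allocate(vectors, defenses, budget):
    """Greedy allocation: repeatedly buy the affordable defense with the best
    expected-loss reduction per unit cost, recomputing reductions against the
    loss that remains after earlier purchases.

    Returns (defenses bought in order, budget left, residual expected loss).
    """
    residual = {v: 1.0 for v in vectors}   # fraction of each vector's loss still exposed
    remaining = budget
    chosen = []
    available = dict(defenses)
    while available:
        best, best_ratio = None, 0.0
        for name, (cost, effect) in available.items():
            if cost > remaining:
                continue
            reduction = sum(
                vectors[v][0] * vectors[v][1] * residual[v] * frac
                for v, frac in effect.items()
            )
            ratio = reduction / cost
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        if best is None:          # nothing affordable (or nothing useful) is left
            break
        cost, effect = available.pop(best)
        remaining -= cost
        for v, frac in effect.items():
            residual[v] *= (1.0 - frac)
        chosen.append(best)
    return chosen, remaining, round(expected_loss(vectors, residual), 2)


if __name__ == "__main__":
    baseline = expected_loss(VECTORS, {v: 1.0 for v in VECTORS})
    chosen, left, loss = allocate(VECTORS, DEFENSES, budget=200)
    print(f"baseline expected loss: {baseline:.1f}")
    print(f"buy in order: {chosen}; budget left: {left}; residual loss: {loss}")
```

With the constructed numbers and a budget of 200, the loop buys user awareness first (cheap, large reduction), then the patch SLA, then IoT VLAN segregation, and stops because neither remaining defense is affordable; expected loss drops from 525 to 208.5. Changing a likelihood or a cost and re-running shows how the "relative cost" on the slide shifts where resources go.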
23. NAC – the folly of 802.1X – I've been saying this for 3 years
Anyone who has implemented NAC that has a premise of 802.1X has painted themselves into a corner and will have to re-architect their entire network security strategy.
Meta trends:
Watson intelligence in event monitoring
Merging of physical & info security
Interfaces between security systems
Listen & Learn – Younger workers have a completely different view on privacy
I know a CISO who has cultivated a ‘vendor mentor’
Trusted
Wide perspective
Not product oriented
Rules of Engagement – no talk about products of the vendor