Post on 26-Dec-2019
transcript
DESIGN.BUILD.SECURE
Preventing a Global Disaster
IOT SECURITY
IoT Security: Preventing a Global Disaster
Page
A Security Practitioner who is an Engineer
MY JOURNEY
1
My journey was accidental and eye opening2
Security and Privacy are a way of life3
We can secure IoT but we much change our way of thinking4
2Pa
gePa
ge2
How did we get here?
Page
IoT Security: Preventing a Global Disaster
BY THE NUMBERS 4
Source Code
Space Shuttle 400,000 16,000
Firefox 8,000,000 320,000
Boeing 747 14,000,000 560,000
F35 Jet Fighter 25,000,000 1,000,000
MS Office 2013 44,000,000 1,760,000
Car Software 100,000,000 4,000,000
Google 3,300,000,000 120,000,000
Page
IoT Security: Preventing a Global Disaster
• SCADA systems started adding IP connections • Components became cheaper due to mass manufacturing • WiFi and cellular connectivity became broadly available • Mobile and cloud became a “big thing”
WE STARTED CONNECTING 5
Page
IoT Security: Preventing a Global Disaster
• Business and consumer software is not required to undergo any formal assessment or validation prior to use
• Vendors hide behind licensing agreements • Vendors are not liable for vulnerabilities….but this is changing • Many developers lack skill set to develop securely • Vendors - No formal SDLC that include security testing
WE ARE ACCEPTING OF SUBSTANDARD SOFTWARE 6
Page
IoT Security: Preventing a Global Disaster
EARLY WARNING INDICATORS 7
ransomware
WannaCry
Mirai
IoT security
Source: trends.google.com
routers, security cameras, printers and digital video
recorder (DVRs)
Un-patched Windows desktops
Source: trends.google.com
default passwords & configs
Page
IoT Security: Preventing a Global Disaster
EARLY WARNING INDICATORS 2 8
15,000,000 Elevators Globally
665Gbps is only the “baseline” from weaponized things
Page
IoT Security: Preventing a Global Disaster
• Lack of global expertise in IoT Cyber Security ~500K • Lack of security testing and validation of products/deployments • Zero-days waiting to be discovered {and traded} • Weaponizing current generation IoT devices • Many organizations lack breach plans • State sponsored actors
THE PERFECT STORM 9
The IoT Attack Surface
Page
IoT Security: Preventing a Global Disaster
ANATOMY OF AN ATTACK 11
Recon Plan Attack Execute Attack Owned
Get to know your
target
Write a toolkit or
script
Launch attack and
validate success
Use your new device for fun and adventure
Page
IoT Security: Preventing a Global Disaster
THE ATTACK SURFACE 12
OT Network Internet
Platform API
Cloud Database
Threat VisibilityNo Threat Visibility
Hackers, State
Sponsored Threats, and other cyber
criminalsGateway“Thing”
Page
IoT Security: Preventing a Global Disaster
• Stuxnet • Marai • Vehicles • Home Monitoring • Medical Records
IOT ATTACK TURNING POINTS 13
Page
IoT Security: Preventing a Global Disaster
• Stuxnet - Policy • Mirai - Design, Threat Modeling and Testing • Automotive - Design, Threat Modeling and Testing • Consumer Devices - Design, Threat Modeling and Testing • Medical Records - Policy, Design, Threat Modeling and Testing
HOW THESE COULD OF BEEN PREVENTED 14
Security Controls 101
Page
IoT Security: Preventing a Global Disaster
• Prove that your organization was not negligent • Reduce product costs • Reduce legal fees and possible legal action • A higher level of assurance for end user • Competitive advantage
THE GOAL OF SECURITY 16
Page
IoT Security: Preventing a Global Disaster
• Implement a Information Security Management System (ISMS) • Create a SDLC that implements Secure Coding Methodology
• Threat Modelling (What is the attack surface?) • Secure by Design (Runtime, Updating, Tamper resistance,
monitoring, etc) • Source Code Evaluation • Understand your component supply chain • Test (TRA, Pen Test, VA at a minimum) for every major release • Formal Evaluation for IIoT (IEC 62443)
• PIA
SECURING YOUR IOT SOLUTION 17
Page
IoT Security: Preventing a Global Disaster
• With your ISMS you will know your data at risk! • Ensure your quality of data - Integrity • Validation of Data • Realize that decisions must be decentralized vs. asynchronous • You may want to consider a meta data approach
SECURING YOUR DATA 18
Page
IoT Security: Preventing a Global Disaster
• Primarily in IIoT but implications in consumer market with healthcare and wearables
• You must ensure you do not endanger human life with your product - based on the Threat Model
• Need to consider: Runtime, fault, resilience, and detection • Testing and Validation by 3rd party is key
SAFETY IN IOT 19
Privacy in an IoT World
Page
IoT Security: Preventing a Global Disaster
• Personally Identifying Information (PII) • Any collection of data that identify a person including:
• Name, address, DOB, Health number, SIN, passport, credit card • Need to known the legal and regulatory requirements for your
jurisdiction • Your responsible for data collected, processed and stored
• What is usable “life” of the data?
PRIVACY 21
Page
IoT Security: Preventing a Global Disaster
• Make sure you meet regulatory requirements • Use a “Privacy by Design” approach • Conduct a Privacy Impact Assessment (PIA) • Determine useful life of data collected • Securely delete old data
IMPLEMENTING PII 22
Standards
Page
IoT Security: Preventing a Global Disaster
• Don’t try to boil the ocean • Why ISO? • Determine what you need for your sector • At a minimum consider:
• IEC 62443 - for IIoT • ISO/IEC 27000 Series for ISMS • ISO/IEC 27034 for Application Security • ISO/EIC 29134 for Privacy Impact Assessment
STANDARDS 24
Conclusions
Page
IoT Security: Preventing a Global Disaster
• Change your company culture to be secure 1st • Implement an ISMS • Implement an SDLC • Threat Model when designing • Evaluate all 3rd party software and HW component for signs of
tampering • Respect PII of your users • Test, test, and test
HOW TO BE SUCCESSFUL AT IOT SECURITY 26
Page
IoT Security: Preventing a Global Disaster
• Read IEC White Paper IoT 2020: Smart and secure IoT platform • Read RIoT Control: Understanding and Managing Risks and the
Internet of Things — Tyson Macaulay • Actively track security mailing lists and CVE for new vulns • Track the changing landscape of attack targets • Get to know your data at risk • Get to know your risk posture at any given time
YOUR HOMEWORK 27
IoT Security: Preventing a Global Disaster
faud.khan@twelvedot.com @encrypto99
+1 613 447 3393
www.twelvedot.com
THANK-YOU FOR YOUR TIME