Date posted: 07-Apr-2018
AGENDA
• About Us
• The Threat Landscape
• IoT Standards
• Using an ISMS Approach
• Testing and Evaluation
• Privacy Considerations
ABOUT US
- YOW based company
- Global customer base
- Focus on Mobile, Cloud and IoT Security
- Sister company focuses on HW/SW R&D
- ISO standards are the basis for all our work
- Active in ISO standards development
- Team of 7+ {partnerships}
ABOUT ME
• 20+ years industry experience
• Chief Security Analyst - TwelveDot & TwelveDot Labs
• Financial Services, Government, Telecom, and MSP
• Chair for ISO/IEC SMC-SC27 in Canada
• Convener ISO/IEC SC27 SWG-M and SWG-IoT
• 4 Patents Granted & 6 Pending
APPROACH TO CYBERSECURITY
• A CyberSec Culture
• ISMS “lite”
• A Shift in Mindset
• SDLC
• Incident Mgmt
• Standards
• Mgmt Team
ISO STANDARDS
• WG 10 - IoT
  • ISO/IEC 30141 IoT Reference Architecture
  • ISO/IEC 20924 Use Cases
  • TR {TBD} Vocabulary
  • ISO {TBD} Interoperability
• SC 27
  • Study Groups - what is lacking in the current base
HOW TO LEVERAGE STANDARDS
• Help to determine deficiencies in your company process and procedures (next sections)
• Data at risk?
  • Both for your company and your solutions
• PDCA {Plan, Do, Check, Act}
• Determine executive support for ISMS
• Align to IT and business objectives for the year and planned projects
• Make employees part of this process
USING AN ISMS {ISO 27001} APPROACH
• Need to build and implement policies and procedures around security and privacy
• Update your SDLC {yes, even start-ups!} ISO 27034 Application Security
• HR hiring practices (e.g. background checks, ongoing security training)
• Data handling (source code repositories, clouds, remote access, breach plan, etc.)
• These are not one-time tasks; they are ongoing
NEED TO THINK ABOUT
• Vulnerability management {29147}
• Incident handling {27035}
• Evaluating 3rd party libraries and source code
• HW and other component manufacturers
Say what you do, do what you say and be able to prove it
PRODUCT/SOLUTION CONSIDERATIONS
@Design Stage
• Threat Modelling
• PIA {ISO 29134} and TRA {ISO 27005/8}
• Know where your source code is and who has access to it
• These need to be part of your SDLC and every solution you consider
PRODUCT/SOLUTION CONSIDERATIONS
@Testing
• Ensure you have regression test cases to deal with old vulns
• Monitor & evaluate 3rd party libraries
• Evaluate component suppliers {firmware}
• Industrial Controls {IEC 62443-x}
PRODUCT/SOLUTION CONSIDERATIONS
@Production
• Ensure devices/gateways/PLCs etc. have a method for in-field updating
• Monitor for attacks against field installations
• Ensure you have a vulnerability mgmt process (29147 & 30111)
PRIVACY CONSIDERATIONS
• Conduct a PIA at design stage and when each new major release is developed {ISO 29134}
• Lots of supporting docs at PCO web site
• Create a privacy policy and make your employees, customers, and partners aware of it
• Ensure your development practices align to the privacy policy {many don’t}
• Only collect what you need from any 3rd party
PRIVACY CONSIDERATIONS
• If you can, use “de-identification techniques” for longer-storage data
• Ensure you have a data destruction policy and process
• Ensure you know who has access to your critical data at all times
• Consider employee terminations and the removal of access
YOUR TURN
What would your approach be to securing this solution?
Data: Name, age, etc.; HR, BP, activity, location
Link: Bluetooth, USB, WiFi - SSL
Data: User personal; Non-encrypted HD; No AV nor FW
Link: WiFi - SSL
Cloud Data: User personal; Non-encrypted HD
RECAP
• Create a culture of security
• Need to purchase standards - sorry, they are not free
• Use good policies and procedures - standards as the baseline
• Educate your staff to security/privacy risks
• Create an ISMS “lite” with the audit outputs for your company
• Prepare for the day a breach happens - because it will
RISK MANAGEMENT WORKFLOW
Information security risk management process
For an application, system, facility, environment, or vendor
1. Resource profiling (Business owner): Describe the resource and rate risk sensitivity
2. Risk assessment (Information security): Identify and rate threats, vulnerabilities, and risks
3. Risk evaluation (Information security and business owner): Decision to accept, avoid, transfer, or mitigate risk
4. Document (Information security and business owner): Document risk decisions including exceptions and mitigation plans
5. Risk mitigation (Resource custodian): Implement mitigation plan with specified controls
6. Validation (Information security): Test the controls to ensure the actual risk exposure matches the desired risk levels
7. Monitoring and audit (Information security and business owner): Continually track changes to the system that may affect the risk profile and perform regular audits