Principles of IoT security

Post on 08-Jan-2017

Principles of IoT Security
Stephanie Sabatini, Cyber Security Professional

Principles of IoT Security: Agenda
Over the next 20 minutes we’ll discuss the following:
The Fear
• Be afraid (very afraid)
The Challenge
• IoT security isn’t easy
The Solution
• Don’t be a statistic

The Fear

IoT Security – The Fear
• Baby monitors
• Thermostats
• Cars
• Medical devices
• Children’s toys
• Toasters
• Locks
• Etc.

Gartner predicts 26 billion by 2020
• Revenue exceeding $300 billion in 2020
• $1.9 trillion in global economic impact

The financially motivated attacker has 26 billion targets and 300 billion reasons.

The Challenge

IoT Security – The Challenge
The top 10 security challenges with IoT:
1. Insecure Web Interface
2. Insufficient Authentication / Authorization
3. Insecure Network Services
4. Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software / Firmware
10. Poor Physical Security

Many IoT producers aren’t committed to security the way a major tech company would be. Take toy companies, for example: toys made by Mattel Inc. (Fisher Price brand) with internet connectivity have been hacked, revealing names, ages and geographical locations of children. These companies specialize in making toys, not security.

These ‘things’ live differently than traditional internet-connected devices. Many of the attacks that we have seen so far exploit these differences.

The challenge is applying security controls on non-traditional devices. The principle is the same, but the control itself needs to be adapted (or innovated) to fit the security gap.

Network + Application + Mobile + Cloud = IoT

The Solution

[Diagram layers: Perimeter, Network, Host, Application, Data]

IoT Security – The Solution

Security by design and a defense-in-depth approach consider security from the design phase through to the end-of-life and destruction-of-information phase.

A holistic approach needs to be built in – not bolted on
• The device (end point security)
• The cloud
• The mobile application
• The network interfaces
• Encryption
• Authentication
• Patching
• Physical security
• Data destruction

Developers – build components securely using secure development methodologies and perform static code analysis.
Infrastructure Support – build infrastructure with secure end points, detective and preventative controls.
Testers – include all attack vectors in testing methodologies.
Manufacturers – Due diligence! Check, test, audit – make sure that you are manufacturing a secure product by bringing experts to the table. Plan for sufficient budgets.
Consumers – change passwords regularly, use encryption – use the technology safely.

The Conclusion

IoT Security – The Conclusion
• DO NOT TRY THIS AT HOME!
• Experts! Call the experts!
• Expert solutions can’t be matched by homegrown solutions.
• DON’T PANIC
• Defense in depth
• Innovate!

Stephanie Sabatini
Cyber Security Professional & Strategist
Stephanie@sabatiniconsulting.com
514-895-8635