Principles of IoT Security
Post on 08-Jan-2017
Principles of IoT Security
Stephanie Sabatini, Cyber Security Professional

Agenda
Over the next 20 minutes we’ll discuss the following:
The Fear
• Be afraid (very afraid)
The Challenge
• IoT Security isn’t easy
The Solution
• Don’t be a statistic
The Fear

IoT Security – The Fear
• Baby monitors
• Thermostats
• Cars
• Medical devices
• Children’s toys
• Toasters
• Locks
• Etc.
IoT Security – The Fear
Gartner predicts 26 billion by 2020
• Revenue exceeding $300 billion in 2020
• $1.9 trillion in global economic impact
The financially motivated attacker has 26 billion targets and 300 billion reasons.
The Challenge

IoT Security – The Challenge
The top 10 security challenges with IoT:
1. Insecure Web Interface
2. Insufficient Authentication / Authorization
3. Insecure Network Services
4. Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software / Firmware
10. Poor Physical Security

IoT Security – The Challenge
Many IoT producers aren’t as committed to security as a major tech company would be. Take toy companies, for example: toys made by Mattel Inc. (Fisher Price brand) with internet connectivity have been hacked, revealing names, ages and geographical locations of children. They specialize in making toys, not security.
These ‘things’ live differently than traditional internet-connected devices. Many of the attacks we have seen so far exploit these differences.
The challenge is applying security controls to non-traditional devices. The principle is the same, but the control itself needs to be adapted (or innovated) to fit the security gap.
Network + Application + Mobile + Cloud = IoT
The Solution
Perimeter
Network
Host
Application
Data
IoT Security – The Solution
Security by design and a defense-in-depth approach consider security from the design phase through to end-of-life and the destruction of information.
IoT Security – The Solution
A holistic approach needs to be built in – not bolted on
• The device (end point security)
• The cloud
• The mobile application
• The network interfaces
• Encryption
• Authentication
• Patching
• Physical security
• Data Destruction
IoT Security – The Solution
Developers – build components securely using secure development methodologies and perform static code analysis.
Infrastructure Support – build infrastructure with secure end points, detective and preventative controls.
Testers – include all attack vectors in testing methodologies.
Manufacturers – Due diligence! Check, test, audit – make sure that you are manufacturing a secure product by bringing experts to the table. Plan for sufficient budgets.
Consumers – change passwords regularly, use encryption – use the technology safely.

The Conclusion

IoT Security – The Conclusion
• DO NOT TRY THIS AT HOME!
• Experts! Call the experts!
• Expert solutions can’t be matched by homegrown solutions.
• DON’T PANIC
• Defense in depth
• Innovate!

Stephanie Sabatini
Cyber Security Professional & Strategist
Stephanie@sabatiniconsulting.com
514-895-8635