Great – Now We Have to Secure an “Internet of Things”
John Pescatore, Director, Emerging Security Trends
[email protected]
@John_Pescatore
What the Heck is That??
Different Views of the Internet of Things
Venture Capital Definition
Rapid Penetration
Simple View of the Internet of Things
Information Technology
Personal Technology
Operational Technology
PCs, Servers, Virtualization, Routers, Switches
Tablets, Smartphones, MiFi
Home energy, Medical wearables, Medical implants, Home entertainment, Home control
ICS/SCADA, Medical Machines, Kiosks, Manufacturing, Cloud Service Infra., Env. monitoring
Mobility, Smart Buildings/ICS, Medical Devices Are Main IoT Issues
[Bar chart, axis 0% to 80%, two series: Producing and Operating/Managing. Categories as labelled on the chart: Consumer devices (set tops,...; Smart building/HVAC autom...; Electrical, water, gas producti...; Medical devices; Other transportation smart...; Automotive smart systems; Manufacturing systems (not e...; Food production systems/ref...]
Survey question: What types of IoT applications is your organization involved in or planning to be involved in?
Source: SANS 2013
Partly Cloudy or Partly Sunny?
17.2%
48.8%
21.4%
12.6%
Which statement best captures your feelings about the IoT and security?
The IoT will be a security disaster.
The IoT will have the same level of security problems we have today with other applications and systems.
The IoT will provide an opportunity to increase security over today.
Other
Source: SANS 2013
Major Differences
Old Things
• General purpose OS
• Fixed, wired
• TCP/IP, 802.11, HTML5
• Layered apps
• Homogeneous
• Enterprise-driven
• 2-3 year life cycle
• Impact data
New Things
• Embedded OS
• Mobile, wireless
• Zigbee, IoT6, WebHooks
• Embedded apps
• Heterogeneous
• Consumer-driven
• .2 to 20 year life cycle
• Impact health/safety
Enhancement and Augmentation of Existing Security Controls
[Bar chart, axis 0% to 80%, two series: Current and Next 2 years. Categories as labelled on the chart: Authentication/authorization; System monitoring; Encryption of communications; Security evaluation and test o...; Segmentation; New IT security controls; New physical security controls; Secure APIs; TPMs for hardware encryption...; Geo-location services; Other]
Survey question: What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues?
The Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
Evolving Critical Security Controls to the Internet of Things
• What will be the connectivity and governance model? (CSC 6, 7, 9, 19)
• What is mine, what’s running on it, where is it? (CSC 1-4)
• How do I protect from attack? (CSC 5, 10-13, 15, 16)
• How do I detect and recover from compromise? (CSC 8, 14, 17, 18, 20)
Requiring Secure Products from IoT Manufacturers
[Bar chart, axis 0% to 90%. Categories as labelled on the chart: Our IT security group; The Thing manufac...; Our IT operations ...; Department mana...; Our physical securi...; Other]
Survey question: In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network?
Learn From Mistakes of the Past
1. More defendable endpoints
   1. Hardware security
   2. White list
   3. Sandbox
   4. Auto update
2. Smarter Internet
   1. Endpoint Validation/Network Access Control
   2. Filter Known Bad
   3. Assume hostility (IPSEC, DNSSEC, better CA, etc)
Government Efforts
• Stuxnet?
• NSTAC – “Industrial Internet”
• FTC – “Internet of Things - Privacy and Security in a Connected World”
• DoE – Smart Grid Task Force
• DoT/NHTSA – Autonomous Vehicles
• FAA – Drones
• FCC – Baby monitors, M2M, …
Summary
• The IoT is an opportunity to not repeat the mistakes of the past
  – IPSEC, DNSSEC, etc
  – New device capabilities
  – Building security in, extending the perimeter
• Basic hygiene is Job 1
• Drive suppliers to higher quality/security
• How can the security community raise the bar?