Internet of Things: between opportunities and risks. By Ing. Vito Santarcangelo

Uploaded by hamien. Posted on 16-Feb-2019.



The Internet of Things (IoT) is a network of physical objects, or "things", equipped with electronics, software, sensors and connectivity, which are able to exchange data with other connected devices.

Example applications: Media, Surveillance, Building and home automation, Environmental monitoring, Infrastructure management, Energy management, Medical and healthcare systems

Source: https://inventrom.wordpress.com

IoT process: OBJECT, INTERFACE, NETWORK

1. IoT by network interfaces: LAN / WiFi / Bluetooth

Source: http://www.internetpost.it/

Smartband

2. IoT via RFID: active and passive tags

3. IoT via 2D BARCODE: QR Code, Data Matrix, Aztec Code

2D BARCODE maximum capacity: Data Matrix 1556 bytes, Aztec Code 1914 bytes, QR Code 2953 bytes

DANGERS IN IoT

www.shodan.io

Google finds web sites - Shodan finds devices

Search by features (e.g. OpenSSL version, OS)

Search by vendor

Heartbleed is a bug present in OpenSSL versions 1.0.1 through 1.0.1f.
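The slide's point is that a device can be found by the OpenSSL version it advertises, so the defender's first job is to know which devices in their own inventory still report the affected range. The following is an added example, not code from the presentation: it parses the OpenSSL version out of service banners (assumed to appear as "OpenSSL/1.0.1e" or "OpenSSL 1.0.1e"; pre-release suffixes are not handled) and flags those between 1.0.1 and 1.0.1f inclusive. The banner lines are constructed sample inventory data. Version strings are only a triage signal: distributions that backport the fix keep the old version number, so a flagged device still needs its patch level confirmed.

```python
"""Triage device banners for the Heartbleed-affected OpenSSL range (1.0.1 through 1.0.1f).

Added example; banner lines are constructed for illustration, not real hosts.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Matches "OpenSSL/1.0.1e" or "OpenSSL 1.0.1e"; release versions only (no -beta/-pre).
_OPENSSL_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: int  # 0 = no letter, a = 1 ... z = 26, za = 27 ... (see letter_rank)


def letter_rank(letters: str) -> int:
    """Order the trailing letter suffix so that '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the OpenSSL version from a banner, or None if none is advertised."""
    m = _OPENSSL_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter_rank(letters))


HEARTBLEED_FIRST = OpenSSLVersion(1, 0, 1, 0)                  # 1.0.1 with no letter
HEARTBLEED_LAST = OpenSSLVersion(1, 0, 1, letter_rank("f"))    # 1.0.1f; 1.0.1g carries the fix


def heartbleed_affected(version: OpenSSLVersion) -> bool:
    """True when the advertised version lies in the affected range (tuples compare lexicographically)."""
    return HEARTBLEED_FIRST <= version <= HEARTBLEED_LAST


def triage_banners(banners: List[str]) -> List[Tuple[str, str]]:
    """Return (banner, verdict) pairs: 'affected', 'not affected' or 'unknown' (no OpenSSL version)."""
    results = []
    for banner in banners:
        version = parse_openssl_version(banner)
        if version is None:
            results.append((banner, "unknown"))
        elif heartbleed_affected(version):
            results.append((banner, "affected"))
        else:
            results.append((banner, "not affected"))
    return results


# Constructed sample inventory lines (hypothetical devices).
SAMPLE_BANNERS = [
    "Server: Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1",
    "Server: Apache/2.2.22 (Debian) OpenSSL/1.0.1e",
    "Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f",
    "Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g",
    "Server: Apache/2.2.15 (CentOS) OpenSSL/1.0.0-fips",
    "Server: lighttpd/1.4.35 OpenSSL/1.0.2k",
    "Server: nginx/1.4.0",
]

if __name__ == "__main__":
    for banner, verdict in triage_banners(SAMPLE_BANNERS):
        print(f"{verdict:<13} {banner}")
```

The "unknown" verdict is kept separate from "not affected" on purpose: a device that does not advertise its library version has not been cleared, it has simply not been assessed.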

SHODAN MAP

Dynamic Port Forwarding

Quick Connect

Possible SOLUTION

◇User Awareness

◇Robust authentication credentials

◇Firmware upgrade

◇Use of OTP (One Time Password) Auth Method

◇Use of Single Sign On (SSO) Auth Method

◇Security devices as Firewall, IDS and IPS

◇VPN Networks

IoT Spamming

◇Mass Flooding

◇Redirection Hiding technique

Security Risks

Brand Reputation Damage

Technology Reputation Damage

Possible SOLUTION

◇USER/TECHNOLOGY AWARENESS

◇ANTIVIRUS MOBILE

A POSSIBLE GUIDE

ISO 27000 : Fundamentals and vocabulary

ISO 27001 : ISMS Requirements (normative)

ISO 27002 : ISMS Code of practice (guide)

ISO 27001's Annex A: list of 114 controls / best practices (35 control objectives, 14 key points from A.5 to A.18)

POLICIES FOR IoT

A.6 Organization of information security

A.6.2 Mobile devices and teleworking (to enable connection from mobile devices through teleworking infrastructure)

A.9 Access control

A.9.1 Business requirements of access control (to establish an access control policy to limit access to information)

A.9.2 User access management (to prevent unauthorized access to systems and services)

A.9.3 User responsibilities (users must safeguard their authentication information)

A.9.4 System and application access control (secure log-on procedures)

A.10 Cryptography

A.10.1 Cryptographic controls (to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information)

POLICIES FOR IoT

A.12 Operations security

A.12.2 Protection from malware (controls against malware)

A.13 Communications security

A.13.1 Network security management (network controls, security of network services, segregation in networks)

A.13.2 Information transfer (information transfer policies and procedures)

Thanks! Any questions? You can find me at:

http://www.researchgate.net/profile/Vito_Santarcangelo

Presentation template by SlidesCarnival

Photographs by Unsplash