Kid Proofing the Internet of Things

2015 NTX-ISSA Cyber Security Conference (Spring), April 24-25, 2015

Copyright © 2015 Raytheon Company. All rights reserved.

Upload: north-texas-chapter-of-the-issa

Post on 11-Aug-2015



Why We Want To Lock Down Our Home Networks

• As Information Security (IS) professionals (or students), we regularly defend enterprise networks
• General Internet threats
  - Malware, hackers, identity thieves
• Threats to and from our kids
  - The threats our kids bring in
    - Malware, spyware, etc.
  - The threats against our kids
    - Objectionable content, predators

What is important in your Network Castle?

The Usual Solutions People Use To Do It (PCs)

• General Controls
  - Firewalls
    - Perimeter firewall (wireless router)
    - Host-based firewall
  - Anti-Virus
  - User Account Controls (UAC)
• Kid-Specific Controls
  - Parental controls / Google controls
  - “Kid Safe” browsers
  - “Deep Freeze”

Securing a desktop is easier (but not easy)

All The Other Devices On Your Network

• The real problem is all the other devices on your network
  - With the Internet of Things, have you really thought about how these affect the security of your home network?
  - Were these devices built with security in mind?
• Devices you or your kids likely have on the network
  - Tablets (iOS, Android, Chrome, other Linux variants)
  - Game Systems (PlayStation, Wii, Nintendo DS, etc.)
  - TVs (Linux, Windows, Netflix, Hulu, YouTube, etc.)
  - Phones (iOS, Android)

The Internet of Things is a different matter…

Device Lockdowns

• Hard lesson learned about these devices
  - They don’t care about your security concerns…
  - At best they have VERY limited content controls
  - All connected, but no control over Internet content
• Game systems / TVs
  - Ratings Controls
• Android / Linux / iOS
  - Limited Parental Controls – can control purchases
  - Apple’s “Restriction” Controls (slightly better)
  - “Kid Safe” Apps and Browsers

Locking Down The iOS

• Apple has some decent controls via their “Restrictions” settings to make the iOS “kid safe” on any network…
• Some strategies I use / have used
  - Don’t let the kids install / delete Apps (they hate this)
  - Disable iCloud and Messages (they hate this more)
  - Disable Safari / YouTube / remove “problem” apps
  - Install a “kid safe” browser
  - Configure Google parental controls
• Hacking iOS opens additional opportunities / risks

Making iOS “kid safe” is reasonably doable

So What Does That Leave Us?

• What do all these devices have in common?
  - The home network and Internet Gateway…
• Conventional Router Controls
  - Basics
    - Encrypt wireless traffic (devices may limit strength)
    - MAC address restrictions
    - Guest network (if available)
  - Good ingress screening
  - May have limited egress screening
    - Limit sites and times for some / all users
    - Generally these are hard to manage

Advanced Strategies For More Security

• Segment your LAN into security zones
  - Move “high risk / value” devices to their own zone
  - Allows you to apply different access policies
• Some security zones to consider…
  - Adult Household Member Zone
  - Hardwired Zone / Finance Zone
    - Consider moving Finance into a VM
  - Adult Guest Zone
  - Kid Zone (Household Member and Guests)
  - Entertainment Device Zone (May be Kid Zone)

Adult, Visitor, and Kid Zones are my minimums

How To Implement Security Zones

• One Router to rule them all…
  - There are MANY possible variants of this
• Use the existing router as a master device
  - Leave the DNS the same or use unfiltered OpenDNS
  - With a dual wireless router this can be Adult + Visitor
• Add a new wireless router per zone
  - Connect Wireless APs via wire to master device
  - If this is to be a filtered network (Kids) then reconfigure the DNS to use filtered OpenDNS

Shared network devices like printers are issues…

Advanced Internet Controls At The Network Layer

• Advanced Internet Access Control is a difficult problem
  - Devices have very limited controls
  - Wireless routers are marginally better
  - Is there another way to provide this filtering?
• OpenDNS to the rescue (almost)
  - If you control DNS, you control the Internet*
  - OpenDNS is a free (and paid) service that provides a filtered / controlled Internet experience via DNS
    - Free has a bunch of stock settings
    - Paid has the ability to customize these + add custom site rules

OpenDNS - Living With An Imperfect Solution (1)

• OpenDNS does not protect mobile devices when they leave your network (tablets, phones, laptops, etc.)
  - Sorry but I do not think there is a good solution for this
  - Auditing the device is probably the best work around
• OpenDNS (paid) can only be used on one “Zone” unless you have more than one public IP
  - It keys off the source IP to decide how things resolve
  - You can use OpenDNS (free) on other zones…
  - This may affect how you implement your zoning strategy

Controlling devices off your network is very hard…

OpenDNS - Living With An Imperfect Solution (2)

• OpenDNS does not stop direct access via an IP
  - Kids that understand what an IP is can be a problem
  - Kids that know what a hosts file is can still have DNS
• OpenDNS works great for devices using DHCP…
  - But if the device lets you change the DNS settings – OpenDNS can be bypassed at the host
• If your kids are more computer and network savvy than you, this will not work for long…

It's not a perfect solution, but works for me…
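The bypasses listed on this slide (direct IP access, a hosts file, changed DNS settings) all leave a trace at the zone gateway. The Python example below is added here and is not part of the original presentation; it assumes the kid-zone router forwards DNS to filtered OpenDNS and can export DNS answers and outbound connections, and the subnet, addresses and record shapes are constructed for illustration.

```python
import ipaddress

# Assumptions (not from the slides): kid-zone subnet, LAN range, and the
# resolver handed out by DHCP (the zone router, forwarding to filtered OpenDNS).
KID_ZONE = ipaddress.ip_network("192.168.20.0/24")
LOCAL_NETS = ipaddress.ip_network("192.168.0.0/16")
APPROVED_RESOLVERS = {"192.168.20.1"}

# Constructed sample records: (client, name, answer IP) logged by the router.
DNS_ANSWERS = [
    ("192.168.20.15", "school.example", "192.0.2.10"),
    ("192.168.20.16", "games.example", "192.0.2.20"),
]
# Constructed sample records: (client, destination IP, destination port).
FLOWS = [
    ("192.168.20.15", "192.168.20.1", 53),    # lookup via the approved resolver
    ("192.168.20.15", "192.0.2.10", 443),     # resolved first, then visited
    ("192.168.20.16", "198.51.100.53", 53),   # DNS setting changed on the host
    ("192.168.20.16", "203.0.113.50", 443),   # no lookup seen: direct IP or hosts file
    ("192.168.20.16", "192.168.20.40", 9100), # shared printer on the LAN, ignored
    ("192.168.10.5", "198.51.100.53", 53),    # adult zone, out of scope
]

def audit_kid_zone(flows, dns_answers):
    """Return (rogue_dns, unresolved) lists of (client, destination) pairs."""
    resolved = {}
    for client, _name, answer in dns_answers:
        resolved.setdefault(client, set()).add(answer)
    rogue_dns, unresolved = [], []
    for client, dst, port in flows:
        if ipaddress.ip_address(client) not in KID_ZONE:
            continue  # only the filtered zone is audited
        if port == 53:
            if dst not in APPROVED_RESOLVERS:
                rogue_dns.append((client, dst))   # host is using its own resolver
        elif ipaddress.ip_address(dst) in LOCAL_NETS:
            continue  # local traffic never needed a public lookup
        elif dst not in resolved.get(client, set()):
            unresolved.append((client, dst))      # destination never came from DNS
    return rogue_dns, unresolved

if __name__ == "__main__":
    rogue, direct = audit_kid_zone(FLOWS, DNS_ANSWERS)
    for client, dst in rogue:
        print(f"{client}: DNS sent to unapproved resolver {dst}")
    for client, dst in direct:
        print(f"{client}: connection to {dst} with no matching DNS answer")
```

Blocking outbound port 53 from the kid zone to anything but the approved resolver turns the first finding into a prevented event; the second finding still needs review, since the filter never saw the name.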


Questions?


Presenter Bio

Monty D. McDougal is a Raytheon Intelligence, Information and Services (IIS) Cyber Engineering Fellow. He has worked for Raytheon for the last 16+ years performing tasks ranging from programming to system administration and has an extensive web development / programming background spanning 18+ years. His work has included development/integration / architecture / accreditation work on numerous security projects for multiple government programs, internal and external security / wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and several advanced anti-malware IRADs / products / patents.

Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on the SANS Advisory Board. Monty has previously held the GCIH, GCFA, GREM, GCUX, and GCWN certifications. Monty is also the author of the Windows Forensic Toolchest (WFT).



Abstract

Kid Proofing the Internet of Things

This presentation is intended to address the unique challenges parents face in securing their home networks both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.

- Why we want to lock down our networks
- The usual tools we would attempt to do it with (PC Solutions)
- What about all those other devices on your network… the real issue
- Device lockdowns
- Wireless Router / security zoning
- OpenDNS and why it may be your best friend in this fight
- Living with an imperfect solution…

-Living with an imperfect solution…