New challenges to secure the IoT (with notes)


Upload: caston-thomas

Post on 10-Feb-2017

Category: Internet

TRANSCRIPT

Most think of IoT like BYOD. We try to identify & control.

IoT coined 15 years ago -

4 THINGS!!!

Devices can alter the way we interact with & collect data in all aspects of our lives.

Most companies put the IoT into the BYOD (Bring Your Own Device) bucket in terms of.

BYOD & the IoT are two very different concepts. The IoT encompasses a larger set of devices enterprises utilize that include not only personal devices, but those that are built into emerging technologies such as building control systems (think ZigBee/Wi-Fi enabled light bulbs), security systems (Bluetooth locks), health & fitness (collecting/transmitting data on our vitals). Most of the time these new technologies are deployed in an environment without the company knowing the inherent security risk.

Not long ago the only wireless protocol was Wi-Fi & many companies have mature Wi-Fi security controls in place. However, there are many protocols on IoT devices that cannot be detected with traditional Wi-Fi scanners. These protocols include Bluetooth, Bluetooth Smart (or Low Energy), ZigBee, Z-Wave, ANT, NFC, Nike+ (yes, the shoe manufacturer has their own protocol). A new protocol is in the works by giants Google/Samsung called Thread.

Study by HP's Fortify group. Of 10 popular devices tested:

• 7 contained immediately noticeable security exposures
• 25 holes or risks of compromising the home network, on average, found for each device
• 8 did not require passwords of sufficient complexity & length
• 9 collected at least one piece of personal information
• 7 allowed an attacker to identify a valid account through account enumeration

For IT security professionals, the list above is a reflection of what they have spent their careers policing. The potential problems introduced by rogue IoT devices are similar to those of wired hardware/software:

• Lack of encryption
• Weak or default authentication
• Lack of software update processes
• Default services enabled even if not used

So what is a company to do? How do you secure that which you cannot detect? Like all good security programs, your IoT security efforts will be on multiple fronts:

• Education about the risks of IoT devices will drive more users to your door to stay compliant.
• Implement segregation of devices that introduce new networks or connection points. For example, the vendor that provides HVAC controls may attempt to deploy "smart" units that create their own mesh network for exchange of data. If these units also have an Ethernet connection to your environment then you have just introduced a new path into your core.
• Require certification & penetration testing of new suppliers & devices.
• Keep an eye out for the latest security technologies that help you increase your posture by scanning your IoT space & doing regular security assessments of your environment.

4 concepts we have to understand when it comes to IoT…

#1… IoT is NOT BYOD!!!

Father's Day campaign '14 Brazil
Johnnie Walker 100,000 bottles
Smart labels
create personalized tributes & shared

For their Father's Day campaign in 2014 in Brazil, Johnnie Walker built a platform that connected 100,000 of their whiskey bottles to the Internet. With innovations in smart labeling, the whiskey brand allowed anyone to create a personalized film tribute. Gifters & receivers could opt into further promotions & share the video on social channels.


#2 STUXNET – targeted intelligence

#3 WHITEHOUSE – friendliness – email came from a State Department source – assumed to be trusted

Accepted by security professionals that any network can be compromised eventually.

- Year-over-year increases in # of attacks
- Increasingly sophisticated
- What was sophisticated yesterday is easy today – script kiddies using Metasploit
- Multiple methods
- Evade detection – average time from penetration to detection = 18 months
- Detection to correction – average of 27 days
- Utilities are a high value target (59% of attacks reported in 2013 to DHS)

Not if but when


#4 PII does not include:

Home automation
Entertainment
Personal fitness
Location

(BIG DATA!!! ANALYTICS!!! HABITS!!! PERSONALITY PROFILES!!!)


2020 Dumpster Diving: route2work, 3 trips to the urologist, coffee on Sat morn

PII (Society of Surveillance!) DARK WEB! CC AT&T

GPS on car –
TV camera –
camera or mic –
Appliances
Home automation (early warning system)

Ultra spear phishing (Your wife's credit card.)

MY new AT&T router installed.

Old frameworks won't work! How do we update them?

Risk Model
Information Flow & Gap Analysis
Game Theory
Process Oriented (NOT Event Oriented!)

THIS SLIDE IS FOR REFERENCE

Step-by-step – OWASP: refer to OWASP.org. It's a pretty cool step-by-step model.

Externalities
• Device owner or data custodian don't always feel the bulk of the impact
• Reputational harm only goes so far
• Regulation should focus on where the harm occurs

Typical Stakeholders
• Data subjects
• Those using the devices (possible physical harm)
• Public at-large/community
• Device owners
• Data custodians
• Regulators (local, state, national, global)


New Kill Chain – Fridge SPAM relay

Blackmail/Sabotage
Behavior Habits
Attack -> Intel
Easier to Gather
Build Target Rich Victims for very targeted spear phishing

Thermostat
TV
Mic/cam/motion detector on every device in your home
GPS tracker

Begin to think of security more and MORE LIKE A PROCESS rather than EVENTS OR SEQUENCES that can occur somewhere in the kill chain.

CHECKERS -> CHESS

InfoSec has been a game of checkers and we are fast moving into a game of chess.

Let's take a quick look at the process flow of the seemingly simple smart meter that was installed a year or so back.

Now overlay that complexity with…

Your home automation system…
Your home entertainment system…
Your personal health monitoring system…
Your automobile…
Your shopping list…
Your to-do list…

And then tie all those systems together.

That's the IoT from a security systems viewpoint.

Game theory…

We could spend an entire semester course applying all the concepts in this diagram.

When I saw this the first time, it jumped out at me as quite profound.

Essentially, we're matching the defense to the offense – taking the high level assessment of the attacks and optimizing how we use our resources to defend against or prevent the most likely & most dangerous attacks.

LOOK AT EACH VECTOR LIKE A CAMPAIGN!

Taking this concept just a little deeper, the approach on each attack vector looks like this.

You want to identify potential threats early & plot course accordingly!

Tracking campaigns is enormously beneficial. We are not trying to stop 1s & 0s, we are trying to stop people, so we need to understand the how & the when of the operation – even the why can be critical to understand.

The principal goal of campaign analysis is to determine the patterns & behaviors of attackers, their tactics, techniques, & procedures (TTP), to detect "how" they operate rather than specifically "what" they do. The campaign heatmap allows us to quickly home in on which adversaries are active over a particular timeframe & understand when & how they attack. The use of the heat-map has been important to understanding what triggers an APT attack (i.e. new zero-day vulnerabilities, or other significant events). This allows us to assess our defensive posture on a campaign-by-campaign basis, & based on the assessed risk of each, develop strategic courses of action to cover any gaps.
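The campaign heatmap and TTP profiling described above, as an added example that is not part of the talk: constructed intrusion-event records are bucketed by campaign and month (the heatmap grid), profiled by TTP (the "how"), and queried for which campaigns were active in a given window. Campaign names, TTP labels and dates are constructed sample values, not real intelligence.

```python
from collections import defaultdict

# Constructed sample events (not real intel): (campaign, observed TTP, ISO date).
# ISO-8601 dates sort correctly as plain strings, so no datetime parsing is needed.
EVENTS = [
    ("APT-Red", "spear-phishing", "2016-11-03"),
    ("APT-Red", "credential-dumping", "2016-11-05"),
    ("APT-Red", "spear-phishing", "2016-12-12"),
    ("Thermo-Bot", "default-credentials", "2016-11-20"),
    ("Thermo-Bot", "default-credentials", "2016-12-01"),
    ("Thermo-Bot", "spam-relay", "2016-12-02"),
    ("APT-Blue", "zero-day-exploit", "2016-12-28"),
]


def campaign_heatmap(events):
    """Heatmap grid: {campaign: {YYYY-MM: number of observations in that month}}."""
    grid = defaultdict(lambda: defaultdict(int))
    for campaign, _ttp, day in events:
        grid[campaign][day[:7]] += 1          # bucket by month
    return {c: dict(months) for c, months in grid.items()}


def ttp_profile(events):
    """The 'how' of each campaign: {campaign: {ttp: count}}."""
    profile = defaultdict(lambda: defaultdict(int))
    for campaign, ttp, _day in events:
        profile[campaign][ttp] += 1
    return {c: dict(ttps) for c, ttps in profile.items()}


def active_campaigns(events, start, end):
    """Campaigns with at least one observation in the inclusive window [start, end]."""
    return sorted({c for c, _ttp, day in events if start <= day <= end})


def render(grid):
    """Text rendering of the heatmap: one row per campaign, one column per month."""
    months = sorted({m for row in grid.values() for m in row})
    out = ["campaign".ljust(12) + "".join(m.rjust(9) for m in months)]
    for campaign in sorted(grid):
        cells = "".join(str(grid[campaign].get(m, 0)).rjust(9) for m in months)
        out.append(campaign.ljust(12) + cells)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(campaign_heatmap(EVENTS)))
    for campaign, ttps in sorted(ttp_profile(EVENTS).items()):
        print(f"{campaign}: {ttps}")
    print("active in Dec 2016:", active_campaigns(EVENTS, "2016-12-01", "2016-12-31"))
```

Rows that light up in the same month as a significant event (a newly published zero-day, for instance) are the ones the notes suggest examining for a trigger.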

Game theory…

The concept takes all the complexity of the previous two slides and codifies our approach.

Essentially, we're matching the defense to the offense & applying the relative cost in a way that helps us understand the places where our resources are best devoted.

NAC – the folly of 802.1x – I've been saying this for 3 years

Anyone who has implemented NAC that has a premise of 802.1x has painted themselves into a corner and will have to re-architect their entire network security strategy.

Meta trends:
Watson intelligence in event monitoring
Merging of physical & info security
Interfaces between security systems
Listen & Learn – Younger workers have a completely different view on privacy

I know a CISO who has cultivated a 'vendor mentor'
Trusted
Wide perspective
Not product oriented
Rules of Engagement – no talk about products of the vendor

CounterTack & Tanium