spirent: the internet of things: the expanded security perimeter

SecCon 2015 The impact of security on how we work, live, play and learn. Internet of Things The Expanded Security Perimeter Michael Jack – Spirent Communications Sr. Product Marketing Manager

Upload: spirent-communications

Post on 13-Feb-2017


TRANSCRIPT

Page 1: Spirent: The Internet of Things:  The Expanded Security Perimeter

SecCon 2015
The impact of security on how we work, live, play and learn.

Internet of Things
The Expanded Security Perimeter
Michael Jack – Spirent Communications
Sr. Product Marketing Manager

Page 2: Spirent: The Internet of Things:  The Expanded Security Perimeter

Agenda

• Internet of Things (IoT) Market
• Increased Security Concerns
• IoT Hacks
• Testing Practices
• Summary

Page 3: Spirent: The Internet of Things:  The Expanded Security Perimeter

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems. (Webopedia - August, 2015)

Quick Definition: IoT - Internet of Things

Page 5: Spirent: The Internet of Things:  The Expanded Security Perimeter

Proliferation of Devices

Page 6: Spirent: The Internet of Things:  The Expanded Security Perimeter

The Smart…devices are everywhere
• Home
  – Security sensors
  – Entertainment
• Building
  – HVAC
  – Lighting/Electric use
• Industry
  – Control Systems
  – Smart Grid
• City
  – Parking meters
  – Trash Cans (yes – trash cans)
• You name it!

Page 7: Spirent: The Internet of Things:  The Expanded Security Perimeter

The Walking Host – How many IP addresses are on your person?
• Smart watches
• Fitness Devices
• Medical devices
• Smartphones
• Tablets
• Smart glasses
• Headsets
• And more

Confidential information is passed between Smart Watches and Host Phones

Medical and Health devices store and transmit personal data

Device firmware and application updates are not necessarily secure

Page 8: Spirent: The Internet of Things:  The Expanded Security Perimeter

Source: Digital Attack Map - Powered by Google Ideas. DDoS data ©2014, Arbor Networks, Inc.

IoT: A whole new world of security concerns!

Page 9: Spirent: The Internet of Things:  The Expanded Security Perimeter

The Adversary
• Exploits and Malware Persist Everywhere

SOURCE: Cisco 2015 Annual Security Report; Mandiant M-Trends 2015: A view from the front lines; McAfee Labs Threats Report June 2014

Page 10: Spirent: The Internet of Things:  The Expanded Security Perimeter

IoT – The Expanded Security Perimeter
• Weaker Perimeter Security
  – Devices never meant to be Internet enabled are now online
  – New sources of DDoS generators
  – Susceptible to DDoS
  – Conduit for data theft
  – More points for Malware infection
• When devices “phone home” for firmware or other updates, SSL is not always used
• Attacks against these devices have become a new domain in the hacker community

Page 11: Spirent: The Internet of Things:  The Expanded Security Perimeter

OWASP Top 10 IoT Vulnerability Areas
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security

https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf

Page 12: Spirent: The Internet of Things:  The Expanded Security Perimeter

IoT Hack – The Smart City
• Smart street lights are centrally managed and can adapt to weather conditions, report problems, or be automated by time of day
• Smart Public Transportation and Traffic Control Systems adjust traffic lights based on current traffic conditions
• Smart parking applications find available parking slots
• Smart Water and Energy Management provides information regarding the quality of air, water needs

Page 13: Spirent: The Internet of Things:  The Expanded Security Perimeter

The Smart City – Most Vulnerable
• Santander, Spain
• New York City, USA
• Aguas De Sao Pedro, Brazil
• Songdo, South Korea
• Tokyo, Japan
• Hong Kong
• Arlington County, Virginia, USA

Smart IoT devices create huge attack surfaces for potential cyber attacks, making the future of smart cities more vulnerable than today's computers and smartphones.

Cyber Attacks Leverages Internet of Things

Smart devices such as traffic and surveillance cameras, meters, street lights, traffic lights, smart pipes, and sensors are easy to implement, but are even easier to hack due to lack of stringent security measures and insecure encryption mechanisms.

These cities are implementing new technologies without first testing cyber security.

The Hacker News July 2015

Page 14: Spirent: The Internet of Things:  The Expanded Security Perimeter

IoT Hack – Smart Appliance
• Gmail Integrated Refrigerator
• SSL used for secure Gmail access
• Devices did not validate certificates
• Allowed hackers to gain access to username and password of connected devices
• According to hackers – this was easy and there are other faults with this $2000 home appliance
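The refrigerator flaw above and the earlier point that update "phone home" traffic does not always use SSL come down to the same client-side checks. The following is an added example, not code from the original slides: it sets a validating Python `ssl` client context beside a non-validating one and audits each together with an update URL. The URLs and function names are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def strict_client_context() -> ssl.SSLContext:
    """TLS client context that validates the server chain and hostname."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def lax_client_context() -> ssl.SSLContext:
    """The weak setting from the slide: encrypted, but no validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE           # accepts any certificate
    return ctx

def audit_update_channel(url: str, ctx: ssl.SSLContext) -> list:
    """Return findings for a device's update URL and its TLS client context."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("update URL is not HTTPS")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings

if __name__ == "__main__":
    # Constructed sample endpoints (the .invalid TLD never resolves).
    cases = [
        ("http://updates.example.invalid/fw.bin", lax_client_context()),
        ("https://updates.example.invalid/fw.bin", strict_client_context()),
    ]
    for url, ctx in cases:
        print(url, audit_update_channel(url, ctx) or "ok")
```

With validation disabled the session is still encrypted, which is why this class of flaw passes a casual "is it using SSL?" check.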

Page 15: Spirent: The Internet of Things:  The Expanded Security Perimeter

Test – Principles You Use Today
• Security Testing Lifecycle for IoT
  – Authentication
  – Authorization
  – Network Enforced Policies
  – Secure Analytics: Visibility and Control

Page 16: Spirent: The Internet of Things:  The Expanded Security Perimeter

Best Practice – Stack Hardening
• What is tested?
  – New network devices, anything that has a protocol stack
  – Gateways, proxies, end servers
• How is it tested?
  – Fuzz testing
• Why is it Critical?
  – Most attacks focus on finite state machine bugs or corner case conditions. Fuzzing automatically checks the “Hardness” of the stack, identifying a possible weak point in the design
• What can make this fail?
  – Fuzzing is a “weakest link” event; if you do not test all the protocols, a failure or exposed vulnerability may be found
• When / What do you test?
  – Acceptance test level; whenever there is new software or a new device, you must test
• Fuzzing Value
  – “Spidering” fuzzing quickly zones in on problems and tests those areas more deeply, as opposed to random generation of patterns.
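A small version of the stack-hardening test described above, as an added example (not Spirent's tooling and not code from the slides): a toy message stack with one corner-case bug and one state-machine bug, and a mutation fuzzer that counts anything other than a clean rejection as a fault. The message format and all names are constructed; this is plain random mutation, not the guided approach the last bullet mentions.

```python
import random

HELLO, DATA, BYE = 1, 2, 3   # constructed frame layout: [type, length, payload...]

class Stack:
    """Toy stateful stack; hardened=False leaves two classic bugs in place."""
    def __init__(self, hardened):
        self.hardened, self.session = hardened, None
    def feed(self, frame):
        if self.hardened and (len(frame) < 2 or frame[1] != len(frame) - 2):
            raise ValueError("bad length field")
        kind, length = frame[0], frame[1]          # corner case: short frame
        payload = frame[2:2 + length]
        if kind == HELLO:
            self.session = {"bytes": 0}
        elif kind == DATA:
            if self.hardened and self.session is None:
                raise ValueError("DATA outside a session")
            self.session["bytes"] += len(payload)  # state bug: no session yet
        elif kind == BYE:
            self.session = None
        else:
            raise ValueError("unknown message type")

def mutate(rng, frame):
    data = bytearray(frame)
    op = rng.randrange(3)
    if op == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)  # corrupt one byte
    elif op == 1:
        del data[rng.randrange(len(data) + 1):]              # truncate
    else:
        data += bytes(rng.randrange(256) for _ in range(3))  # trailing junk
    return bytes(data)

def fuzz(hardened, rounds=2000, seed=1):  # -> {exception name: first triggering sequence}
    rng, crashes = random.Random(seed), {}
    valid = [bytes([HELLO, 0]), bytes([DATA, 3]) + b"abc", bytes([BYE, 0])]
    for _ in range(rounds):
        stack = Stack(hardened)
        # Random order and count of messages exercises the state machine.
        seq = [rng.choice(valid) for _ in range(rng.randrange(1, 5))]
        seq = [mutate(rng, f) if rng.random() < 0.5 else f for f in seq]
        try:
            for frame in seq:
                stack.feed(frame)
        except ValueError:
            pass                                   # clean rejection, not a finding
        except Exception as exc:                   # anything else is a stack fault
            crashes.setdefault(type(exc).__name__, seq)
    return crashes
```

`fuzz(hardened=False)` reports an `IndexError` (truncated frame) and a `TypeError` (DATA before HELLO), each with the message sequence that triggered it; `fuzz(hardened=True)` reports nothing.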

Page 17: Spirent: The Internet of Things:  The Expanded Security Perimeter

Best Practice – Security Audit
• What is tested?
  – Ability of the SUT (System Under Test) to mitigate the “Newest” Attacks
• How is it tested?
  – Use the latest and up-to-date attack vectors
  – Attacks generated by compromised devices
• Why is it Critical?
  – As new attacks are discovered, you can test if your updated code in your SUT is blocking traffic
  – Mixes valid and attack traffic for SUT loading
• What can make this fail?
  – Frequency of scanning; new attacks are added weekly, or more frequently based on severity
• When / What do you test?
  – On-going testing
• What to look for in test environment
  – Topical attack database must be very thorough

Page 18: Spirent: The Internet of Things:  The Expanded Security Perimeter

Best Practice – Blended Volumetric Attack Testing
• What is tested?
  – Ability to mix multiple DDoS attacks in an orchestrated fashion
• How is it tested?
  – Full flexibility to blend and orchestrate ‘Scenarios’
• Why is it Critical?
  – Test each attack with high realism under high volume load
• What can make this fail?
  – Not testing critical combinations of attacks
• When / What do you test?
  – Weekly testing, or on demand, is recommended
• Value
  – Be able to mix and match valid and DDoS traffic
  – Very high load

Page 19: Spirent: The Internet of Things:  The Expanded Security Perimeter

Example of Spirent Blended Volumetric Attack

Page 20: Spirent: The Internet of Things:  The Expanded Security Perimeter

Best Practice – Quality of Experience Validation
• What is tested?
  – Measure “Tenant Happiness” over any condition
• How is it tested?
  – Schedule complex app scenarios: Internet enabled device traffic on network
  – Measure directly Quality of Experience under load and secure communications (SSL and IPsec)
  – Blend in attacks
  – Measure results
• Why is it Critical?
  – Tenants expect network to work through network issues
• What can make this fail?
  – Not testing or measuring user specific applications
• When / What do you test?
  – Provisioning a new tenant, troubleshooting a tenant problem, anytime there is a network change
• Value
  – Ensure tests emulate user traffic under elastic conditions

Page 21: Spirent: The Internet of Things:  The Expanded Security Perimeter

Application Security Testing

Page 22: Spirent: The Internet of Things:  The Expanded Security Perimeter

Summary
• IoT brings new security challenges to network equipment providers and their customers
• More elements on the network need to be managed, monitored and secured
• Deeper and wider security testing can expose new weaknesses, allowing you to deliver better solutions and services

Page 23: Spirent: The Internet of Things:  The Expanded Security Perimeter

Thank you.