spirent: the internet of things: the expanded security perimeter
TRANSCRIPT
SecCon 2015
The impact of security on how we work, live, play and learn.
Internet of Things – The Expanded Security Perimeter
Michael Jack – Spirent Communications, Sr. Product Marketing Manager
Agenda
• Internet of Things (IoT) Market
• Increased Security Concerns
• IoT Hacks
• Testing Practices
• Summary
Quick Definition: IoT - Internet of Things
The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems. (Webopedia - August, 2015)
IoT - It’s Huge Already!
2015 Acquity Group
Proliferation of Devices
The Smart… devices are everywhere
• Home
– Security sensors
– Entertainment
• Building
– HVAC
– Lighting/Electric use
• Industry
– Control Systems
– Smart Grid
• City
– Parking meters
– Trash Cans (yes – trash cans)
• You name it!
The Walking Host – How many IP addresses are on your person?
• Smart watches
• Fitness Devices
• Medical devices
• Smartphones
• Tablets
• Smart glasses
• Headsets
• And more
Confidential information is passed between Smart Watches and Host Phones
Medical and Health devices store and transmit personal data
Device firmware and application updates are not necessarily secure
Source: Digital Attack Map - Powered by Google Ideas. DDoS data ©2014, Arbor Networks, Inc.
IoT: A whole new world of security concerns!
The Adversary
• Exploits and Malware Persist Everywhere
SOURCE: Cisco 2015 Annual Security Report, Mandiant M-Trends 2015: A view from the front lines, McAfee Labs Threats Report June 2014
IoT – The Expanded Security Perimeter
• Weaker Perimeter Security
– Devices never meant to be Internet enabled are now online
– New sources of DDoS generators
– Susceptible to DDoS
– Conduit for data theft
– More points for Malware infection
• When devices “phone home” for firmware or other updates, SSL is not always used
• Attacks against these devices have become a new domain in the hacker community
OWASP Top 10 IoT Vulnerability Areas
• 1 Insecure Web Interface
• 2 Insufficient Authentication/Authorization
• 3 Insecure Network Services
• 4 Lack of Transport Encryption
• 5 Privacy Concerns
• 6 Insecure Cloud Interface
• 7 Insecure Mobile Interface
• 8 Insufficient Security Configurability
• 9 Insecure Software/Firmware
• 10 Poor Physical Security
https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
IoT Hack - The Smart City
• Smart street lights, centrally managed, can adapt to weather conditions, report problems, or be automated by time of the day
• Smart Public Transportation and Traffic Control Systems adjust traffic lights based on current traffic conditions
• Smart parking application to find available parking slots
• Smart Water and Energy Management provides information regarding the quality of air and water needs
The Smart City – Most Vulnerable
• Santander, Spain
• New York City, USA
• Aguas De Sao Pedro, Brazil
• Songdo, South Korea
• Tokyo, Japan
• Hong Kong
• Arlington County, Virginia, USA
Smart IoT devices create huge attack surfaces for potential cyber attacks, making the future of smart cities more vulnerable than today's computers and smartphones.
Cyber Attacks Leverage the Internet of Things
Smart devices such as traffic and surveillance cameras, meters, street lights, traffic lights, smart pipes, and sensors are easy to implement, but are even easier to hack due to lack of stringent security measures and insecure encryption mechanisms.
These cities are implementing new technologies without first testing cyber security.
The Hacker News July 2015
IoT Hack – Smart Appliance
• Gmail Integrated Refrigerator
• SSL used for secure Gmail access
• Devices did not validate certificates
• Allowed hackers to gain access to username and password of connected devices
• According to hackers – this was easy and there are other faults with this $2000 home appliance
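As an added example (not code from the Spirent deck or from the appliance vendor), the certificate-validation gap above expressed as a Python ssl client configuration: the weak context beside the hardened one, plus an audit function a test engineer can run against a device's TLS client settings before it is allowed to fetch mail or firmware. The function names and finding strings are constructed for this illustration.

```python
import ssl


def weak_update_context() -> ssl.SSLContext:
    """Client context as the appliance apparently had it: TLS on the wire, but the
    server certificate is neither chain-verified nor matched to the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, so any middlebox can impersonate
    return ctx


def hardened_update_context() -> ssl.SSLContext:
    """Hardened form: system CA store, chain validation required, hostname match, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Findings (constructed wording) to raise against a device's TLS client config."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is not pinned to TLS 1.2 or later")
    return findings
```

The same three checks apply to any language's TLS client API: the refrigerator's failure was the first two findings, not the absence of SSL itself.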
Test – Principles You Use Today
• Security Testing Lifecycle for IoT
– Authentication
– Authorization
– Network Enforced Policies
– Secure Analytics: Visibility and Control
Best Practice – Stack Hardening
• What is tested?
– New network devices, anything that has a protocol stack
– Gateways, proxies, end servers
• How is it tested?
– Fuzz testing
• Why is it Critical?
– Most attacks focus on finite state machine bugs or corner-case conditions. Fuzzing automatically checks the “Hardness” of the stack, identifying a possible weak point in the design
• What can make this fail?
– Fuzzing is a “weakest link” event: if you do not test all the protocols, a failure or exposed vulnerability may be found
• When / What do you test?
– Acceptance test level; whenever there is new software or a new device, you must test
• Fuzzing Value
– “Spidering” fuzzing quickly zeroes in on problems and tests those areas more deeply, as opposed to random generation of patterns.
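As an added example that is not part of the deck, a small feedback-driven mutational fuzzer in Python run against a constructed TLV record parser: inputs that reach a new parser state are kept in the corpus so later mutations dig deeper there (the “spidering” behaviour described above), and the harness surfaces the unchecked-length corner case that the strict version of the same parser rejects cleanly. The wire format, parser, and seed message are all constructed for this illustration.

```python
import random

# Constructed toy wire format (not a real protocol): records of
# [type: 1 byte][length: 1 byte][value: <length> bytes].

def parse_tlv(msg: bytes, strict: bool) -> list:
    """Parses records. strict=False trusts the length field (the corner-case
    bug); strict=True bounds-checks header and length and rejects cleanly."""
    records, i = [], 0
    while i < len(msg):
        if strict and i + 2 > len(msg):
            raise ValueError("truncated record header")
        rtype, n = msg[i], msg[i + 1]
        if strict and i + 2 + n > len(msg):
            raise ValueError("length field exceeds message")
        value = bytes(msg[i + 2 + k] for k in range(n))   # unchecked: reads past end
        records.append((rtype, value))
        i += 2 + n
    return records

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite, insert or delete a byte (never empties input)."""
    buf, pos, op = bytearray(data), rng.randrange(len(data)), rng.randrange(3)
    if op == 0:
        buf[pos] = rng.randrange(256)
    elif op == 1:
        buf.insert(pos, rng.randrange(256))
    elif len(buf) > 1:
        del buf[pos]
    return bytes(buf)

def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1):
    """Mutates inputs drawn from a corpus; an input reaching a new parser state
    (record count, type set) joins the corpus. Returns (crash_input, used) or (None, n)."""
    rng, corpus, seen = random.Random(rng_seed), [seed], set()
    for it in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        try:
            records = parser(child)
        except ValueError:
            continue                   # clean rejection is the behaviour we want
        except Exception:              # any other exception is a crash: a finding
            return child, it
        state = (len(records), frozenset(r[0] for r in records))
        if state not in seen:
            seen.add(state)
            corpus.append(child)
    return None, iterations

SEED = b"\x01\x02AB\x02\x01C"   # constructed valid message: two records
```

Running `fuzz(lambda m: parse_tlv(m, strict=False), SEED, 5000)` returns a crashing input, while the same campaign against `strict=True` returns `(None, 5000)`: the stack is only as hard as its weakest parser.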
Best Practice – Security Audit
• What is tested?
– Ability of the SUT (System Under Test) to mitigate the “Newest” Attacks
• How is it tested?
– Use the latest and up-to-date attack vectors
– Attack generation from compromised devices
• Why is it Critical?
– As new attacks are discovered, you can test if the updated code in your SUT is blocking the traffic
– Mixes valid and attack traffic for SUT loading
• What can make this fail?
– Frequency of scanning: new attacks are added weekly, or more frequently based on severity
• When / What do you test?
– On-going testing
• What to look for in a test environment
– Topical attack database must be very thorough
Best Practice – Blended Volumetric Attack Testing
• What is tested?
– Ability to mix multiple DDoS attacks in an orchestrated fashion
• How is it tested?
– Full flexibility to blend and orchestrate ‘Scenarios’
• Why is it Critical?
– Test each attack with high realism under high volume load
• What can make this fail?
– Not testing critical combinations of attacks
• When / What do you test?
– Weekly testing, or on demand, is recommended
• Value
– Be able to mix and match valid and DDoS traffic
– Very high load
Example of Spirent Blended Volumetric Attack
Best Practice – Quality of Experience Validation
• What is tested?
– Measure “Tenant Happiness” over any condition
• How is it tested?
– Schedule complex app scenarios - Internet enabled device traffic on the network
– Measure Quality of Experience directly under load and secure communications (SSL and IPsec)
– Blend in attacks
– Measure results
• Why is it Critical?
– Tenants expect the network to work through network issues
• What can make this fail?
– Not testing or measuring user-specific applications
• When / What do you test?
– Provisioning a new tenant, troubleshooting a tenant problem, anytime there is a network change
• Value
– Ensure tests emulate user traffic under elastic conditions
Application Security Testing
Summary
• IoT brings new security challenges to network equipment providers and their customers
• More elements on the network need to be managed, monitored and secured
• Deeper and wider security testing can expose new weaknesses, allowing you to deliver better solutions and services
Thank you.