Great – Now We Have to Secure an “Internet of Things”
John Pescatore
Director, Emerging Security Trends
jpescatore@sa...
  • Will solicit comments from Norse and Codenomicon on what they have seen as near-term customer IoT drivers.
  • I’ll ask Codenomicon and Norse to weigh in on the results and what they think are key areas for upgrade of security controls.
  • Transcript of "Great - Now We Have to Secure an "Internet of Things""

    1. Great – Now We Have to Secure an “Internet of Things”
       John Pescatore, Director, Emerging Security Trends
       jpescatore@sans.org, @John_Pescatore
    2. What the Heck is That??
    3. Different Views of the Internet of Things
    4. Venture Capital Definition
    5. Rapid Penetration
    6. Simple View of the Internet of Things
       Categories: Information Technology, Personal Technology, Operational Technology
       Examples shown: PCs, Servers, Virtualization, Routers, Switches, Tablets, Smartphones, MiFi, Home energy, Medical wearables, Medical implants, Home entertainment, Home control, ICS/SCADA, Medical Machines, Kiosks, Manufacturing, Cloud Service Infra., Env. monitoring
    7. Mobility, Smart Buildings/ICS, Medical Devices Are Main IoT Issues
       [Bar chart] What types of IoT applications is your organization involved in or planning to be involved in?
       Series: Producing; Operating/Managing
       • Consumer devices (set tops, security/camera, etc.)
       • Smart building/HVAC automation/commercial building management
       • Electrical, water, gas production, utilities
       • Medical devices
       • Other transportation smart systems
       • Automotive smart systems
       • Manufacturing systems (not electrical, water, gas)
       • Food production systems/refrigeration
       Source: SANS 2013
    8. Partly Cloudy or Partly Sunny?
       Which statement best captures your feelings about the IoT and security?
       Chart values: 17.2%, 48.8%, 21.4%, 12.6%
       • The IoT will be a security disaster.
       • The IoT will have the same level of security problems we have today with other applications and systems.
       • The IoT will provide an opportunity to increase security over today.
       • Other
       Source: SANS 2013
    9. Major Differences
       Old Things
       • General purpose OS
       • Fixed, wired
       • TCP/IP, 802.11, HTML5
       • Layered apps
       • Homogeneous
       • Enterprise-driven
       • 2-3 year life cycle
       • Impact data
       New Things
       • Embedded OS
       • Mobile, wireless
       • Zigbee, IoT6, WebHooks
       • Embedded apps
       • Heterogeneous
       • Consumer-driven
       • .2 to 20 year life cycle
       • Impact health/safety
    10. Enhancement and Augmentation of Existing Security Controls
       [Bar chart] What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues?
       Series: Current; Next 2 years
       • Authentication/authorization
       • System monitoring
       • Encryption of communications
       • Security evaluation and test of new Things prior to…
       • Segmentation
       • New IT security controls
       • New physical security controls
       • Secure APIs
       • TPMs for hardware encryption and attestation
       • Geo-location services
       • Other
    11. The Critical Security Controls
       1) Inventory of Authorized and Unauthorized Devices
       2) Inventory of Authorized and Unauthorized Software
       3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
       4) Continuous Vulnerability Assessment and Remediation
       5) Malware Defense
       6) Application Software Security
       7) Wireless Device Control
       8) Data Recovery Capability
       9) Security Skills Assessment and Appropriate Training to Fill Gaps
       10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
       11) Limitation and Control of Network Ports, Protocols and
       12) Controlled Use of Administrative Privileges
       13) Boundary Defense
       14) Maintenance, Monitoring and Analysis of Audit Logs
       15) Controlled Access Based on Need to Know
       16) Account Monitoring and Control
       17) Data Loss Prevention
       18) Incident Response Capability
       19) Secure Network Engineering
       20) Penetration Tests and Red Team Exercises
    12. Evolving Critical Security Controls to the Internet of Things
       • What will be the connectivity and governance model? (CSC 6, 7, 9, 19)
       • What is mine, what’s running on it, where is it? (CSC 1-4)
       • How do I protect from attack? (CSC 5, 10-13, 15, 16)
       • How do I detect and recover from compromise? (CSC 8, 14, 17, 18, 20)
    13. Requiring Secure Products from IoT Manufacturers
       [Bar chart] In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network?
       • Our IT security group
       • The Thing manufacturer
       • Our IT operations group
       • Department managers
       • Our physical security group
       • Other
    14. Learn From Mistakes of the Past
       1. More defendable endpoints
          1. Hardware security
          2. White list
          3. Sandbox
          4. Auto update
       2. Smarter Internet
          1. Endpoint Validation/Network Access Control
          2. Filter Known Bad
          3. Assume hostility (IPSEC, DNSSEC, better CA, etc)
    15. Government Efforts
       • Stuxnet?
       • NSTAC – “Industrial Internet”
       • FTC – “Internet of Things - Privacy and Security in a Connected World”
       • DoE – Smart Grid Task Force
       • DoT/NHTSA – Autonomous Vehicles
       • FAA – Drones
       • FCC – Baby monitors, M2M, …
    16. Summary
       • The IoT is an opportunity to not repeat the mistakes of the past
         – IPSEC, DNSSEC, etc
         – New device capabilities
         – Building security in, extending the perimeter
       • Basic hygiene is Job 1
       • Drive suppliers to higher quality/security
       • How can the security community raise the bar?