Great - Now We Have to Secure an "Internet of Things"
  • Will solicit comments from Norse and Codenomicon on what they have seen as near-term customer IoT drivers.
  • I’ll ask Codenomicon and Norse to weigh in on the results and what they think are key areas for upgrade of security controls.

Presentation Transcript

  • Great – Now We Have to Secure an “Internet of Things”
    John Pescatore, Director, Emerging Security Trends
    jpescatore@sans.org, @John_Pescatore
  • What the Heck is That?? (slide 2)
  • Different Views of the Internet of Things (slide 3)
  • Venture Capital Definition (slide 4)
  • Rapid Penetration (slide 5)
  • Simple View of the Internet of Things (slide 6)
    [Diagram. Categories: Information Technology; Personal Technology; Operational Technology. Items shown: PCs, Servers, Virtualization, Routers, Switches, Tablets, Smartphones, MiFi, Home energy, Medical wearables, Medical implants, Home entertainment, Home control, ICS/SCADA, Medical Machines, Kiosks, Manufacturing, Cloud Service Infra., Env. monitoring]
  • Mobility, Smart Buildings/ICS, Medical Devices Are Main IoT Issues
    Survey question: What types of IoT applications is your organization involved in or planning to be involved in?
    [Bar chart, 0% to 80%. Series: Producing; Operating/Managing. Categories:]
    - Consumer devices (set tops, security/camera, etc.)
    - Smart building/HVAC automation/commercial building management
    - Electrical, water, gas production, utilities
    - Medical devices
    - Other transportation smart systems
    - Automotive smart systems
    - Manufacturing systems (not electrical, water, gas)
    - Food production systems/refrigeration
    Source: SANS 2013
  • Partly Cloudy or Partly Sunny?
    Survey question: Which statement best captures your feelings about the IoT and security?
    [Chart. Values shown: 17.2%, 48.8%, 21.4%, 12.6%. Answer options:]
    - The IoT will be a security disaster.
    - The IoT will have the same level of security problems we have today with other applications and systems.
    - The IoT will provide an opportunity to increase security over today.
    - Other
    Source: SANS 2013
  • Major Differences (slide 9)
    Old Things:
    - General purpose OS
    - Fixed, wired
    - TCP/IP, 802.11, HTML5
    - Layered apps
    - Homogeneous
    - Enterprise-driven
    - 2-3 year life cycle
    - Impact data
    New Things:
    - Embedded OS
    - Mobile, wireless
    - Zigbee, IoT6, WebHooks
    - Embedded apps
    - Heterogeneous
    - Consumer-driven
    - .2 to 20 year life cycle
    - Impact health/safety
  • Enhancement and Augmentation of Existing Security Controls
    Survey questions: What controls are you using currently to protect against the risks imposed by new “Things” on your network? What controls do you plan on deploying in the next 2 years to address these issues?
    [Bar chart, 0% to 80%. Series: Current; Next 2 years. Categories:]
    - Authentication/authorization
    - System monitoring
    - Encryption of communications
    - Security evaluation and test of new Things prior to…
    - Segmentation
    - New IT security controls
    - New physical security controls
    - Secure APIs
    - TPMs for hardware encryption and attestation
    - Geo-location services
    - Other
  • The Critical Security Controls (slide 11)
    1) Inventory of Authorized and Unauthorized Devices
    2) Inventory of Authorized and Unauthorized Software
    3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
    4) Continuous Vulnerability Assessment and Remediation
    5) Malware Defense
    6) Application Software Security
    7) Wireless Device Control
    8) Data Recovery Capability
    9) Security Skills Assessment and Appropriate Training to Fill Gaps
    10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
    11) Limitation and Control of Network Ports, Protocols and
    12) Controlled Use of Administrative Privileges
    13) Boundary Defense
    14) Maintenance, Monitoring and Analysis of Audit Logs
    15) Controlled Access Based on Need to Know
    16) Account Monitoring and Control
    17) Data Loss Prevention
    18) Incident Response Capability
    19) Secure Network Engineering
    20) Penetration Tests and Red Team Exercises
  • Evolving Critical Security Controls to the Internet of Things (slide 12)
    - What will be the connectivity and governance model? (CSC 6, 7, 9, 19)
    - What is mine, what’s running on it, where is it? (CSC 1-4)
    - How do I protect from attack? (CSC 5, 10-13, 15, 16)
    - How do I detect and recover from compromise? (CSC 8, 14, 17, 18, 20)
  • Requiring Secure Products from IoT Manufacturers
    Survey question: In your opinion, who should take responsibility for managing the risk imposed by new “Things” connecting to the Internet and your network?
    [Bar chart, 0% to 90%. Categories:]
    - Our IT security group
    - The Thing manufacturer
    - Our IT operations group
    - Department managers
    - Our physical security group
    - Other
  • Learn From Mistakes of the Past (slide 14)
    1. More defendable endpoints
       1. Hardware security
       2. White list
       3. Sandbox
       4. Auto update
    2. Smarter Internet
       1. Endpoint Validation/Network Access Control
       2. Filter Known Bad
       3. Assume hostility (IPSEC, DNSSEC, better CA, etc.)
  • Government Efforts (slide 15)
    - Stuxnet?
    - NSTAC: “Industrial Internet”
    - FTC: “Internet of Things - Privacy and Security in a Connected World”
    - DoE: Smart Grid Task Force
    - DoT/NHTSA: Autonomous Vehicles
    - FAA: Drones
    - FCC: Baby monitors, M2M, …
  • Summary (slide 16)
    - The IoT is an opportunity to not repeat the mistakes of the past
      - IPSEC, DNSSEC, etc.
      - New device capabilities
      - Building security in, extending the perimeter
    - Basic hygiene is Job 1
    - Drive suppliers to higher quality/security
    - How can the security community raise the bar?