Slightly updated version of the talk "Security in IoT is possible!", which presents a summary of the main recommendations of the Cloud Security Alliance report "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products".
Talk presented at the GTS 28 event, on 09/12/2016
As devices and applications for the Internet of Things (IoT) proliferate, the need to discuss and implement good security practices in this environment grows exponentially. Smart TVs, cars and even medical devices have been targets of cyber attacks, acting as botnet hosts, running malicious code and falling victim to ransomware.
The Cloud Security Alliance (CSA) has created a guide of security best practices that can be adopted by manufacturers and users of IoT devices in the development and use of these technologies. These recommendations make it possible to quickly identify and minimize security risks in IoT applications.
Slide 13: The need for security in IoT
• Privacy and data protection
• Use by malicious actors
• Launch points for cyber attacks
• Damage resulting from the compromise of physical systems
Slide 14: Security challenges in IoT devices
• Products deployed in insecure or physically exposed environments
• Security is new to IoT manufacturers
  – Security is not a business priority
  – Development methodologies with no security approach
  – Lack of standards and reference architectures for secure IoT development
  – Lack of IoT developers with security skills
Slide 16: Quick tips
• Change the default passwords of your connected devices
• Disable Universal Plug-and-Play (UPnP)
• Review the Remote Management restrictions
• Check for software updates
Source: The Hacker News
Slide 19: A guide to security in IoT
"Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products"
Cloud Security Alliance, 7 October 2016
https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
Slide 20: 13 steps to security in IoT
1. Secure development methodology
2. Secure development environment
3. Platform security features
4. Define privacy protections
5. Hardware security controls
6. Protect data
7. Protect associated applications and services
8. Protect interfaces and APIs
9. Secure update
10. Authentication, Authorization and Access Control
11. Secure key management
12. Provide logging mechanisms
13. Security reviews
Picture source: http://www.freeimages.com
Slide 21: 1- Secure development methodology
• Threat modeling
• Security requirements and processes in the development methodologies
• Security impact assessment
Picture source: Giphy
Slide 22: 2- Secure development and integration environment
• Evaluate the programming languages
• Integrated Development Environments
  – Security testing plugins and tools
• Testing and code quality
Slide 23: 3- Platform and Framework security features
• Select the integration Framework
Slide 24: 3- Platform and Framework security features (cont.)
• Evaluate the security functionality of the platform
Slide 25: 4- Define privacy protections
• Reduce data collection to the minimum necessary
• Support anonymity when possible
• Check data protection regulations
Picture source: Giphy
Slide 26: 5- Hardware security controls
• Microcontroller security
• Trusted Platform Modules
• Memory protection
• Specialized security chips
• Cryptographic modules
• Physical protection
• Supply chain (suppliers)
Picture source: Giphy
Slide 27: 6- Protect the data
• Choice of communication protocols
  – Network scanning
  – Traffic eavesdropping
  – Spoofing and masquerading
  – Denial of service and jamming
  – Device pairing
Picture source: Giphy
Slide 28: 7- Protect associated applications and services
• Integration points, apps and services
• Access privileges between device and applications
• Use of cloud services
Picture source: Giphy
Slide 29: 8- Protect interfaces and APIs
• Message validation
• Error handling
• Protection against replay attacks
• Protect API communication
  – Encryption, authentication
• Certificate Pinning
Picture source: Giphy
Slide 30: 9- Secure update
• Firmware and software updates
• Consider the entire installation and update cycle
• Protect against unauthorized modifications
Picture source: Pinterest
Slide 31: 10- Authentication, Authorization and Access Control
• Communication between devices
• End-to-end authentication
• Use of TLS and certificates for authentication
• OAuth 2.0 for authorization
Picture source: Giphy
Slide 32: 11- Secure management of cryptographic keys
• Interaction with PKI
• Key provisioning
• Key characteristics
• Secure storage
• Certificate validation
• Secure boot
Key lifecycle diagram: Key Generation, Key Derivation, Key Establishment, Key Agreement, Key Transport, Key Storage, Key Lifetime, Key Zeroization, Accounting
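As an added example that is not part of the original deck or the CSA report, the derivation, lifetime, zeroization and accounting stages of the key lifecycle above, in Python on the standard library only: HKDF-SHA256 (RFC 5869) expands one root key into separate per-device, per-purpose keys, each with an expiry and an in-place zeroize. The root key, product salt and the `iot-device-v1` label are constructed assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM); an empty salt means HashLen zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


class DeviceKey:
    """Derived key material with a lifetime; retire() zeroizes the buffer in place."""

    def __init__(self, key_id: str, material: bytes, created: int, lifetime_s: int):
        self.key_id = key_id
        self._material = bytearray(material)   # mutable so it can be overwritten
        self.expires = created + lifetime_s
        self._retired = False

    def is_valid(self, now: int) -> bool:
        return not self._retired and now < self.expires

    def material(self, now: int) -> bytes:
        if not self.is_valid(now):
            raise PermissionError("key %s is expired or retired" % self.key_id)
        return bytes(self._material)

    def retire(self) -> None:
        for i in range(len(self._material)):   # overwrite, not merely drop the reference
            self._material[i] = 0
        self._retired = True


class KeyManager:
    """Derives per-device, per-purpose keys from one root key and keeps an accounting log."""

    PURPOSES = ("enc", "mac")   # one key per purpose, never the same key for both

    def __init__(self, root_key: bytes, product_salt: bytes):
        self._prk = hkdf_extract(product_salt, root_key)   # extract once, expand many times
        self.audit = []                                     # (time, action, device, purpose, key_id)

    def provision(self, device_id: str, now: int, lifetime_s: int = 30 * 86400) -> dict:
        keys = {}
        for purpose in self.PURPOSES:
            # Distinct 'info' gives domain separation between devices and purposes (assumed label).
            info = b"iot-device-v1|" + device_id.encode() + b"|" + purpose.encode()
            key_id = hkdf_expand(self._prk, info + b"|id", 8).hex()   # a separate output, not the key bytes
            keys[purpose] = DeviceKey(key_id, hkdf_expand(self._prk, info, 32), now, lifetime_s)
            self.audit.append((now, "derive", device_id, purpose, key_id))
        return keys

    def retire(self, device_id: str, keys: dict, now: int) -> None:
        for purpose, key in keys.items():
            key.retire()
            self.audit.append((now, "zeroize", device_id, purpose, key.key_id))
```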
Slide 33: 12- Logging mechanisms
• Visibility into the actions that occur on the device, e.g.:
  – Connection requests
  – Authentication (failed / successful)
  – Abuse and privilege elevation attempts
  – Malformed messages
  – Firmware and software updates
  – Access attempts
  – Configuration changes
  – Protected memory access
  – Improper physical access
Picture source: Giphy
Slide 35: Recap...
Secure development methodology; Secure development environment; Platform security features; Define privacy protections; Hardware security controls; Protect the data; Protect associated applications and services; Protect interfaces and APIs; Secure update; Authentication, Authorization and Access Control; Secure key management; Provide logging mechanisms; Security reviews
Slide 36: To learn more
Internet of Things Working Group
https://cloudsecurityalliance.org/group/internet-of-things/
"Security Guidance for Early Adopters of the IoT"
https://cloudsecurityalliance.org/download/new-security-guidance-for-early-adopters-of-the-iot/
Slide 37: Who is the CSA?
Cloud Security Alliance (CSA)
– Non-profit association
– Brings together individuals and companies
– Formally established in December 2008
– 65,000+ members, 190+ corporate members
– Present in 40+ countries through 70+ local Chapters
Slide 38: CSA Brasil
• Second official CSA Chapter
  – Formally established on 27 May 2010
• Follows the Mission and Objectives of CSA Global
  – Promote security in Cloud Computing
  – Promote local research and initiatives
Slide 39: Mission
"To promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing."
Picture source: sxc.hu
Slide 42: Education
• "Certificate of Cloud Security Knowledge (CCSK)" certification
  – Online exam
• Training
  – CCSK training (Basic / Plus)
  – PCI Cloud training
  – GRC Stack training
https://cloudsecurityalliance.org/education
https://ccsk.cloudsecurityalliance.org
Slide 43: Other initiatives
• CSA Security, Trust & Assurance Registry (STAR) Program
  – Assessment of the security and maturity of Cloud Computing providers
  – Based on CSA best practices
  – Free registration and public access
https://cloudsecurityalliance.org/star
Slide 44: How to join
• Individuals
  – Participation in the LinkedIn group
  – Participation in the projects' discussion list (http://br.groups.yahoo.com/group/csabrasil)
  – No cost
• Companies
  – Contact CSA International directly
  – Annual fee
Slide 47: Note on the use of images
LAW No. 9,610 OF 19 FEBRUARY 1998.
Amends, updates and consolidates the legislation on copyright and makes other provisions.
https://www.planalto.gov.br/ccivil_03/leis/L9610.htm
• Art. 44. The term of protection of economic rights in audiovisual and photographic works shall be seventy years, counted from 1 January of the year following their publication.
• Art. 46. The following does not constitute a copyright infringement:
• VIII - the reproduction, in any work, of short excerpts of pre-existing works of any nature, or of a complete work in the case of visual arts, provided that the reproduction itself is not the main purpose of the new work and that it neither harms the normal exploitation of the reproduced work nor causes unjustified harm to the legitimate interests of the authors.
Editor's Notes
Picture source: http://www.sxc.hu
Source: "Security Guidance for Early Adopters of the Internet of Things (IoT)", CSA
Source: http://www.businessinsider.com/how-the-internet-of-things-market-will-grow-2014-10
http://www.worldometers.info/world-population/
In total, we forecast there will be 34 billion devices connected to the internet by 2020, up from 10 billion in 2015. IoT devices will account for 24 billion, while traditional computing devices (e.g. smartphones, tablets, smartwatches, etc.) will comprise 10 billion.
2020 World Population Forecast: 7,758,156,792
Source: http://www.businessinsider.com/internet-of-things-cloud-computing-2016-10
The Internet of Things, meanwhile, refers to the connection of devices (other than the usual examples such as computers and smartphones) to the Internet. Cars, kitchen appliances, and even heart monitors can all be connected through the IoT. And as the Internet of Things surges in the coming years, more devices will join that list.
Cloud computing and the IoT both serve to increase efficiency in our everyday tasks, and the two have a complementary relationship. The IoT generates massive amounts of data, and cloud computing provides a pathway for that data to travel to its destination.
Fog computing is more than just a clever name. Also known as edge computing, it provides a way to gather and process data at local computing devices instead of in the cloud or at a remote data center. Under this model, sensors and other connected devices send data to a nearby edge computing device. This could be a gateway device, such as a switch or router, that processes and analyzes this data.
IoT Device Security Challenges
IoT products may be deployed in insecure or physically exposed environments
Security is new to many manufacturers and there is limited security planning in development methodologies
Security is not a business driver and there is limited security sponsorship and management support in development of IoT products
There is a lack of defined standards and reference architecture for secure IoT development
There are difficulties recruiting and retaining requisite security skills for IoT development teams including architects, secure software engineers, hardware security engineers, and security testing staff
More info:
https://cloudsecurityalliance.org/media/news/csa-internet-of-things-working-group-releases-industrys-first-guidance-for-securing-iot-product-ecosystem/
https://cloudsecurityalliance.org/group/internet-of-things
The full report is freely available at https://cloudsecurityalliance.org/download/future-proofing-the-connected-world/
Threat modeling is a core component of a secure development methodology. The emergence of IoT technologies and products is a constantly changing landscape, so it is important to maintain a reference set of threats and issues to help ensure they are addressed appropriately. As part of the secure development process, threat modelling must be conducted on the software or hardware to identify the potential threats, and appropriate mitigation controls must be put in place to mitigate the identified threats. General software threat modelling techniques still apply to IoT.
The concept of defining security requirements for your product should also be explored and implemented. A secure development methodology should focus on more than just development, however. Developers should take responsibility for building secure processes into their products as well.
A unique differentiator of the IoT is the blending of physical and electronic worlds. This means that breaking into an IoT device or service can cause a physical reaction. Consider the safety impacts of a product or service compromise. Given the intended usage of the product, is there anything harmful that could happen if the device stopped working altogether (e.g., denial of service)?
PIC Source: http://giphy.com/gifs/hoppip-charlie-chaplin-film-hoppip-S7i2sED2yfDGg
Security guidance for the appropriate programming language should be reviewed and IoT product developers should familiarize themselves with the appropriate security guidance.
While hardware components are assembled and tested, developers work on the firmware/software features of the product. All of these technologies are brought together during development, so a methodical process for the development, integration, test and deployment of these products is required. Integrated Development Environments (IDEs) are often used by software developers and can offer some set of security services.
The most important part of developing using an Agile approach is the feedback loop between making and observing change. Another important part of the secure development environment is the need for code quality dashboards. An IoT device should be backed with reports that provide information about software quality.
From a security perspective, you want to make sure that you select a framework that provides your developers with the tools needed to implement this interoperability securely. This begins with the concept of secure onboarding and extends to the ability to support proactive management of the device and secure communications.
As you begin to design the technology architecture of your device, consider the various security features offered by each hardware and software component. Figure 2 provides a view into the technology layers of a typical IoT product. There are opportunities to evaluate the security features at each of these layers in order to create a defense-in-depth based architecture to secure your product.
IoT device manufacturers should review data models with an eye towards privacy. To this end they should reduce stored data to the minimum and avoid data leakages.
Also, design IoT devices, services and systems to support anonymity when possible. Information that can tie back to an individual or entity should be closely evaluated for potential anonymization approaches.
Picture source: http://giphy.com/gifs/charles-chaplin-mBHskxHCmykg0
The selection of the MCU/SoC foundation for your IoT device development is a crucial security consideration, as it determines which hardware security mechanisms are available. The leading architectures for IoT today are ARM, MIPS and x86.
A TPM can be used to extend the zone of trust to other portions of the design to ensure they are not compromised. The TPM does this by authenticating and authorizing transmissions to and from the system using known standards for encryption, decryption and authentication.
Some MCU developers include optional memory protection units (MPUs) that can be integrated with the MCU. MPUs provide access rules to memory locations, allowing IoT products that incorporate an MPU to control what memory can be read, written and executed.
Pic Source: http://giphy.com/gifs/maudit-maudit-charlie-chaplin-everytime-ZE6dnP8Yw6X16
More: https://commons.wikimedia.org/wiki/File:Chaplin_-_Modern_Times.jpg
IoT product developers should take time to gain an understanding of the various protocols available to them. One of the key security considerations that should be examined for any protocol is the join or pairing process.
Pic source: http://giphy.com/gifs/movie-black-and-white-6IcwJKMNlDDCU
IoT devices operate as part of a larger ecosystem. Each integration point represents a potential new pathway into the systems that can be used to gain unauthorized access to information or control systems.
In some instances, developers should consider implementing Certificate Pinning to prevent Man-in-the-Middle attacks occurring within untrusted networks.
IoT product developers must also consider limitations on the privileges afforded to mobile apps. Privilege access capabilities need to be considered for both the configuring of the IoT device and the applications interacting with them.
Developers for cloud services or those using cloud services should leverage standards processes and frameworks for securing internal and third-party services such as the CSA Cloud Controls Matrix (CCM).
Pic source: http://giphy.com/gifs/modern-124YsftgAfN8mA
Gateways should check for proper format of messages as well as verify that only allowed data types are passed. This will guard against the potential to insert malicious code into the API communications that could result in the compromise of an IoT cloud service. It is also important to validate schema.
Error handling should also be considered. Be careful not to provide responses that are too detailed.
Guard against replay attacks through techniques such as embedding timestamps and/or counters into messaging structures.
Do not rely on the use of API keys for your program/device as a primary means of security. Implement more robust authentication and authorization controls whenever possible. Also, keep API keys secure by limiting their exposure. Additionally, encrypt all API communications.
Certificate pinning within IoT firmware and mobile applications provides protection against attacks where the IoT device is configured to interface with a malicious server or proxy (man-in-the-middle).
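As an added example, not code from the deck or the CSA report, here is a gateway-side check in Python that combines the API notes above: schema validation with exact types and an allow-list, terse error codes rather than detailed responses, and replay protection from a timestamp window plus a per-device monotonic counter. The message fields, limits and the `ReplayGuard` name are constructed assumptions.

```python
import json
import time
from typing import Optional, Tuple

# Constructed message schema for a device-to-cloud API (an assumption, not the report's format):
# field -> (accepted type(s), required). A bool is never accepted where a number is expected.
SCHEMA = {
    "device_id": (str, True),
    "seq": (int, True),              # monotonic per-device counter
    "ts": (int, True),               # sender's Unix timestamp in seconds
    "temp_c": ((int, float), False),
    "cmd": (str, False),
}
ALLOWED_CMDS = {"status", "reboot"}
MAX_CLOCK_SKEW_S = 30                # how old or early a message may be
MAX_MESSAGE_BYTES = 512              # reject oversized input before parsing it


class ReplayGuard:
    """Tracks the highest counter accepted per device; anything at or below it is a replay."""

    def __init__(self) -> None:
        self._last_seq = {}

    def accept(self, device_id: str, seq: int) -> bool:
        if seq <= self._last_seq.get(device_id, -1):
            return False
        self._last_seq[device_id] = seq
        return True


def validate_message(raw: bytes, guard: ReplayGuard, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason is a short code, so error responses stay terse."""
    now = int(time.time()) if now is None else now
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "too_large"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed"
    if not isinstance(msg, dict):
        return False, "malformed"
    # Schema: no unknown fields, all required fields present, types checked exactly.
    for key in msg:
        if key not in SCHEMA:
            return False, "unknown_field"
    for key, (types, required) in SCHEMA.items():
        if key not in msg:
            if required:
                return False, "missing_field"
            continue
        if isinstance(msg[key], bool) or not isinstance(msg[key], types):
            return False, "bad_type"
    if "cmd" in msg and msg["cmd"] not in ALLOWED_CMDS:
        return False, "bad_value"
    # Freshness is checked first, so a stale message never advances the counter.
    if abs(now - msg["ts"]) > MAX_CLOCK_SKEW_S:
        return False, "stale"
    if not guard.accept(msg["device_id"], msg["seq"]):
        return False, "replay"
    return True, "ok"
```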
Pic Source: https://www.pinterest.com/mauroorihuela1/charles-chaplin/
Insufficient security of firmware updates may allow a malicious person to modify legitimate firmware and upload new malicious firmware into the product.
Firmware must be protected end-to-end and the entire life-cycle must be considered. For example, does the initial firmware load happen at a secure facility, using secure processes? Understand what permissions need to be associated with the update process as well.
Also don’t forget to write-protect the product to guard against unauthorized firmware modifications.
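An added example (not the report's or any vendor's update code) of the three points above in Python: a signed manifest that binds version, size and image hash, verification that completes before anything is written, anti-rollback from the signed version, and a flash region that stays write-protected except during the update. HMAC-SHA256 stands in for the asymmetric signature a real pipeline would use so that the block runs on the standard library alone; the manifest layout is an assumption.

```python
import hashlib
import hmac
import json


class UpdateError(Exception):
    """Raised with a short reason code; nothing is written to flash when it fires."""


def make_manifest(image: bytes, version: int, signing_key: bytes) -> bytes:
    """Sign a manifest that binds image hash, size and version (HMAC as a stand-in signature)."""
    body = {"version": version, "size": len(image), "sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(signing_key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "sig": sig}).encode()


def verify_update(manifest: bytes, image: bytes, current_version: int, verify_key: bytes) -> dict:
    """Run every check before a single byte of the candidate image is accepted."""
    try:
        outer = json.loads(manifest.decode("utf-8"))
        payload = outer["payload"]
        expected = hmac.new(verify_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["sig"]):   # constant-time comparison
            raise UpdateError("bad_signature")
        body = json.loads(payload)
        version, size, digest = int(body["version"]), int(body["size"]), str(body["sha256"])
    except (KeyError, TypeError, ValueError, UnicodeDecodeError, AttributeError):
        raise UpdateError("malformed_manifest")
    # 1. Anti-rollback: the version comes from the signed manifest, never from the image itself.
    if version <= current_version:
        raise UpdateError("rollback")
    # 2. The image must match the signed size and hash.
    if len(image) != size or not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
        raise UpdateError("image_mismatch")
    return body


class Flash:
    """Toy firmware region: write-protected except while an update is being applied."""

    def __init__(self) -> None:
        self.image, self.version, self.locked = b"", 0, True

    def write(self, image: bytes, version: int) -> None:
        if self.locked:
            raise UpdateError("write_protected")
        self.image, self.version = image, version


def apply_update(flash: Flash, manifest: bytes, image: bytes, verify_key: bytes) -> int:
    """Verify first, unlock only for the write, and re-lock even if the write fails."""
    body = verify_update(manifest, image, flash.version, verify_key)
    flash.locked = False
    try:
        flash.write(image, int(body["version"]))
    finally:
        flash.locked = True
    return flash.version
```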
Pic source: http://giphy.com/gifs/maudit-maudit-charlie-chaplin-modern-times-VP5UwVic0l7W0
When considering authentication, authorization and access control features, you must understand how your IoT products are used and managed. For consumer products, there is often a direct trust relationship between a user's smart phone and the device. The power of the IoT is that devices can communicate with each other, preferably in an automated manner.
Many of the IoT protocols that support device-to-device communication come with the ability to configure secure connections.
It is good to remember that authentication protections are best when they are end-to-end (E2E). The IoT often relies upon gateways that break up direct connections, so achieving E2E authentication protection is not always possible. Designing multiple authentication options, layered within each other, such as TLS certificate-based authentication in addition to native protocol authentication, can offer end-to-end protections for your data.
TLS can be instantiated for protocols such as MQTT and REST communications, which can often implement two-way certificate-based authentication.
Consider implementing two-way certificate authentication when possible. Two-way certificate authentication allows the IoT product to pass its certificate for validation by the service or peer device/gateway it is communicating with.
OAuth 2.0 requires an authorization server that verifies user/device identity and then issues tokens for access. This is a centralized mechanism and requires that the environment the IoT product will operate within has access to an authorization server. This also means that the server must be protected from compromise.
Pic source: http://giphy.com/gifs/charlie-doors-chaplin-i5122m6rzSAwg
It is important that IoT products supporting enterprise users provide sufficient visibility into actions occurring on the device. This includes at a minimum:
• Connection Requests
• Authentications (failed / successful)
• Privilege abuse attempts / elevation of privilege attempts
• Receipt of malformed messages
• Successful / failed Firmware/software updates
• Local log-in attempts
• Configuration changes
• Account updates
• Protected memory access
• Physical tamper
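An added example, not part of the deck or the CSA report: the visibility list above turned into detection logic over a constructed device event log, flagging failed-authentication bursts from one source, a success that follows failures, configuration changes, malformed messages, failed firmware updates and tamper events. The line format, device names and event names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of device event lines (not from a real product). Assumed format:
# <ISO-8601 UTC time> <device> <event> key=value ...
SAMPLE_LOG = """\
2016-12-09T10:00:01Z thermo-01 conn_request src=10.0.0.5
2016-12-09T10:00:02Z thermo-01 auth result=failed user=admin src=10.0.0.5
2016-12-09T10:00:04Z thermo-01 auth result=failed user=admin src=10.0.0.5
2016-12-09T10:00:07Z thermo-01 auth result=failed user=admin src=10.0.0.5
2016-12-09T10:00:09Z thermo-01 auth result=success user=admin src=10.0.0.5
2016-12-09T10:01:00Z thermo-01 config_change key=ntp_server src=10.0.0.5
2016-12-09T10:02:30Z cam-07 malformed_msg proto=mqtt src=10.0.0.9
2016-12-09T10:05:00Z cam-07 fw_update result=failed version=2.1.0 reason=bad_signature
2016-12-09T10:06:00Z cam-07 tamper sensor=case_open
2016-12-09T11:00:00Z thermo-01 auth result=success user=ops src=10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line: str):
    """Parse one event line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return {"ts": ts, "device": m.group(2), "event": m.group(3), **fields}


def analyze(lines, fail_threshold=3, window_s=60):
    """Walk the events in order and return (kind, device, detail) findings a reviewer should see."""
    findings = []
    failed = defaultdict(list)   # (device, src) -> timestamps of failed authentications
    for e in filter(None, (parse_line(l) for l in lines)):
        src = e.get("src", "?")
        key = (e["device"], src)
        if e["event"] == "auth" and e.get("result") == "failed":
            failed[key].append(e["ts"])
            recent = [t for t in failed[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) == fail_threshold:      # fire once, when the threshold is crossed
                findings.append(("auth_bruteforce", e["device"], src))
        elif e["event"] == "auth" and e.get("result") == "success" and failed[key]:
            # a success from a source that already failed deserves a second look
            findings.append(("auth_success_after_failures", e["device"], src))
        elif e["event"] == "config_change":
            findings.append(("config_change", e["device"], e.get("key", "?")))
        elif e["event"] == "malformed_msg":
            findings.append(("malformed_message", e["device"], src))
        elif e["event"] == "fw_update" and e.get("result") == "failed":
            findings.append(("firmware_update_failed", e["device"], e.get("reason", "?")))
        elif e["event"] == "tamper":
            findings.append(("physical_tamper", e["device"], e.get("sensor", "?")))
    return findings
```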
http://giphy.com/gifs/3reGZ5XDFWPte
Feedback loops allow for design updates. There is a need for continuous feedback and optimization across an IoT product's lifecycle. Defects/vulnerabilities that are identified must be fed back into the design and threat modeling process, resulting in updates to hardware and software baselines.
There are many types of tests that can be employed for IoT device developments and each plays a critical role in maintaining the security posture of the device:
1. Static Application Security Testing (SAST)
2. Dynamic Application Security Testing (DAST)
3. Interactive Application Security Testing (IAST)
4. Attack Surface and Vectors
5. 3rd Party Library
6. Fuzzing
7. Customized per threat vector
IoT product developers should also
Data as of Dec 2014
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at https://cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
The main objective of the Brazilian chapter is to promote knowledge of security for Cloud Computing, through the dissemination of CSA initiatives (including the translation of material produced by the CSA), and to promote local initiatives and the production of original content, such as research and articles.
This slide lists the various research initiatives currently existing at the CSA.
The main highlight is the CSA Security Guidance, one of the pioneering initiatives in the market to develop a specific guide on security in Cloud Computing, which is in its third edition.
This slide shows some papers resulting from the work of the research groups currently existing at the CSA.
The CSA provides the "Certificate of Cloud Security Knowledge (CCSK)" certification, based on the CSA report "Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1" and the ENISA (European Network and Information Security Agency) report "Cloud Computing: Benefits, Risks and Recommendations for Information Security".
The exam is taken online. More information at https://ccsk.cloudsecurityalliance.org
The CSA Security, Trust and Assurance Registry (STAR) Program is a comprehensive set of offerings for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.
STAR consists of 3 levels of assurance, which currently cover 4 unique offerings. All offerings are based upon our succinct yet comprehensive list of cloud-centric control objectives in our Cloud Controls Matrix (CCM).
NOTE: The images from Charlie Chaplin films used in this presentation are more than 70 years old.
FILMS
A Dog’s Life 1918
Shoulder Arms 1918
Sunnyside 1919
A Day’s Pleasure 1919
The Kid 1921
The Idle Class 1921
Pay Day 1922
The Pilgrim 1923
A Woman of Paris 1923
The Gold Rush 1925 and 1942
The Circus 1928
City Lights 1931
Modern Times 1936
The Great Dictator 1940