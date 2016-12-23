
Security Challenges in Emerging Technologies

Presented at INCYCON, 2015 (NCDRC) by Praveen Joseph Vackayil


    1. 1. Security Challenges in Emerging Technologies Praveen Joseph Vackayil CISSP, PCI QSA cert., CCNA, ISO 27001 LA, MS - Warwick, BE
    2. 2. DISCLAIMER
    3. 3. Ground Rules • Questions are welcome • Share your knowledge • Mobile phones – you know what to do
    4. 4. Session Objectives • Exploratory look at emergent technologies • Identification of associated security challenges • Bottom-line: Incite the thought process on upcoming challenges and opportunities in information security.
    5. 5. Session Plan • The Evolution of Information Security • 4 Emerging Areas of Technology and Associated Security Challenges
    6. 6. So Let’s Go
    7. 7. The Evolution of Information Security
    8. 8. C I A Quick Reminder • The fundamental objective of information security is to protect the C, I and A of data. However, it wasn’t always this way.
    9. 9. The Shifting Focus of Information Security • The early days of data security focused primarily on Confidentiality of Data • Cryptography dates back to around 2000 B.C. in Egypt when encrypted hieroglyphic messages were etched on tombs
    10. 10. The Shifting Focus of Information Security • Military applications of cryptography were developed in the 1800s. • Cryptography was extensively used to encrypt tactical communications during World Wars I and II. Can you Identify This Machine?
    11. 11. The Shifting Focus of Information Security • With the computing era, the way people use information in their daily lives evolved. And with it, so did information security. 1944 Today
    12. 12. Today’s InfoSec Focals – How is Data: Transmitted, Accessed, Shared, Retained, Used, Stored, Processed
    13. 13. What Does The Future Hold? Wearables, Self Driving Cars, 3D Printing
    14. 14. What This All Means • The same trend from the 60s and 70s is repeating itself. • Just like how computers spread out from a few offices to the common man, advanced technology is becoming cheaper and easily available.
    15. 15. From Greater Pervasiveness to Greater Power • Technology’s control over a common man’s life is increasing. • Today we use mobile phones to keep us connected, and process information. • Tomorrow, we will use technology to drive our cars to work.
    16. 16. Shift in the Goal of Information Security • Today, the end objective of information security is mainly to protect assets like • money • trade secrets • business productivity • organizations’ reputations, etc. In future, the end objective will shift towards the protection of • Human Life
    17. 17. Example Scenario • Cyber extortion TODAY: “I’ve hacked into your Core Banking Database. Pay me $500,000 or I will crash it.” • Cyber extortion of the FUTURE: “I’ve hacked into your self-driven car. All I ask is $10 million. I’ve texted you my Account Number. Choose not to comply and I WILL crash your car.”
    18. 18. 4 Emergent Technologies and Their Security Challenges
    19. 19. Discussion Plan • Review of 4 Emergent Technologies: Robotics, 3D Printing, The Internet of Things, Wearables
    20. 20. Robotics
    21. 21. Robots Have Been Around A Very Long Time First Robot Ever Made: Archytas’ Bird • Steam powered wooden bird • Dates back to 360 BC • First known attempt at automation First Industrial Robot • 1961 – General Motors developed a robot to move hot car parts into a cooling liquid
    22. 22. Robotics: Applications Today • Industrial Applications: • Factories – manufacture of cars, packaging material, processed foods, etc. • Automation of repetitive tasks with high precision • Medical Applications: • Robotic surgery allows doctors to control and automate complex procedures with high precision, sometimes even remotely.
    23. 23. Military Applications of Robotics • TALON • Built by a company called Foster-Miller • Most common military robot in use • Can travel through sand, water, and snow. • Has audio-visual listening devices and a mechanical arm • Primarily used in search and rescue operations. Was used in 9/11. • Controlled remotely by a human. Upcoming versions of TALON will include a weapons system holding guns and grenade launchers.
    24. 24. What Are The Security Implications? Consider a Tele-Robotic Surgery. How can it be attacked? • End-Points – i.e. the equipment at the doctor’s end or at the patient’s end is compromised. This is less common since the end-points are usually physically guarded. • Network Attacks – the channel of communication between the doctor and patient is compromised. This is more common. Ref: http://arxiv.org/pdf/1504.04339v2.pdf
    25. 25. Types of Network Attack: Intention Modification, Intention Manipulation, Hijacking Attack
    26. 26. How Bad Can It Get? • The above was just one example, but it can be extrapolated to other scenarios where robots are used. • Most robots today are not entirely autonomous – i.e. they must be instructed by a human entity over a communication channel. • If this process is compromised, the impact can be death and/or serious physical damage.
    27. 27. Recent Events Ref: http://time.com/3944181/robot-kills-man-volkswagen-plant/
    28. 28. Security Approach • Go Back to the Basics • Strong encryption of the network link between the Operator and the Operated Device. • Use secure communication protocols like TLS v1.3 and above, SSH, WPA2, etc. • Strong authentication of source and destination IPs • Harden the end-point devices • Perform network and app level pen-testing
    29. 29. 3D Printing
    30. 30. What Is It? Technology that allows you to fabricate three dimensional objects using plastic, metal, ceramics, powders, liquids, or even living cells provided you have a blueprint of the object created with CAD software. 3D Printing has been around since the late 80s. Since 2006, the technology has started to become cheaper and more accessible.
    31. 31. You Will Need A 3D Printer and a “.stl” Template http://www.thingiverse.com 3D printing is also called Stereolithography and the CAD templates are created in the .stl format.
    32. 32. Applications • Automobile Manufacture Manufacture and testing of prototypes and auto parts/components • Medical Sector Manufacture of low cost prosthetic limbs, dental implants and even living tissue. • Defence, Education, etc.
    33. 33. 3D Printed Weapons? • Defense Distributed is an open source company that provides .stl designs for 3D printed firearms – for FREE.
    34. 34. 3D Printed Weapons? • Plastic 3D printed guns can actually be used to fire rounds. • Liberator 3D is a functioning 3D printed gun developed by Defense Distributed. • Plastic guns – don’t show up under a metal detector scan. So this means everyone with a 3D Printer can create and own an invisible weapon. Ref: https://www.youtube.com/watch?feature=player_embedded&v=drPz6n6UXQY
    35. 35. 3D Printed ATM Skimmers • An ATM skimmer fits into an ATM card slot and can capture Track data from a swiped credit/debit card. • A pinhole camera/ keypad overlay captures the PIN as it is keyed in by the cardholder • This is transmitted wirelessly to criminals located within a 100m range of the ATM. • Unless cardholders are alert, the skimmer will pass off as a genuine part of the ATM itself. • 3D printing allows ATM skimmer devices to be made faster, more accurately and efficiently by crooks.
    36. 36. How About Your Car Keys? • All it takes is a few photographs of a key to create the .stl design and 3D print a duplicate set. • Burglars, car thieves, etc. are jumping at the opportunities.
    37. 37. What’s Next? • There are 6 million parts that go into a Boeing 747. What if tomorrow one of those is a 3D printed fake? • Counterfeit coins • Fake ID Cards ???
    38. 38. And By The Way… • The world’s first fully 3D printed car is on its way out in 2016. • LocalMotors is working on a road-ready model.
    39. 39. Solutions? • The technology is still evolving. • Regulation and legislation are yet to catch up with ethical, legal, privacy and security challenges. • It is going to be difficult to predict, let alone prevent, the misuse of this technology.
    40. 40. Wearables
    41. 41. Recognize This? Casio CFX-400 Calculator Watch. 1995.
    42. 42. How Do We Understand Wearables? What’s Common to All Wearables , which are carried either of a user’s body. What’s Different Primary Function of the device • Smart Glasses- Augmented Reality Device • Smart Watch - Makes calls, plays music, etc. • Smart Pills – monitor health stats Device Capability • Does it have a camera? • Can it make calls? • Is it online? • Does it keep you alive?
    43. 43. Most Popular Wearables Today • Smart Watches • Samsung Gear, Apple Watch, Pebble, etc. • They account for 40% of the wearables market • Fitness Bands • FitBit, Garmin, etc. • Smart Glasses • Vuzix, Google Glass Ref: http://www.gartner.com/document/2847117
    44. 44. The Security Challenge with Wearables I. For a Personal User – Data Privacy is the primary concern with Wearables II. At an Organizational Level – Data Security is the key concern
    45. 45. I. Personal Users: The Privacy Challenge • Wearable technology is still evolving. • The primary design focus is more on functionality and less on privacy. • Imagine the data available to a stalker who has hacked into your fitness band: • Location of your house • Places you frequent the most • Your sleep patterns • Your food habits • Your exercise habits • Your health data: heart rate, BP, etc.
    46. 46. Security vs Functionality • We all know the Google Glass story. A host of great new features… but privacy?? • Eye Tracking Feature: What you see – Glass sees. • Recording Feature: People that you see – Glass sees (and can record). Ref: https://www.youtube.com/watch?t=85&v=9c6W4CCU9M4 Come Jan 2015, Google eventually had to pull the plug on Glass.
    47. 47. II. Organizational Context – Security Challenge The primary challenge with allowing wearables within an office workspace is Data Security. Mobile phones have already changed the security landscape within organizations. How hard is it to take pictures of your screen using a mobile camera? The main issue with wearables is they make it difficult to find out when they are used to steal data - taking pictures at the blink of an eye, for instance.
    48. 48. The Next Level of Wearables •Implantables •Ingestibles
    49. 49. Implantables Jiya Bavishi's auditory brainstem implant is helping her hear sounds for the first time. The Auditory Brain-Stem Implant consists of (i) a mic attached to the ear and (ii) a sensor implanted in the brain to process sound signals in hearing impaired patients. Ref: http://www.npr.org/sections/health-shots/2015/06/01/410065053/new-hearing-technology-brings-sound-to-a-litte-girl
    50. 50. Ingestibles Proteus, a company specializing in Digital Medicine, has received FDA approval for its Digital Pills – sensors which can be swallowed by a patient. • The Pill communicates with a wearable sensor on the skin called a Patch. • The technology will track the patient’s physiological stats about medication ingestion, heart rate, activity, rest, and skin temperature. • The digital health information can be viewed on a synced Mobile/Tablet. Ref: proteus.com
    51. 51. What are the Security Threats? • Can someone hack into your internet connected pacemaker and speed your heart up till you die? According to the former US Vice President’s advisors… Ref: https://www.washingtonpost.com/news/the-switch/wp/2013/10/21/yes-terrorists-could-have-hacked-dick-cheneys-heart/
    52. 52. Securing Wearable Technology Manufacturers of Wearable Technology: • Manufacturers are being pushed by security researchers to look at security and privacy at the design stage of their devices. • Devices must anticipate and inform users of privacy compromises they will make at every stage of using a device. Organizations/Work Places: • Organizations must understand the risks introduced by allowing wearables within their premises. • A risk assessment must be done to identify controls ranging from restricted permission to use these devices to fully denying access. End-Users: • Users must be aware that privacy will be compromised when they use a wearable device. • Children and senior citizens are more vulnerable.
    53. 53. The Internet of Things
    54. 54. What Is It? Technology today consists of a number of devices of different kinds, each with a certain level of computing power and memory.
    55. 55. How Do We Define the IoT? The IoT is an ecosystem of hardware and embedded within which data can be and
    56. 56. Interesting Statistic • The IoT is projected to consist of 30 billion connected “things” by 2020. Ref: IDC • The world’s human population is projected to be almost 8 billion by 2020. Ref: United Nations Population Fund
    57. 57. What This Means
    58. 58. The Big Challenge – Securing the IoT • BMW patches security flaw on their ConnectedDrive software, that would have allowed a hacker to unlock car doors Ref: http://www.bmw.com/com/en/insights/technology/connecteddrive/2013/
    59. 59. The Big Challenge – Securing the IoT Jul 22, 2015: Hack moving Jeep. Switch off engine. Ref: http://www.cbc.ca/news/technology/hackers-kill-engine-of-moving-jeep-on-highway-in-security-demo-1.3162944
    60. 60. The Challenges are Many • Complexity: A heterogeneous network means devices on the IoT are different, with unique designs, software, operating protocols, etc. Where does a security attempt even begin? • Uniform Standards: On the IoT, we will need to develop a uniform standard for devices to communicate. A uniform standard/protocol makes the IoT that much easier to hack into. • Monitoring: Currently, organizations have SOCs with IPS/DLP, etc. Who will monitor the IoT network?
    61. 61. IBM Model for the IoT
    62. 62. Each Layer Is Susceptible to a Variety of Attacks
    63. 63. OWASP – Internet of Things Top Ten • Recommends a holistic approach • Focus not only on securing the Device, but also • The IoT Environment it operates in • It looks at: • The Device • The Cloud • The Mobile Application • Network Interfaces • Software • Use of Encryption • Use of Authentication • Physical Security • USB Ports Ref: OWASP Internet of Things Top Ten
    64. 64. THANK YOU & STAY IN TOUCH Linkedin.com/in/vackayil Praveen.jvc@gmail.com
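
The robotics slides (24 to 28) identify the network link between the operator and the operated device as the more common point of attack and recommend strong authentication on it. The sketch below is an added example, not part of the original presentation: it shows a device accepting only commands that carry a valid MAC and a fresh sequence number, so commands altered in transit, replayed, or sent without the key are dropped. The names `seal` and `DeviceReceiver`, the command strings and the key are hypothetical; confidentiality is out of scope here and would come from the TLS or SSH channel the slide recommends.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes
HDR_LEN = 8   # 64-bit big-endian sequence number


def seal(key: bytes, seq: int, command: bytes) -> bytes:
    """Operator side: sequence number + command, followed by a MAC over both."""
    body = struct.pack(">Q", seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class DeviceReceiver:
    """Operated-device side: accept only authentic, fresh commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0  # highest sequence number accepted so far

    def accept(self, packet: bytes):
        """Return the command bytes, or None if the packet is rejected."""
        if len(packet) < HDR_LEN + TAG_LEN:
            return None  # too short to hold a header and a tag
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or sent without the shared key
        (seq,) = struct.unpack(">Q", body[:HDR_LEN])
        if seq <= self._last_seq:
            return None  # replayed or delayed copy of an older command
        self._last_seq = seq  # only advanced after the MAC has verified
        return body[HDR_LEN:]


def demo():
    """Run constructed sample traffic through the receiver."""
    key = bytes(range(32))  # constructed demo key; real keys come from a key exchange
    rx = DeviceReceiver(key)
    p1 = seal(key, 1, b"ARM_MOVE x=+2mm")  # hypothetical command format
    p2 = seal(key, 2, b"ARM_MOVE x=-1mm")
    altered = bytearray(p2)
    altered[HDR_LEN + 10] ^= 0x01  # one bit flipped inside the command text
    return [
        rx.accept(p1),              # genuine, accepted
        rx.accept(bytes(altered)),  # modified in transit, rejected
        rx.accept(p2),              # genuine original still accepted
        rx.accept(p1),              # replay of an old command, rejected
        rx.accept(seal(b"not-the-shared-key", 3, b"ARM_MOVE x=+9mm")),  # wrong key
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
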

