
Emerging Trends in Cybersecurity by Amar Prusty

  1. Emerging Security Trends
     Speaker: Amar Prusty
     Company: DXC Technology
     Place: Bangalore
     Confidential – For Training Purposes Only
  2. Speaker Experience
     ◆ Cloud & Data Center Architect
     ◆ Worked for global clients across industry verticals
     ◆ 17+ years in IT
     ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC
     ◆ Interests: Security, DevOps, AI, IoT, Blockchain, Analytics
     ◆ Hobbies: Cooking, Cycling, Reading, Travelling
     ◆ https://www.linkedin.com/in/amar-prusty-07913028/
     Confidential – For Training Purposes Only
  3. Education – Partnership – Solutions
     Information Security Office of Budget and Finance
  6. Smart Appliances, Healthcare, Wearable Tech
  35. Why it Looks so Bad
      • Breakers have a long history and robust tools
        – Automated network attack tools
        – Exploits for most segments of the IoT stack
        – Physical access and hardware hacking
      • Builders are still searching for
        – Secure toolkits
        – Proven methodologies
        – Successful models
      • Result:
        – Builders cobble together components
        – Build very fragile full-stack solutions
        – No visibility into security or attack surface
        – Attackers have a field day
  37. OWASP IoT Project
      • An overall IoT security effort
        – Attack surfaces (present)
        – Vulnerability lists (working)
        – Reference solutions (coming)
      • Aggregates community resources
      • Guidance for developers
      • IoT-specific security principles
      • IoT framework assessment
  38. OWASP IoT Top 10 (Category / IoT Security Consideration / Recommendations)
      I1: Insecure Web Interface
          Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords …
          Recommendation: When building a web interface, consider implementing lessons learned from web application security. Employ a framework that utilizes security …
      I2: Insufficient Authentication/Authorization
          Consideration: Ensure that applications are written to require strong passwords where authentication is needed …
          Recommendation: Refer to the OWASP Authentication Cheat Sheet.
      I3: Insecure Network Services
          Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing …
          Recommendation: Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully …
      I4: Lack of Transport Encryption
          Consideration: Ensure all applications are written to make use of encrypted communication between devices …
          Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit …
      I5: Privacy Concerns
          Consideration: Ensure only the minimal amount of personal information is collected from consumers …
          Recommendation: Data can present unintended privacy concerns when aggregated …
      I6: Insecure Cloud Interface
          Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) …
          Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms …
      I7: Insecure Mobile Interface
          Consideration: Ensure that any mobile application coding is written to disallow weak passwords …
          Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …
      I8: Insufficient Security Configurability
          Consideration: Ensure applications are written to include password security options (e.g. enabling 20-character passwords or enabling two-factor authentication) …
          Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements …
      I9: Insecure Software/Firmware
          Consideration: Ensure all applications are written to include update capability and can be updated quickly …
          Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle …
      I10: Poor Physical Security
          Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device …
          Recommendation: Plan on having IoT edge devices fall into malicious hands …
  39. Principles of IoT Security
      • Assume a hostile edge
      • Test for scale
      • Internet of lies
      • Exploit autonomy
      • Expect isolation
      • Protect uniformly
      • Encryption is tricky
      • System hardening
      • Limit what you can
      • Lifecycle support
      • Data in aggregate is unpredictable
      • Plan for the worst
      • The long haul
      • Attackers target weakness
      • Transitive ownership
      • N:N Authentication
  40. Framework assessment
      • Based on a prototypical IoT deployment model
      • Designed like a checklist or benchmark
  41. Example Edge Considerations
      • Are communications encrypted?
      • Is storage encrypted?
      • How is logging performed?
      • Is there an updating mechanism?
      • Are there default passwords?
      • What are the offline security features?
      • Is transitive ownership addressed?
  43. Example Gateway Considerations
      • Is encryption interrupted?
      • Are there replay and denial-of-service defensive capabilities?
      • Is there local storage? Is it encrypted?
      • Is there anomaly detection capability?
      • Is there logging and alerting?
  44. Example Cloud Considerations
      • Is there a secure web interface?
      • Is there data classification and segregation?
      • Is there security event reporting?
      • How are 3rd-party components tracked/updated?
      • Is there an audit capability?
      • Is there interface segregation?
      • Is complex, multifactor authentication allowed?
  45. Example Mobile Considerations
      • What countermeasures are in place for theft or loss of the device?
      • Does the mobile authentication degrade other component security?
      • Is local storage done securely?
      • Is there an audit trail of mobile interactions?
      • Can mobile be used to enhance authentication for other components?
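Slides 40 to 45 describe the framework assessment as a checklist or benchmark over the edge, gateway, cloud and mobile components. The Python below is an added example, not part of the deck or of the OWASP project: it scores a device profile against questions taken from those slides. The profile keys, the scoring rule, the CRITICAL set and the sample device profile are assumptions.

```python
"""Checklist-style IoT framework assessment (added example). Questions come from
the edge/gateway/cloud/mobile slides; keys, scoring and CRITICAL are assumptions."""

# Each check is (component, question from the slide, profile key); True passes.
CHECKS = [
    ("edge", "Are communications encrypted?", "edge_comms_encrypted"),
    ("edge", "Is storage encrypted?", "edge_storage_encrypted"),
    ("edge", "Is there an updating mechanism?", "edge_update_mechanism"),
    ("edge", "Are default passwords absent?", "edge_no_default_passwords"),
    ("gateway", "Are there replay and DoS defensive capabilities?", "gw_replay_dos_defense"),
    ("gateway", "Is local storage encrypted?", "gw_storage_encrypted"),
    ("gateway", "Is there logging and alerting?", "gw_logging_alerting"),
    ("cloud", "Is there a secure web interface?", "cloud_secure_web"),
    ("cloud", "Are 3rd-party components tracked/updated?", "cloud_3p_tracked"),
    ("cloud", "Is multifactor authentication allowed?", "cloud_mfa"),
    ("mobile", "Is local storage done securely?", "mobile_storage_secure"),
    ("mobile", "Is there an audit trail of mobile interactions?", "mobile_audit_trail"),
]
# Assumed policy: these map to I1/I2/I4 of the Top 10, so one failure fails the whole run.
CRITICAL = {"edge_comms_encrypted", "edge_no_default_passwords", "cloud_secure_web"}


def assess(profile):
    """Score a profile. An unanswered question counts as failed, so an incomplete
    profile cannot pass by omission. Returns per-component scores and findings."""
    counts, failed, critical = {}, [], []   # counts: component -> [checks, passed]
    for component, question, key in CHECKS:
        ok = profile.get(key) is True
        tally = counts.setdefault(component, [0, 0])
        tally[0] += 1
        tally[1] += ok
        if not ok:
            failed.append((component, question))
            if key in CRITICAL:
                critical.append(key)
    scores = {c: round(passed / total, 2) for c, (total, passed) in counts.items()}
    verdict = "fail" if critical else ("pass" if not failed else "review")
    return {"scores": scores, "failed": failed, "critical": critical, "verdict": verdict}


# Constructed profile of a hypothetical consumer device: traffic is encrypted, but it
# ships with default credentials, has no update path and no replay defence.
SAMPLE_PROFILE = {
    "edge_comms_encrypted": True, "edge_storage_encrypted": True,
    "edge_update_mechanism": False, "edge_no_default_passwords": False,
    "gw_replay_dos_defense": False, "gw_storage_encrypted": True, "gw_logging_alerting": True,
    "cloud_secure_web": True, "cloud_3p_tracked": True, "cloud_mfa": True,
    "mobile_storage_secure": True,   # mobile_audit_trail deliberately left unanswered
}
```

Running assess(SAMPLE_PROFILE) yields a "fail" verdict on the default-password finding alone, with the edge and mobile components each scoring 0.5.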
  50. Potential Points of Vulnerability
      ● Coffee makers
      ● Crock pots
      ● Refrigerators
      ● Dishwashers
      ● Thermostats
      ● Garage door openers
      ● Webcams
      ● Baby monitors
      ● Smart TVs
      ● Adjustable beds
      ● Heart monitors
      ● Breathing ventilators
  51. ...Additional Unique Risk Factors...
      • This market is driven by consumers who DO NOT associate IT risk with their purchases
      • Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security
      • This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security
  52. Potential Damage
      • Theft and exploitation of banking and credit card account numbers and logins
      • Theft and exploitation of business information, including information corruption
      • Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets
      • Utilization of access to alter IoT device settings, including medical devices
      • Violation of user privacy, including access to baby monitors
  53. Add'l Threat Information
      • Per “Massive Media”, 10/31/16 – other Mirai exploits have since been identified
      • Universal Plug & Play (UPnP) poses a security risk:
        – NO form of user authentication is required
        – ANY app can ask the router to forward a port over UPnP – probably NOT secure...
      • Firmware updates delivered through WeMo-paired devices commonly use non-encrypted channels
  54. So, Where Do We Stand?
      • NO federal laws, policies, or guidelines exist
      • Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM
      • Third-party components in products may constitute a significant – and HIDDEN – threat
      • It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features
      • IoT-capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers
  55. What Can We Do?
      • VERIFY the IoT capabilities and associated risks with ALL existing ...and new... products
      • Consider MOVING AWAY from devices which CANNOT be readily or practically secured
      • MONITOR THE MEDIA for information about IoT exploits and risks
      • Investigate products such as “Dojo” to block access and “Shodan” to monitor devices
      • Be careful DISPOSING OF IoT appliances – remember what we all learned about printers ???
  56. ...Worst Case Scenario...
      ● Your “smart” bed folds up and traps you...
      ● The thermostat drives up the temperature...
      ● The IoT vacuum cleaner blocks the door...
      ● Your SmartPhone answers that you are “out”...
      ● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
  57. Recommendations
      • Accommodate IoT with existing practices:
        – Policies, Procedures, & Standards
        – Awareness Training
        – Risk Management
        – Vulnerability Management
        – Forensics
  58. Recommendations
      • Plan for IoT growth:
        – Additional types of logging, log storage: can you find the needle in the haystack?
        – Increased network traffic: will your firewall / IDS / IPS be compatible and keep up?
        – Increased demand for IP addresses, both IPv4 and IPv6
        – Increased network complexity – should these devices be isolated or segmented?
  59. Recommendations
      • Strengthen partnerships with researchers, vendors, and the procurement department
  60. Threat vs. Opportunity
      • If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety
      • If understood and secured, IoT will enhance communications, lifestyle, and delivery of services
  61. Final Thoughts
      • Privacy in realms of big data is a problem
        – No real technical solution to this one
      • Regulation is probably coming
        – FTC set to release guidelines next year
      • Consumers may eschew security but business won’t
      • Security can be a differentiator
  62. ...Other Options...
      • Buy a dumb car...
      • Learn to cook over a campfire...
      • Learn to love “dumb” devices – some of us can relate to them pretty easily...
      • NEVER leave your IoT devices together in the dark where they can conspire against you!
  63. Questions and Discussion
