Michael curry security


Published in: Technology, Business
  • Zurich Insurance Risk Nexus Report April 2014 – threats will soon outpace our ability to deal with them
    , and 20% targeted manufacturing
    50% of US broadband homes will have an Internet-connected device by 2020 – Parks Associates
  • Not just machine data – it's remote control – What would happen if a DoS attack were launched against a city’s traffic controls or energy supply?
    In fact - According to US DHS, in the last 3 months 59% of reported cyber attacks against critical infrastructure targeted energy
    Let me give you a simpler example to show you the hidden risk even on data - Energy example – nobody’s home
    Privacy – medical records worth more on black market than CC data – and by its nature IoT has the potential to collect (and expose) even more personal information about individuals than we’ve ever seen before
  • Biggest problem – IoT greatly expands the attack surface that must be secured
    We often have a hard enough time simply preventing attacks on traditional infrastructure – throw in potentially thousands of remote points of attack, many of which cannot feasibly be physically protected, and now you have a much more complex security equation
    Susceptible to physical tampering
    Processing power of devices
    Distributed, remote, physically accessible
    Huge number of devices, vendors, protocols
    Potential for remote actuation
  • Design systems that assume everything can be compromised
    zero trust at all points of the system
    Firewall approach of simply controlling the ports of entry insufficient
    Need to recognize breaches when they occur and stop them before they can do more damage
  • DoS on both the devices and on the server
  • Can often be the weakest link – even a simple sensor can be an attack point.
    Device key management - Managing all those devices can be daunting – call home bootstrapping
    Unique hardware signatures for key generation
    Use Internet technologies – no reason you can’t use OpenID for devices
    www.kurzweilai.net UCSD hardware tool for testing security
  • Data has both security and privacy concerns, so it deserves special focus
    Data governance policy – not all data has the same sensitivity – know what your data is and protect it accordingly
    TLS – table stakes, but not enough
    Encrypt from ingress to target (data increasingly cached on the local device)
    Application layer – structure and content to ensure it is what is expected
  • After all, with the IoT we are exposing data and control interfaces over the network – typically the open Internet
  • Impossible to eliminate breaches – this is where most implementations fail
    Analytics - Must be able to recognize what threats & breaches look like, constantly evolving
    Isolation – client devices cut off (and preferably wiped), servers taken offline
    IBM design goal: 30 seconds
  • Opt in – most consumers have no idea what information is being collected and shared about them – look at Facebook
    Data anonymization
    Reduce context on the device – add context in the Cloud
  • Zero trust – expect breaches, simulate breaches (Chaos Monkey approach), test, test, test
    Edges – all the way up to the application layer
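An added example, not taken from the slides, of two points in the notes above: per-device keys tied to a hardware identifier, and application-layer checks that a message's structure and content are what is expected. The master secret, telemetry schema, temperature range and function names are assumptions, and HMAC key diversification stands in here for the hardware-signature key generation the notes mention.

```python
import hashlib
import hmac
import json

# Assumptions (not from the slides): a server-held master secret, a device-unique
# hardware ID used to diversify keys, and a JSON schema for thermostat telemetry.
MASTER_SECRET = b"constructed-demo-secret-not-for-production"
SCHEMA = {"device_id": str, "seq": int, "temp_c": (int, float)}
TEMP_RANGE = (-40.0, 85.0)


def device_key(hardware_id: str) -> bytes:
    """Derive a per-device key so one extracted key does not expose the fleet."""
    return hmac.new(MASTER_SECRET, b"iot-device-key|" + hardware_id.encode(),
                    hashlib.sha256).digest()


def sign(hardware_id: str, payload: dict) -> tuple[bytes, bytes]:
    """Device side: serialize canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(device_key(hardware_id), body, hashlib.sha256).digest()


def accept(body: bytes, tag: bytes, claimed_id: str, last_seq: dict) -> tuple[bool, str]:
    """Server side: authenticate first, then check structure, content, freshness."""
    expected = hmac.new(device_key(claimed_id), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "not JSON"
    if not isinstance(msg, dict) or set(msg) != set(SCHEMA):
        return False, "unexpected fields"
    for field, kind in SCHEMA.items():
        if isinstance(msg[field], bool) or not isinstance(msg[field], kind):
            return False, f"bad type for {field}"
    if msg["device_id"] != claimed_id:
        return False, "device_id mismatch"
    if not TEMP_RANGE[0] <= msg["temp_c"] <= TEMP_RANGE[1]:
        return False, "temp_c out of range"
    if msg["seq"] <= last_seq.get(claimed_id, -1):
        return False, "replayed or stale seq"
    last_seq[claimed_id] = msg["seq"]
    return True, "ok"
```

These checks run above TLS: a message that arrives over a valid session is still rejected if it is replayed, carries extra fields such as a control command, or reports a value outside the expected range.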

    1. ©2012 MASSTLC ALL RIGHTS RESERVED. How Security Shifts in the World of IoT. Michael Curry, IBM; Andy Thurai, Intel
    2. © 2014 IBM Corporation. Security in a World of Connected Things. Michael Curry, IBM SWG Product Management, @mikecurr55, mikecurr55.wordpress.com
    3. The Internet of Things Creates New Concerns for Security (Zurich Insurance Risk Nexus, April 2014)
         • Law 1: Everything that is connected to the Internet can be hacked
         • Law 2: Everything is being connected to the Internet
         http://www.zurich.com/internet/main/SiteCollectionDocuments/insight/risk-nexus-april-2014-en.pdf
    4. If it is just machine data... how important is security? (Image Credit: SmartPlanet.com)
    5. What is Different About the Internet of Things? (Image Credit: Gill Sensors)
         • Attack surface
         • Processing power
         • Remote, accessible
         • Lack of standards
         • Threat to the physical world
    6. Let’s face it – We won’t be able to secure it 100% (Image Credit: Spero News)
    7. Most Common Attacks
         • Denial of Service
         • Hijacking
         • Spoofing
         • Injection
         • Sniffing/Data theft
         • Viruses
    8. Four Elements of IoT Security
         1. Physical Device
         2. Data
         3. Network
         4. Incident Monitoring & Response
    9. 1. Physical Device Security
         • Tamper-proofing
         • Secure boot
         • Authorization controls & geofencing
         • Remote software management
         • Device key management
    10. 2. Data Security
         • Data governance policy
         • TLS
         • End-to-end encryption
         • Application layer policies
         • Data masking
    11. 3. Network Security
         • Authentication
         • Authorization policy
         • Attack signature recognition
         • DoS defense
    12. 4. Incident Monitoring & Response
         • Constant real-time monitoring
         • Cross-device event correlation
         • Security analytics
         • Real-time isolation
    13. A Moment on Privacy (Image Credit: Outside the Beltway)
    14. Six Tips for IoT Security
         1. Design for zero trust
         2. Focus on detection and isolation
         3. Control the edges
         4. Know your data
         5. Encrypt end-to-end
         6. Strip out PII & Design for Opt In