Boosting IoT Protection: An Enterprise Risk Imperative
Presentation from NRF Protect 2019: Retail's Loss Prevention and Cyber Risk Event.
Neil Lakomiak, Business Development Director, Underwriters Laboratories Inc.
Steve Welk, Senior Director, Loss Prevention, Barnes & Noble College Bookstores Inc.
Bernell Zorn, Manager of Program Management, Nordstrom
Slide 1: Boosting IoT protection: An enterprise risk imperative
Moderator: Christian Beckner, Senior Director, Retail Technology, National Retail Federation
Panelists:
• Neil Lakomiak, Business Development Director, Underwriters Laboratories Inc.
• Steve Welk, Senior Director, Loss Prevention, Barnes & Noble College Bookstores Inc.
• Bernell Zorn, Manager of Program Management, Nordstrom
Slide 2: The Problem
• Nearly 70% of every application is composed of reusable software components, resulting in "inherited vulnerabilities": a flaw in a shared component is a flaw in every product that embeds it.
• 85% of mobile apps violated one or more of the OWASP Mobile Top 10.
• As more organizations embrace agile DevOps processes, applications are being released faster than ever. The faster applications are released, particularly those built from reusable components, the faster new vulnerabilities are introduced.
• Software development is as much about embedding third-party components and leveraging existing APIs as it is about writing new code.
*Source: WhiteHat Security 2018 Application Security Statistics Report
Slide 3: The Risks
• Cybersecurity
• Interoperability
• Performance
• Privacy
• Safety

Slide 4
*Source: WhiteHat Security 2018 Application Security Statistics Report
Slide 5: How an Attack Works
Risk arises where a threat, a vulnerability and an opportunity coincide:
• Threat (the attacker): nation states, professional activity, hobbyists, insiders/employees
• Vulnerability (a flaw): inadequate security attributes, hard-coded passwords, improper installation, poorly written code
• Opportunity (the asset to be appropriated): building access control, control center control
Slide 6: UL 2900 Scope
1 Scope
1.1 This standard applies to network-connectable products that shall be evaluated and tested for vulnerabilities, software weaknesses, and malware.
1.2 This standard describes:
a) Requirements regarding the vendor's risk management process for their product.
b) Methods by which a product shall be evaluated and tested for the presence of vulnerabilities, software weaknesses, and malware.
c) Requirements regarding the presence of security risk controls in the architecture and design of a product.

Slide 7: UL 2900 Contents
INTRODUCTION
1. Scope
2. Normative References
3. Glossary
DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
4. Product Documentation
5. Product Design Documentation
6. Documentation for Product Use
RISK CONTROLS & RISK MANAGEMENT
7. General
8. Access Control, User Authentication and User Authorization
9. Remote Communication
10. Cryptography
11. Product Management
12. Vendor Product Risk Management Process
VULNERABILITIES AND EXPLOITS
13. Known Vulnerability Testing
14. Malware Testing
15. Malformed Input Testing (Fuzz Testing)
16. Structured Penetration Testing
SOFTWARE WEAKNESSES
17. Software Weakness Analysis
18. Static Source Code Analysis
19. Static Binary and Byte Code Analysis
APPENDICES
A1. Sources for Software Weaknesses
B1. Requirements for Secure Mechanisms for Storing Sensitive Data and Personally Identifiable Data
C1. Requirements for Security Functions
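The "inherited vulnerabilities" of slide 2 and the Known Vulnerability Testing section (13) of UL 2900 come down to the same check: compare the product's component inventory against published advisories and flag every component whose version falls inside an affected range. The Python below is an added example, not code from the presentation or from UL. The component list, the advisory identifiers (ADV-000x) and the affected ranges are constructed for illustration and are not real advisories; the version comparison supports only dotted numeric versions with an optional trailing letter suffix (as in 1.1.1g), which is enough for the inventory shown.

```python
"""Match a component inventory (as an SBOM would list it) against an
advisory feed.  Added example; inventory and advisories are constructed."""
import operator
import re

# Constructed inventory: name and version of each embedded component.
INVENTORY = [
    {"name": "openssl", "version": "1.1.1g"},
    {"name": "busybox", "version": "1.31.1"},
    {"name": "libcurl", "version": "7.68.0"},
    {"name": "zlib", "version": "1.2.12"},
]

# Constructed advisory feed: hypothetical IDs and ranges, not real CVEs.
# "affected" is a comma-separated list of constraints that must all hold.
ADVISORIES = [
    {"id": "ADV-0001", "component": "busybox", "affected": ">=1.0.0,<1.32.0", "fixed": "1.32.0"},
    {"id": "ADV-0002", "component": "libcurl", "affected": ">=7.50.0,<7.70.0", "fixed": "7.70.0"},
    {"id": "ADV-0003", "component": "zlib", "affected": "<1.2.12", "fixed": "1.2.12"},
    {"id": "ADV-0004", "component": "openssl", "affected": ">=1.1.1,<1.1.1g", "fixed": "1.1.1g"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")
_CONSTRAINT_RE = re.compile(r"^(<=|>=|<|>|==)\s*(.+)$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}


def parse_version(text):
    """Turn '1.1.1g' into ((1, 1, 1, 0), 'g') so tuples compare correctly.

    Numeric parts are padded to at least four fields so that 1.2 == 1.2.0.0;
    a letter suffix sorts after the bare number ('' < 'a' < 'b' ...).
    Anything else (pre-release tags, dates) is rejected rather than guessed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return (tuple(nums), m.group(2))


def satisfies(version, constraint):
    """True if `version` meets every clause of a constraint like '>=1.0,<1.2'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CONSTRAINT_RE.match(clause.strip())
        if not m:
            raise ValueError(f"malformed constraint clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if not _OPS[op](v, bound):
            return False
    return True


def find_vulnerable(inventory, advisories):
    """Return one finding per (component, advisory) pair whose version is affected.

    Components with no advisories are skipped silently; that is a gap in the
    feed, not evidence of safety, so a real pipeline should report coverage too.
    """
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)

    findings = []
    for comp in inventory:
        for adv in by_component.get(comp["name"], []):
            if satisfies(comp["version"], adv["affected"]):
                findings.append({
                    "name": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f['name']} {f['version']}: {f['advisory']} (fixed in {f['fixed']})")
```

Run against the constructed data it reports busybox (ADV-0001) and libcurl (ADV-0002); openssl 1.1.1g and zlib 1.2.12 sit exactly at their advisories' fixed versions and are correctly not flagged, which is the boundary case a range check most often gets wrong. In practice the inventory would come from a generated SBOM and the advisory list from a vulnerability database, and the check would be re-run whenever either changes, not only at release.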
Slide 8: Physical Security & Life Safety Industry Landscape
Who's Accountable? Everyone & No One

Slide 9: Physical Security & Life Safety Industry Landscape
Who's Accountable? Vendors
• Cybersecurity is a significant investment. How will costs be offset? Are customers willing to pay higher prices?
• How are you managing cyber risk while using open source code?
• Vendors don't control the whole ecosystem in which their products are deployed. Where does accountability start and stop?
• What do vendors have to lose? Brand reputation, credibility, financial loss from potential recalls/penalties, C-level positions.
• What do vendors have to gain? Differentiation, brand value, risk mitigation, avoiding overly burdensome regulation, the ability to benefit from emerging business models.

Slide 10: Physical Security & Life Safety Industry Landscape
Who's Accountable? Resellers/Integrators
• Need to seek out and understand cybersecurity, be educated on it, and be responsible to the end-user
• Avoid integrating or selling technology that has not been vetted

Slide 11: Physical Security & Life Safety Industry Landscape
Who's Accountable? End User
• Needs to be educated
• Know what questions to ask of vendors and integrators
• Be prepared to pay for cybersecurity
• Develop and follow a robust security maintenance process

Slide 12: Some Questions Integrators, Installers and End-Users Should Be Asking About IoT Security
1.) Are penetration tests performed by a third party? How often? When was the most recent?
2.) Is a formal security program in place? How is security addressed as part of the product development lifecycle?
3.) How are access control, authentication and authorization handled?
4.) How is data protected at rest and in transit?
5.) Are there suggested prevention measures for the end-user? What are the expectations of the integrator and end-user for security?
6.) What is your process for addressing discovered vulnerabilities?