
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies

IoT devices are proliferating throughout corporate networks raising concerns about security risks they may introduce. However, IoT technologies differ in many ways from most enterprise-ready technologies that currently exist. Understanding the risks that IoT represents and how to best quantify that risk can be a challenge for many security leaders. This webinar provides an overview of IoT architectures, how they differ from existing infrastructure devices, and how best to measure the risk IoT devices represent. It will expose attendees to concepts like Threat Modeling for IoT and provide additional references that will help build a successful IoT security assessment program.


  1. © 2018 Denim Group – All Rights Reserved. Building a world where technology is trusted.
     Understanding IoT Security: How to Quantify Security Risks of IoT Technologies
     John B. Dickson, CISSP, @johnbdickson, Denim Group
  2. Overview
     • Overview of IoT
     • IoT-specific Security Challenges
     • IoT Threat Model
     • IoT Assessment Guide RFC
     • Questions & Answers
  3. @johnbdickson
     • AFCERT Analyst
     • 20+ Year Security Professional
     • Denim Group Principal
     • ISSA Distinguished Fellow
     • Security Conference Speaker
     • Dark Reading Columnist
  4. Denim Group Overview: Providing vastly improved application security for mission-critical enterprise applications
     • Denim Group provides an integrated solution into development environments, integrating bug fixes into the DevOps cycle
     • Application testing is an invaluable mechanism for the defense of critical software
     • ThreadFix is a direct feed into the development environment, enabling real, runtime security fixes
     • Managed services help cover any gaps in terms of security experts within the organization
     (Diagram labels: ThreadFix – The Delivery Platform, Central Resolution Hub, Accelerate Remediation; Advisory Services; Managed Services; Continuous Testing as a Service; Quantifies Risk Across the Application Portfolio; DevOps & AppSec Transformation Consulting)
  5. Three Goals for Today’s Session
     1. Understand IoT and IoT security better
     2. Identify your IoT security IQ and develop a learning plan
     3. Ask better security questions to drive more informed IoT design and purchase decisions
  6. IoT Definition
     • Where network connectivity and computing capability extend to objects, sensors and everyday items not normally considered computers
     • Allowing devices to generate, exchange and consume data with minimal human intervention
     • There is, however, no single, universal definition.
     • Source: The Internet Society
  7. Laypersons’ IoT Definition
     • Computers with sensors running applications!
  8. What is (or can be) IoT
     remote cameras, temperature sensors, thermostats, plugs, light bulbs, locks, security systems, hubs, toothbrushes, toasters, pet feeders, top brewers, heart rate monitors, smart cars, blenders, washing machines, holiday light controls, well monitors, pacemakers, toasters, and…
  9. Crock pots!
  10. Different IoT Connectivity Models
     1. Device-to-device
     2. Device-to-cloud
     3. Device-to-gateway
     4. Back-end data sharing
  11. Challenges for IoT Security
     • Physical access
     • Many edge devices are single purpose
     • Many devices not designed to be updated
     • Multiple ingress/egress methods
     • Traditional manufacturers…
  12. Where do You Go from Here?
  13. IoT Threat Modeling
     • IoT security is not only about the code running on the device!
     • Web services and mobile clients are frequently where many fall down
     • Enumeration of components is critical given the potential complexity of IoT systems
  14. IoT Threat Modeling
     • Components
       • IoT Device
       • Local IoT Gateway
       • 3rd-party web services
       • Mobile client
       • Web client
  15. IoT Threat Model
  16. OWASP IoT Assessment Framework
     • A framework giving developers guidance on considering security decisions as part of development
     • Includes security considerations for four IoT components
       • Edge devices
       • Gateway devices
       • Cloud platform
       • Mobile
  17. OWASP IoT Assessment Framework – Edge Devices
     • Edge device considerations
       • Communications encryption
       • Storage encryption
       • Strong logging
       • Automatic updates
       • Update verification
       • No default passwords
       • Offline security features
       • Defensive capabilities
       • Secure web interface
       • Does not employ secrets in code
  18. OWASP IoT Assessment Framework – Gateway Devices
     • Gateway device considerations
       • Multi-directional encrypted communications
       • Strong authentication of components (edge, platform, user)
       • Secure storage
       • Denial of service and replay attack mitigation
       • Logging and alerting
       • Anomaly detection and reporting capabilities
       • Use latest, up-to-date third-party components
       • Automatic updates and/or version reporting
  19. OWASP IoT Assessment Framework – Cloud
     • Cloud considerations
       • Encrypted communications
       • Secure web interface
       • Authentication
       • Secure authentication credentials
       • Encrypted storage
       • Capability to utilize encrypted communications to the storage layer
       • Data classification capabilities and segregation
       • Security event reporting and alerting
       • Automatic updates and update verification
       • Use latest, up-to-date third-party components
  20. OWASP IoT Assessment Framework – Mobile
     • Mobile platform considerations
       • Ensure the mobile component enforces authentication requirements equal to or greater than those of other components
       • Local storage security considerations
       • Capabilities to disable or revoke mobile components in the case of theft or loss
       • Strong audit trail of mobile interactions
       • Mobile application should perform cryptographic verification and validation of other components
       • Encrypted communications channels
       • Multi-factor authentication
       • Capability to utilize the mobile component to enhance authentication and alerting for other components
  21. IoT Threat Model – Security Testing Approach
  22. Request for Comment – IoT Assessment Guide
     • Designed for organizations building or buying IoT systems
     • 2nd draft – would appreciate any and all feedback
     • Written in business English for non-technical product development teams
     • Key Thoughts
       • Automated test tool coverage might be sketchy
       • Focus on privacy controls along with security protections
       • If outsourcing, it might be difficult to make an apples-to-apples comparison
       • Understand what software and hardware components are included in your product
       • Conduct a simple “who, what, where, when” inventory that will feed into any threat modeling exercise
     • DM me at @johnbdickson
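The two ideas that slides 13 to 22 keep returning to are component enumeration and measurable coverage of the OWASP IoT Framework Assessment considerations. The following Python is an added example, not code from the deck, from Denim Group or from OWASP: it models the “who, what, where, when” inventory the RFC slide recommends for the threat-model components, records the data flows between them, and scores each component against the considerations listed on slides 17 to 20. Class names, the scoring rule, and the sample thermostat inventory are assumptions made for illustration; the consideration strings are shortened transcriptions of the slide bullets.

```python
"""Added example (not from the deck, Denim Group or OWASP): a 'who, what, where,
when' component inventory with data flows, scored against the OWASP IoT Framework
Assessment considerations listed on the slides. Names and sample data are assumed."""
from dataclasses import dataclass, field

# Per-component considerations, transcribed (shortened) from the framework slides.
CONSIDERATIONS = {
    "edge": ["communications encryption", "storage encryption", "strong logging",
             "automatic updates", "update verification", "no default passwords",
             "offline security features", "defensive capabilities",
             "secure web interface", "no secrets in code"],
    "gateway": ["multi-directional encrypted communications",
                "strong authentication of components", "secure storage",
                "dos and replay mitigation", "logging and alerting",
                "anomaly detection and reporting", "up-to-date third-party components",
                "automatic updates or version reporting"],
    "cloud": ["encrypted communications", "secure web interface", "authentication",
              "secure authentication credentials", "encrypted storage",
              "encrypted communications to storage layer",
              "data classification and segregation",
              "security event reporting and alerting",
              "automatic updates and update verification",
              "up-to-date third-party components"],
    "mobile": ["authentication at least as strong as other components",
               "local storage security", "remote disable or revoke", "audit trail",
               "cryptographic verification of other components",
               "encrypted communications", "multi-factor authentication",
               "enhances authentication and alerting for other components"],
}


@dataclass
class Component:
    """One inventory entry: who owns it, what it does, where it sits, when reviewed."""
    name: str
    kind: str            # a key of CONSIDERATIONS
    owner: str           # who
    purpose: str         # what
    location: str        # where
    last_reviewed: str   # when (ISO date)
    controls: set = field(default_factory=set)  # considerations already met

    def __post_init__(self):
        if self.kind not in CONSIDERATIONS:
            raise ValueError(f"unknown component kind: {self.kind}")
        unknown = self.controls - set(CONSIDERATIONS[self.kind])
        if unknown:  # reject misspelled or misplaced controls instead of silently scoring them
            raise ValueError(f"{self.name}: not a {self.kind} consideration: {sorted(unknown)}")


@dataclass
class Flow:
    src: str
    dst: str
    data: str        # what crosses the link
    encrypted: bool


class ThreatModel:
    def __init__(self):
        self.components = {}
        self.flows = []

    def add(self, component):
        self.components[component.name] = component

    def connect(self, src, dst, data, encrypted):
        # A flow to something not in the inventory means enumeration is incomplete.
        for n in (src, dst):
            if n not in self.components:
                raise KeyError(f"flow references uninventoried component: {n}")
        self.flows.append(Flow(src, dst, data, encrypted))

    def gaps(self, name):
        c = self.components[name]
        return [k for k in CONSIDERATIONS[c.kind] if k not in c.controls]

    def coverage(self, name):
        total = len(CONSIDERATIONS[self.components[name].kind])
        return round((total - len(self.gaps(name))) / total, 2)

    def report(self):
        return {"coverage": {n: self.coverage(n) for n in self.components},
                "gaps": {n: self.gaps(n) for n in self.components},
                "unencrypted_flows": [(f.src, f.dst, f.data) for f in self.flows if not f.encrypted]}


def sample_model():
    """Constructed inventory for a hypothetical smart-thermostat product."""
    tm = ThreatModel()
    tm.add(Component("thermostat", "edge", "facilities", "temperature control", "customer site",
                     "2018-04-01", {"communications encryption", "no default passwords", "automatic updates"}))
    tm.add(Component("home-hub", "gateway", "vendor", "aggregates edge traffic", "customer site",
                     "2018-04-01", {"multi-directional encrypted communications", "logging and alerting"}))
    tm.add(Component("vendor-cloud", "cloud", "vendor", "telemetry and accounts", "vendor cloud",
                     "2018-03-15", set(CONSIDERATIONS["cloud"]) - {"data classification and segregation"}))
    tm.add(Component("phone-app", "mobile", "vendor", "user control and alerts", "user handset",
                     "2018-02-01", {"encrypted communications", "local storage security"}))
    tm.connect("thermostat", "home-hub", "temperature readings", encrypted=True)
    tm.connect("home-hub", "vendor-cloud", "aggregated telemetry", encrypted=True)
    tm.connect("vendor-cloud", "phone-app", "alerts and account data", encrypted=False)
    return tm


if __name__ == "__main__":
    import json
    print(json.dumps(sample_model().report(), indent=2))
```

Run as a script it prints per-component coverage, the open gaps per component, and every data flow that is not encrypted; a flow that points at a component nobody inventoried is rejected, which is the enumeration failure the slides warn about. The web client from slide 14 is left out because the framework slides list no considerations for it.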
  23. Consumer & Public Policy Environment
     • National Telecommunications and Information Administration (NTIA)
     • Federal Trade Commission
     • Consumer Financial Protection Bureau
     • Consumer Reports
     • State regulatory agencies
  24. References
     • The Internet of Things (IoT): An Overview, The Internet Society (https://www.internetsociety.org/resources/doc/2015/iot-overview)
     • OWASP IoT Framework Assessment (https://www.owasp.org/index.php/IoT_Framework_Assessment)
     • Communicating IoT Device Security Update Capability to Improve Transparency for Consumers (https://www.ntia.doc.gov/files/ntia/publications/communicating_iot_security_update_capability_for_consumers_-_jul_2017.pdf)
  25. Building a world where technology is trusted.
     @denimgroup, www.denimgroup.com
     @johnbdickson, john@denimgroup.com, 210-572-4400
