Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Kid Proofing the Internet of Things
This presentation is intended to address the unique challenges parents face in securing their home networks both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.
2015 NTX-ISSA Cyber Security Conference (Spring), April 24-25, 2015
• As Information Security (IS) professionals (or students),
we regularly defend enterprise networks
• General Internet threats
- Malware, hackers, identity thieves
• Threats to and from our kids
- The threats our kids bring in
Malware, spyware, etc.
- The threats against our kids
Objectionable content, predators
Why We Want To Lock Down Our Home Networks
What is important in your Network Castle?
• General Controls
- Firewalls
Perimeter firewall (wireless router)
Host-based firewall
- Anti-Virus
- User Account Controls (UAC)
• Kid-Specific Controls
- Parental controls / Google controls
- “Kid Safe” browsers
- “Deep Freeze”
The Usual Solutions People Use To Do It (PCs)
Securing a desktop is easier (but not easy)
• The real problem is all the other devices on your network
- With the Internet of Things have you really thought
about how these affect the security of your home
network?
- Were these devices built with security in mind?
• Devices you or your kids likely have on the network
- Tablets (iOS, Android, Chrome, other Linux variants)
- Game Systems (PlayStation, Wii, Nintendo DS, etc.)
- TVs (Linux, Windows, Netflix, Hulu, YouTube, etc.)
- Phones (iOS, Android)
All The Other Devices On Your Network
The Internet of Things is a different matter…
• Hard lesson learned about these devices
- They don’t care about your security concerns…
- At best they have VERY limited content controls
- All connected, but no control over Internet content
• Game systems / TVs
- Ratings Controls
• Android / Linux / iOS
- Limited Parental Controls – can control purchases
- Apple’s “Restriction” Controls (slightly better)
- “Kid Safe” Apps and Browsers
Device Lockdowns
• Apple has some decent controls via their “Restrictions”
settings to make iOS “kid safe” on any network…
• Some strategies I use / have used
- Don’t let the kids install / delete Apps (they hate this)
- Disable iCloud and Messages (they hate this more)
- Disable Safari / YouTube / remove “problem” apps
- Install a “kid safe” browser
- Configure Google parental controls
• Hacking iOS opens additional opportunities / risks
Locking Down iOS
Making iOS “kid safe” is reasonably doable
• What do all these devices have in common?
- The home network and Internet Gateway…
• Conventional Router Controls
- Basics
Encrypt wireless traffic (devices may limit strength)
MAC address restrictions
Guest network (if available)
- Good ingress screening
- May have limited egress screening
Limit sites and times for some / all users
Generally these are hard to manage
So What Does That Leave Us?
• Segment your LAN into security zones
- Move “high risk / value” devices to their own zone
- Allows you to apply different access policies
• Some security zones to consider…
- Adult Household Member Zone
- Hardwired Zone / Finance Zone
Consider moving Finance into a VM
- Adult Guest Zone
- Kid Zone (Household Member and Guests)
- Entertainment Device Zone (May be Kid Zone)
Advanced Strategies For More Security
Adult, Visitor, and Kid Zones are my minimums
• One Router to rule them all…
- There are MANY possible variants of this
• Use the existing router as a master device
- Leave the DNS the same or use unfiltered OpenDNS
- With a dual wireless router this can be Adult + Visitor
• Add a new wireless router per zone
- Connect Wireless APs via wire to master device
- If this is to be a filtered network (Kids) then
reconfigure the DNS to use filtered OpenDNS
How To Implement Security Zones
Shared network devices like printers are issues…
• Advanced Internet Access Control is a difficult problem
- Devices have very limited controls
- Wireless routers are marginally better
- Is there another way to provide this filtering?
• OpenDNS to the rescue (almost)
- If you control DNS, you control the Internet*
- OpenDNS is a free (and paid) service that provides a
filtered / controlled Internet experience via DNS
Free has a bunch of stock settings
Paid has the ability to customize these + add
custom site rules
Advanced Internet Controls At The Network Layer
• OpenDNS does not protect mobile devices when they
leave your network (tablets, phones, laptops, etc.)
- Sorry but I do not think there is a good solution for this
- Auditing the device is probably the best work around
• OpenDNS (paid) can only be used on one “Zone” unless
you have more than one public IP
- It keys off the source IP to decide how things resolve
- You can use OpenDNS (free) on other zones…
- This may affect how you implement your zoning
strategy
OpenDNS - Living With An Imperfect Solution (1)
Controlling devices off your network is very hard…
• OpenDNS does not stop direct access via an IP address
- Kids that understand what an IP address is can be a problem
- Kids that know what a hosts file is can still resolve names without DNS
• OpenDNS works great for devices using DHCP…
- But if the device lets you change the DNS settings –
OpenDNS can be bypassed at the host
• If your kids are more computer and network savvy than
you, this will not work for long…
OpenDNS - Living With An Imperfect Solution (2)
It’s not a perfect solution, but works for me…
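A defender-side check for the host-level bypass described above, added here as an example and not part of the presentation: it assumes the Kid Zone router exports a connection log in the constructed format shown, that the Kid Zone uses the subnet configured below, and that clients should be talking only to the published OpenDNS FamilyShield resolver addresses. It catches clients that switch to another resolver; hosts-file entries and direct-IP access leave no port-53 trace and are not caught.

```python
"""Flag Kid Zone clients whose DNS traffic bypasses the filtered resolver.

Added example, not from the presentation. The log format, the zone subnet
and the sample lines are constructed for this demonstration.
"""
import ipaddress
from collections import defaultdict

# Assumed zone layout: the Kid Zone router hands out this subnet and points
# clients at the OpenDNS FamilyShield resolvers (their published addresses).
KID_ZONE = ipaddress.ip_network("192.168.20.0/24")
FILTERED_RESOLVERS = {"208.67.222.123", "208.67.220.123"}

# Constructed sample log: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
20:01:02 udp 192.168.20.14:50123 -> 208.67.222.123:53
20:01:05 udp 192.168.20.14:50124 -> 208.67.220.123:53
20:01:09 udp 192.168.20.31:41001 -> 8.8.8.8:53
20:01:10 tcp 192.168.20.31:41002 -> 8.8.8.8:53
20:01:12 udp 192.168.10.5:33333 -> 1.1.1.1:53
20:01:15 tcp 192.168.20.31:41003 -> 93.184.216.34:443
"""


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip, _, _ = parts[2].rpartition(":")
    dst_ip, _, dst_port = parts[4].rpartition(":")
    if not dst_port.isdigit():
        return None
    return parts[1], src_ip, dst_ip, int(dst_port)


def find_dns_bypass(log_text, zone=KID_ZONE, resolvers=FILTERED_RESOLVERS):
    """Map each zone client to the set of non-filtered resolvers it used."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # only DNS traffic matters for this check
        if ipaddress.ip_address(src) not in zone:
            continue  # other zones carry their own policy
        if dst not in resolvers:
            offenders[src].add(dst)
    return dict(offenders)


if __name__ == "__main__":
    for client, servers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} bypassed the filtered resolver via {sorted(servers)}")
```

Run against a real export, the per-client result is the list of devices whose DNS settings were changed by hand and need auditing, which is the work-around the previous slide recommends.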
Presenter Bio
Monty D. McDougal is a Raytheon Intelligence, Information and
Services (IIS) Cyber Engineering Fellow. He has worked for
Raytheon for the last 16+ years performing tasks ranging from
programming to system administration and has an extensive web
development / programming background spanning 18+ years. His
work has included development / integration / architecture /
accreditation work on numerous security projects for multiple
government programs, internal and external security / wireless
assessments, DCID 6/3 compliant web-based single sign-on
solutions, PL-4 Controlled Interfaces (guards), reliable human
review processes, audit log reduction tools, mail bannering
solutions, and several advanced anti-malware IRADs / products /
patents.
Monty holds the following major degrees and certifications: BBA
in Computer Science / Management (double major) from Angelo
State University, MS in Network Security from Capitol College,
CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on
the SANS Advisory Board. Monty has previously held the GCIH,
GCFA, GREM, GCUX, and GCWN certifications. Monty is also
the author of the Windows Forensic Toolchest (WFT).
E-mail: Monty_D_McDougal@raytheon.com
Abstract
- Why we want to lock down our networks
- The usual tools we would attempt to do it with (PC Solutions)
- What about all those other devices on your network… the real issue
- Device lockdowns
- Wireless Router / security zoning
- OpenDNS and why it may be your best friend in this fight
- Living with an imperfect solution…