
(2019) Hack All the Way Through From Fridge to Mainframe (v0.2)


Have you ever thought about the perils of smart home devices? In this presentation we discuss the Internet of Things (IoT) and the concept of Bring Your Own Device (BYOD), and the security challenges and risks they can pose to companies, systems, and ultimately to the mainframe.

Published in: Technology

  1. Delivering the best in z services, software, hardware and training. Hack All The Way Through from Fridge To Mainframe. World Leading z Security Specialists
  2. AGENDA
      • Introduction and Objectives
      • IOT
      • BYOD
      • Exposing the mainframe
      • What to do
      • Summary and Conclusions
  3. Who am I? A quick introduction… RUI MIGUEL FEIO
      • Senior Technical Lead at RSM Partners
      • Based in the UK but travels all over the world
      • 20 years' experience working with mainframes
      • Started with IBM as an MVS Sys Programmer
      • Specialist in mainframe security
  4. The Internet of Things
  5. IoT – What is it?
      • IoT stands for Internet of Things
      • Term used to describe physical objects that can communicate with each other and complete tasks without any human involvement
      • Examples:
          – Vehicles, appliances, buildings, …
          – Any item embedded with electronics, software, sensors, and network connectivity
  6. IoT – Some numbers
      • A study conducted by Gartner says:
          – More than 4.9 billion IoT connected devices in 2015
          – 6.4 billion IoT connected devices in 2016
          – More than 20 billion IoT connected devices in 2020
      • A CISCO report predicts there will be 50 billion IoT connected devices in 2020!
  7. IoT – It’s here to stay
  8. IoT – The problem
      • Trendy, fashionable devices are produced to appeal to technically savvy consumers
      • But the manufacturers of IoT devices tend not to have security in mind
      • Some devices, like routers, have the firmware customised by the Internet Service Providers (ISP), which:
          – Don’t allow firmware updates directly from the manufacturer
          – Don’t provide customised updated versions of the firmware
  9. IoT – This leads to…
  10. IoT – And to…
  11. IoT – And of course to…
  12. IoT – Some numbers…
  13. IoT and Cyber Crime
      • HP study reveals 70% of IoT devices are vulnerable to attacks
      • Cyber criminals are working on new techniques for getting through the security of established organisations, focusing on IoT:
          – Home appliances
          – Office equipment
          – Smart devices
      • IoT devices are easier to hack as they don’t have robust security measures
  14. IoT – How to hack?
      • There are several resources available on the internet and dark web:
          – Web sites
          – Blogs
          – Forums
          – Software tools
          – Scripts
          – Vulnerabilities
          – Specialised search engines
  15. Shodan – The IoT Search Engine https://www.shodan.io/
  16. Shodan – An Example
  17. IoT - The Head of US intelligence
  18. IoT – The NSA Chief of TAO
  19. IoT – “1984”, George Orwell
  20. IoT – The Risk
      • Your home network can be compromised by one of your own IoT devices
      • How secure are your IoT devices?
      • How frequently do you update the firmware and software of the devices?
      • Are the IoT devices still supported by the manufacturer?
      • You connect from home to your company’s network
      • What will happen if your home network is compromised?
      • How long will it take for a hacker to exploit this security flaw?
  21. IoT – The Risk @ Home
  22. Bring Your Own Device
  23. BYOD – What is it?
      • BYOD stands for Bring Your Own Device
      • It’s becoming the standard which allows employees to use their own personal devices to access the company’s network remotely, either from their home location or from the workplace
      • Seen by companies as a way to reduce costs
  24. BYOD – Some numbers
      • 59% of companies allow employees to use their own devices at work, and another 13% plan to in the near future (study from Tech Pro Research)
      • 87% of companies allow employees to use personal devices to access business apps (study from Syntonic)
      • A company can save an average of $350 per year for each employee using their own devices (study from CISCO)
  25. BYOD – The problem
      • There are a large number of security risks:
          – As the device is owned by the employee, it is also used for their own personal use
          – The organisation has limited control over the BYOD devices and how they are used
          – If the BYOD device becomes infected or compromised, the attacker could use this as a platform to attack the company’s network
  26. BYOD – The problem
      • There are a large number of security risks:
          – Employees failing to complete security updates
          – Employees using unsecured Wi-Fi connections
          – Employee turnover
          – Employees losing their devices
  27. BYOD – This leads to…
  28. BYOD – And to…
  29. BYOD and Cyber Crime
      • In the UK, in a document entitled “10 Steps to Cyber Security”, the GCHQ has advised businesses to consider banning bring your own device (BYOD) because staff represent the “weakest link in the security chain”
      • Approximately 22% of the total number of mobile devices produced will be lost or stolen during their lifetime, and over 50% of these will never be recovered
      • According to Kaspersky, 98% of identified mobile malware target the Android platform, and the number of variants of malware for Androids grew 163% in a single year
  30. BYOD – The Risk
      • A 2016 Ponemon Institute study reports:
          – Negligent employees are seen as the greatest source of endpoint risk
      • Increased number of BYOD devices connected to the network (including mobile devices)
      • Use of commercial cloud applications in the workplace
      • Security management control tasks become less efficient and more difficult to implement, ‘creating holes’ that can be exploited by hackers
  31. Exposing the Mainframe
  32. IoT & BYOD vs The Mainframe
      • Remember: the mainframe is just another platform residing in the company’s network
      • If the network is compromised the mainframe can be directly or indirectly affected
      • Using BYOD creates challenges for the company’s security team that can be difficult to tackle
      • You may think that your home network is secure; you update your laptop with the latest security patches, antivirus and firewall definitions, but… have you ever considered the IoT devices?
  33. What to do?
  34. What can be done?
      • Manufacturers of IoT devices need to start focusing more on security
      • Governments must take the lead in IoT security
      • Companies and individuals need to be more security conscious and consider the implications of BYOD and IoT
      • Reducing costs in the short term can lead to great financial losses in the medium and long term for everyone
  35. What can be done?
      • Strong security policies and rules need to be in place to ensure that any BYOD device is security compliant
      • Employees need to be educated about the risks and challenges of both IoT and BYOD
      • Managers and directors also need to be educated!! Saving money now can be very costly in the future
      • Have you ever imagined how a company’s image would be affected if its IT security had been breached using a…
  36. What if…
      • A hacker compromises your IOT device…
      • Your Fridge!!
      • They have access to your WiFi network
      • They are scanning your network and see your work laptop connected
      • They manage to compromise your laptop
      • You VPN into your corporate network
      • They port scan and find telnet listening on port 23 for a DNS entry called zOSProd
      • And they just happen to know what z/OS is or they google zOSProd or zOS TELNET
      • Start reading and enjoy!!!
      • I don't believe in scaring people, but this could happen!
  37. Being more specific
      • Evaluate device usage scenarios and investigate leading practices to mitigate each risk scenario
      • Invest in a mobile device management (MDM) solution to enforce policies and monitor usage and access
      • Enforce industry standard security policies as a minimum
      • Set a security baseline
      • Differentiate trusted and untrusted device access
      • Introduce more stringent authentication and access controls for critical business apps
      • Add mobile device risk to the organisation’s awareness program
  38. Summary and Conclusions
  39. But remember… We have Users...
  40. But remember… We have Users...
  41. A clear example…
  42. Delivering the best in z services, software, hardware and training.
      • UK: RSM House, Isidore Rd, Bromsgrove Enterprise Park, Bromsgrove B60 3FQ, UK. T: +44 (0)1527 837767. E: info@rsmpartners.com. www.rsmpartners.com
      • US: Suite 1600, 222 So. 9th Street, Minneapolis MN 55402, US. T: +1 (612) 547-0089. E: info@rsmpartners.com. www.rsmpartners.com
      • Rui Miguel Feio, ruif@rsmpartners.com
