SlideShare a Scribd company logo

Sacon - IoT Forum Fresh Thinking (Arvind Tiwary + Bikash Barai)

Priyanka Aash
Priyanka Aash

The document discusses the formation of an IoT Security Task Force by the IoT Forum and CISO Platform to develop approaches for improving IoT security in India. It proposes a framework called SECURENET that uses principles of fresh thinking to better identify cyber attackers, authorize network access, monitor for anomalies, and allow reactive measures like quarantining threats. The framework also suggests a managed security provider model and exploring legal protocols to enable cross-border cooperation against cyber criminals, drawing from concepts in maritime law. Feedback is sought from stakeholders on the technical, legal and policy approaches proposed.

Technology
1 of 23
Download to read offline
1 IoTSecurityTaskForce Fresh Thinking. CISO Platform and IoTForum Intiative Arvind Tiwary, Chair IoTForum Bikash Barai, Co Founder CISO Platform
2 IoTForum: Raising the IoT Quotient of India www.iotforindia.org
3 Task Force on IoT Security IoT Forum & CISO platform join hands to create IoT Security Task force Readying up the Nation for #IoTSecurity The task force is chartered to develop threat models, controls and assist players in new techno-legal- commercial arrangements to improve IoT Security Fresh thinking around Security for IOThttp://wiki.iotforindia.org/FreshThinking
4 IOT Security § Over 13 Standards bodies have a advisory § http://www.cisoplatform.com/profiles/blogs/survey-of-iot-security- standards § FTC, NIST § IoT Security Foundation, Broadband Internet Technical Advisory Group (BITAG) § OWASP § IETF § DICE MUD, OtrF, ACE § IIC Industrial Internet Consortium, Cybersecurity = risk is Money and reputation IoT = risk is accident and human lives
5 Fresh Thinking: Is the Emperor Naked? You don’t change all the locks of each house in a city merrily because criminals can break 7 lever locks in less time
6 IOT Security § Program COMPLEXITY= Algorithm + Data Structure § CyberSecurity Difficulty= Legal + Technical § Internet was designed to withstand disruptive nuclear attack § IP and MAC spoofing make it fundamentally unsecure § Legal Basis § Product Quality and Liability regime – USA § DDOS by House Owners is like Rioters are House owner responsibility? § Petty Wannacry type ransom ware is like carjacking in Joburg § Armoured car ? § Criminal Law § Territorial § Individual, layers of Government § Precinct, City, State, Nation § Right of Self defence We need attribution which can hold in a court of law and can be easily and routinely derived. not require weeks of research?
7 Principles of FreshThinking: Blaming the Victim is so old fashioned § Reduce effort and skill required to secure § Increase probability of detection § Decrees success rewards § Impose costs on criminals. Pirates must be tamed § Law is Territorial. Cyberspace criminals must be caught and booked under laws of piracy and high seas § Special High frequency crime mitigation procedures § Instrument and infect hackers to provide evidence § Protocol between ISP of participating nations § Reduce burden and standard of care for network operators to act § Throttle and block suspicious activity For IoT Network 5 year Sandbox
8 CyberLaw for the Cyber City § Recognize pervasive criminal activity § SPAM, Carjacking § Allow right to self defence § Can instrument, infect and hack-back to identify and prove attacker § The individual house owner is the victim and he should be able to count on neighbours, community and police and not be blamed or denied rights to chase and catch criminals No amount of passive defence can stop pervasive criminal succeeding once in a while Broken Glass syndrome : Catch petty criminals deters big crime also
9 Managed SECURENET § A new business opportunity § Skills and effort required are increasing day by day § Pool and outsource § Hierarchy of Safety providers § Office security, Facility Security, Township , § Police, CISF, BSF, Army
10 Legal Requirements § Fool Proof Identification of actor § Not spoofable MAC and probabilistic pattern based § Establish Mens Rea (Intent) § Deception based defence. Not accidental entrance § Cyber CCTV § Anton Pillar order capability § Civil search and seizure § Execute a Letter of marque § Piracy on high seas
11 Before SECURENET A Few Security Trends …
12 Security, Impossibility & Halting Problem
13 Isolation, Walled Gardens … Zero Trust Model, Beyond Corp ..
14 4 Pillars of SECURENET (1) Identify (Authenticate) (2) Onboard (Authorize) (3) Monitor (4) Off-Board (React)
15 (1) Authenticate & (2) Authorize.. Identity/Authenticati on : Device, People, network Identity.. TPM, HW root of trust Social/Behavior, Biometrics, Multi Factor etc Authorization: Degrees of trust & scenario analysis, provision tiered authority
16
17 (3) Monitor •Centralized/Network Access Proxy: •At main entry point to subnet •Township entry/ Network Access Proxy •Decentralized: •Local Anomaly detection for neighbourhood •OSINT, SIEM, SA, NTA/NBA, CASB, UBA, UEBA •External & Hyper Local Threat Intelligence: •Central Intelligence to Neighbourhood watch
18 (4) React/Offboard •Offboard •Reduce Access/Quarantine: •Deception/Offensive Countermeasures/Active Defense
19 Delegated Police Authority § Semi Private and Semi Public Spaces § Cyber City and Cyber Neighbourhood not Cyber Jungle § Right of Self Defence § Chase a thief into other property § Enter a house from where enemy fire is coming § Stop a speeding truck trying to ram thru a entry gate inspection § Place a marker to trace stolen goods § High Seas and Space Piracy laws § Right for catching a cyberspace criminal § Letters of Marquee to bring criminals to justice
20 CROSS BORDER § PROTOCOL for Countries allowed to connect on SECURENET § FAST , MINIMUM ACTION on suspect SITES automatically § MARTIME LAW is basis In the days of fighting sail, a letter of marque and reprisal was a government license authorizing a person (known as a privateer) to attack and capture enemy vessels and bring them before admiralty courts for condemnation and sale. A "letter of marque and reprisal" would include permission to cross an international border to effect a reprisal (take some action against an attack or injury) authorized by an issuing jurisdiction to conduct reprisal operations outside its borders. Wikipedia The United States Constitution grants to the Congress the power, among others, to issue “Letters of Marque and Reprisal.
21 FreshThinking : Don’t blame victim but hurt criminals § SECURENET for IoT to test out new Techno Legal approach § Technical ability to identify source and produce actionable forensic evidence § Legal approach allowing cyber defence and chasing cyber pirates and hurting them and their assets § Broken Glass principle Security and safety is a stance. An Active defence posture will cut down lots of wannabe hackers. New types of instrumentation and network wide correlation will increase skills and costs of attackers
22 Plan ü Initial discussions IoTNext 2016 (4Q 2016) ü Public Airing 9 Sep 2017 ü CISO Platform 14 Sep ü IoTNext Nov 9 ü SACON Nov 11 § December / January § TSDSI, DOT,TRAI,CDAC, § BSNL. Airtel, Jio, Vodafone, Ericson, Telco Stack § SoC, Chip mfgs § Lawyers, Free Internet § IEEE (Roof) § March 2018 Revisions based on feedback
23 Critique, Alternative, Improvements § Volunteer Please…HARD PROBLEM § Technical Tools and approaches § Enterprise security at scale § Phishing and Super user hijack in IoT § Trigger words for Alexa, Google Home, Siri § MUD, DICE etc § Legal Tools and Approaches § Semi private and Semi Public in Cyberspace § Right to self defence § Delegated policing powers Join IoTSecurity Group www.iotforindia/beta

Recommended

SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)
Priyanka Aash
 
Moving Beyond Zero Trust
Moving Beyond Zero TrustMoving Beyond Zero Trust
Moving Beyond Zero Trust
scoopnewsgroup
 
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
Priyanka Aash
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash
 
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & SecureHow Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Secure
scoopnewsgroup
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Security
Centrify Corporation
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
Lancope, Inc.
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
MarketingArrowECS_CZ
 

Recommended

SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)SACON - Devops-container (Richard Bussiere)
SACON - Devops-container (Richard Bussiere)
Priyanka Aash
 
Moving Beyond Zero Trust
Moving Beyond Zero TrustMoving Beyond Zero Trust
Moving Beyond Zero Trust
scoopnewsgroup
 
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
Priyanka Aash
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash
 
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & SecureHow Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Secure
scoopnewsgroup
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Security
Centrify Corporation
 
The Internet of Everything is Here
The Internet of Everything is HereThe Internet of Everything is Here
The Internet of Everything is Here
Lancope, Inc.
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
MarketingArrowECS_CZ
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
Simplex
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
Denise Bailey
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere
Cisco Canada
 
Seguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable DataSeguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable Data
Cristian Garcia G.
 
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy [Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
Nur Shiqim Chok
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky
 
Inteligentní ochrana osobních údajů v procesu digitální transformace
Inteligentní ochrana osobních údajů v procesu digitální transformaceInteligentní ochrana osobních údajů v procesu digitální transformace
Inteligentní ochrana osobních údajů v procesu digitální transformace
MarketingArrowECS_CZ
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
Er. Ajay Sirsat
 
An in depth understanding in the application of the zero-trust security model...
An in depth understanding in the application of the zero-trust security model...An in depth understanding in the application of the zero-trust security model...
An in depth understanding in the application of the zero-trust security model...
Max Justice
 
Business Continuity and app Security
Business Continuity and app Security Business Continuity and app Security
Business Continuity and app Security
Cristian Garcia G.
 
SACON - Threat hunting (Chandra Prakash)
SACON - Threat hunting (Chandra Prakash)SACON - Threat hunting (Chandra Prakash)
SACON - Threat hunting (Chandra Prakash)
Priyanka Aash
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
MarketingArrowECS_CZ
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architecture
Hybrid IT Europe
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
Okta-Inc
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Cristian Garcia G.
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
AlgoSec
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud
Block Armour
 
Forrester zero trust_dna
Forrester zero trust_dna Forrester zero trust_dna
Forrester zero trust_dna
Cristian Garcia G.
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
Cristian Garcia G.
 
Sacon - IoT Hackfest (Sri Chakradhar K)
Sacon - IoT Hackfest (Sri Chakradhar K)Sacon - IoT Hackfest (Sri Chakradhar K)
Sacon - IoT Hackfest (Sri Chakradhar K)
Priyanka Aash
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)
Priyanka Aash
 

More Related Content

What's hot

Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 

What's hot (20)

Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere
 
Seguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable DataSeguridad en Capas: Smart & Actionable Data
Seguridad en Capas: Smart & Actionable Data
 
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy [Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
[Cisco Connect 2018 - Vietnam] Brian cotaz cyber security strategy
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
 
Inteligentní ochrana osobních údajů v procesu digitální transformace
Inteligentní ochrana osobních údajů v procesu digitální transformaceInteligentní ochrana osobních údajů v procesu digitální transformace
Inteligentní ochrana osobních údajů v procesu digitální transformace
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
 
An in depth understanding in the application of the zero-trust security model...
An in depth understanding in the application of the zero-trust security model...An in depth understanding in the application of the zero-trust security model...
An in depth understanding in the application of the zero-trust security model...
 
Business Continuity and app Security
Business Continuity and app Security Business Continuity and app Security
Business Continuity and app Security
 
SACON - Threat hunting (Chandra Prakash)
SACON - Threat hunting (Chandra Prakash)SACON - Threat hunting (Chandra Prakash)
SACON - Threat hunting (Chandra Prakash)
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architecture
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
 
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificadaProteja sus datos en cualquier servicio Cloud y Web de forma unificada
Proteja sus datos en cualquier servicio Cloud y Web de forma unificada
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud
 
Forrester zero trust_dna
Forrester zero trust_dna Forrester zero trust_dna
Forrester zero trust_dna
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
Ciberseguridad: Enemigos o defraudadores (MAGISTRAL)
 

Viewers also liked

Viewers also liked (17)

Sacon - IoT Hackfest (Sri Chakradhar K)
Sacon - IoT Hackfest (Sri Chakradhar K)Sacon - IoT Hackfest (Sri Chakradhar K)
Sacon - IoT Hackfest (Sri Chakradhar K)
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)
 
Sacon Threat Modeling Overview (Abhishek Datta)
Sacon Threat Modeling Overview (Abhishek Datta)Sacon Threat Modeling Overview (Abhishek Datta)
Sacon Threat Modeling Overview (Abhishek Datta)
 
SACON - Connected cars (Aditya Kakrania)
SACON - Connected cars (Aditya Kakrania)SACON - Connected cars (Aditya Kakrania)
SACON - Connected cars (Aditya Kakrania)
 
SACON - API Security (Suhas Desai)
SACON - API Security (Suhas Desai)SACON - API Security (Suhas Desai)
SACON - API Security (Suhas Desai)
 
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
 
SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)SACON - Incident Response Automation & Orchestration (Amit Modi)
SACON - Incident Response Automation & Orchestration (Amit Modi)
 
SACON - Security Architecture (Arnab Chattopadhayay)
SACON - Security Architecture (Arnab Chattopadhayay)SACON - Security Architecture (Arnab Chattopadhayay)
SACON - Security Architecture (Arnab Chattopadhayay)
 
SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)
 
Sacon - Fresh Thinking IoT (Arnab Chattopadhayay)
Sacon - Fresh Thinking IoT (Arnab Chattopadhayay)Sacon - Fresh Thinking IoT (Arnab Chattopadhayay)
Sacon - Fresh Thinking IoT (Arnab Chattopadhayay)
 
SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)SACON - Beyond corp (Arnab Chattopadhayay)
SACON - Beyond corp (Arnab Chattopadhayay)
 
SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)
SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)
SACON - Cyber Risk Assessment Using Bayesian Network (R Venkat)
 
SACON - Cloud Security Architecture (Moshe Ferber)
SACON - Cloud Security Architecture (Moshe Ferber)SACON - Cloud Security Architecture (Moshe Ferber)
SACON - Cloud Security Architecture (Moshe Ferber)
 
SACON - Enterprise Security Architecture (Bikash Barai)
SACON - Enterprise Security Architecture (Bikash Barai)SACON - Enterprise Security Architecture (Bikash Barai)
SACON - Enterprise Security Architecture (Bikash Barai)
 
SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)SecOps Workshop (Gregory Pickett)
SecOps Workshop (Gregory Pickett)
 
SACON - Windows Forensic (Dr. Phil Polstra)
SACON - Windows Forensic (Dr. Phil Polstra)SACON - Windows Forensic (Dr. Phil Polstra)
SACON - Windows Forensic (Dr. Phil Polstra)
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 

Similar to Sacon - IoT Forum Fresh Thinking (Arvind Tiwary + Bikash Barai)

FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshop
forensicsnation
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
forensicsnation
 
All you need to know about SSI for Corporates and IoT – Heather Vescent
All you need to know about SSI for Corporates and IoT – Heather VescentAll you need to know about SSI for Corporates and IoT – Heather Vescent
All you need to know about SSI for Corporates and IoT – Heather Vescent
Blockchain España
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
AUTM_WRM_Blockchain FINAL.pptx
AUTM_WRM_Blockchain FINAL.pptxAUTM_WRM_Blockchain FINAL.pptx
AUTM_WRM_Blockchain FINAL.pptx
DJ Nag
 

Similar to Sacon - IoT Forum Fresh Thinking (Arvind Tiwary + Bikash Barai) (20)

IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
 
FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshop
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
 
FNC Corporate Protect
FNC Corporate ProtectFNC Corporate Protect
FNC Corporate Protect
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean Cybersecuirty
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
All you need to know about SSI for Corporates and IoT – Heather Vescent
All you need to know about SSI for Corporates and IoT – Heather VescentAll you need to know about SSI for Corporates and IoT – Heather Vescent
All you need to know about SSI for Corporates and IoT – Heather Vescent
 
Hacking blockchain
Hacking blockchainHacking blockchain
Hacking blockchain
 
Fintech & blockchain technology 06.12.2021
Fintech & blockchain technology 06.12.2021Fintech & blockchain technology 06.12.2021
Fintech & blockchain technology 06.12.2021
 
The Realm Of Digital Forensics
The Realm Of Digital ForensicsThe Realm Of Digital Forensics
The Realm Of Digital Forensics
 
Iot privacy vs convenience
Iot privacy vs convenienceIot privacy vs convenience
Iot privacy vs convenience
 
Block chain
Block chainBlock chain
Block chain
 
BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC
BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYCBitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC
BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC
 
Internet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber CrimeInternet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber Crime
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
Cyber Security College Workshop
Cyber Security College WorkshopCyber Security College Workshop
Cyber Security College Workshop
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
AUTM_WRM_Blockchain FINAL.pptx
AUTM_WRM_Blockchain FINAL.pptxAUTM_WRM_Blockchain FINAL.pptx
AUTM_WRM_Blockchain FINAL.pptx
 
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
The Legal Case for Cybersecurity - SecureWorld Denver 2017 (Lunch Keynote)
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Sacon - IoT Forum Fresh Thinking (Arvind Tiwary + Bikash Barai)

  • 1. 1 IoTSecurityTaskForce Fresh Thinking. CISO Platform and IoTForum Intiative Arvind Tiwary, Chair IoTForum Bikash Barai, Co Founder CISO Platform
  • 2. 2 IoTForum: Raising the IoT Quotient of India www.iotforindia.org
  • 3. 3 Task Force on IoT Security IoT Forum & CISO platform join hands to create IoT Security Task force Readying up the Nation for #IoTSecurity The task force is chartered to develop threat models, controls and assist players in new techno-legal- commercial arrangements to improve IoT Security Fresh thinking around Security for IOThttp://wiki.iotforindia.org/FreshThinking
  • 4. 4 IOT Security § Over 13 Standards bodies have a advisory § http://www.cisoplatform.com/profiles/blogs/survey-of-iot-security- standards § FTC, NIST § IoT Security Foundation, Broadband Internet Technical Advisory Group (BITAG) § OWASP § IETF § DICE MUD, OtrF, ACE § IIC Industrial Internet Consortium, Cybersecurity = risk is Money and reputation IoT = risk is accident and human lives
  • 5. 5 Fresh Thinking: Is the Emperor Naked? You don’t change all the locks of each house in a city merrily because criminals can break 7 lever locks in less time
  • 6. 6 IOT Security § Program COMPLEXITY= Algorithm + Data Structure § CyberSecurity Difficulty= Legal + Technical § Internet was designed to withstand disruptive nuclear attack § IP and MAC spoofing make it fundamentally unsecure § Legal Basis § Product Quality and Liability regime – USA § DDOS by House Owners is like Rioters are House owner responsibility? § Petty Wannacry type ransom ware is like carjacking in Joburg § Armoured car ? § Criminal Law § Territorial § Individual, layers of Government § Precinct, City, State, Nation § Right of Self defence We need attribution which can hold in a court of law and can be easily and routinely derived. not require weeks of research?
  • 7. 7 Principles of FreshThinking: Blaming the Victim is so old fashioned § Reduce effort and skill required to secure § Increase probability of detection § Decrees success rewards § Impose costs on criminals. Pirates must be tamed § Law is Territorial. Cyberspace criminals must be caught and booked under laws of piracy and high seas § Special High frequency crime mitigation procedures § Instrument and infect hackers to provide evidence § Protocol between ISP of participating nations § Reduce burden and standard of care for network operators to act § Throttle and block suspicious activity For IoT Network 5 year Sandbox
  • 8. 8 CyberLaw for the Cyber City § Recognize pervasive criminal activity § SPAM, Carjacking § Allow right to self defence § Can instrument, infect and hack-back to identify and prove attacker § The individual house owner is the victim and he should be able to count on neighbours, community and police and not be blamed or denied rights to chase and catch criminals No amount of passive defence can stop pervasive criminal succeeding once in a while Broken Glass syndrome : Catch petty criminals deters big crime also
  • 9. 9 Managed SECURENET § A new business opportunity § Skills and effort required are increasing day by day § Pool and outsource § Hierarchy of Safety providers § Office security, Facility Security, Township , § Police, CISF, BSF, Army
  • 10. 10 Legal Requirements § Fool Proof Identification of actor § Not spoofable MAC and probabilistic pattern based § Establish Mens Rea (Intent) § Deception based defence. Not accidental entrance § Cyber CCTV § Anton Pillar order capability § Civil search and seizure § Execute a Letter of marque § Piracy on high seas
  • 11. 11 Before SECURENET A Few Security Trends …
  • 13. 13 Isolation, Walled Gardens … Zero Trust Model, Beyond Corp ..
  • 14. 14 4 Pillars of SECURENET (1) Identify (Authenticate) (2) Onboard (Authorize) (3) Monitor (4) Off-Board (React)
  • 15. 15 (1) Authenticate & (2) Authorize.. Identity/Authenticati on : Device, People, network Identity.. TPM, HW root of trust Social/Behavior, Biometrics, Multi Factor etc Authorization: Degrees of trust & scenario analysis, provision tiered authority
  • 16. 16
  • 17. 17 (3) Monitor •Centralized/Network Access Proxy: •At main entry point to subnet •Township entry/ Network Access Proxy •Decentralized: •Local Anomaly detection for neighbourhood •OSINT, SIEM, SA, NTA/NBA, CASB, UBA, UEBA •External & Hyper Local Threat Intelligence: •Central Intelligence to Neighbourhood watch
  • 19. 19 Delegated Police Authority § Semi Private and Semi Public Spaces § Cyber City and Cyber Neighbourhood not Cyber Jungle § Right of Self Defence § Chase a thief into other property § Enter a house from where enemy fire is coming § Stop a speeding truck trying to ram thru a entry gate inspection § Place a marker to trace stolen goods § High Seas and Space Piracy laws § Right for catching a cyberspace criminal § Letters of Marquee to bring criminals to justice
  • 20. 20 CROSS BORDER § PROTOCOL for Countries allowed to connect on SECURENET § FAST , MINIMUM ACTION on suspect SITES automatically § MARTIME LAW is basis In the days of fighting sail, a letter of marque and reprisal was a government license authorizing a person (known as a privateer) to attack and capture enemy vessels and bring them before admiralty courts for condemnation and sale. A "letter of marque and reprisal" would include permission to cross an international border to effect a reprisal (take some action against an attack or injury) authorized by an issuing jurisdiction to conduct reprisal operations outside its borders. Wikipedia The United States Constitution grants to the Congress the power, among others, to issue “Letters of Marque and Reprisal.
  • 21. 21 FreshThinking : Don’t blame victim but hurt criminals § SECURENET for IoT to test out new Techno Legal approach § Technical ability to identify source and produce actionable forensic evidence § Legal approach allowing cyber defence and chasing cyber pirates and hurting them and their assets § Broken Glass principle Security and safety is a stance. An Active defence posture will cut down lots of wannabe hackers. New types of instrumentation and network wide correlation will increase skills and costs of attackers
  • 22. 22 Plan ü Initial discussions IoTNext 2016 (4Q 2016) ü Public Airing 9 Sep 2017 ü CISO Platform 14 Sep ü IoTNext Nov 9 ü SACON Nov 11 § December / January § TSDSI, DOT,TRAI,CDAC, § BSNL. Airtel, Jio, Vodafone, Ericson, Telco Stack § SoC, Chip mfgs § Lawyers, Free Internet § IEEE (Roof) § March 2018 Revisions based on feedback
  • 23. 23 Critique, Alternative, Improvements § Volunteer Please…HARD PROBLEM § Technical Tools and approaches § Enterprise security at scale § Phishing and Super user hijack in IoT § Trigger words for Alexa, Google Home, Siri § MUD, DICE etc § Legal Tools and Approaches § Semi private and Semi Public in Cyberspace § Right to self defence § Delegated policing powers Join IoTSecurity Group www.iotforindia/beta