Summary: The Internet of Things has been touted as the centerpiece of many innovative devices as it grows to encompass nearly every type of product imaginable. Already, appliances, cars and even buildings are being equipped with the capability to access Wi-Fi and wired networks. This has led to new efficiencies and data-driven opportunities for enterprises across the board. When you hear “the next big thing,” do you think they’re thinking big enough? Attend this webinar to find out more. Presenter: This webinar will be presented by Arthur Donkens, the managing partner of ITSX. Arthur has been active in information security since 1986, by advising, auditing and collaborating with more than 30 top class companies. Through his rich experience, he has been issued with credible certificates in information security, and has contributed in this sector by writing articles and whitepapers that are available. His moto is “Balancing security and business goals through well designed security architectures.”

1. Internet of Things
Security of Things?

2. Agenda
What is this all about?
Who am I?
Different views
Now what?

3. IoT, what is it about?
Grid of (inter)connected data sources and sinks
Ubiquitous (even pervasive?)
Monitoring most (or all?) aspects of your daily
live

4. Who am I?
Interested in info sec, technology and
organisation
Trainer for PECB (ISO27001, 27005, 31000)
Concerned citizen with respect to privacy (also
for the next generation)
arthur@itsx.com

5. Managing expectations
This webinar contains some opinions and
personal views that are meant to trigger your
own questions and considerations.
There is a lot of information available on the
Internet on the technology of IoT, but
technology is just a very small part of ‘the
problem’.

6. Managing expectations
IoT challenges are present on more fundamental
levels:
Data ownership, trust, responsible actions etc…

7. Managing expectations
This is not a presentation on how great
Internet of Things is!

8. Internet of Things
Philosophical view

9. Internet of Things
Nowadays anything can generate data:

10. Internet of Things
And one man’s data is a company’s information!
Information has value, it provides insights and
can be used for profiling and predictive
modelling

11. Internet of Things
Expected value in 2020 of Internet of Things
Remember, this is the estimated value of the
information, not the actual devices…

12. Internet of Things
You should wonder:
Are you the user or the product?

13. Internet of Things
Technological view

14. Internet of Things
Sensors (environment, location, health etc)
Connectivity (bluetooth, wifi, WAN)
Storage (Big Data)
Cloud
Control (remote and local)

15. Internet of Things

16. Internet of Things
Lot’s of devices (estimation: > 20 billion in 2020)
Embedded technology
IPv6 (large address space)
Devices can be stationary and/or mobile
(wearable)

17. Internet of Things
How secure are communications?
How secure is the embedded software?
How about patches and updates?
What about the CIA triangle?
What about accountability?

18. Internet of Things
How do devices authenticate?
How are devices authorised?
What do devices log and for how long?

19. Internet of Things
Do devices monitor more than advertised?
Who can can control the devices?
(smart TV’s listening to conversations in your living
room)

20. Internet of Things
Technological threats and risks are no different
from the ones we currently know and see.
Due to the vast amount of devices and data,
(large scale) breaches are inevitable!
Prevention is an illusion, (responsible) reaction
often the only option.

21. Internet of Things
How would you even detect a breach on an IoT
device?
Does your fridge suddenly order 10 kegs of beer?

22. Internet of Things
Data / information view

23. Internet of Things
20 billion IoT devices generate a LOT of data!
Thus: Big Data

24. Internet of Things
Fundamental question:
Who own this data?
The data source(s)?
The data sink(s)?
Other parties?

25. Internet of Things
Additional complications:
Privacy laws are national, IoT is global
How to enforce these laws?
What exactly are personal data?

26. Internet of Things
Example: difference between US and EU:
“Under EU law, personal data can be collected only under strict conditions and
for a legitimate purpose. The main component of the EU data protection law
is the Data Protection Directive 1995/46/EC.
In the US, there is no all-encompassing law regulating the collection and
processing of personal data. Instead, data protection is regulated by many
state and federal laws.”
Source: http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-
and-us/

27. Internet of Things
Data vs metadata
“In a sufficiently large data set, metadata
becomes more valuable than actual data” (me)

28. Internet of Things
IoT metadata:
Locations (especially sequences)
Timing (frequency, duration)
Proximity to other IoT devices
Collection of device types

29. Internet of Things
IoT metadata patterns allow for easy
identification of people, their preferences and
living situation.

30. Internet of Things
It is surprising how small a sample needs to be
to uniquely identify a person.
For more information (OPSEC intelligence):
The Grugq
http://grugq.github.io/

31. Internet of Things
Wrapping up…
IoT offers a lot of new and exciting opportunities
Big value and big data
Privacy will be an issue
Infosec will be an issue
What is the price you are willing to pay?