Principles of IoT Security
Stephanie Sabatini, Cyber Security Professional
Principles of IoT Security: Agenda
Over the next 20 minutes we’ll discuss the following:
The Fear
• Be afraid (very afraid)
The Challenge
• IoT Security isn’t easy
The Solution
• Don’t be a statistic
The Fear
Principles of IoT Security
IoT Security – The Fear
• Baby monitors
• Thermostats
• Cars
• Medical devices
• Children’s toys
• Toasters
• Locks
• ETC…
IoT Security – The Fear
Gartner predicts 26 billion connected devices by 2020
• Revenue exceeding $300 billion in 2020
• $1.9 Trillion in global economic impact
The financially motivated attacker has 26 billion targets and 300 billion reasons.
The Challenge
Principles of IoT Security
IoT Security – The Challenge
The top 10 security challenges with IoT:
1. Insecure Web Interface
2. Insufficient Authentication / Authorization
3. Insecure Network Services
4. Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software / Firmware
10. Poor Physical Security
IoT Security – The Challenge
Many IoT producers aren’t committed to security the way a major tech company would be. Toy companies, for example: internet-connected toys made by Mattel Inc. (Fisher-Price brand) have been hacked, revealing children’s names, ages and geographical location. Those companies specialize in making toys, not security.
These ‘things’ live differently than traditional internet-connected devices, and many of the attacks seen so far exploit exactly those differences.
The challenge is applying security controls to non-traditional devices. The principle is the same, but the control itself needs to be adapted (or innovated) to fit the security gap.
Network + Application + Mobile + Cloud = IoT
The Solution
Principles of IoT Security
Defense in depth layers:
• Perimeter
• Network
• Host
• Application
• Data
IoT Security – The Solution
Security by design and a defense in depth approach consider security from the design phase through to the end-of-life and destruction-of-information phase.
IoT Security – The Solution
A holistic approach needs to be built in – not bolted on
• The device (end point security)
• The cloud
• The mobile application
• The network interfaces
• Encryption
• Authentication
• Patching
• Physical security
• Data Destruction
IoT Security – The Solution
• Developers – build components securely using secure development methodologies and perform static code analysis.
• Infrastructure Support – build infrastructure with secure end points and with detective and preventive controls.
• Testers – include all attack vectors in testing methodologies.
• Manufacturers – Due diligence! Check, test, audit – make sure that you are manufacturing a secure product by bringing experts to the table. Plan for sufficient budgets.
• Consumers – change passwords regularly, use encryption – use the technology safely.
The Conclusion
Principles of IoT Security
IoT Security – The Conclusion
• DO NOT TRY THIS AT HOME!
• Experts! Call the experts!
• Expert solutions can’t be matched by homegrown solutions.
• DON’T PANIC
• Defense in depth
• Innovate!
Stephanie Sabatini
Cyber Security Professional & Strategist
Stephanie@sabatiniconsulting.com
514-895-8635


Editor's Notes

  • #9 (speaker note for slide 9): IoT devices are often sold or transferred during their lifespan; they stay connected for longer periods of time; and they do not follow the traditional one-to-one model of users to applications.