IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...CableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
https://www.cablelabs.com/informed/
In this presentation, Sowmya presents an interesting application that finds malware/viruses in mobile platforms through the use of data mining techniques
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Internet of things are exploding. This whitepaper would help product developers to understand the Security and Privacy issues, their impact and a recommendation for embedding the best practices during PDLC.
Internet of Things means every household or handy device which is used to make our world easy and better and connected with IP which transmit some data.
This slide covers IOT description, OWASP Top 10 2014 & its recommendations.
This presentation will cover all you need to know about mobile and application device security.
With an introduction, threats, applications, security, and useful tips for people who need to know
So, let's get started. If you enjoy this and find the information beneficial, please like and share it with your friends.
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...CableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
https://www.cablelabs.com/informed/
In this presentation, Sowmya presents an interesting application that finds malware/viruses in mobile platforms through the use of data mining techniques
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common Criteria @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Internet of things are exploding. This whitepaper would help product developers to understand the Security and Privacy issues, their impact and a recommendation for embedding the best practices during PDLC.
Internet of Things means every household or handy device which is used to make our world easy and better and connected with IP which transmit some data.
This slide covers IOT description, OWASP Top 10 2014 & its recommendations.
This presentation will cover all you need to know about mobile and application device security.
With an introduction, threats, applications, security, and useful tips for people who need to know
So, let's get started. If you enjoy this and find the information beneficial, please like and share it with your friends.
This presentation discusses about IoT, challenges associated with it, common threats to IoT. It also briefs about how OWASP introduces Vulnerabilities in IoT.
The presentation explains about Data Security as an industrial concept. It addresses
its concern on Data Loss Prevention in detail, from what it is, its approach, the best practices and
common mistakes people make for the same. The presentation concludes with highlighting
Happiest Minds' expertise in the domain.
Learn more about Happiest Minds Data Security Service Offerings
http://www.happiestminds.com/IT-security-services/data-security-services/
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Operational technology (OT) and information technology (IT) security protect devices, networks, systems, and users. Cybersecurity has long been critical in IT and helps organizations keep sensitive data safe, ensure users connect to the internet securely, and detect and prevent potential cyberattacks.
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to online business model, they are failing to consider IoT’s unique threats which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially software which runs IoT devices and is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
This presentation discusses about IoT, challenges associated with it, common threats to IoT. It also briefs about how OWASP introduces Vulnerabilities in IoT.
The presentation explains about Data Security as an industrial concept. It addresses
its concern on Data Loss Prevention in detail, from what it is, its approach, the best practices and
common mistakes people make for the same. The presentation concludes with highlighting
Happiest Minds' expertise in the domain.
Learn more about Happiest Minds Data Security Service Offerings
http://www.happiestminds.com/IT-security-services/data-security-services/
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Operational technology (OT) and information technology (IT) security protect devices, networks, systems, and users. Cybersecurity has long been critical in IT and helps organizations keep sensitive data safe, ensure users connect to the internet securely, and detect and prevent potential cyberattacks.
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to online business model, they are failing to consider IoT’s unique threats which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially software which runs IoT devices and is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
Presentation from IBM InterConnect in Las Vegas March 2017.
Enabling Internet of Things (IoT) so your employees and your customers can have a simplified experience with new services and products sounds exciting. In this session, we will dig into the top ten risks that come with the IoT experience. Due to the rapidly evolving nature of IoT and associated threats, there are risks in allowing access to your enterprise resources. Custom firmware, embedded operating systems and wi-fi connectivity of IoT devices offer many possible areas for exploits and misuse. Come explore current security offerings and get a first look at best practices. Walk away with an immediate checklist to benefit your enterprise as it deploys and offers IoT access.
What are the Challenges of IoT SecurityIoT has many of the same s.docxalanfhall8953
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, however, some challenges that are unique to IoT.
1. Embedded Passwords. Embedding passwords in IoT devices make it easy for remote support technicians to access devices for troubleshooting and simplifies the installation of multiple devices. Of course, it also simplifies access to devices for malicious purposes.
2. Lack of device authentication. Allowing IoT devices access to the network without authenticating opens the network to unknown and unauthorized devices. Rogue devices can serve as an entry point for attacks or even as a source of attacks.
3. Patching and upgrading. Some IoT devices do not provide a simple (or any) means to patch or upgrade software. This results in many IoT devices with vulnerabilities continuing to be in use.
4. Physical hardening. Physical access to IoT devices can introduce risk if those devices are not hardened against physical attack. Such an attack may not be intended to damage the device, but rather to extract information. Simply removing a microSD memory card to read its contents can give an attacker private data, as well as information such as embedded passwords that may allow access to other devices.
5. Outdated components. When vulnerabilities are discovered in hardware or software components of IoT devices, it can be difficult and expensive for manufacturers or users to update or replace them. As with patches, this results in many IoT devices with vulnerabilities continuing to be used.
6. Device monitoring and management. IoT devices do not always have a unique identifier that facilitates asset tracking, monitoring, and management. IT personnel do not necessarily consider IoT devices among the hosts that they monitor and manage. Asset tracking systems sometimes neglect to include IoT devices, so they sit on the network without being managed or monitored.
Most of these issues can be attributed to security being an afterthought (if a thought at all) in the design and manufacturing of IoT devices. Even those IoT developers who consider security in the design process struggle with implementation. Most IoT devices are limited by minimal processing power, memory, and data transfer speeds. This is a necessary evil in order to keep the size and cost of the devices small. Accordingly, security controls must be implemented to compensate for these inherent weaknesses.
The first step to implementing security controls is to determine where those controls are needed. This is another challenge for protecting IoT devices. Since IoT devices are often not recognized as network devices, they get overlooked when inventorying or mapping the network. If you do not know it is there, you cannot protect it.
Fortunately, IoT device manufacturers are beginning to address these issues, but organizations that are planning or currently using IoT cannot sit back and wait for that to happen. There are measures that.
The Internet of Things is the idea that everything around us from cars to ovens can be connected. If everything around us is linked and collecting information, these networks must be able to provide security and privacy to the end-user particularly in low-power lossy networks.
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Rob Alderfer, Moderator
Vice President Technology Policy, CableLabs
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
Chaz Lever
Lead Reseacher, Georgia Tech
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
Though the potential of the IoT is vast, adoption can easily be curtailed by security worries. No company wants their products to be a victim of a hack, yet many do not appear to consider security as a primary driver of design decisions. This presentation will look at IoT security and describe what product designers – regardless of platform – need to be aware of if they want to build a secure and successful device.
IoT security encompasses requirements that are new for many product designers – such as provisioning, authentication, OTA upgrades and link encryption – and weaknesses in any one could potentially be used to compromise the security of the end product. From physical attacks to analysis of communications channels, there are many possible attack vectors that need to be considered.
From hacked routers to refrigerators sending spam email, there have been a lot of scary news stories about Internet of Things (IoT) security, or lack of it. According to the 2014 Hewlett-Packard Internet of Things Research Study, 70% of Internet connected devices they surveyed didn’t even use encrypted network connections. The US Federal Trade Commission (FTC) recently weighed in on the issue too, releasing a report that outlines potential IoT security risks, ranging from unauthorized access and misuse of personal information, to facilitation of attacks on other systems and risks to personal safety.
Final Research Project - Securing IoT Devices What are the Challe.docxtjane3
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, howe.
As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment.
Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include:
• Common cloud threats and vulnerabilities
• Exposing data with insufficient Authorization and Authentication
• The danger of relying on untrusted components
• Distributed Denial of Service (DDoS) and other application attacks
• Securing APIs and other defensive measures
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
This talk will help you, as a decision maker or architect, to understand the risks of migrating a thick client or traditional web application to the modern web. In this talk I’ll give you tools and techniques to make the migration to the modern web painless and secure so you can mitigate common pitfalls without having to make the mistakes first. I’ll be doing demos, and telling lots of stories throughout.
Making some good architectural decisions up front can help you:
- Minimize the risk of data breach
- Protect your user’s privacy
- Make security choices easy the easy default for your developers
- Understand the cloud security model
- Create defaults, policies, wrappers, and guidance for developers
- Detect when developers have bypassed security controls
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
To ensure critical data can only be accessed by authorized personnel, it is paramount to integrate security best practices during development. It’s equally important to protect deployed systems, especially in CI/CD (continuous integration and deployment) and DevOps environments.
Attend this webcast to learn techniques to define, design, develop, test, and maintain secure systems. Particular focus will be paid to software-dependent systems.
Topics include:
• Identifying and risk-rating common vulnerabilities
• Applying practices such as least privilege, input/output sanitation, and system hardening
• Implementing test techniques for system components, COTS, and custom software
Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.
Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.
Topics covered include:
• Properly protecting stored cardholder data - encryption, hashing, masking and truncation
• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security
• How to identify and mitigate missing encryption
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”
How to Hijack a Pizza Delivery Robot with Injection FlawsSecurity Innovation
Welcome to the lighter side of the software security world!
We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).
Topics covered include:
- Injection Flaws
- XSS
- SQL Injection
- Broken Authentication
- Privilege Escalation
- Information Disclosure
- Parameter Tampering
- Configuration Errors
This webinar is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
Ed Adams delivered his talk “Opening the Talent Spigot to Secure Our Digital Future” at both the North American & European 2019 PCI Community Meetings. Here are the slides from that talk.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
The cloud is a cost-effective way to provide maximum accessibility for your customers. However, organizations often fail to optimize and configure it properly for their environment, leaving them inadvertently exposed.
These slides are from our recent webinar covering proven techniques that reduce cloud risk, including:
• Building applications to leverage automation and built-in cloud controls
• Securing access control and key management
• Ensuring essential services are running, reachable, and securely hardened
After running 300+ customer, community and industry events, Security Innovation has received some great feedback to further enhance our award-winning CMD+CTRL Cyber Range. We’ve taken that feedback and made some major improvements to our newly released CMD+CTRL user interface.
In this live webinar, we will unveil the new and improved CMD+CTRL platform, showcasing how it provides players with an improved learning environment, and administrators now have maximum control over in-house events.
The new CMD+CTRL experience includes:
* Enhanced Gamification Experience
* Seamless Event Switching
* Dedicated Player Report Card
* Admin All-in-One mode
* Instant Event Setup
* Event Specific Dashboards
Join us for a first look at all of the new features our CMD+CTRL Cyber Range has to offer.
This session provides an introduction to simulation environments like Cyber Ranges, differentiate them from gamification systems, and discusses the emerging delivery, adoption and organizational lessons learned that are driving further adoption.
Blockchain is a promising technology getting a lot of attention these days; however, organizations aren’t entirely sure how it might improve business operations, what the risk implications are, and the security savviness needed to implement securely.
This webcast will address the most pressing issues and misconceptions surrounding Blockchain today, including:
• What is Blockchain?
• What are the new technologies I need to understand?
• Use Cases: where is Blockchain most advantageous?
• Snooze Cases: where/when is Blockchain a bad idea?
• What are the most common pitfalls with Blockchain?
Software runs our world — the cars we drive, the phones we use, the websites we browse, the entertainment we consume. In every instance privacy risks abound. How do software development teams design and build software to ensure privacy data is protected?
Attend this webcast to learn practical tips to build software applications that protect privacy data. Understand the requirements of new laws such as GDPR and the impact they have on software development.
Topics covered:
• Designing for Privacy: least privilege and compartmentalization
• Creating privacy impact rating
• Implementing application privacy controls
• Techniques for effective privacy testing
Privacy has overtaken security as a top concern for many organizations. New laws such as GDPR come with steep fines and stringent rules, and more are certainly to come. Attend this webcast to learn how everyday business operations put customer privacy data at risk. More importantly understand best practices on protecting this data and dealing with disclosure requirements. Topics include:
* Types of privacy and threats to them
* How is privacy different than security?
* Business systems putting you most at risk
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineering and software team lead thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
When GDPR becomes law in a few months, it will be the most wide-ranging and stringent data protection initiative in history. To prepare for this sea change, most organizations have streamlined and detailed their information security policies; however, many are unaware that immature application security programs arguably pose the biggest threat of a data breach. This oft-forgotten piece of data protection puts organizations at risk of GDPR fines.
Attend this joint webinar with Security Innovation and Smarttech247 to learn practical tips on incorporating application security best practices into an InfoSec program to achieve GDPR compliance.
Topics include:
* Summary of GDPR key concepts
* Security of data processing in software and the CIA triad
* The people and process problem of GDPR: Governance
* Using Data Protection by Design for secure design and business logic
* Assessments to verify the security of processing
Presenters:
Roman Garber, Security Innovation
Edward Skraba, Smarttech247
The OWASP Top Ten is the de-facto web application security standard because it reflects the evolving threat landscape, providing organizations a framework to manage and mitigate application security risk.
This presentation examines the critical newcomers and pesky incumbents from both an offensive and defensive perspective. Our experts share their insight on how to harden Web applications and align your program towards OWASP compliance.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
3. About Me
• CEO by day; engineer by trade (and heart)
• Mechanical Engineer, Software Engineer
• Research Fellow, Ponemon Institute
• Privacy by Design Ambassador, Canada
• In younger days, built non-lethal weapons
systems for US Federal Government
4. Agenda
Security Risks of IoT Devices
• Risk-based Testing Essentials
• IoT Device Considerations
• Securing Our Digital Future
6. Good Ol’ Days: Devices Were Just Devices
• Ran on a little code; made to serve a specific purpose
• Cash payments
• Real-time changes; no “wait for compile” and see
• Had to be physically at the device to access/change
• Sharing data meant print, verbal, film, CD, etc.
7. Today’s Devices are Still Devices but...
• Run on LOTS of code; made to serve single/multiple purposes
• Make changes from anywhere via cellular or Wi-Fi connection
• Sharing data is instantaneous and digital
8. The Mirai Botnet (aka Dyn Attack)
A not so oldie but goodie
• Domain Name System (DNS) service disrupted
• Affected nearly 1/3 of all Internet users in US and Europe
• No access to (short list):
• Amazon.com
• Comcast
• DirecTV
• GitHub
• Netflix
• Twitter
• PayPal
• Starbucks
• Verizon
• Visa
• Walgreens
• Xbox Live
• PlayStation Network
• iHeart Radio
• BBC
• NY Times
• GrubHub
• Slack
Millions of IoT Devices (printers, IP cameras, baby monitors) infected
with Mirai malware and used to flood Dyn with traffic (DDoS)
9. More Recent IoT Trouble
Consumer & Medical Devices
• 465,000 vulnerable pacemakers from St. Jude
• Implantable cardiac devices have vulnerabilities
• Unauthorized remote access
• Deplete battery, change pacing, or deliver shocks
• Owlet WiFi Baby Heart Monitor
• Alerts parents when babies have heart troubles
• Connectivity element makes them exploitable
• TRENDnet SecurView Webcam
• Faulty software anyone who obtained a camera’s IP address
could look through it and listen as well
• Transmitted user login credentials in clear, readable text
• Mobile app stored login information in clear, readable text
Best intentions exploited via careless manufacture configuration
10. Governments & Customers Getting Involved
• FTC vs D-Link: The legal risks of IoT insecurity
• Lawsuit against D-Link
• Claims company put thousands of customers at risk
• Unauthorized access to its IP cameras and routers
• Customers vs John Deere: The business risks of IoT
• US farmers dispute rights to repair their tractors
• Contain embedded software (it’s an IoT device)
• Company issued a new license agreement
• Prohibits software modification on its tractors
• Ensure all repairs are done by John Deere contractors
11. Skimmers
• Evolved from mag stripe readers
Bluetooth and cellular transmitters
• devices keep getting smaller
• embedded inside pumps and PoS devices
• Future skimmers
• Embedded devices that don't steal credit card data
but rather attack your networks directly.
13. Convenience-Risk Trade Offs
• Building in security takes time initially; equates to money
• Time to market pressures often trump this investment
• Security can equate to safety in consumer IoT devices
• Ease of setup and operation
• Consumers want devices to “just work”
• Quick setup and minimal configuration required
• Often means little to no authentication or default (same for all devices)
• When vulnerabilities discovered, patching is the answer
• But IoT patching can be difficult, impossible, and illegal
Consumers demand easy and convenient features, until they backfire
14. Today’s IoT Deployment in Practice
• How is testing IoT different from our other platforms, e.g., web, mobile cloud? The
answer is it’s not very different.
• Most IoT devices are connected to many of the following:
• Mobile App
• APIs
• Cloud Infrastructure
• Web App
• KEYPOINT: IoT is not a magical technology,
but a mash up of many different technologies
– and at its core, it’s just almost all software
Sources: “International Journal of Web Portals” Ahmedi, Sejdiu, et al; Geoff Vaughan Security Innovation, Inc.
15. Top 4 IoT Security Weak Points
• Insufficient Security Awareness
• Humans #1 weak point: building, deploying, using
• Weak Physical Security
• Debug interfaces (JTAG, UART, etc.) and USB ports allow unintended device or
data access
• Infrequent Updates
• Firmware, device apps, admin apps/interfaces
• Expensive and/or remote IoT devices long lifespan (difficult to update)
• Weak Data Protection
• Data at rest/transit uses weak encryption techniques
• Lack of dedicated security chips and modules to store sensitive data.
16. 3 Must-have IoT Security Considerations
• “Shift left”
• Think security earlier and more often in system design
• Account for resources that will be able to provide security updates
• Could be vendor, e.g., maintenance agreement, and/or internal staff, e.g., patching
• KEYPOINT: Every component needs to be tested as part of the ecosystem
• Not just individual IoT device testing
Sources: “Dr. Dobbs” Larry Smith; Geoff Vaughan Security Innovation, Inc.
17. Start with “Simple” Questions
• How is the IoT deployed in our organization today, and who owns it or its
respective components?
• IoT inventory and business activity/role
• Don’t expect the word “IoT” to show up in project docs
• Do we know what data is collected, stored and analyzed? Have we assessed the
legal, security and privacy implications?
• Governance policies cover data captured at thousands of sensors?
• Do we have contingency plans in place in case our IoT “things” are hijacked or
modified for unintended purposes?
Driven by Key Threats & Attack Surface
18. Start by Assessing IoT Risk/Liability
IoT Connection Chain Ownership Threats
Device hardware/firmware Vendor X Known vulnerabilities with Vendor products
Patching process for Vendor X products
Mobile application Vendor Y Secure SDLC activities for Vendor Y
Web application Us Our own Secure SDLC activities/process
Information/Data management Us Storage and transport of data
Where is it encrypted?
Channels of transmission Telco X Security guarantees/SLA with Telco X
User authentication/roles Us Enumerate each role and authorized activity
Authentication for each role
19. US FTC IoT Security Best Practices*
• Build security into devices at the outset, rather than as an afterthought
• Train employees about the importance of security
• Ensure security is managed at an appropriate level in the organization
• Ensure outside service providers are capable of maintaining reasonable security, and
provide oversight of providers
• Consider a “defense-in-depth” strategy whereby multiple layers of security may be used
to defend against a particular risk
• Keep unauthorized users from accessing device data, or personal info
• Monitor connected devices; provide security patches for known risks
* https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices
20. Agenda
• Security Risks of IoT Devices
• Risk-based Testing Essentials
IoT Device Considerations
• Securing Our Digital Future
21. Testing IoT Devices
• ~8-10 very technology specific areas to consider
• Component Identification and Classification
• Static Firmware Analysis
• Dynamic Debugging
• Peripheral Hacking
• Protocols and Data Sniffing
• WIFI
• BLE
• SDR
• Cellular
• USB
• Hardware Hacks
• JTAG
• UART
• SPI
• Obtain from vendor website
• Web search: support and community forums
• Reverse the mobile application
• Sniffing the OTA update mechanism
• Dumping it from the device
Tools such as Binwalk, IDA
Pro, Radare2 can be usefulSimilar to other network-based testing
• What services are running?
• What communication protocols are being used?
• What ports are open?
• What version is running? Known vulnerability?
Sources: Attify, Security Innovation
22. Agenda
• How Connected Are We?
• Nothing Ever Goes Wrong… Right?
• IoT Device Considerations
Securing Our Digital Future
23. Top 5 IoT Security Tips
TIPS
Secure the Device OS and Firmware
Ensure Sufficient Data Protection
Secure the Physical Device
Secure the Communication Channel
Enforce Authentication and Authorization
24. Secure the Device OS and Firmware
Security Controls
Ensure updates are over a secure channel, signed and verified
Ensure bootloader firmware is secure and has not been tampered with
Ensure installed bootloader is verified at every stage of boot sequence
Ensure device makes use of full disk encryption
Disable unnecessary services running on the device
Protect against fuzzing and buffer overflow attacks
Ensure that binaries are compiled and signed for security
25. Ensure Sufficient Data Protection
Security Controls
Encrypt data at rest using strong and known encryption techniques
Ensure device uses dedicated security chips and modules to store sensitive data
Avoid usage of hard-coded credentials or cryptographic key
Do not collect data not essential for device functionality
Avoid usage of weak, broken, or risky cryptographic algorithms
Log all secure data access and alter events
Ensure authentication and authorization to all PII
26. Secure the Physical Device
Security Controls
Ensure data storage is not directly accessible
Test debug interfaces (JTAG, UART, etc.) and USB ports for unintended
device or data access
Ensure tamper protection/resistance techniques are in use
Limit the admin functionalities present on the device
27. Secure the Communication Channel
Security Controls
Secure the Wi-Fi interface via secure configurations (encryption, password, etc.)
and drivers
Ensure protection against Denial-of-Service (DoS) and fuzzing attacks
Secure the exposed services and keys during device enrollment
Audit the file, printer and device sharing mechanism in place regularly
Secure the Bluetooth interface via secure configurations (discovery modes, PIN,
etc.) and drivers
Verify that secure Bluetooth modes are in use
Ensure sensitive data is not sent over unencrypted bus lines
28. Enforce Authentication and Authorization
Security Controls
Ensure role-based access control is currently in place
Mandate the use of multi-factor authentication for privileged accounts
Ensure that a strong password management policy is in place
29. Summary of Tips for Securing IoT Systems
• Know your technology vendor’s track record
• Update your evaluation process, if necessary
• Invest in security training for all in-house systems staff
• From “Don’t Click on Sh*t” toTechnical/Configuration for IT/Ops teams
• Perform proactive penetration testing
• Obtain right to do so from 3rd-parties
• Adopt a "defense-in-depth" strategy
• e.g.,WAF between IoT devices and cloud admin app?
• Eliminate all hardcoded default passwords and backdoors
IoT Security Toolkit: https://tinyurl.com/y4zxw577
30. Engage with Security Professionals
•Have a chat with us
•Bug Bounty Programs
•Non-hostile relationship with “researchers”
•Vulnerability Disclosure Program
•Direct Relationship
• Use as independent 3rd-party
• Share info about good/bad ones
All of our devices are conveniently connected and able to communicate with each other either via central control systems or with some consumption device like your phone or tablet. Getting too hot? Just have your thermostat signal your blinds to close. Speak into your phone and have your front-door unlock. Washing machine in need of a check-up? It can request service by itself through an API call.
loaded with Attack Vectors
Cloud apps and wireless networks accessible by others
Distributed devices may be used for email, DDoS, and other applications subjected to social engineering
Devices may be accessible by unknown/unauthorized people
Devices may have open connections
Devices likely lack encryption
Physical interfaces on the devices leak sensitive data
Debug ports lead to privileged access on the device
Radio and network communication protocols can be exploited
Weak Firmware security can lead to device compromise
Summary - Friday October 21, 2016 - Dyn (The company that controls much of internets domain name system infrastructure) came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against its Managed DNS infrastructure. High flood of TCP and UDP traffic both with destination port 53 (DNS port) from large number of source IP addresses. When service went down – legitimate devices started trying to reconnect to the services. This made it difficult to differentiate between real and fake requests.
Many devices had no login credentials; others had default username-password; the “tough” ones to crack were easily brute-forced by Mirai
Mirai open-source software freely available
St. Jude/ Abbott:
The wireless protocol (RF) used had serious security vulnerabilities that could be exploited by unauthorized attackers (as far as 10 ft away .. but can be extended with off-the-shelf parts). The unauthorized commands could modify device settings (e.g., stop pacing), deliver shocks or impact device functionality.
Owlet WiFi Baby Heart Monitor: sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to parent's smartphones if anything is amiss. Vulnerabiility was that the device created its own base station which is basically an unlocked wifi network that anyone can join. After joining the attackers can monitor a stranger's baby and prevent alerts from being sent out.
we conduct trainings at well known conferences like Black Hat. That way they can trust that we know what we are talking about.
Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat.
In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches.
Weak Physical Security – Opening up the IoT device you can find test pads. These may be debug ports like JTAG, UART. In the past we’ve encountered devices that directly drop us to “root” when we connect hardware tools to it (Eg: http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ and https://blog.malwarebytes.com/security-world/2014/02/uart-root-shell-on-commercial-devices/). This is pretty common in our projects too.
Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out-of-date; it also becomes vulnerable to threats.
IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up-to-date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
we conduct trainings at well known conferences like Black Hat. That way they can trust that we know what we are talking about.
Most organizations don’t have sufficient in-house expertise to keep their IoT systems secure day in and day out. Developers, testers, operators, and system administrators often lack the training to identify common vulnerabilities, understand why they’re dangerous, and mitigate their risks. Without this in-house security expertise, IT staff don’t recognize system vulnerabilities until after a hack or breach occurs. People can’t protect themselves if they don’t understand the threat.
In addition to this lack of in-house knowledge, when organizations deploy IoT systems, they’re also typically constricted by tight deadlines and inadequate in-house experience. These combined constraints, coupled with complex documentation and deployment processes, will inevitably leave systems unsecured and vulnerable to hacks and breaches.
Weak Physical Security – Opening up the IoT device you can find test pads. These may be debug ports like JTAG, UART. In the past we’ve encountered devices that directly drop us to “root” when we connect hardware tools to it (Eg: http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ and https://blog.malwarebytes.com/security-world/2014/02/uart-root-shell-on-commercial-devices/). This is pretty common in our projects too.
Updating firmware on IoT devices can be a daunting task. It’s understandable that an organization may want to avoid the hassle and potential business risk of updating firmware regularly, especially if the business doesn’t have trusted processes in place. But firmware releases often contain critical security updates. By skipping releases, not only does an IoT infrastructure get out-of-date; it also becomes vulnerable to threats.
IoT devices tend to have a much longer lifespan than typical software applications, largely because they are physical devices, some of which have relatively high capital costs (think refrigerators and TVs). The legacy systems supporting these devices can be difficult to keep up-to-date, and may have vulnerabilities that can't easily be patched due to legacy design issues or a lack of vendor support.
How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.
Go back to the Attack Surface list and start identifying who owns what
Then discuss threats for each piece of the IoT chain
Finally, discuss steps to mitigate each threat identified
If you’re investing in new IoT technology, perform due diligence to understand whether the vendor comes with a history of insecure firmware, inadequate responses to public vulnerability reports, or any kind of lax attitude towards security. If so, find a different vendor.
In-house expertise and sound internal processes can help prevent human error and ensure systems are secure. However, because they can't prevent what they don't know, developers need to understand common vulnerabilities before they can avoid them. When planning your initial security spending priorities, ensuring the security knowledge of your in-house staff will be your best line of defense, and will deliver your best security value overall. Remember that if you’re switching to a new IoT technology platform, your operations, system admins, testers, and others have to be ramped up on the new technology. They’ll also need to draft new systems deployment, configuration, and verification guidelines.
Organizations, particularly those with high-risk applications, need to undergo regular penetration testing – before product launch (for manufacturers) and before product deployment (for customers). Too often, penetration testing doesn’t happen until after a breach, public disclosure, or other event that tarnishes a company’s brand or leaks customer data.
IT managers can mistakenly assume that their firewalls, network segmentation, and perimeter defenses will be enough to secure their IoT assets. As a result, they fail to prioritize application security on the devices themselves, leaving gaping security holes. The IoT firmware, applications that run on the IoT devices, communication to outside resources, and servers (to which IoT devices upload data), all need to be secured.
Device firmware sometimes includes default credentials or "administrative backdoors.” While these "features" may make it easier to troubleshoot potential problems that on the devices, they also create a large attack surface for hackers. The safest solution is to adopt the more secure key-based and multi-factor forms of authentication.