SIX DEGREES OF SEPARATION PLANNING THE IMPACT OF IOT ON YOUR FUTURE AUDITS
AGENDA What is 6 Degrees of Separation What is IoT The Impact of IoT Risks Auditing IoT
WHAT IS 6 DEGREES OF SEPARATION? The idea that all living things and everything else in the world are six or fewer steps away from each other, so that a chain of "a friend of a friend" statements can connect any two people in a maximum of six steps. You are one degree away from someone you know, two degrees from someone they know, three from someone that person knows, and so on. It was originally set out by Frigyes Karinthy in 1929 and popularized in an eponymous 1990 play written by John Guare. Courtesy: Wikipedia
WHAT IS 6 DEGREES OF SEPARATION? A 2007 study by Jure Leskovec and Eric Horvitz examined a data set of instant messages composed of 30 billion conversations among 240 million Microsoft Messenger users in various countries, collected in June 2006. Two people were considered acquainted if they had sent each other a message. The average path length between users was 6.6 hops, and 78% of pairs could be connected with 7 or fewer hops. So you are roughly five people away from connecting with your favorite movie star, Gandhi, the Queen, etc.
WHAT IS 6 DEGREES OF SEPARATION? So? How does this relate to IoT, you ask? You are only five people away from someone, or some business, who uses or benefits from an IoT device. Equally, you are only five people away from someone who wants to use an IoT device maliciously against your business. Courtesy: https://upload.wikimedia.org/wikipedia/commons/8/88/six_degrees_of_separation_01.png
WHAT IS IOT? The Internet of Things is a term taken to mean devices connected to the internet. In 2013 the Global Standards Initiative on Internet of Things defined the IoT as "a global infrastructure for the information society, enabling advanced services by interconnecting things based on existing and evolving interoperable information and communication technologies". For that definition a "thing" is "an object of the physical world or the information world, which is capable of being identified and integrated into communication networks". Courtesy: Wikipedia
WHAT IS IOT? What drives IoT? Connectivity: IPv6. This internet addressing protocol lets every device have a globally unique address, with enough addresses for far more items than the world can produce. Enhanced sensors: a drop in cost combined with an increase in the ability of sensors to capture, analyze, store and transmit data. Low-power, wide-area communications: the ability to transmit from a wide range of sensors across a simplified and secured communication infrastructure using low-power sources. Courtesy: https://blog.protiviti.com/tag/auditing-iot-risk/
WHAT IS IOT? IoT use cases. The taxonomy is arranged around people; each level moves further away from the individual and becomes higher level. The levels run from personal (e.g. wearables) to macro-level control (smart cities, smart highways). Courtesy: https://iwringer.wordpress.com/2015/10/08/taxonomy-of-iot-usecases-seeing-iot-forest-from-the-trees/
WHAT IS IOT? Amazon Dash Button. A Wi-Fi connected device that reorders your favorite product at the press of a button. It is paired with a product of your choice using the Amazon app during setup; when you run out of that product, you press the button and it is ordered from Amazon.
WHAT IS IOT? THE NEXT WAVE!
WHAT IS IOT? Industry Logistics - DHL Vehicle monitoring and maintenance, Real-time tracking of packages, environmental sensors in shipping containers Information-gathering on employees and tools Safety-enhancing features for vehicles and people
WHAT IS IOT? Industry: Caterpillar. The CAT Smartband tracks the activity of equipment operators to improve operator safety, predicting when the wearer's fatigue level will become a safety risk. Courtesy: Caterpillar.com
WHAT IS IOT? GeniCan. Scans the bar code of an item as you throw it away and automatically adds it to your shopping list in the GeniCan app.
WHAT IS IOT? The iSommelier smart wine decanter promises to soften the tannins of a wine, maturing it the way years of cellaring normally would, by aerating it with highly concentrated purified oxygen. There is also a smart base with a digital screen that shows the name of the wine, its vintage and an aeration progress bar, and an app that connects to the decanter to control the device, add aeration programs and gather information about different winemakers. Courtesy: https://www.wareable.com/smart-home/best-smart-kitchen-devices
WHAT IS IOT? IoT is moving fast: cars (diagnostics, insurance tracking devices), lighting systems, refrigerators, telephones, Supervisory Control and Data Acquisition (SCADA) systems, POS devices, traffic control systems, home security systems, smart electricity meters, televisions and DVRs, kitchen appliances (Instant Pot, Anova sous vide cooker, toasters).
IMPACT OF IOT? Perhaps the biggest potential for IoT isn't consumer devices, but: industrial automation, building automation, smart transportation, power and irrigation systems, environmental and pollution monitoring. Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT? Environmental impact Not so Good E-waste (waste of electrical and electronic equipment) filling landfill sites Heavy metals and toxic materials Energy consumption. Huge increase in overall consumption to manage all the devices Demand for more as users become accustomed to usefulness Greater packaging waste Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT? Environmental impact, good: pocket-sized environmental sensors that monitor air quality, radiation, water quality, hazardous airborne chemicals etc. (Airbot, Waterbot, Sensordrone, Sensaris, PressureNet). IoT smart grids in the energy sector could save over 2.0 Gt of CO2 using smart meters and demand-response systems. Through improved energy efficiency and optimized transportation routes, IoT could reduce about 1.9 Gt of CO2 in 5 years. Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT? Other key impacts. Real-time operational data: the performance of individual machines, energy usage in buildings, telematics from your vehicles on the road, connections to field staff, monitoring of remote assets. A richer and faster flow of real-time operational data yields deeper, more accurate insights about your business, so you make better and timelier decisions. Improved operational efficiencies and standards: for example, food and drug manufacturers monitor shipping containers for changes in temperature that could affect product quality and safety.
RISKS IoT devices are always on Attackers have all the time they need How will you know they have been hacked? Business risks Compliance, privacy Technical risks Hacking, device vulnerabilities, Operational risks Performance (slowdown or speed up), shadow or rogue use, managing updates
RISKS At the heart of the matter. Dick Cheney had the wireless access to his defibrillator removed as a precaution while he was Vice President of the USA: when he received a new defibrillator, his doctor, Dr. Reiner, had the manufacturer disable its wireless feature. These devices monitor the heart's electrical activity and, when an arrhythmic event is detected, can deliver a shock that resets the heart's rhythm. They also contain small radio transmitters that let doctors read the device's monitoring of the heart and even reprogram the device to customize it to the patient.
RISKS Medical risks. The May 2017 WannaCry ransomware outbreak locked down medical records in hospitals, infected MRI machines and hit diagnostic radiology equipment.
RISKS Medical Risks Jay Radcliffe, a security researcher at Rapid7 and a diabetic, found that the wireless remote for his Johnson & Johnson Animas OneTouch Ping diabetes pump communicated in an unencrypted fashion "Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump," he wrote last year. "This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction." https://www.pcmag.com/news/354582/can-a-hack-give-you-a-heart-attack?utm_source=email&utm_campaign=dailynews&utm_medium=title
RISKS Home automation: locks, baby monitors, lights, etc. Executives: car tolls, medical devices, homes. Sensitive positions: admins, HR, etc. Possible outcomes: theft, kidnapping, coercion.
RISKS Network risks Connected devices may allow unauthorized access to your inside network Courtesy: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
RISKS Network risks Different degrees of risk Courtesy: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
AUDITING IOT Need a survey / questionnaire to users about internet connected devices in the office Is IoT part of a business strategic initiative? Does the business know what IoT data is collected, and stored? Is the data analyzed for business and security related objectives? Has the organization assessed potential implications? Security Privacy Organizational
AUDITING IOT Risk Assessment Conduct an assessment of risk in your organization through the use of IoT enabled devices Technical risks Business risks Perform a vulnerability assessment Conduct penetration tests on IoT systems Assess the adequacy of the encryption used by IoT systems for communication
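As an added illustration of the sniff-and-spoof problem in the Animas pump slide, and of what "assessing the adequacy of the encryption" comes down to in practice, the Python below is a constructed toy protocol, not the vendor's code or the real pump protocol. It places a weak design that sends a short pairing key in the clear and accepts repeated frames beside a hardened design in which a per-device secret never crosses the air and every command is bound to a strictly increasing counter with an HMAC. Opcodes, frame layout, keys and the "dispense" command are all invented for the example.

```python
"""Toy remote-to-pump command protocol in a weak and a hardened form.
Constructed illustration only: not the Animas OneTouch Ping protocol or any
vendor's code. Opcodes, frame layout and keys are invented."""
from __future__ import annotations

import hashlib
import hmac
import struct

CMD_DISPENSE = 0x01  # hypothetical opcode: "dispense <units>"
KEY_LEN = 4          # weak design: short pairing key carried in every frame
TAG_LEN = 16         # hardened design: truncated HMAC-SHA256 tag


# ---- Weak design: the pairing key rides in the clear and nothing stops a replay ----
def weak_encode(pairing_key: bytes, cmd: int, units: int) -> bytes:
    """Frame = pairing key || cmd || units, all cleartext."""
    return pairing_key + struct.pack(">BH", cmd, units)


def weak_pump_accept(pairing_key: bytes, frame: bytes):
    """Pump accepts any frame that carries the right key, as often as it is sent."""
    if len(frame) != KEY_LEN + 3 or frame[:KEY_LEN] != pairing_key:
        return None
    return struct.unpack(">BH", frame[KEY_LEN:])


def demo_weak() -> dict:
    """An eavesdropper sniffs one frame, lifts the key out of it and forges a bigger dose."""
    key = b"\x12\x34\x56\x78"                     # constructed pairing key
    sniffed = weak_encode(key, CMD_DISPENSE, 2)
    stolen_key = sniffed[:KEY_LEN]               # the key is right there in the frame
    forged = weak_encode(stolen_key, CMD_DISPENSE, 25)
    return {
        "replay": weak_pump_accept(key, sniffed),  # replayed frame accepted
        "forged": weak_pump_accept(key, forged),   # forged dose accepted
    }


# ---- Hardened design: secret never on the wire, HMAC over counter + command ----
class AuthenticatedRemote:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def encode(self, cmd: int, units: int) -> bytes:
        self.counter += 1                         # strictly increasing per message
        body = struct.pack(">IBH", self.counter, cmd, units)
        tag = hmac.new(self.secret, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class AuthenticatedPump:
    BODY_LEN = struct.calcsize(">IBH")            # 4-byte counter, 1-byte cmd, 2-byte units

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = 0

    def accept(self, frame: bytes):
        """Verify the tag in constant time, then reject any counter not above the last seen."""
        if len(frame) != self.BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:self.BODY_LEN], frame[self.BODY_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                           # forged or tampered frame
        counter, cmd, units = struct.unpack(">IBH", body)
        if counter <= self.last_counter:
            return None                           # replay of an earlier frame
        self.last_counter = counter
        return cmd, units


def demo_hardened() -> dict:
    secret = hashlib.sha256(b"constructed-per-device-secret").digest()
    remote, pump = AuthenticatedRemote(secret), AuthenticatedPump(secret)
    frame = remote.encode(CMD_DISPENSE, 2)
    first = pump.accept(frame)
    replayed = pump.accept(frame)                 # same counter again -> rejected
    tampered = bytearray(frame)
    tampered[5:7] = struct.pack(">H", 25)         # units field is bytes 5..6 of the body
    forged = pump.accept(bytes(tampered))         # tag no longer matches -> rejected
    second = pump.accept(remote.encode(CMD_DISPENSE, 3))
    return {"first": first, "replay": replayed, "tampered": forged, "second": second}
```

An HMAC gives authenticity and replay resistance but not confidentiality, so a real device would use an authenticated-encryption mode that also hides the dose value, and would need a way to resynchronise the counter after a battery change. For an auditor the example reduces to three questions to put to any wireless device: is the secret ever transmitted, is every command authenticated, and does the receiver reject repeats.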
AUDITING IOT Monitoring Monitor IoT systems to ensure they are functioning as intended Assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. Assess whether exceptions and failures that occur get properly logged Ensure resolutions to incidents are recorded on a timely basis Assess whether a process is in place for incidents to determine their root causes Ensure that someone is accountable for reviewing logs
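The monitoring questions above ("are failures logged, is anyone reviewing, how will you know a device has been hacked") can be turned into a review that runs over the gateway logs themselves. The Python below is an added example, not part of the original deck or of any product: it reads a constructed IoT gateway log (format, device names and addresses are invented; 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges) and reports devices that have gone silent, connections to destinations outside the expected vendor endpoint, and update failures that should be on someone's incident list.

```python
"""Review constructed IoT gateway log lines for silent devices, unexpected
outbound connections and logged failures. Added example; log format, device
names and addresses are invented for illustration."""
from __future__ import annotations

from datetime import datetime, timedelta

LOG = """2018-03-05T10:00:00Z dev=thermo-2f event=heartbeat
2018-03-05T10:00:00Z dev=cam-lobby event=heartbeat
2018-03-05T10:00:01Z dev=cam-lobby event=connect dst=198.51.100.10:443
2018-03-05T10:05:00Z dev=thermo-2f event=heartbeat
2018-03-05T10:05:00Z dev=cam-lobby event=heartbeat
2018-03-05T10:06:30Z dev=cam-lobby event=connect dst=203.0.113.9:6667
2018-03-05T10:10:00Z dev=thermo-2f event=heartbeat
2018-03-05T10:10:02Z dev=thermo-2f event=firmware_update status=failed reason=signature
2018-03-05T10:15:00Z dev=thermo-2f event=heartbeat
2018-03-05T10:20:00Z dev=thermo-2f event=heartbeat
2018-03-05T10:25:00Z dev=thermo-2f event=heartbeat
"""  # constructed gateway log

ALLOWED_DST = {"198.51.100.10:443"}       # the one vendor endpoint the devices should talk to
HEARTBEAT_EVERY = timedelta(minutes=5)    # assumed reporting interval
SILENT_AFTER = 2 * HEARTBEAT_EVERY        # two missed heartbeats -> raise a finding


def parse(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a record."""
    ts, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def review(log: str = LOG, now: datetime | None = None) -> dict:
    """Return findings keyed by type; 'now' defaults to the last timestamp in the log."""
    records = [parse(l) for l in log.splitlines() if l.strip()]
    now = now or max(r["ts"] for r in records)
    last_seen: dict[str, datetime] = {}
    findings = {"silent": [], "unexpected_dst": [], "failures": []}
    for r in records:
        dev = r["dev"]
        if r["event"] == "heartbeat":
            last_seen[dev] = r["ts"]
        elif r["event"] == "connect" and r["dst"] not in ALLOWED_DST:
            findings["unexpected_dst"].append((dev, r["dst"], r["ts"].isoformat()))
        elif r.get("status") == "failed":
            findings["failures"].append((dev, r["event"], r.get("reason", "")))
    for dev, ts in last_seen.items():
        gap = now - ts
        if gap > SILENT_AFTER:
            findings["silent"].append((dev, ts.isoformat(), int(gap.total_seconds() // 60)))
    return findings
```

On the constructed log the camera stops reporting shortly after it connects to an IRC-style port on an unexpected address, which is exactly the pattern "how will you know they have been hacked?" is asking about, and the thermostat's failed firmware signature check is a logged exception that needs an owner. The thresholds and allow-list are assumptions; an auditor would take them from the device owner's documented baseline.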
AUDITING IOT Is someone accountable? Who manages IoT assets, from purchase to disposal? Know what you have Is a list of IoT enabled devices maintained? Part of asset management? Is it broken down by level of connectivity / risk? Connectivity Who authorizes connectivity to the network? Is that a good idea? Segregated on the network?
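"Know what you have" and "segregated on the network?" become concrete when the asset register is compared against what the network actually sees. The Python below is an added example, not the deck's or any vendor's tooling: it takes a constructed DHCP lease export and a constructed asset register, guesses a device class from the MAC prefix using a placeholder OUI table (the prefixes are invented, not the real IEEE registry), and reports IoT-looking devices nobody registered, registered devices sitting on the wrong segment, and registered devices that are no longer seen.

```python
"""Reconcile observed network devices with an IoT asset register.
Added example; the lease export, register and OUI table are constructed
placeholders (locally administered 02:xx:xx prefixes, not real vendor OUIs)."""
import csv
import io

# Hypothetical OUI -> device class hints (placeholders, not real vendor assignments)
OUI_CLASS = {
    "02:1A:00": "camera",
    "02:1B:00": "thermostat",
    "02:1C:00": "printer",
}

OBSERVED_CSV = """mac,ip,vlan,hostname
02:1A:00:00:00:11,10.20.0.11,iot-20,cam-lobby
02:1B:00:00:00:22,10.10.0.22,corp-10,thermo-2f
02:1A:00:00:00:33,10.10.0.33,corp-10,
02:1C:00:00:00:44,10.10.0.44,corp-10,prn-3f
02:00:00:00:00:55,10.10.0.55,corp-10,ws-alice
"""  # constructed DHCP lease export

REGISTER_CSV = """mac,owner,category,approved_vlan
02:1A:00:00:00:11,facilities,camera,iot-20
02:1B:00:00:00:22,facilities,thermostat,iot-20
02:1C:00:00:00:44,it-ops,printer,corp-10
02:1A:00:00:00:66,facilities,camera,iot-20
"""  # constructed asset register


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def classify(mac: str) -> str:
    """Device class hint from the first three octets, or 'unknown'."""
    return OUI_CLASS.get(mac.upper()[:8], "unknown")


def audit_inventory(observed_csv: str = OBSERVED_CSV, register_csv: str = REGISTER_CSV) -> dict:
    """Three finding lists: unregistered IoT devices, wrong segment, registered but unseen."""
    observed = {r["mac"].upper(): r for r in _rows(observed_csv)}
    register = {r["mac"].upper(): r for r in _rows(register_csv)}
    findings = {"unregistered": [], "wrong_segment": [], "missing": []}
    for mac, row in observed.items():
        cls = classify(mac)
        reg = register.get(mac)
        if reg is None:
            if cls != "unknown":          # looks like an IoT device nobody registered: shadow/rogue use
                findings["unregistered"].append((mac, row["ip"], cls, row["vlan"]))
            continue
        if row["vlan"] != reg["approved_vlan"]:
            findings["wrong_segment"].append((mac, row["vlan"], reg["approved_vlan"], reg["owner"]))
    for mac, reg in register.items():
        if mac not in observed:           # asset on the books but not on the wire: disposed, stolen, or stale record
            findings["missing"].append((mac, reg["category"], reg["owner"]))
    return findings
```

Each finding maps back to a question on the slide: the unregistered camera is the "who authorizes connectivity?" gap, the thermostat on the corporate VLAN is the segregation failure, and the missing camera is the purchase-to-disposal accountability question. Real lease exports and OUI lookups would replace the constructed inputs.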
AUDITING IOT Maintenance Who is accountable and responsible for ensuring regular maintenance? How do you ensure all devices are updated as required? Are stakeholders engaged when considering new devices? Understand risks, benefits, manage rogue use Legal ramifications researched, understood and managed? Compliance, Privacy etc
AUDITING IOT Network properly managed? Denial of Service attacks on IoT devices? Ready for added demand on network bandwidth? Patch management standard updated to include IoT devices? Incident response procedures handling IoT? Insurance updated to include risks associated with IoT?
TACTICS FOR IOT IoT security tactics you might consider: Design good perimeter protection with a firewall and an intrusion prevention system. Implement an emergency incident response program. Include a good identity and access management program in your IoT program for central user control, and implement two-factor authentication where practical. Put the administrators of your devices under privileged-access controls. Look for standardization: the market will soon define standards for the IoT, including security standards. If you have a third-party IoT provider, perform due diligence. Stay informed through key sources of security guidance such as the National Institute of Standards and Technology (NIST). Courtesy: https://securityintelligence.com/how-to-protect-yourself-against-iot-risks/
THANK YOU! Barry D. Lewis lewisb@cerberus-isc.com