Securing IoT in the Enterprise

Transcription:

Securing IoT in the Enterprise Daniel Miessler, IOActive May 2017

About
- Infosec for around 18 years
- Mostly technical testing and enterprise consulting
- Net / app / web / mobile / IoT
- Director of Advisory Services for IOActive
- I do a weekly show on infosec, technology, humans
- Reading, writing, table tennis
- Wrote a book: The Real Internet of Things
- @danielmiessler

Discuss
- A functional definition of IoT
- The IoT Attack Surface
- Securing IoT in the Enterprise
- IoT and Ransomware

What is IoT
- Lots of definitions out there.
- Some are based on connectivity.
- Some require embedded.
- OXFORD(ish): An extension of the Internet where everyday objects have network connectivity, allowing them to send and receive data.

Attack Surface

What do?

IoT Security != Device Security: What they think it is

OWASP IoT Security
- Attack surfaces
- Vulnerabilities
- Medical Devices
- Firmware Analysis
- IoT Event Logging
- ICS / SCADA

OWASP IoT Security
- Ecosystem (general)
- Device Memory
- Device Physical Interfaces
- Device Web Interface
- Device Firmware
- Device Network Services
- Administrative Interface
- Local Data Storage
- Cloud Web Interface
- Third-party Backend APIs
- Update Mechanism
- Mobile Application
- Vendor Backend APIs
- Ecosystem Communication
- Network Traffic
- Privacy
- Sensors

IoT Attack Surfaces
https://github.com/craigz28/firmwalker

Network Focus: What they think it is

Network Focus: What it actually is

Getting Packet Visibility
[Diagram labels: LAN, TAP, Firewall, Internet, PCAP, grep -i Wombat27!]

Get a Tap

Caparser
- Capture all internal traffic from an internal ecosystem
- Exercise the product fully
- Break the .pcap into its component parts using tshark
- Extract any sensitive content from the .pcap
- Associate the sensitive content with where it's being sent
https://github.com/danielmiessler/caparser

tshark(s)
tshark -r diphone.pcap -q -z conv,ip | awk '{print $3}' | grep "^[0-9]" | sort | uniq | awk '{print $1}'
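
The last two Caparser steps (extract the sensitive content, then associate it with where it is being sent) can be sketched as follows, using the known test value from the `grep -i Wombat27!` slide. This is an added example, not code from caparser or the talk; the function names `sample_rows` and `find_leaks`, the tshark field list, the serial number and the sample rows are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not caparser itself): tie seeded test values to the
# destinations that received them.
#
# Input rows are tab-separated "ip.dst, http.host, full URI", the shape
# produced by an assumed invocation such as:
#   tshark -r capture.pcap -Y http.request -T fields \
#          -e ip.dst -e http.host -e http.request.full_uri

# Constructed sample rows (documentation addresses, not a real capture).
sample_rows() {
    printf '%s\t%s\t%s\n' \
        '203.0.113.10' 'api.vendor.example' \
        'http://api.vendor.example/login?user=dm&pass=Wombat27!' \
        '198.51.100.7' 'metrics.thirdparty.example' \
        'http://metrics.thirdparty.example/t?pw=wombat27%21&id=SN-000123' \
        '203.0.113.10' 'api.vendor.example' \
        'http://api.vendor.example/status' \
        '198.51.100.7' 'metrics.thirdparty.example' \
        'http://metrics.thirdparty.example/t?id=SN-000123'
}

# find_leaks VALUES  (comma-separated; rows on stdin)
# Prints: dst_ip <TAB> host <TAB> value <TAB> request_count
# Matching is case-insensitive like `grep -i`, but on fixed strings, so
# characters such as "!" or "." are never treated as regex syntax.
find_leaks() {
    awk -F '\t' -v values="$1" '
        BEGIN {
            n = split(values, c, ",")
            for (i = 1; i <= n; i++) lc[i] = tolower(c[i])
        }
        {
            uri = tolower($3)
            for (i = 1; i <= n; i++)
                if (lc[i] != "" && index(uri, lc[i]) > 0)
                    hits[$1 "\t" $2 "\t" c[i]]++
        }
        END { for (k in hits) print k "\t" hits[k] }
    ' | LC_ALL=C sort
}

# "Wombat27%21" is the percent-encoded form of the test password; a
# literal-only search would miss the third-party destination.
sample_rows | find_leaks 'Wombat27!,Wombat27%21,SN-000123'
```

Searching only for the literal string reports one destination; adding the encoded form surfaces the second, which is why the search list should include the encodings the product is likely to use.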

Caparser Output

Enterprise IoT

Enterprise IoT (attack surface)
The biggest threat to enterprises from IoT is not any specific technology, but blindness to the attack surface.
- Device
- Sensors
- Administration
- Firmware
- Network
- Mobile
- Cloud
- Backend APIs
- Third-party integrations

Enterprise IoT (understand)
Above all else, you have to understand the components and structure of the system you're deploying into your companies.
- How many devices?
- What types of sensors?
- What network are they on?
- How are they administered?
- What ports are open on these systems?
- How is authentication and authorization performed?

Enterprise IoT (assess)
This means doing an IoT deployment risk assessment before implementing any solution.
- What data is being captured?
- Via what sensors?
- Where is it being sent?
- How is it being stored?
- Who has access to it?
- How will it be updated if a flaw is found?
- What can those systems access if they're compromised?
- How bad would it be if this system was unavailable?
- What would we do if that happened?

Enterprise IoT (data)
Increasingly, we're going to have to start thinking about what sensors can perceive, how that data can be leaked, and the implications thereof.
- Installed systems
- Wearables
- Are they recording video?
- Are they recording audio?
- How easy is it to share that content outside?
- What could happen if that content went public?
- New sensor project that connects to electrical sockets and tells you what's happening inside your house.

Enterprise IoT (ransomware)
The way to think about ransomware is this: if it's important to you, they're coming for it.
- Infrastructure
- Data
- Connectivity
- Devices
- Systems
- IoT

Enterprise IoT (three trends)
1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business.
2. You gain business efficiency when those things are network enabled (IoT).
3. Attackers now have a new way to harm your business.

Takeaways
1. IoT is about everyday objects becoming interactive.
2. The IoT attack surface is vastly underestimated.
3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem.
4. Consider what's being captured, via what methods, and how it's being stored and accessed.
5. Be prepared for that system to be compromised or unavailable.
6. Expect ransomware attacks, because IoT means putting our critical dependencies on the network.

Thanks & Contact
Daniel Miessler, IOActive
daniel.miessler@ioactive.com
@danielmiessler
danielmiessler.com/podcast