Deliveringthebestinzservices,so2ware,hardwareandtraining.Deliveringthebestinzservices,so2ware,hardwareandtraining.

WorldClasszSpecialists

IoT&BYOD-TheNewSecurityRisks

RuiMiguelFeio–SecurityLead

Agenda•  Introduc:on•  TheInternetOfThings(IoT)•  BringYourOwnDevice(BYOD)•  ExposingtheMainframe•  OnaniceSundaymorning…•  WhattoDo?•  ReferencesandResources•  Ques:ons?

Introduc:on-RuiFeio–  SecurityleadatRSMPartners

–  Beenworkingwithmainframesforthepast17years

–  StartedasanMVSSystemsProgrammerwithIBM

–  Specialisesinmainframesecurity

–  Experienceinnon-mainframeplaUormsaswell

–  Beengivenpresenta:onsallovertheworld

TheInternetofThings

IoT–Whatisit?–  IoTstandsforInternetofThings

–  Termusedtodescribephysicalobjectsthatcancommunicatewitheachotherandcompletetaskswithoutanyhumaninvolvementhavingtotakeplace.

–  Examples:•  Vehicles,appliances,buildings,…•  Anyitemembeddedwithelectronics,so2ware,sensors,andnetworkconnec:vity

IoT–Somenumbers•  AstudyconductbytheGartnersays:

–  Morethan4.9billionIoTconnecteddevicesin2015

–  6.4billionIoTconnecteddevicesin2016

–  Morethan20billionIoTconnecteddevicesin2020

•  ACISCOreportpredictstherewillbe50billionIoTconnecteddevicesin2020!

IoT–It’sheretostay

IoT–Theproblem•  Trendyfashionabledevicesareproducedtoappealtothetechnical

savvyconsumers

•  ButthemanufacturersofIoTdevicestendnottohavesecurityinmind

•  Somedeviceslikerouters,havethefirmwarecustomisedbytheInternetServiceProviders(ISP):–  Don’tallowfirmwareupdatesdirectlyfromthemanufacturer–  Don’tprovidecustomisedupdatedversionsofthefirmware

IoT–Thisleadsto…

IoT–Andto…

IoT–Andevento…

IoTandCyberCrime•  HPstudyreveals70%ofIoTdevicesarevulnerabletoafacks

•  Cybercriminalsareworkingonnewtechniquesforgehngthroughthesecurityofestablishedorganisa:onsfocusingonIoT:–  Homeappliances–  Officeequipment–  Smartdevices

•  IoTdevicesareeasiertohackastheydon’thaverobustsecuritymeasures

IoT–Howtohack?•  Thereareseveralresourcesavailableintheinternetanddarkweb:

–  Websites–  Blogs–  Forums–  So2waretools–  Scripts–  Vulnerabili:es–  Specialisedsearchengines

Shodan–TheIoTSearchEngine

hAps://www.shodan.io/

Shodan–AnExample

IoT-TheHeadofUSintelligence

IoT–TheNSAChiefofTAO

IoT–TheRisk•  YourhomenetworkcanbecompromisedbyoneofyourownIoT

devices•  HowsecureareyourIoTdevices?•  Howfrequentlydoyouupdatethefirmwareandso2wareofthe

devices?•  AretheIoTdevicess:llsupportedbythemanufacturer?•  Youconnectfromhometoyourcompany’snetwork•  Whatwillithappenifyourhomenetworkiscompromised?•  Howlongwillittakeforahackertoexploitthissecurityflaw?

IoT–TheRisk@Home

BringYourOwnDevice

BYOD–Whatisit?•  BYODstandsforBringYourOwn

Device•  It’sbecomingthestandardwhich

allowsemployeestousetheirownpersonaldevicestoaccessthecompany’snetworkremotely,eitherfromtheirhomeloca:onorfromtheworkplace

•  Seenbycompaniesasawaytoreducecosts

BYOD–SomenumbersAstudyfromGartner:

•  38%ofUSCIOswereexpectedtosupportBYODbytheendof2012

•  82%ofsurveyedcompaniesin2013allowedsomeorallworkerstouseemployee-owneddevices

•  By2017halfofallemployerswillu:liseBYODdevicestoreducecostsandincreaseusabilityintheworkplace.

BYOD–Theproblem•  Therearealargenumberofsecurityrisks:

–  Asthedeviceisownedbytheemployee,itisalsousedfortheirownpersonaluse

–  Theorganisa:onhaslimitedcontrolovertheBYODdevicesandhowtheyareused

–  IftheBYODdevicebecomesinfectedorcompromised,theafackercouldusethisasaplaUormtoafackthecompany’snetwork

BYOD–Thisleadsto…

BYOD–Andto…

BYODandCyberCrime•  IntheUKinadocumenten:tled”10StepstoCyberSecurity”the

GCHQhasadvisedbusinessestoconsiderbanningbringyourowndevice(BYOD)becausestaffrepresentthe"weakestlinkinthesecuritychain”

•  Approximately22%ofthetotalnumberofmobiledevicesproducedwillbelostorstolenduringtheirlife:me,andover50%ofthesewillneverberecovered

•  AccordingtoKaspersky,98%ofiden:fiedmobilemalwaretargettheAndroidplaUorm,andthenumberofvariantsofmalwareforAndroidsgrew163%in2012comparedwith2011.

BYOD–TheRisk•  A2015PonemonIns:tutestudyreports:

–  Negligentemployeesareseenasthegreatestsourceofendpointrisk•  IncreasednumberofBYODdevicesconnectedtothenetwork(includingmobiledevices)

•  Useofcommercialcloudapplica:onsintheworkplace

•  Securitymanagementcontroltasksbecomelessefficientandmoredifficulttoimplement,‘crea:ngholes’thatcanbeexploitedbyhackers

BYOD–TheRiskofMobiledevices

ExposingtheMainframe

IoT&BYODvsTheMainframe•  Remember:themainframeisjustanotherplaUormresidinginthe

company’snetwork

•  Ifthenetworkiscompromisedthemainframecanbedirectlyorindirectlyaffected

•  UsingBYODcreateschallengestothecompany’ssecurityteamthatcanbedifficulttotackle

•  Youmaythinkthatyourhomenetworkissecure;youupdateyourlaptopwiththelatestsecuritypatches,an:virusandfirewalldefini:ons,but…haveyoueverconsideredtheIoTdevices?

OnaniceSundayMorning…

OnaniceSundaymorning…

OnitsTVscreenfacingthestreet

Whattodo?

Whatcanbedone?•  ManufacturersofIoTdevicesneedtostartfocusingmoreon

security

•  GovernmentsmusttakeleadinIoTsecurity

•  IsanIoTwatchdogneeded?

•  Companiesandindividualsneedtobemoresecurityconsciousandconsidertheimplica:onsofBYODandIoT

•  Reducingcostsontheshorttermcanleadtogreatfinanciallossesinthemediumandlongtermforeveryone

Whatcanbedone?•  Strongsecuritypoliciesandrulesneedtobeinplacetoensurethat

anyBYODdeviceissecuritycompliant

•  EmployeesneedtobeeducatedabouttherisksandchallengesofbothIoTandBYOD

•  Managersanddirectorsalsoneedtobeeducated!!Moneysavingnow,canbeaverycostlythinginthefuture

•  Haveyoueverimaginedhowacompany’simagewouldbeaffectedifit’sITsecurityhadbeenbreachedusinga…....

Whatif…..•  AhackercompromisesyourIOTdevice….•  YourFridge!!•  TheyhaveaccesstoyourWiFinetwork•  Thearescanningyournetworkandseeyourworklaptopconnected•  Theymanagetocompromiseyourlaptop•  YouVPNintoyourcoporatenetwork•  Theyportscanandfindtelnetlisteningonport23foraDNSentrycalled

zOSProd•  Andtheyjusthappentoknowwhatz/OSisortheygooglezOSProdorzOS

TELNET•  Startreadingandenjoy!!!•  Idontbelieveinscaringpeople,butthiscouldhappen!

Beingmorespecific•  Evaluatedeviceusagescenariosandinves:gateleadingprac:cesto

mi:gateeachriskscenario.•  Investinamobiledevicemanagement(MDM)solu:ontoenforce

policiesandmonitorusageandaccess.•  Enforceindustrystandardsecuritypoliciesasaminimum•  Setasecuritybaseline•  Differen:atetrustedanduntrusteddeviseaccess•  Introducemorestringentauthen:ca:onandaccesscontrolsfor

cri:calbusinessapps.•  Addmobiledevicerisktotheorganisa:on’sawarenessprogram.

References&Resources

References&Resources

•  “SixthingsyoushouldknowabouttheInternetofThings”,TechRadar•  Gartner:hfp://www.gartner.com•  ArsTechnica:hfp://arstechnica.com•  MITTechnologyReview:hfps://www.technologyreview.com•  Alphr:hfp://www.alphr.com/•  HPCommunityEnterprise:hfp://community.hpe.com/•  CIO:hfp://www.cio.co.uk•  EETimes:hfp://www.ee:mes.com•  ComputerWeekly:hfp://www.computerweekly.com•  CISCO:hfp://www.cisco.com•  ExactTrak:hfp://www.exacfrak.com•  PonemonIns:tute:hfp://www.ponemon.org

Ques:ons?

RuiMiguelFeio,RSMPartnersruif@rsmpartners.commobile:+44(0)7570911459linkedin:www.linkedin.com/in/rfeiowww.rsmpartners.com

Contact