IoT Lock Down - Battling the Bot Net Builders
Adam Englander, iovation (@adam_englander)

Posted on 21-Jan-2018

TRANSCRIPT


What happened on October 21, 2016?


Dyn DNS DDoS Attack

• Up to 380,000 IoT devices

• Generating up to 1.2 terabits per second of DNS request data

• Producing 50x normal traffic after mitigation

• One month after similar Krebs on Security attack


It is our job to prevent this from ever happening again.


IoT Benefits of Embedded Linux

• Making IoT development and manufacturing more accessible

• Enables rapid prototyping and reduces time to market


Security Benefits of Embedded Linux

• Linux provides facilities for fantastic security

• Numerous resources exist for implementing super secure Linux


Remember Two Things

1. You will be attacked

2. You will be exposed to a Zero Day vulnerability


Know Your Adversary

• Lone Gunmen

• Local Criminals

• Hacktivist Groups

• Competitors

• Organized Crime

• Nation States


Security is like an Ogre. It has layers.


Layered Security: Defense in Depth


Network

Application

Services

File System

OS


Operating System Security

• Patching strategy

• Minimal distribution

• Randomize default usernames and passwords

• Require strong passwords via PAM


File System Security

• Named application user

• Remove “everyone” access where possible

• Restrict application user to files necessary to run

• Avoid write access where possible
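The file-system rules on this slide can be turned into a check the build or install step runs against the application tree. The following is an added example in Python, not code from the talk or from iovation: it walks a directory, flags files that "everyone" can reach, that are group-writable, or that are writable outside the directories the application genuinely needs to write to, and computes the corrected mode for each. The demo tree, its file names and modes are constructed for illustration; `make_demo_tree`, `audit_tree` and `fix_tree` are hypothetical helper names.

```python
import os
import stat
import tempfile

# Permission bits that grant access to "everyone" (the 'other' class).
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_tree(root, writable_dirs=()):
    """Check every regular file under `root` against three least-privilege rules:
    no access for 'other', no group write, and no owner write outside the
    directories the application must write to (`writable_dirs`, relative to
    `root`).  Returns {relative_path: (problems, fixed_mode)} for files that
    break a rule; `fixed_mode` is the current mode with the offending bits cleared."""
    writable = [os.path.join(root, d) for d in writable_dirs]
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, ...
                continue
            mode = stat.S_IMODE(st.st_mode)
            fixed, problems = mode, []
            if mode & OTHER_BITS:
                fixed &= ~OTHER_BITS
                problems.append("everyone")
            if mode & stat.S_IWGRP:
                fixed &= ~stat.S_IWGRP
                problems.append("group-write")
            may_write = any(path.startswith(w + os.sep) for w in writable)
            if mode & stat.S_IWUSR and not may_write:
                fixed &= ~stat.S_IWUSR
                problems.append("owner-write")
            if problems:
                findings[os.path.relpath(path, root)] = (tuple(problems), fixed)
    return findings


def fix_tree(root, writable_dirs=(), apply=False):
    """Audit and, when `apply` is true, chmod each flagged file to its fixed mode.
    Ownership (chown to the named application user) is left to the installer,
    since that needs root."""
    plan = audit_tree(root, writable_dirs)
    if apply:
        for rel, (_problems, fixed) in plan.items():
            os.chmod(os.path.join(root, rel), fixed)
    return plan


def make_demo_tree():
    """Constructed sample layout: config, a launcher and a state directory, with
    deliberately sloppy modes so the audit has something to report."""
    root = tempfile.mkdtemp(prefix="iot-fs-audit-")
    layout = {
        "app/config.ini":  (0o644, b"[device]\nname=sensor\n"),
        "app/bin/run":     (0o755, b"#!/bin/sh\nexec ./sensor\n"),
        "state/db.sqlite": (0o660, b""),
        "state/log.txt":   (0o600, b""),
    }
    for rel, (mode, body) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, (problems, fixed) in sorted(fix_tree(demo, ("state",)).items()):
        print(f"{rel}: {', '.join(problems)} -> chmod {fixed:o}")
```

Run it with `apply=True` from the package's post-install hook, after files have been chowned to the application user, and treat a non-empty plan in CI as a build failure.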


Service Security

• Reduce local service dependencies

• Remove all non-essential services (SSH, FTP, SMTP, etc.)

• Require authentication

• Be as secure as possible with service data
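A quick way to verify that only the intended services are listening on a Linux device is to read the kernel's socket table directly. This is an added example in Python, not code from the talk: it parses `/proc/net/tcp`, keeps the sockets in LISTEN state, and compares them against an allow list of port-to-bind-address pairs, so a service that should only be reachable locally is also flagged when it binds to all interfaces. The `/proc/net/tcp` sample is constructed (hosts, ports and uids invented); it assumes a little-endian host (x86 or ARM), where the kernel prints IPv4 addresses with the bytes reversed. `parse_listeners` and `unexpected_listeners` are hypothetical helper names.

```python
import socket

# Constructed sample of /proc/net/tcp (IPv4 only).  Addresses and ports are hex;
# on little-endian Linux the four IPv4 address bytes appear reversed.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp


def parse_listeners(text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])   # little-endian host assumed
        listeners.append((ip, int(port_hex, 16), int(fields[7])))
    return listeners


def unexpected_listeners(listeners, allowed):
    """Flag listeners not covered by `allowed`, a dict of port -> set of bind
    addresses acceptable for that port."""
    return [(ip, port, uid) for ip, port, uid in listeners
            if port not in allowed or ip not in allowed[port]]


def live_listeners():
    """Read the real table on a Linux host (not exercised by the offline sample)."""
    with open("/proc/net/tcp") as fh:
        return parse_listeners(fh.read())


if __name__ == "__main__":
    allowed = {8080: {"127.0.0.1"}}     # the app's local API and nothing else
    for ip, port, uid in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), allowed):
        print(f"unexpected listener {ip}:{port} (uid {uid}) - disable the service or firewall it")
```

With the sample table the check reports the SSH and FTP listeners on 0.0.0.0, which is exactly the "non-essential services" the slide says to remove. Running `live_listeners()` from a periodic health check on the device gives an early warning when a firmware update or a debugging session leaves an extra service behind; IPv6 listeners live in `/proc/net/tcp6` and need the same treatment with 16-byte addresses.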


Network Layer Security

• Outbound connections only

• Restrict inbound and outbound IP traffic

• Prefer paired Bluetooth

• Pair Bluetooth with challenge-response
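The last bullet, pairing with challenge-response, is a small protocol worth seeing end to end. This is an added example in Python, not code from the talk: the device issues a fresh random challenge, the controller answers with an HMAC over it under a pairing key that was provisioned out of band (printed on the device, scanned from a label, or held in a hardware element), and the device accepts each challenge exactly once, so a captured response cannot be replayed. It is transport-agnostic; the Bluetooth framing is not modelled. The class names, the `iot-pairing-v1` tag and the keys are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

TAG = b"iot-pairing-v1"     # domain separation: the MAC is only meaningful for pairing


class Device:
    """The peripheral.  It holds the pairing key and only accepts a controller
    that can prove knowledge of it without ever sending the key."""

    MAX_OPEN = 4    # bound memory used by unanswered challenges

    def __init__(self, pairing_key):
        self._key = pairing_key
        self._open = []              # challenges issued but not yet answered

    def issue_challenge(self):
        challenge = secrets.token_bytes(32)     # fresh, unpredictable per attempt
        self._open.append(challenge)
        if len(self._open) > self.MAX_OPEN:
            self._open.pop(0)                   # oldest unanswered challenge lapses
        return challenge

    def accept(self, challenge, response):
        # A challenge is valid exactly once: replaying a captured response fails.
        if challenge not in self._open:
            return False
        self._open.remove(challenge)
        expected = hmac.new(self._key, TAG + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Controller:
    """The phone/hub side.  It answers with a MAC over the challenge."""

    def __init__(self, pairing_key):
        self._key = pairing_key

    def respond(self, challenge):
        return hmac.new(self._key, TAG + challenge, hashlib.sha256).digest()


def run_pairing(device_key, controller_key):
    """Play one exchange and then a replay of it.
    Returns (first_accepted, replay_accepted)."""
    device, controller = Device(device_key), Controller(controller_key)
    challenge = device.issue_challenge()         # device    -> controller
    response = controller.respond(challenge)     # controller -> device
    first = device.accept(challenge, response)
    replay = device.accept(challenge, response)  # an eavesdropper resending it
    return first, replay


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("genuine controller:", run_pairing(key, key))             # (True, False)
    print("wrong key:", run_pairing(key, secrets.token_bytes(32)))   # (False, False)
```

For mutual authentication run the same exchange in the other direction, with the controller issuing its own challenge, so a rogue device cannot impersonate the real one to the app.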


Application Security

• Know what you are preventing

• Do as much as is reasonable

• Patching/update strategy


What you are preventing

• Sensitive Data Exposure

• Escalation of Privilege

• Account Hijacking

• Denial of Service

• Remote Code Execution


Sensitive Data Exposure

• Protect data in transit via encryption and available network protocol options

• Protect data at rest with encryption


Certificate Verification via Fingerprint

• Also called certificate pinning

• Prevents man in the middle attacks over TLS/SSL
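Certificate pinning on a device is usually a SHA-256 fingerprint of the server's leaf certificate compared after the normal TLS handshake. This is an added example in Python, not code from the talk: `matches_pin` does the comparison and accepts several pins so a device can carry the current and the next certificate across a rotation, and `open_pinned_connection` shows where the check sits relative to the standard chain and hostname validation (pinning narrows trust, it does not replace validation). The DER bytes and the pin are constructed stand-ins; a real device would pin the hash of the actual server certificate. The function names are assumptions.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(cert_der):
    """SHA-256 over the DER-encoded certificate, lower-case hex without colons."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_pin(pin):
    """Accept the colon-separated upper-case form tools print as well as plain hex."""
    return pin.replace(":", "").lower()


def matches_pin(cert_der, pins):
    """True if the certificate matches any pinned fingerprint.  Allowing more than
    one pin lets a device survive a server certificate renewal."""
    actual = fingerprint(cert_der)
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


def open_pinned_connection(host, port, pins, timeout=5.0):
    """Connect with full chain and hostname validation, then add the pin check."""
    ctx = ssl.create_default_context()           # verifies chain + hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        if not matches_pin(tls.getpeercert(binary_form=True), pins):
            raise ssl.SSLCertVerificationError(
                "leaf certificate does not match any pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate; not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-cert-bytes"
SAMPLE_PIN = fingerprint(SAMPLE_CERT_DER)


if __name__ == "__main__":
    print("pin:", SAMPLE_PIN)
    print("matches:", matches_pin(SAMPLE_CERT_DER, [SAMPLE_PIN]))        # True
    print("tampered:", matches_pin(SAMPLE_CERT_DER + b"\x00", [SAMPLE_PIN]))  # False
```

The pin set has to be updatable through the same signed update channel as the firmware; a device with a single hard-coded pin and no update path stops working the day the server certificate is renewed.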


Encrypting Data

• Encrypt data you do not want to give to attackers

• Use the strongest encryption that is feasible


Digital Signatures

• Send signature with data in transit

• Store signature on the file system for data in the file system.


Account Hijacking

• Secure application with passwords using strong hashing: Argon2i, scrypt, bcrypt, or PBKDF2

• Secure initial setup via hardware or force wipe

• Alert for changes to accounts
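Of the four algorithms named, scrypt and PBKDF2 are in Python's standard library, so a device with no third-party packages can still do this properly. This is an added example in Python, not code from the talk: it stores passwords as a self-describing scrypt record (parameters, salt, hash), verifies in constant time, rehashes on login when the stored parameters fall below the current policy, and emits a notification for every account change, which covers the last bullet. `AccountStore`, the record format and the cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# scrypt cost: memory is 128 * r * n bytes, so these give 16 MiB per hash, a
# reasonable floor for a small embedded CPU.  Raise n when the hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password):
    """Self-describing record (algorithm, parameters, salt, hash) so cost can be
    raised later without invalidating existing accounts."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record):
    """True when a stored record uses weaker parameters than the current policy;
    upgrade it on the next successful login, when the plaintext is available."""
    algo, n, r, p = record.split("$")[:4]
    return algo != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


# Verified for unknown users so a missing account costs the same time as a wrong
# password; otherwise response time reveals which usernames exist.
DUMMY_RECORD = hash_password("not-a-real-password")


class AccountStore:
    """Minimal account table.  `notify` receives a line for every account change
    (creation, password change, failed change); point it at syslog, e-mail or the
    device's management channel so hijacking attempts are visible."""

    def __init__(self, notify=print):
        self._records = {}
        self._notify = notify

    def create(self, user, password):
        self._records[user] = hash_password(password)
        self._notify(f"account created: {user}")

    def login(self, user, password):
        record = self._records.get(user)
        if record is None:
            verify_password(password, DUMMY_RECORD)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            self._records[user] = hash_password(password)
        return ok

    def change_password(self, user, old, new):
        if not self.login(user, old):
            self._notify(f"failed password change: {user}")
            return False
        self._records[user] = hash_password(new)
        self._notify(f"password changed: {user}")
        return True
```

Swapping in Argon2i or bcrypt only changes `hash_password` and `verify_password`; the record format, the rehash-on-login upgrade path and the change notifications stay the same.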


Nonces

• Single use token

• Used for CSRF tokens

• Must be cryptographically random

• Should expire
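The four properties on this slide (single use, CSRF use, cryptographically random, expiring) fit in one small store. This is an added example in Python, not code from the talk: tokens come from the OS CSPRNG, are bound to the session that requested them, are removed on first use whether or not the check passes, and lapse after a TTL. The clock is injectable so expiry can be exercised without sleeping. `NonceStore` and its method names are assumptions made for the example.

```python
import hmac
import secrets
import time


class NonceStore:
    """Single-use, expiring tokens bound to a context (here a session id), as used
    for CSRF protection: render `issue(session)` into the form, and on POST only
    proceed if `consume(token, session)` is true."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._issued = {}           # token -> (context, expires_at)

    def issue(self, context):
        self._purge()
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._issued[token] = (context, self._clock() + self._ttl)
        return token

    def consume(self, token, context):
        """True exactly once per token, only within its lifetime and only for the
        context it was issued to.  A failed check also discards the token."""
        self._purge()
        entry = self._issued.pop(token, None)   # pop: a token is single use
        if entry is None:
            return False
        issued_for, expires_at = entry
        same_context = hmac.compare_digest(issued_for.encode(), context.encode())
        return same_context and self._clock() <= expires_at

    def outstanding(self):
        """Number of live tokens; useful as a health metric (a flood of unconsumed
        tokens means someone is fetching forms without submitting them)."""
        self._purge()
        return len(self._issued)

    def _purge(self):
        now = self._clock()
        for token in [t for t, (_c, exp) in self._issued.items() if exp < now]:
            del self._issued[token]


if __name__ == "__main__":
    store = NonceStore(ttl_seconds=60)
    token = store.issue("session-A")
    print("first use:", store.consume(token, "session-A"))    # True
    print("replayed:", store.consume(token, "session-A"))     # False
```

On a device that may reboot or run several worker processes, keep the store in something shared (a small SQLite table works) rather than in process memory, or the single-use guarantee only holds per process.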


Replay/Denial of Service

• Identify bad actors either by tracking utilization or with a Honey Pot

• Mitigate by not responding to the request or with minimal processing
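Tracking utilization per client and reacting with minimal processing can be done with a token bucket and a penalty box. This is an added example in Python, not code from the talk: each client gets a refillable request budget; going over budget returns "throttle" (answer cheaply, e.g. a 429), repeated overruns or a request to a decoy endpoint return "drop" (do not respond at all) for a penalty period. The clock is injectable for testing. `ClientTracker`, the verdict strings and the parameters are assumptions made for the example.

```python
import time


class ClientTracker:
    """Token-bucket budget per client plus a penalty box.  Clients that keep
    exceeding their budget, or that touch a decoy (honeypot) endpoint, are
    blocked for `block_seconds` and their requests are dropped before any real
    processing happens."""

    def __init__(self, rate_per_sec, burst, strikes_to_block, block_seconds,
                 clock=time.monotonic):
        self._rate, self._burst = rate_per_sec, burst
        self._strikes_to_block, self._block_seconds = strikes_to_block, block_seconds
        self._clock = clock
        self._buckets = {}       # client -> (tokens, last_refill_time)
        self._strikes = {}       # client -> count of over-budget requests
        self._blocked = {}       # client -> time the block expires

    def allow(self, client):
        """Return 'allow', 'throttle' (reply with minimal work) or 'drop' (no reply)."""
        now = self._clock()
        until = self._blocked.get(client)
        if until is not None:
            if now < until:
                return "drop"
            del self._blocked[client]          # penalty served, start clean
            self._strikes.pop(client, None)
        tokens, last = self._buckets.get(client, (self._burst, now))
        tokens = min(self._burst, tokens + (now - last) * self._rate)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return "allow"
        self._buckets[client] = (tokens, now)
        strikes = self._strikes.get(client, 0) + 1
        self._strikes[client] = strikes
        if strikes >= self._strikes_to_block:
            self._block(client, now)
            return "drop"
        return "throttle"

    def honeypot_hit(self, client):
        """A request to a decoy path no legitimate client knows about: block at once."""
        self._block(client, self._clock())

    def blocked_clients(self):
        now = self._clock()
        return sorted(c for c, until in self._blocked.items() if now < until)

    def _block(self, client, now):
        self._blocked[client] = now + self._block_seconds
        self._buckets.pop(client, None)


if __name__ == "__main__":
    tracker = ClientTracker(rate_per_sec=1.0, burst=3, strikes_to_block=2, block_seconds=60)
    print([tracker.allow("client-1") for _ in range(5)])   # 3 allows, throttle, drop
```

The client key can be a source address, a device id or a session token depending on where the check runs; whichever it is, the "drop" path must do no parsing, no database access and no logging beyond a counter, or the mitigation itself becomes the resource the flood exhausts.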


Remote Code Execution

• Do not execute unverified code ever ever ever!

• Database specific mitigation to prevent SQL injection
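The database-specific mitigation for SQL injection is to let the driver bind values instead of splicing them into the query text. This is an added example in Python with the standard `sqlite3` module, not code from the talk: the vulnerable lookup and the parameterized one sit side by side over a constructed table, so the difference in behaviour for an input containing a quote is visible. The table, its rows and the function names are constructed for the example.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table of devices and their owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [("SN-001", "alice"), ("SN-002", "bob")])
    conn.commit()
    return conn


def owner_lookup_vulnerable(conn, serial):
    """The pattern to avoid: the caller's string becomes part of the SQL text, so
    a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT owner FROM devices WHERE serial = '{serial}' ORDER BY serial"
    return [row[0] for row in conn.execute(sql)]


def owner_lookup_safe(conn, serial):
    """The driver-level mitigation: the placeholder is bound as data, separately
    from the SQL text, so the input can never change the shape of the query."""
    sql = "SELECT owner FROM devices WHERE serial = ? ORDER BY serial"
    return [row[0] for row in conn.execute(sql, (serial,))]


def owner_lookup_named(conn, serial):
    """Same mitigation with sqlite3's named placeholders, easier to read in
    longer queries."""
    sql = "SELECT owner FROM devices WHERE serial = :serial ORDER BY serial"
    return [row[0] for row in conn.execute(sql, {"serial": serial})]


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR '1'='1"     # a value that is not a serial number
    print("vulnerable:", owner_lookup_vulnerable(db, crafted))   # every owner returned
    print("safe:      ", owner_lookup_safe(db, crafted))         # no such serial: []
```

The same placeholder rule applies to every other driver (`%s` for psycopg2 and MySQL connectors, `?` for most others); the part that must never be built from input is the SQL text itself, which includes table and column names, so those need an allow list rather than a placeholder.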


Tools

Don’t try to do all of this yourself


Internet Engineering Task Force

• JSON Object Signing and Encryption (JOSE)

• CBOR Object Signing and Encryption (COSE)


Open Web Application Security Project

• Testing guides

• Attack surface areas

• Top 10 security vulnerability studies

• https://www.owasp.org


Bug Bounty

• Pay ETHICAL hackers to test the security of your devices and systems

• Attract experts in the field for a little money and recognition

• Can be managed internally or externally


Me Things

• @adam_englander

• [email protected]

• https://www.iovation.com/blog/author/aenglander