The Internet of Everything Is Here
Keith Wilson, Systems Engineer
How Do We Secure It? The Internet of Everything Is Here
2© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
IoT Security Challenges: The Ever Expanding Attack Surface
Security Is Hard
SHODAN – Google Dorking The IoT
Defining The Aggressors
• Activists
• Organized Crime
• Competition
• Nation States
Health Care: All Your Medical Devices Are Belong To Us
• IoT is made up of life saving and life sustaining devices
• Most devices have weak passwords, hard-coded passwords, and/or insecure embedded web servers
• Health care companies are a huge target due to the value of personal medical information.
The Michael Weston Theory of Security vs. Accessibility
Manufacturing: All Your Assembly Lines Are Belong To Us
• IoT has existed for a long time in manufacturing
• SCADA Systems are hard to protect due to product interference
• Compromise can lead to physical destruction
• Manufacturers are a target because of value of IP and M&A Data.
Financial Services: All Your Insurance Data Are Belong To Us
• Insurance companies are embracing IoT
• Currently auto insurance companies, but will soon see health & life insurance companies
• Targeted for detailed customer information
Retail: All Your Point of Sale Are Belong To Us
• Retail has been a target of organized crime for years.
• More detailed customer information = more attacks from other groups
• IoT could provide pivot points for access to PoS or manipulation of inventory
IoT Security Challenges: These Aren’t Your Traditional Devices
Not Traditional For Admins
• Lacks update interface or update mechanism at all
• Can be a black box
• No encryption or poor encryption
Not Traditional For Developers
• Not security experts
• Traditional development accounted for patching and updates, IoT does not
IoT Security Challenges: Protecting The Consumer
Tobias Zillner, Cognosec
“… security is very often sacrificed or neglected due to fear of reduced or limited usability or fear of breaking backwards compatibility.”
Hacking Nest
The Human SCADA System
Focus Areas: Where Do We Start?
Secure At The Application: Working with OWASP
• Username enumeration
• Account lockout
• Weak passwords
• Unencrypted services
• Poorly implemented encryption
• Updates are sent without encryption
• Lack of two-factor authentication
Secure At The Network
Recon → Exploit → Command & Control → Pivot → Data Staging → Data Exfiltration
Secure At The Network: Segmentation
• Helps to maintain security & network performance
• Limit access to and from IoT devices
• Logical segmentation is a “soft” approach that helps with planning and validation
Secure At The Network: User Activity Monitoring
Thank You
@detectedanomaly
www.lancope.com
www.detectedanomaly.com/talkingiot