Internet of Things Security Implications

Academic year: 2021

(1)

Internet of Things – Security Implications

Garth Whitacre

Senior Security So

(2)

Agenda

• Introduction
• What Is The Internet Of Things?
• What Happens On The Internet Of Things?
• Why Should You And Your Organization Be Concerned?
• What Can You Do About These Concerns?
• Questions And Discussion

(3)
(4)

Experience

• 5 years U.S. Army Signal Corps Officer
• 14 years of private organization IT employment
• Last 9 years dedicated to security – operations, assessment and implementation
• Prior to joining SHI led a team of 20 contracted security analysts for L-3 in support of USAFCENT
• Agnostic Certifications – CISSP, SANS GIAC (GAWN/GCIA)
• Vendor Certifications – Palo Alto, Check Point, RSA and McAfee

(5)

What Is The Internet of Things?

(6)

Definition

The Internet of Things (IoT) is the interconnection of unique and identifiable electronic devices within either a closed system or, more often, the existing public Internet infrastructure.

(7)
(8)

Components Of The Internet Of Things

• Network Infrastructure
• Desktops, Laptops and Servers
• Printers and Imaging Devices
• Smart Phones, Tablets, and Handheld Scanners
• Cloud and Virtualization
• Tags (RFID, Manufacturing, and Shipping)
• Building Infrastructure
• Vehicles
• Home Appliances and Automation

At the end of the day, almost any electronic device can be on the Internet of Things.

(9)

• Private Networks
• Public Networks
• Personal Networks
• Closed Networks

(10)

What Happens On The Internet Of Things?

(11)

• Device Introduction
• Device-to-Device Communication
• Trusts
• Data Transfer

(12)

Where Is Data In The Internet Of Things?

• General Files
• Email
• Databases
• Unstructured Data
• Removable Media Sources
• Cloud

(13)

• MFDs and publishing systems are installed

(14)

Medical and Manufacturing Environments

• Hospitals and clinics have deployed heart rate monitors and IV systems to track system and patient health.
• Manufacturing equipment is installed throughout the floor with signals that reflect bin or hopper states.
• Handheld scanners are leveraged by employees to inventory pallets and update ordering systems.

(15)

• Physical badging systems authenticate employees and partners into authorized areas.
• HVAC systems communicate with service providers to state the health of the system as well as interactions with other components.

(16)

Why Should You And Your Organization Be Concerned?

(17)

Executives

(18)

Telework Growth by Class of Worker (2000-2012)

• Federal employees = 421.0%
• State government employees = 122.1%
• Not-for-profit employees = 87.6%
• For profit employees = 70.4%
• Local government employees = 62.3%

Growth of Telecommuting (GlobalWorkplaceAnalytics.com)

(19)

• 50% of employers will stop supplying devices and move to BYOD by 2017 – currently there is more support for BYOD tablets than smart phones
• 15% will never offer BYOD

(20)

Mobile – Where Is It Going?

(21)
(22)

Security Statistics

• Since 2006, lost sensitive or private records by org type:
    • 87M sensitive or private records (federal)
    • 255M (retail)
    • 212M (financial and insurance)
    • 13M (educational institutions)
• From 2009 – 2013, breaches on federal networks rose from 26,942 to 46,605

(23)

• In 2013, number of federal breaches by origination:
    • 21% due to workers violating policy
    • 16% due to lost devices
    • 12% due to hard copy handling
    • 8% due to users installing malware
    • 6% due to phishing/social engineering

(24)

Data Types That Exist On The IoT

• Protected Health Information
• Payment Card Industry
• Personally Identifiable Information
• Intellectual Property
• Customer Data
• Business Competitive Edge
• Financials

(25)

• HIPAA/HITECH (Security/Privacy Rules & Breach Notification)
• Affordable Care Act (ACA) & MARS-E
• Payment Card Industry – Data Security Standard 3.0
• Criminal Justice Information Services (CJIS)
• Internal Revenue Service (IRS) Publication 1075
• Internal Revenue Code (IRC) 26 U.S.C. §6103
• State Breach and Privacy Laws

(26)

Threats and Risks

• Inadvertent/Intentional Man-Made
• Default or Improperly Configured Device
• Access Exposure
• Data Exposure
• Inability to Report Current or Past Status – Compliance

(27)
(28)

Challenges

• Lack of Resources (Triple Constraint)
• Lack of Management Direction – Policies
• Limited Operational Lifecycle – Processes
• Operational vs. Security Priorities
• Lack of Visibility

(29)
(30)
(31)

• Policies – Current, Approved and Encompassing
• Change Board

(32)

Data Characterization

• Data Types Including Risks and Sensitivity
• Data Owners
• Data Custodians
• Data Locations

(33)

• Intrusion Detection Systems
• Logging and Event Correlation
• Vulnerability Scanning
• Gateways – NGFW
• Data Access Control
• Data Loss Prevention

(34)

Segmentation

• Access Control Lists
• Physical Separation
• Gateways – NGFW
• Intrusion Prevention Systems
• Network Access Control

(35)

• Strong Security Protocols (such as WPA2)
• Encrypted Channels (e.g. SSH, HTTPS, FTPS, etc.)
• Certificates

(36)

Summary

• Policies and Processes
• Data Characterization
• Visibility
• Segmentation
• Authentication

(37)

1. Define requirements for devices connecting to the network
2. Identify the types of data and risks
3. Develop policies for device types and the conditions for permitting connection
4. Implement security controls commensurate with the associated risks
5. Provision new network devices
6. Manage endpoint processes and controls

(38)

Questions and Discussion

(39)

1. Use your hands on my daughter and you'll lose yours.
2. You make her cry, I make you cry.
3. Safe sex is a myth. Anything you try will be hazardous to your health.
4. Bring her home late, there's no next date.
5. If you pull into my driveway and honk, you better be dropping off a package because you're sure not picking anything up.
6. No complaining while you're waiting for her. If you're bored, change my oil.
7. If your pants hang off your hips, I'll gladly secure them with my staple gun.
8. Dates must be in crowded public places. You want romance? Read a book.

1. IT must pro-actively introduce devices to the network. You will regret it if you don't.
2. If you have a security incident, you have to be prepared to do something about it.
3. Safe IoT platforms are a myth. You have to be prepared to manage them.
4. IoT device policies/processes need to include when a device can join or leave.
5. Realize that mobile devices are coming to your environment whether you want them or not.
6. Establish requirements and expectations for the workforce before introducing new technologies.
7. Only approved configurations should be allowed to join the network.
8. Connections in public places are not private.
