Internet of Things Security Implications

Transcription

1 + Internet of Things Security Implications Garth Whitacre Senior Security Solution Architect

2 + Agenda 2 n Introduction n What Is The Internet Of Things? n What Happens On The Internet Of Things? n Why Should You And Your Organization Be Concerned? n What Can You Do About These Concerns? n Questions And Discussion

3 + Introduction

4 + Experience 4 n 5 years U.S. Army Signal Corps Officer n 14 years of private organization IT employment n Last 9 years dedicated to security operations, assessment and implementation n Prior to joining SHI led a team of 20 contracted security analysts for L-3 in support of USAFCENT n Agnostic Certifications CISSP, SANS GIAC (GAWN/GCIA) n Vendor Certifications Palo Alto, Check Point, RSA and McAfee

5 + What Is The Internet of Things? 5

6 + Definition 6 The Internet of Things (IoT) is the interconnection of unique and identifiable electronic devices within either a closed system or more often the existing public Internet infrastructure.

7 +

8 + Components Of The Internet Of Things 8 n Network Infrastructure n Desktops, Laptops and Servers n Printers and Imaging Devices n Smart Phones, Tablets, and Handheld Scanners n Cloud and Virtualization n Tags (RFID, Manufacturing, and Shipping) n Building Infrastructure n Vehicles n Home Appliances and Automation At the end of the day, almost any electronic device can be on the Internet of Things.

9 + Points On The Internet Of Things 9 n Private Networks n Public Networks n Personal Networks n Closed Networks n Gateways

10 +What Happens On The Internet Of Things? 10

11 + Interactions 11 n Device Introduction n Device-to-Device Communication n Trusts n Data Transfer n Device Departure

12 + Where Is Data In The Internet Of Things? 12 n General Files n n Databases n Unstructured Data n Removable Media Sources n Cloud

13 + Printer and Digital Imaging Devices 13 n MFDs and publishing systems are installed throughout employee work areas.

14 + Medical and Manufacturing Environments n Hospitals and clinics have deployed heart rate monitors and IV systems to track system and patient health. 14 n Manufacturing equipment installed throughout the floor with signals to reflect bin or hopper states. n Handheld scanners are leveraged by employees to inventory pallets and update ordering systems.

15 + Facilities 15 n Physical badging system authenticate employees and partners into authorized areas. n HVAC systems communicate with service providers to state the health of the system as well as interactions with other components.

16 +Why Should You And Your Organization Be Concerned? 16

17 Forrester Research Executive Spotlight Top Security Challenges Identified by Executives 17

18 + Growth of Telecommuting 18 Telework Growth by Class of Worker ( ) n Federal employees = 421.0% n State government employees = 122.1% n Not-for-profit employees = 87.6% n For profit employees = 70.4% n Local government employees = 62.3% GlobalWorkplaceAnalytics.com

19 + Bring Your Own Device (BYOD) 19 n 50% of employers will stop supplying devices and move to BYOD by 2017 currently there is more support for BYOD tablets than smart phones n 15% will never offer BYOD Gartner Report May 2013

20 + Mobile Where Is It Going? 20

21 (Cisco Data) + 21

22 + Security Statistics 22 n Since 2006 lost sensitive or private records by org type: n 87M sensitive or private records (federal) n 255M (retail) n 212M (financial and insurance) n 13M (educational institutions) n From , breaches on federal networks rose from 26,942 to 46,605 US CERT Report

23 + Security Statistics (continued) 23 n In 2013, number of federal breaches by origination: n 21% to workers violating policy n 16% to lost devices n 12% due to hard copy handling n 8% who installed malware n 6% enticed by phishing/social engineering US CERT Report

24 + Data Types That Exist On The IoT 24 n Protected Health Information n Payment Card Industry n Personally Identifiable Information n Intellectual Property n Customer Data n Business Competitive Edge n Financials

25 + Regulatory and Compliance Drivers 25 n HIPAA/HITECH (Security/Privacy Rules & Breach Notification) n Affordability Care Act (ACA) & MARS-E n Payment Card Industry Data Security Standard 3.0 n Criminal Justice Information Services (CJIS) n Internal Revenue Service (IRS) Publication 1075 n Internal Revenue Code (IRC) 26 U.S.C n State Breach and Privacy Laws

26 + Threats and Risks 26 n Inadvertent/Intentional Man-Made n Default or Improperly Configured Device n Access Exposure n Data Exposure n Inability to Report Current or Past Status Compliance

27 + Understanding IoT Risk 27

28 + Challenges 28 n Lack of Resources (Triple Constraint) n Lack of Management Direction Policies n Limited Operational Lifecycle Processes n Operational vs. Security Priorities n Lack of Visibility

29 What Can You Do About These + Concerns? 29

30 + 30

31 + Policies and Processes 31 n Policies Current, Approved and Encompassing n Change Board n Regular Assessments Internal or Third-Party

32 + 32 Data Characterization n Data Types Including Risks and Sensitivity n Data Owners n Data Custodians n Data Locations

33 + Visibility 33 n Intrusion Detection Systems n Logging and Event Correlation n Vulnerability Scanning n Gateways NGFW n Data Access Control n Data Loss Prevention n Advanced Threat Detection

34 + Segmentation 34 n Access Control Lists n Physical Separation n Gateways NGFW n Intrusion Prevention Systems n Network Access Control

35 + Authentication/Secure Channels 35 n Strong Security Protocols (such as WPA2) n Encrypted Channels (e.g. ssh, https, ftps, etc.) n Certificates n Multi-Factor Authentication

36 + Summary 36 n Policies and Processes n Data Characterization n Visibility n Segmentation n Authentication

37 + Seven Simple Steps Define requirements for devices connecting to the network 2. Identify the types of data and risks 3. Develop policies for device types and the conditions for permitting connection 4. Implement security controls commensurate with the risks associated 5. Provision new network devices 6. Manage endpoint processes and controls 7. De-provision inactive devices

38 + Questions and Discussion 38

39 8 Rules For Good IoT Device Management Daughter IoT Device 1. Use your hands on my daughter and you'll lose yours. 2. You make her cry, I make you cry. 3. Safe sex is a myth. Anything you try will be hazardous to your health. 4. Bring her home late, there's no next date. 5. If you pull into my driveway and honk, you better be dropping off a package because you're sure not picking anything up. 6. No complaining while you're waiting for her. If you're bored, change my oil. 7. If your pants hang off your hips, I'll gladly secure them with my staple gun. 8. Dates must be in crowded public places. You want romance? Read a book. 1. IT must pro-actively introduce devices to the network. You will regret it if you don t. 2. If you have a security incident, you have to be prepared to do something about it. 3. Safe IoT platforms are a myth. You have to be prepared to manage them. 4. IoT device policies/processes need to include when a device can join or leave. 5. Realize that mobile devices are coming to your environment whether you want them or not. 6. Establish requirements and expectations for the workforce before introducing new technologies. 7. Only approved configurations should be allowed to join the network. 8. Connections in public places are not private and must be protected.