2015 NTX-ISSA Cyber Security Conference (Spring)
Kid Proofing the Internet of Things
April 24-25, 2015
Copyright 2015 Raytheon Company. All rights reserved.
Why We Want To Lock Down Our Home Networks
As Information Security (IS) professionals (or students), we regularly defend enterprise networks
General Internet threats
- Malware, hackers, identity thieves
Threats to and from our kids
- The threats our kids bring in: malware, spyware, etc.
- The threats against our kids: objectionable content, predators
What is important in your Network Castle?
The Usual Solutions People Use To Do It (PCs)
General Controls
- Firewalls: perimeter firewall (wireless router), host-based firewall
- Anti-Virus
- User Account Controls (UAC)
Kid-Specific Controls
- Parental controls / Google controls
- Kid Safe browsers
- Deep Freeze
Securing a desktop is easier (but not easy)
All The Other Devices On Your Network
The real problem is all the other devices on your network
- With the Internet of Things, have you really thought about how these affect the security of your home network?
- Were these devices built with security in mind?
Devices you or your kids likely have on the network
- Tablets (iOS, Android, Chrome, other Linux variants)
- Game systems (PlayStation, Wii, Nintendo DS, etc.)
- TVs (Linux, Windows, Netflix, Hulu, YouTube, etc.)
- Phones (iOS, Android)
The Internet of Things is a different matter
Device Lockdowns
Hard lessons learned about these devices
- They don't care about your security concerns
- At best they have VERY limited content controls
- All connected, but no control over Internet content
Game systems / TVs
- Ratings controls
Android / Linux / iOS
- Limited parental controls; can control purchases
- Apple's Restriction controls (slightly better)
- Kid Safe apps and browsers
Locking Down iOS
Apple has some decent controls via their Restrictions settings to make iOS kid safe on any network
Some strategies I use / have used
- Don't let the kids install / delete apps (they hate this)
- Disable iCloud and Messages (they hate this more)
- Disable Safari / YouTube / remove problem apps
- Install a kid safe browser
- Configure Google parental controls
Hacking iOS opens additional opportunities / risks
Making iOS kid safe is reasonably doable
So What Does That Leave Us?
What do all these devices have in common?
- The home network and Internet gateway
Conventional Router Controls - Basics
- Encrypt wireless traffic (devices may limit strength)
- MAC address restrictions
- Guest network (if available)
- Good ingress screening
- May have limited egress screening
- Limit sites and times for some / all users
Advanced Strategies For More Security
Segment your LAN into security zones
- Move high risk / value devices to their own zone
- Allows you to apply different access policies
Some security zones to consider
- Adult Household Member Zone
- Hardwired Zone / Finance Zone
- Consider moving Finance into a VM
Adult, Visitor, and Kid Zones are my minimums
How To Implement Security Zones
One router to rule them all
- There are MANY possible variants of this
Use the existing router as a master device
- Leave the DNS the same or use unfiltered OpenDNS
- With a dual wireless router this can be Adult + Visitor
Add a new wireless router per zone
- Connect wireless APs via wire to the master device
- If this is to be a filtered network (Kids), then reconfigure the DNS to use filtered OpenDNS
Shared network devices like printers are issues
Advanced Internet Controls At The Network Layer
Advanced Internet access control is a difficult problem
- Devices have very limited controls
- Wireless routers are marginally better
- Is there another way to provide this filtering?
OpenDNS to the rescue (almost)
- If you control DNS, you control the Internet*
- OpenDNS is a free (and paid) service that provides a filtered / controlled Internet experience via DNS
- Free has a bunch of stock settings
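The two slides above describe the zoning scheme (a master router with one wireless AP per zone, filtered DNS for the kid zone) and the idea that controlling DNS controls Internet access. The following is an added example, not code from the deck or from any router product: a small policy engine that models what the gateway would do for each packet leaving a zone. The zone address ranges, the TEST-NET sample addresses and the Packet/Verdict types are constructed for illustration; the OpenDNS resolver addresses are the ones I know for the unfiltered Home and FamilyShield services and are not on the slides, so verify them against OpenDNS documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed zone layout (constructed): one /24 per zone, each behind its own
# wireless AP wired to the master router, as the zoning slides describe.
ZONES = {
    "adult": ip_network("192.168.10.0/24"),
    "visitor": ip_network("192.168.20.0/24"),
    "kid": ip_network("192.168.30.0/24"),
}

# OpenDNS resolver addresses as I know them (unfiltered Home and FamilyShield);
# they are not on the slides, so verify them against OpenDNS documentation.
OPENDNS_UNFILTERED = ("208.67.222.222", "208.67.220.220")
OPENDNS_FAMILYSHIELD = ("208.67.222.123", "208.67.220.123")

# Per-zone policy: "dns" is the resolver set every port-53 query is forced to
# (None = leave DNS alone); "lan_access" says whether the zone may reach other zones.
POLICY = {
    "adult": {"dns": None, "lan_access": True},
    "visitor": {"dns": OPENDNS_UNFILTERED, "lan_access": False},
    "kid": {"dns": OPENDNS_FAMILYSHIELD, "lan_access": False},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                    # "allow", "drop" or "redirect"
    new_dst: Optional[str] = None  # rewritten destination for "redirect"


def zone_of(addr: str) -> Optional[str]:
    """Name of the zone containing addr, or None if it is not a LAN address."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def decide(pkt: Packet) -> Verdict:
    """Gateway verdict for one packet leaving a zone."""
    zone = zone_of(pkt.src)
    if zone is None:
        return Verdict("drop")  # not from any known zone
    policy = POLICY[zone]

    # DNS enforcement: a device whose DNS setting was changed to some other
    # resolver is still answered by the zone's resolver, because the gateway
    # rewrites (DNATs) every port-53 destination that is not on the allowed list.
    if pkt.dport == 53 and policy["dns"] is not None:
        if pkt.dst in policy["dns"]:
            return Verdict("allow")
        return Verdict("redirect", new_dst=policy["dns"][0])

    # Zone isolation: only a zone with lan_access may talk to other zones.
    if zone_of(pkt.dst) is not None and not policy["lan_access"]:
        return Verdict("drop")

    # Everything else passes. The gateway sees only addresses here, so a
    # connection made directly to an IP never touches the DNS filter
    # (the limitation the deck's "imperfect solution" slides point out).
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample traffic: TEST-NET addresses stand in for Internet hosts.
    for p in (Packet("192.168.30.5", "198.51.100.53", 53),
              Packet("192.168.30.5", "192.168.10.20", 445),
              Packet("192.168.30.5", "203.0.113.10", 443)):
        print(p, "->", decide(p))
```

The redirect verdict is the part a per-zone router actually has to implement (a destination NAT rule on port 53 on the kid zone's AP or on the master router); without it, "reconfigure the DNS" on the AP only covers devices that accept the DHCP-supplied resolver. The final allow verdict is deliberate: it shows why DNS filtering is a control over names, not over addresses.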
OpenDNS - Living With An Imperfect Solution (1)
OpenDNS does not protect mobile devices when they leave your network (tablets, phones, laptops, etc.)
- Sorry, but I do not think there is a good solution for this
- Auditing the device is probably the best workaround
OpenDNS (paid) can only be used on one Zone unless
- It keys off the source IP to decide how things resolve
Controlling devices off your network is very hard
OpenDNS - Living With An Imperfect Solution (2)
OpenDNS does not stop direct access via an IP
- Kids that understand what an IP is can be a problem
- Kids that know what a hosts file is can still have DNS
OpenDNS works great for devices using DHCP
- But if the device lets you change the DNS settings...
It's not a perfect solution, but it works for me
Questions?
Presenter Bio
Monty D. McDougal is a Raytheon Intelligence, Information and Services (IIS) Cyber Engineering Fellow. He has worked for Raytheon for the last 16+ years performing tasks ranging from programming to system administration and has an extensive web development / programming background spanning 18+ years. His work has included development / integration / architecture / accreditation work on numerous security projects for multiple government programs, internal and external security / wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and several advanced anti-malware IRADs / products / patents.
Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on the SANS Advisory Board. Monty has previously held the GCIH, GCFA, GREM, GCUX, and GCWN certifications. Monty is also the author of the Windows Forensic Toolchest (WFT).
E-mail: Monty_D_McDougal@raytheon.com
Abstract
Kid Proofing the Internet of Things
This presentation is intended to address the unique challenges parents face in securing their home networks, both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.
- Why we want to lock down our networks
- The usual tools we would attempt to do it with (PC solutions)
- What about all those other devices on your network (the real issue)
- Device lockdowns
- Wireless router / security zoning
- OpenDNS and why it may be your best friend in this fight
- Living with an imperfect solution