CONNECT ALL THE THINGS! Internet of Things & what it means for you, your business, your network,...

Internet of Things & what it means for you, your business, your network, & your security.

Introduction

Jason Appel, CISSP, MCSE, MCSA, MCT
  o Project Manager | Security Practice Manager
  o ADNET Technologies

What things? SMART things

Phones, Watches, Assistants, Lightbulbs, Cars, Security Cameras, Power jacks, Thermostats, Propane meters, Sous vide, TVs, Luggage, Fridges, Laundry, Exercise equipment, Waffle makers, Irons

Homes, Buildings, Cities, Grids

Air purifiers, Pet doors, Baby breathing, Trackers/locators, Face cleansing, Light switches, Smokers, Vents, Sprinklers, Music systems

What are these things?

IoT “… is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data.” – Wikipedia
  o https://en.wikipedia.org/wiki/Internet_of_Things

“Anything that can be connected, will be connected” – Forbes
  o http://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#3caf50ca6828

IoT – What is this thing?

Internet connected
Local and remote command and control
Web interfaces and mobile apps
Alerting
Reporting
Integration

Common Components

What the things need…

Power
Internet Connectivity
  o Wired
  o Wireless
  o Cellular data
Configuration
SECURITY

Physical things…

Phones
HVAC
Access controls
TVs/displays
Music systems
Energy
Security systems
Lighting

Service things…

MDM: Mobile Device Management
  o Smart phone & tablet controls
  o Manage apps, settings, allowed locations, etc.
Cars/Fleets
  o Routing
  o Tracking

Service things…

Heat mapping
  o Any Wi-Fi enabled device
  o Through wireless access points

What happens when…

Things die…

http://techcrunch.com/2016/01/09/nests-smart-home-apps-are-back-online-following-outages/

What happens when…

Things leak private information

https://nakedsecurity.sophos.com/2012/01/08/28c3-smart-meter-hacking-can-disclose-which-tv-shows-and-movies-you-watch

What happens when…

Things get hacked…

http://gizmodo.com/remember-when-you-wire-up-your-hotel-with-a-fancy-inte-1764517197

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Questions that need asking…

Who, What, Where, When, Why, How

Questions that need asking…

Who

Authentication –
  o How are they proving they are who they say they are?
      You, your employees, visitors, vendors, customers, etc.

Questions that need asking…

What

Authorization –
  o What can they do once connected?
      Restrict and isolate connectivity

Questions that need asking…

Where

What are they connecting from?

Limiting access from certain locations

Is it isolated from other sensitive or vital infrastructure?

Questions that need asking…

When

Can access be limited to certain times?

How long should they be able to access?

Can normal access be classified to certain times, and abnormal access trigger alerts?

Questions that need asking…

Why

Why do they need access?

Does the benefit of access outweigh the risks of that access?

What are the costs to mitigate those risks?

Questions that need asking…

How

Limiting access

Is the method SECURE?
  o Encrypted
  o Authenticated
  o Updated
  o Monitored
  o Logged

Risks – Vendor Equipment

Land lines and 2G cellular are being phased out…
Isolate equipment on your network: DMZ
Remote management - enforce strong security
What about cloud services?

Most vendors are contracted for expertise OTHER than IT security

Risks – Guests

Limits
  o Areas
  o Signal strength
Isolation
  o Guest networks: DMZ
  o Devices when connected – client or wireless isolation
Legal liabilities

Everyone wants Wi-Fi

Risks – Employee Access

Remote Access - working from the beach?
  o Full access – generally the same account as from within the office
  o Unknown equipment….
Multi-Factor authentication
Remote portals and NAC

Remote Access

Risks – Employee Access

BYOD: Bring Your Own Device
  o Let them buy what they want
  o What do they really need access to? Internet or internal network
  o How do you remove your data if they leave?

Organization Owned
  o Full control
  o Standardization
  o Might not be what the employee wants, may try to use own equipment anyway

Phones and tablets

MDM – Mobile Device Management

Mitigation: General Tips

Passwords
  o Phrases
  o Multi-factor authentication
  o Secure management
Written policies
  o Disaster Recovery/Business Continuity
  o InfoSec
  o Test and practice policies
Least privilege
  o If they don’t need it, don’t let them even see it
Network Isolation
Managed Security Service
  o Real time alerting
  o Log correlation
  o Forensic reporting

Review

What things?
IoT: What is this thing?
What happens when…
Questions that need asking
Risks
Mitigation

@ADNETTech

@ADNETTechnologies

@ADNETTechnologiesNY

www.thinkADNET.com
