Internet of Things Security Implications v1.4

Garth Whitacre, Senior Security Solution Architect

+ Agenda

• Introduction
• What Is The Internet Of Things?
• What Happens On The Internet Of Things?
• Why Should You And Your Organization Be Concerned?
• What Can You Do About These Concerns?
• Questions And Discussion

+ Introduction

Experience

• 5 years U.S. Army Signal Corps Officer
• 14 years of private-sector IT employment
• Last 9 years dedicated to security: operations, assessment and implementation
• Prior to joining SHI, led a team of 20 contracted security analysts for L-3 in support of USAFCENT
• Vendor-agnostic certifications: CISSP, SANS GIAC (GAWN/GCIA)
• Vendor certifications: Palo Alto, Check Point, RSA and McAfee

+ What Is The Internet Of Things?

Definition

The Internet of Things (IoT) is the interconnection of unique and identifiable electronic devices, within either a closed system or, more often, the existing public Internet infrastructure.

+ Components Of The Internet Of Things

Network Infrastructure
• Desktops, Laptops and Servers
• Printers and Imaging Devices
• Smart Phones, Tablets and Handheld Scanners
• Cloud and Virtualization
• Tags (RFID, Manufacturing and Shipping)
• Building Infrastructure
• Vehicles
• Home Appliances and Automation

At the end of the day, almost any electronic device can be on the Internet of Things.

+ Points On The Internet Of Things

• Private Networks
• Public Networks
• Personal Networks
• Closed Networks
• Gateways

+ What Happens On The Internet Of Things?

Interactions

• Device Introduction
• Device-to-Device Communication
• Trusts
• Data Transfer
• Device Departure

+ Where Is Data In The Internet Of Things?

• General Files
• Email
• Databases
• Unstructured Data
• Removable Media Sources
• Cloud

+ Printer and Digital Imaging Devices

• MFDs and publishing systems are installed throughout employee work areas.

+ Medical and Manufacturing Environments

• Hospitals and clinics have deployed heart rate monitors and IV systems to track system and patient health.
• Manufacturing equipment is installed throughout the floor, with signals that reflect bin or hopper states.
• Handheld scanners are used by employees to inventory pallets and update ordering systems.

+ Facilities

• Physical badging systems authenticate employees and partners into authorized areas.
• HVAC systems communicate with service providers to report the health of the system as well as interactions with other components.

+ Why Should You And Your Organization Be Concerned?

+ Top Security Challenges Identified by Executives

[Chart: Forrester Research – Executive Spotlight 2013]

+ Growth of Telecommuting

Telework Growth by Class of Worker (2000-2012)

• Federal employees: 421.0%
• State government employees: 122.1%
• Not-for-profit employees: 87.6%
• For-profit employees: 70.4%
• Local government employees: 62.3%

Source: GlobalWorkplaceAnalytics.com

+ Bring Your Own Device (BYOD)

• 50% of employers will stop supplying devices and move to BYOD by 2017; currently there is more support for BYOD tablets than for smart phones.
• 15% will never offer BYOD.

Source: Gartner Report – May 2013

+ Mobile – Where Is It Going?

[Chart: www.theconnectivist.com (Cisco Data)]

+ Security Statistics

• Sensitive or private records lost since 2006, by organization type:
  • 87M (federal)
  • 255M (retail)
  • 212M (financial and insurance)
  • 13M (educational institutions)
• From 2009 to 2013, breaches on federal networks rose from 26,942 to 46,605.

Source: US-CERT Report, 2014

+ Security Statistics (continued)

• Federal breaches in 2013, by origination:
  • 21% workers violating policy
  • 16% lost devices
  • 12% hard-copy handling
  • 8% users who installed malware
  • 6% users enticed by phishing/social engineering

Source: US-CERT Report, 2014

+ Data Types That Exist On The IoT

• Protected Health Information
• Payment Card Industry (PCI) Data
• Personally Identifiable Information
• Intellectual Property
• Customer Data
• Business Competitive Edge
• Financials

+ Regulatory and Compliance Drivers

• HIPAA/HITECH (Security/Privacy Rules and Breach Notification)
• Affordable Care Act (ACA) and MARS-E
• Payment Card Industry Data Security Standard (PCI DSS) 3.0
• Criminal Justice Information Services (CJIS)
• Internal Revenue Service (IRS) Publication 1075
• Internal Revenue Code (IRC) 26 U.S.C. §6103
• State Breach and Privacy Laws

+ Threats and Risks

• Inadvertent/Intentional Man-Made
• Default or Improperly Configured Device
• Access Exposure
• Data Exposure
• Inability to Report Current or Past Status (Compliance)

+ Understanding IoT Risk

+ Challenges

• Lack of Resources (Triple Constraint)
• Lack of Management Direction – Policies
• Limited Operational Lifecycle – Processes
• Operational vs. Security Priorities
• Lack of Visibility

+ What Can You Do About These Concerns?

+ Policies and Processes

• Policies – Current, Approved and Encompassing
• Change Board
• Regular Assessments – Internal or Third-Party

+ Data Characterization

• Data Types, Including Risks and Sensitivity
• Data Owners
• Data Custodians
• Data Locations

+ Visibility

• Intrusion Detection Systems
• Logging and Event Correlation
• Vulnerability Scanning
• Gateways – NGFW
• Data Access Control
• Data Loss Prevention
• Advanced Threat Detection

+ Segmentation

• Access Control Lists
• Physical Separation
• Gateways – NGFW
• Intrusion Prevention Systems
• Network Access Control

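As an added example (not from the original deck), the segmentation slide expressed as code: a hypothetical zone model with a default-deny allow-list, a check of constructed flow records against it, and the same policy rendered as an IOS-style extended ACL. The zone ranges, ports, and flow-log format are all assumptions made for the example; the point is that IoT devices reach only the gateway, never the corporate or server zones directly.

```python
import ipaddress
from collections import namedtuple

# Hypothetical zones for an IoT segmentation design (ranges are assumptions).
ZONES = {
    "iot":     ipaddress.ip_network("10.30.0.0/16"),
    "corp":    ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "gateway": ipaddress.ip_network("10.0.0.0/24"),
}

# Allow-list of (source zone, destination zone, protocol, destination port).
# Everything not listed is denied: IoT devices talk only to the gateway
# (DNS, NTP, MQTT over TLS); they never reach corp or servers directly.
POLICY = [
    ("iot",     "gateway", "udp", 53),
    ("iot",     "gateway", "udp", 123),
    ("iot",     "gateway", "tcp", 8883),
    ("corp",    "gateway", "udp", 53),
    ("corp",    "servers", "tcp", 443),
    ("servers", "gateway", "udp", 53),
]

Flow = namedtuple("Flow", "src dst proto dport")

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(flow):
    """Return (allowed, src_zone, dst_zone) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    allowed = (src_zone, dst_zone, flow.proto, flow.dport) in POLICY
    return allowed, src_zone, dst_zone

def parse_flow_line(line):
    """Parse one constructed flow-log line: 'src=A dst=B proto=P dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))

def audit(lines):
    """Return the flows that violate POLICY, with the zones involved."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        allowed, src_zone, dst_zone = check_flow(flow)
        if not allowed:
            violations.append((flow, src_zone, dst_zone))
    return violations

def render_acl():
    """Emit POLICY as an IOS-style extended ACL (wildcard masks), deny-all last."""
    lines = []
    for src, dst, proto, port in POLICY:
        s, d = ZONES[src], ZONES[dst]
        lines.append(f"permit {proto} {s.network_address} {s.hostmask} "
                     f"{d.network_address} {d.hostmask} eq {port}")
    lines.append("deny ip any any log")
    return lines

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.30.4.12 dst=10.0.0.5 proto=tcp dport=8883",    # IoT -> gateway MQTT/TLS: allowed
    "src=10.30.4.12 dst=10.10.7.20 proto=tcp dport=445",   # IoT -> corp SMB: lateral movement
    "src=10.30.4.12 dst=10.20.1.10 proto=tcp dport=3306",  # IoT -> database server: violation
    "src=10.10.7.20 dst=10.20.1.10 proto=tcp dport=443",   # corp -> server HTTPS: allowed
    "src=192.168.99.9 dst=10.20.1.10 proto=tcp dport=22",  # unknown source zone: violation
]

if __name__ == "__main__":
    for flow, s, d in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {s}->{d}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print("\n".join(render_acl()))
```

Running the block reports three violations (the two IoT-to-internal flows and the flow from an address in no defined zone) and prints the ACL with its logging deny as the last entry; the "unknown" zone is treated as a violation on purpose, since an address that matches no zone is exactly the device the inventory has not caught up with.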
+ Authentication/Secure Channels

• Strong Security Protocols (such as WPA2)
• Encrypted Channels (e.g. SSH, HTTPS, FTPS)
• Certificates
• Multi-Factor Authentication

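An added example, not from the original slides, showing the "encrypted channel" and "certificates" bullets done wrong and done right with Python's ssl module: the insecure context encrypts but authenticates nothing, so a device built on it will talk to anyone who answers, while the hardened one verifies the gateway against a pinned CA bundle, requires TLS 1.2 or later, and can present a device certificate so the gateway authenticates the device in turn (mutual TLS). The file paths and gateway hostname are hypothetical; nothing in the block opens a network connection unless you call open_device_channel yourself.

```python
import socket
import ssl

def insecure_context():
    """The common IoT shortcut: traffic is encrypted but the peer is never
    authenticated, so the device will complete a handshake with any impostor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(cafile=None, certfile=None, keyfile=None):
    """Verify the gateway against a pinned CA bundle (or the system store when
    cafile is None), require TLS 1.2 or later, and optionally present a device
    certificate so the gateway can authenticate the device (mutual TLS)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def context_is_acceptable(ctx):
    """Review check: a context passes only if it authenticates the peer,
    checks the name in the certificate, and refuses TLS 1.0/1.1."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def open_device_channel(host, port, ctx):
    """Open a TLS connection with SNI and hostname checking; a certificate that
    does not chain to the CA or does not name `host` raises ssl.SSLError."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(f"{name}: acceptable={context_is_acceptable(ctx)}")
    # Usage with hypothetical paths and hostname (not executed here):
    # ctx = hardened_context("gateway-ca.pem", "device.crt", "device.key")
    # tls = open_device_channel("iot-gateway.example.net", 8883, ctx)
```

The check function is the part worth keeping: grepping a firmware or agent code base for every SSLContext it builds and running each through context_is_acceptable catches the CERT_NONE shortcut before the device ships.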
+ Summary

• Policies and Processes
• Data Characterization
• Visibility
• Segmentation
• Authentication

+ Seven Simple Steps

1. Define requirements for devices connecting to the network
2. Identify the types of data and risks
3. Develop policies for device types and the conditions for permitting connection
4. Implement security controls commensurate with the associated risks
5. Provision new network devices
6. Manage endpoint processes and controls
7. De-provision inactive devices

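Steps 5 through 7 (provision, manage, de-provision), together with the logging and event correlation bullet under Visibility, can be turned into one recurring check. The following is an added example that is not part of the original deck: a hypothetical approved-device inventory is reconciled against constructed DHCP lease log lines to flag unknown devices joining the network, approved devices appearing outside their expected address range, and devices not seen within the de-provisioning window. The inventory, MAC addresses, log format and 30-day window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical approved-device inventory: MAC -> expected address prefix and owner.
INVENTORY = {
    "00:1e:c0:aa:bb:01": {"name": "hvac-ctrl-01",       "zone": "10.30.", "owner": "facilities"},
    "00:1e:c0:aa:bb:02": {"name": "badge-reader-lobby", "zone": "10.30.", "owner": "facilities"},
    "3c:5a:b4:00:12:99": {"name": "mfd-floor2",         "zone": "10.40.", "owner": "it"},
    "00:1e:c0:aa:bb:77": {"name": "iv-pump-0731",       "zone": "10.30.", "owner": "clinical"},
}

# Constructed DHCP server log lines (ISC dhcpd-like wording, ISO timestamps; not real logs).
SAMPLE_LOG = """\
2014-04-20T08:00:00 dhcpd: DHCPACK on 10.30.4.77 to 00:1e:c0:aa:bb:77 (iv-pump-0731) via eth1
2014-06-03T10:14:02 dhcpd: DHCPACK on 10.30.4.12 to 00:1e:c0:aa:bb:01 (hvac-ctrl-01) via eth1
2014-06-03T10:15:40 dhcpd: DHCPACK on 10.30.4.19 to 00:1e:c0:aa:bb:02 (badge-reader-lobby) via eth1
2014-06-03T11:02:11 dhcpd: DHCPACK on 10.10.7.88 to 3c:5a:b4:00:12:99 (mfd-floor2) via eth0
2014-06-03T11:30:05 dhcpd: DHCPACK on 10.30.4.51 to a4:77:33:de:ad:01 (android-7f2c) via eth1
"""

LEASE_RE = re.compile(r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)")

def parse_leases(text):
    """Return (timestamp, ip, mac) for every DHCPACK line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower()))
    return events

def reconcile(events, now, inactive_after=timedelta(days=30)):
    """Compare observed lease events with INVENTORY and return three finding lists:
    unknown   - MACs that joined without ever being provisioned (step 5 missed)
    wrong_zone - approved devices leasing an address outside their expected range
    inactive  - approved devices not seen within `inactive_after` (step 7 candidates)
    """
    findings = {"unknown": [], "wrong_zone": [], "inactive": []}
    last_seen = {}
    for ts, ip, mac in events:
        if mac not in INVENTORY:
            if (mac, ip) not in findings["unknown"]:
                findings["unknown"].append((mac, ip))
            continue
        last_seen[mac] = max(ts, last_seen.get(mac, ts))
        if not ip.startswith(INVENTORY[mac]["zone"]):
            findings["wrong_zone"].append((INVENTORY[mac]["name"], ip))
    for mac, info in INVENTORY.items():
        seen = last_seen.get(mac)
        if seen is None or now - seen > inactive_after:
            findings["inactive"].append(info["name"])
    return findings

if __name__ == "__main__":
    report = reconcile(parse_leases(SAMPLE_LOG), now=datetime(2014, 6, 3, 12, 0, 0))
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the sample log, the check reports the unprovisioned Android phone (rule 5 of the device-management rules: mobile devices arrive whether you want them or not), the multifunction printer that has turned up on a corporate user segment instead of its own, and an IV pump that has not been seen for six weeks and should be de-provisioned or physically located. In production the inventory would come from the NAC or CMDB and the events from the SIEM, but the reconciliation logic is the same.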
+ Questions and Discussion

+ 8 Rules For Good IoT Device Management

Daughter

1. Use your hands on my daughter and you'll lose yours.
2. You make her cry, I make you cry.
3. Safe sex is a myth. Anything you try will be hazardous to your health.
4. Bring her home late, there's no next date.
5. If you pull into my driveway and honk, you better be dropping off a package, because you're sure not picking anything up.
6. No complaining while you're waiting for her. If you're bored, change my oil.
7. If your pants hang off your hips, I'll gladly secure them with my staple gun.
8. Dates must be in crowded public places. You want romance? Read a book.

IoT Device

1. IT must proactively introduce devices to the network. You will regret it if you don't.
2. If you have a security incident, you have to be prepared to do something about it.
3. Safe IoT platforms are a myth. You have to be prepared to manage them.
4. IoT device policies/processes need to include when a device can join or leave.
5. Realize that mobile devices are coming to your environment whether you want them or not.
6. Establish requirements and expectations for the workforce before introducing new technologies.
7. Only approved configurations should be allowed to join the network.
8. Connections in public places are not private and must be protected.