Explore challenges & mitigation strategies for IoT security risks. Learn how to protect data, prevent attacks & strengthen network security. Key focus on data governance, attack surface reduction, and monitoring capabilities.
Security Risks & Mitigation Approaches in the IoT
Michele D. Guel, Distinguished Engineer, Cisco
How Connected Are We?
• How many smart devices, apps and providers?
  • Personal
  • Work
  • Hybrid
• How many social media “connections”?
• How much “background” traffic?
• What is your security confidence level?
  • At Home
  • At Work
  • In the world
What are Some Challenges?
• Loss of privacy
• Loss of humanity
• New, unforeseen attack vectors
• Increased risk of targeted attacks
• Increased need for new laws and regulations
• Exponential expansion of the threat landscape
The Bottom Line…
• “Almost everything that can be used for good can also be used for bad.”
Are We Ready?
IoT is Moving at Warp Speed
• Balance the speed of business with security
• Embrace security as a joint effort
• Expect data proliferation on the order of petabytes
• Prioritize lagging architectures
Enterprises are Still Lagging
• Aging infrastructure
  • 92% running vulnerable
  • 32% end of sale
• Trailing security posture
  • 64% in 2014
  • 59% in 2015
• Time to detect is not decreasing
DNS Attacks are Still a Blind Spot
• Monitoring is not common
• DNS monitoring should be used as an early warning system
• 91.3% of malware uses DNS in attacks
• IoT devices need DNS
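The slide argues that DNS should be an early-warning system, especially for IoT devices, which normally resolve only a handful of names. The following is an added example, not code from the presentation or from Cisco: it runs three simple detections over a constructed DNS query log (per-device allow-list deviation, random-looking first labels, and a burst of NXDOMAIN answers). The log lines, the client addresses, the domain names and the per-device baseline are all made up for the example; the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the presentation).
# Format per line: <client_ip> <queried_name> <response_code>
SAMPLE_LOG = """\
10.0.5.21 time.cloud-example.net NOERROR
10.0.5.21 api.cloud-example.net NOERROR
10.0.5.21 api.cloud-example.net NOERROR
10.0.5.22 firmware.cloud-example.net NOERROR
10.0.5.22 xk3j9q2lz8vb4n7w.example-bad.biz NXDOMAIN
10.0.5.22 q7m2pv9xw1tzr5y6.example-bad.biz NXDOMAIN
10.0.5.22 zz81lkq4nvm0gh3d.example-bad.biz NXDOMAIN
10.0.5.22 api.cloud-example.net NOERROR
"""

# Hypothetical per-device allow-list: the few names each IoT device is expected
# to resolve. Real IoT endpoints usually have a small, stable set like this.
BASELINE = {
    "10.0.5.21": {"time.cloud-example.net", "api.cloud-example.net"},
    "10.0.5.22": {"firmware.cloud-example.net", "api.cloud-example.net"},
}


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower().rstrip("."), parts[2]


def analyze(text: str, baseline: dict, nxdomain_threshold: int = 3,
            entropy_threshold: float = 3.5, min_label_len: int = 10) -> dict:
    """Return {client: [(reason, detail), ...]} for clients that trip a rule."""
    alerts = defaultdict(list)
    nxdomain_count = defaultdict(int)
    for client, qname, rcode in parse_log(text):
        expected = baseline.get(client)
        # Rule 1: a known device asking for a name outside its baseline.
        if expected is not None and qname not in expected:
            alerts[client].append(("outside-baseline", qname))
        # Rule 2: long, high-entropy leftmost label (DGA-style names).
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= entropy_threshold:
            alerts[client].append(("high-entropy-label", qname))
        # Rule 3 (counted below): many non-existent names from one client.
        if rcode == "NXDOMAIN":
            nxdomain_count[client] += 1
    for client, count in nxdomain_count.items():
        if count >= nxdomain_threshold:
            alerts[client].append(("nxdomain-burst", f"{count} NXDOMAIN responses"))
    return dict(alerts)


def flagged_clients(text: str, baseline: dict) -> list:
    """Sorted list of client IPs with at least one alert."""
    return sorted(analyze(text, baseline))


if __name__ == "__main__":
    for client, items in analyze(SAMPLE_LOG, BASELINE).items():
        for reason, detail in items:
            print(f"{client}\t{reason}\t{detail}")
```

On the sample log, 10.0.5.21 stays quiet while 10.0.5.22 trips all three rules; in practice the baseline would be learned from a quiet period per device class, and the entropy rule is only a hint that should be corroborated by the other two.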
Common Attack Patterns Have Emerged
• Endpoints (sensors, devices, hubs)
  • Web-based attacks (command/SQL injection, CSRF)
  • Altered firmware
  • Physical tampering to force report
  • Old/vulnerable firmware
• Communication channels (ZigBee, Bluetooth, Wi-Fi)
• Cloud infrastructure (identity, policies, firmware updates, etc.)
• User-facing UI controls (AAA)
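The slide lists SQL injection against device-facing web interfaces as one of the common endpoint attack patterns. The example below is added here and is not code from the presentation; it shows the vulnerable pattern (string-building the query) next to the parameterized form and an input-format check, using an in-memory SQLite table that stands in for an IoT hub's device registry. The table, its rows and the serial-number format are constructed assumptions.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory device registry (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (serial TEXT PRIMARY KEY, owner TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [("SN-0001", "alice", "key-a"), ("SN-0002", "bob", "key-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, serial: str) -> list:
    """The 'before': user input is pasted into the SQL text, so a crafted
    serial rewrites the WHERE clause and can return every row."""
    query = f"SELECT serial, owner FROM devices WHERE serial = '{serial}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, serial: str) -> list:
    """Bound parameters keep the input as data; the driver never interprets it
    as SQL, so the same crafted value simply matches nothing."""
    return conn.execute(
        "SELECT serial, owner FROM devices WHERE serial = ?", (serial,)
    ).fetchall()


# Hypothetical serial-number format for this device family.
SERIAL_RE = re.compile(r"SN-\d{4}")


def lookup_hardened(conn, serial: str) -> list:
    """Defence in depth: reject anything outside the expected format before it
    reaches the database, and still use a bound parameter."""
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("serial does not match expected format")
    return lookup_parameterized(conn, serial)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # textbook tautology; only the string-built query honours it
    print("vulnerable:   ", lookup_vulnerable(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("hardened:     ", exc)
```

The same two-layer pattern (strict format validation plus a parameterized query) applies to the OS-command case on the slide: validate the host or file name against the expected format and pass it as a separate argument rather than building a shell string.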
“As is often the case, consumer demand for new and exciting technologies have far surpassed the implementation of security measures.”
Source: Smart Watch Vulnerability Study
Overview: How Do We Catch Up?
“Extend” Your Security Team
• Security Leaders
• Security “Doers”
• Ensure end-to-end security
• Raise awareness of security in the area
• Ensure sufficient security “doers”
• Develop a security strategy for the area
• Ensure security has a seat at the table
• Message up to leadership
• Perform security architecture & deployment reviews
• Complete security artifacts
• Act as SME to clients for the area
• Be continuous learners on security
• Develop trusted partnerships
Expand Visibility on Risk Posture
• Service-level risks
• Infrastructure vulnerabilities
• Process maturity & compliance
• Coverage of Leaders & Doers
• Regular pen tests
Need C-level visibility into trending values
Consider the CIS Critical Controls Framework
Operationalization of the “20 Critical Controls”
• Be sufficient in all 20 controls in the Production & Extranet network
• Be sufficient in the most critical controls across labs, engineering, and other non-IT
• Add compensating controls where culturally not appropriate
• Measure posture of acquisitions using the 20 controls
• Automate the Metric & Test portion of controls
• Self-report when something goes wrong
• Score twice a year and report metrics
https://www.cisecurity.org/critical-controls.cfm
Keys to Minimizing Attack Surface
• “Trustworthy Products”
• Full embodiment of the Trusted Device Policy and technology to back it up
• Pervasive differentiated access (e.g. use of ISE)
• Mature behavior-based anomaly detection
• Decrease “Mean Time to Detect” and “Mean Time to Contain”
• Instrument the network: FireAMP, NGIPS, NetFlow everywhere
• Segment the network: control zones, security group tags, data-aware
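The last two bullets (instrument the network with NetFlow, segment it into control zones with group tags) combine naturally: once zones and an allowed-flow policy are written down, flow records can be audited against them. The following is an added example, not code from the presentation or any Cisco product: it models zones as address ranges, an allow-list of (source zone, destination zone, port) tuples, and checks constructed NetFlow-style records for cross-zone traffic the policy does not permit. Zone names, address ranges, ports and the flow records are all constructed.

```python
import ipaddress

# Hypothetical control zones; the label plays the role of a security group tag
# (constructed for this example, not from the presentation).
ZONES = {
    "iot-sensors": ipaddress.ip_network("10.0.5.0/24"),
    "iot-hub": ipaddress.ip_network("10.0.6.0/24"),
    "corp-users": ipaddress.ip_network("10.1.0.0/16"),
    "datacenter": ipaddress.ip_network("10.2.0.0/16"),
}

# Allowed flows as (src_zone, dst_zone, dst_port); anything not listed is denied.
POLICY = {
    ("iot-sensors", "iot-hub", 8883),   # sensors publish only to the hub (MQTT over TLS)
    ("iot-hub", "datacenter", 443),     # the hub forwards telemetry to the back end
    ("corp-users", "datacenter", 443),  # users reach applications in the data center
}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.0.5.21", "10.0.6.10", 8883),    # sensor -> hub: permitted
    ("10.0.6.10", "10.2.1.5", 443),      # hub -> data center: permitted
    ("10.0.5.22", "10.1.4.9", 445),      # sensor -> user workstation: not permitted
    ("10.0.5.22", "10.2.1.5", 22),       # sensor bypassing the hub: not permitted
    ("10.1.4.9", "10.0.5.21", 80),       # user -> sensor directly: not permitted
    ("192.168.9.9", "10.0.6.10", 8883),  # source outside every zone: not permitted
]


def zone_of(ip: str, zones: dict) -> str:
    """Return the zone label containing ip, or 'unknown' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for label, net in zones.items():
        if addr in net:
            return label
    return "unknown"


def is_permitted(src_zone: str, dst_zone: str, dst_port: int, policy: set) -> bool:
    """Default-deny: a flow is allowed only if the exact tuple is in the policy."""
    return (src_zone, dst_zone, dst_port) in policy


def evaluate(flows, zones=ZONES, policy=POLICY) -> list:
    """Return the flows that violate the zone policy, annotated with both zones,
    ready to hand to an alerting pipeline."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src, zones), zone_of(dst, zones)
        if not is_permitted(sz, dz, port, policy):
            violations.append((src, dst, port, sz, dz))
    return violations


if __name__ == "__main__":
    for src, dst, port, sz, dz in evaluate(FLOWS):
        print(f"VIOLATION {src} ({sz}) -> {dst}:{port} ({dz})")
```

Run against the sample records, the two sensor-to-hub and hub-to-data-center flows pass and the remaining four are reported; the same policy table is what the segmentation enforcement points should implement, so a non-empty violation list means either the enforcement or the policy is out of date.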
Mature Your Data Security Governance Strategy
Govern the data
• Laws, contracts, and policies impose requirements on the data
• Roles, responsibilities, ownership, etc. set the accountability
• Training, awareness, and metrics to manage behavior
Protect the data
• Manage use of data throughout the life cycle (i.e., collection to disposal)
• Access and rights management
• Incubate data-level security solutions
Go Deeper, Go Broader
• Securing the foundation
• System / Application / Data security
• Monitoring and response
• Risk management
Key Tenets of Strong Data Protection
• Policies and Standards
• Identification and Classification
• Data Risk and Organizational Maturity
• Incident Response
• Oversight and Enforcement
• Privacy and Security by Design
• Awareness and Education
In 2017, data-center-hosted data will be 7.7 zettabytes
Scaling Cloud Engagements
• Governance & Remediation
  • Assessment Questionnaires
  • Architecture Engagement Process
  • Terms of Use
  • Compliance
• Security Architecture
  • Architecture Guiding Principles
  • Assessment & Design Reviews
  • Baseline Compliance Criteria
• Monitoring and Incident Response
  • Logging & Monitoring Strategy
  • Event Analysis
  • Incident Response
• Vulnerability Management & Remediation
  • Scanning Methodology
  • Pen Testing Methodology
  • Remediation
Key Takeaways
• Implement “extended” teams
• Master the basics: block & tackle
• Expand accountability, visibility, knowledge
• Minimize attack surface
• Instrument the network
• Mature data management
• Mature cloud engagement models
Resources & Interesting Reads
• http://iwe.cisco.com/web/internet-of-everything-program
• http://www.cio-today.com/news/Internet-Devices-Lure-Hackers/story.xhtml?story_id=12100B4EOO00
• http://newsroom.cisco.com/feature-content?type=webcontent&articleId=1312830
• http://www.cisco.com/web/IN/about/leadership/cyber_security_ioe.html
• http://adtmag.com/Articles/2014/11/20/IoT-Security-Concerns.aspx?Page=2
• http://blog.trendmicro.com/internet-everything-requires-attention-old-new-cybersecurity-risks-2/
• http://www.simafore.com/blog/bid/207914/Data-and-Analytics-form-2-of-the-4-key-pieces-in-internet-of-things
• http://blog.trendmicro.com/road-signs-hacked-ioe-security-takes-center-stage/
• http://www.securityweek.com/top-10-things-cybersecurity-professionals-need-know-about-internet-everything
Thank You
@MicheleDGuel
mguel@cisco.com