SlideShare une entreprise Scribd logo

Internet of Things (IoT) Security and Privacy Recommendations by Jason Livingood at Inform[ED] IoT Security

CableLabs
CableLabs

As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry? Jason Livingood Vice President, Technology Policy & Standards, Comcast https://www.cablelabs.com/informed/

Technologie
1  sur  28
Télécharger pour lire hors ligne
Broadband Internet Technical Advisory Group April 2017 1 Internet of Things (IoT) Security and Privacy Recommendations
BITAG: An Overview • History – Established in 2010 prior to the first Open Internet Order, and just published 9th report. • Mission – BITAG brings together engineers and technical experts to develop consensus on broadband network management practices. • Technically Focused – Technical Working Group (TWG) participants must meet technical requirements through education and/or experience. • Expeditious – The TWG operates under a 120-day “shot clock” within which it must analyze the technical topic and generate a report. • Five Member Categories – BITAG has five participating member categories designed to include all of the Internet ecosystem. • Balanced Processes and Consensus-Based Decision-Making – The TWG strives to operate on a consensus basis, with backstop voting procedures. • Support for Independent Engineering Resources – BITAG members value broad participation and provide support for independent engineers and academics to participate and represent the public interest. 2
BITAG Work Product to Date • 9 Published Reports: – Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) – Differentiated Treatment of Internet Traffic (2015) – Interconnection and Traffic Exchange on the Internet (2014) – VoIP Impairment, Failure, and Restriction (2014) – Real-time Network Management of Congestion (2013) – Port Blocking (2013) – Simple Network Management Protocol (SNMP) Reflected Amplification Distributed Denial of Service (DDoS) Attack Mitigation (2012) – Implications of Large Scale Network Address Translation (NAT) (2012) – IPv6 Domain Name System (DNS) Whitelisting (2011) 3
BITAG Participants • ADTRAN • AT&T • Steven Bauer, MIT • Richard Bennett • CableLabs • Center for Democracy & Technology (CDT) • Cellcom • CenturyLink • Charter Communications • Cisco • KC Claffy, UCSD/CAIDA • David Clark, MIT • Comcast • Amogh Dhamdhere, UCSD/CAIDA • DISH • DISNEY • Entertainment Software Association • Dave Farber, Carnegie Mellon • Nick Feamster, Princeton • Bob Frankston • Google • Dale Hatfield • Level 3 • Mozilla • National Cable & Telecommunications Association (NCTA) • Jon Peha, Carnegie Mellon • Public Knowledge • Sandvine • T-Mobile • Union Wireless • USTelecom • Vistabeam 4
IoT Security & Privacy Motivation: – In the past few years, many of the new devices connected to the Internet have not been personal computers, but rather a variety of devices embedded with Internet connectivity and functions. • This class of devices has generally been described as the Internet of Things (IoT) and has brought with it new security and privacy risks. • IoT presents opportunities for significant innovation – from smart homes to smart cities – but the possibility of collateral damage to consumers and others, including the resulting backlash, may impede the growth of IoT and ultimately the promise it holds. •Report published in November 2016 •Lead Editors: – Jason Livingood, VP – Technology Policy & Standards at Comcast – Nick Feamster, Professor of Computer Science at Princeton 5
Overview: Observations • Security vulnerabilities – devices ship with vulnerabilities or those are discovered over time • Insecure communications – unauthenticated, unencrypted, lack of network isolation • Data leaks – from the cloud, from and between devices • Susceptibility to malware infection and other abuse • Potential for service disruption • Potential that device security and privacy problems will persist – device software rarely updated • Device replacement may be an alternative for inexpensive or “disposable” devices • *Possible future role for in-home network technology 6
Overview: Recommendations • IoT devices should: – Use best current software practices – Follow security & cryptography best practices – Be restrictive rather than permissive in communicating – Continue to function if Internet connectivity is disrupted or if cloud- backend fails – Support addressing and naming best practices – Ship with a privacy policy that is easy to find and understand • Disclose rights to remotely decrease IoT device functionality • IoT device industry should consider a cybersecurity program • IoT supply chain should play their part in addressing security & privacy issues 7
Internet of Things (IoT) – Issue Overview • Past few years, many new devices with internet connectivity and functions: – Sensors to better understand patterns of daily life and monitor health. – Monitors and controls for home functions, from locks to heating and water systems. – Devices and appliances that anticipate a consumer’s needs and can take action to address them (e.g., devices that monitor inventory and automatically re-order products for a consumer). • IoT devices typically interact with software running elsewhere on the network and often function autonomously, without requiring human intervention. • The term “IoT” has potentially broad scope: – For this report, IoT refers solely to consumer-oriented devices and their associated local and remote software systems. – BITAG report concerned with scenarios where consumers are installing, configuring, and administering devices they lease or own. 8
Internet of Things (IoT) – Issue Overview • Consumers face general security and privacy threats with any Internet-connected device, but the nature of consumer IoT is unique: – Can involve non-technical or uninterested consumers. – Challenging device discovery or inventory on consumer home networks as the number and variety of devices proliferate. – Impacts on the Internet access service of both the consumer and others that run on shared network links. – Effects on other services, for when IoT devices are compromised by malware they can become platforms for unwanted data traffic – such as spam and denial of service attacks (DoS or DDoS). • Recent reports and incidents show that some devices do not abide by rudimentary security and privacy best practices: – Devices have been compromised. – Allowed unauthorized users to: • Perform surveillance and monitoring. • Gain access or control. • Induce device or system failures. • Disturb or harass authorized users or device owners. 9
Internet of Things (IoT) – Issue Overview • Potential issues contributing to the lack of security and privacy best practices include: – Lack of IoT supply chain experience with security and privacy. – Lack of incentives to develop and deploy updates after the initial sale. – Difficulty of secure over-the-network software updates. – Devices with constrained or limited: • Hardware resources (precluding certain basic or “common sense” security measures). • User interfaces (which, if present, may only have minimal functionality). – Devices with malware inserted during the manufacturing process: • Or shipped with existing known vulnerabilities. • Or where vulnerabilities develop over time but no ability to update the device (see hardware constraint above). 10
Observations • Security Vulnerabilities: – Some IoT devices ship “from the factory” with software that either is outdated or becomes outdated over time. – Other IoT devices may ship with more current software, but vulnerabilities may be discovered in the future. • Vulnerabilities that are discovered throughout a device’s lifespan may make a device less secure over time unless it has a mechanism to subsequently update its software. 11
Observations • Insecure Communications: – Many of the security functions designed for more general-purpose computing devices are difficult to implement on IoT devices and a number of security flaws have been identified in the field, including unencrypted communications and data leaks from IoT devices. – Unauthenticated communications: • Some IoT devices provide automatic software updates. Without authentication and encryption, however, this approach is insufficient because the update mechanism could be compromised or disabled. • In addition, many IoT devices do not use authentication in the course of communicating. – Unencrypted communications: • Many IoT devices send some or all data in cleartext, rather than in an encrypted form. • Communications in cleartext can be observed by other devices or by an attacker. 12
Observations • Insecure Communications (cont.): – Lack of mutual authentication and authorization: • A device that allows an unknown or unauthorized party to change its code or configuration, or to access its data, is a threat. • The device can reveal that its owner is present or absent, facilitate the installation or operation of malware, or cause its core IoT function to be fundamentally compromised. – Lack of network isolation: • These devices also create new risks and are susceptible to attacks inside the home. • Because many home networks do not, by default, isolate different parts of the network from each other, a network-connected device may be able to observe or exchange traffic with other devices on the same home network, thus making it possible for one device to observe or affect the behavior of unrelated devices. 13
Observations • Data Leaks: – IoT devices may leak private user data, both from the cloud (where data is stored) and between IoT devices themselves. – Leaks from the cloud: • Cloud services could experience a data breach due to an external attack or an insider threat. • Additionally, if users rely on weak authentication or encryption methods for these cloud-hosted services, user data may also be compromised. – Leaks from and between devices: • In some cases, devices on the same network or on neighboring networks may be able to observe data from other devices such as the names of people in a home, the precise geographic location of a home, or even the products that a consumer purchases. 14
Observations • Susceptibility to Malware Infection and Other Abuse: – Malware and other forms of abuse can disrupt IoT device operations, gain unauthorized access, or launch attacks. • Potential for Service Disruption: – The potential loss of availability or connectivity not only diminishes the functionality of IoT devices, but also may degrade the security of devices in some cases, such as when an IoT device can no longer function without such connectivity (e.g., a home alarm system deactivating if connectivity is lost). 15
Observations • Potential That Device Security and Privacy Problems Will Persist: – IoT device security issues are likely to persist because many devices may never receive a software update, either because the manufacturer (or other party in the IoT supply chain, or IoT service provider) may not provide updates or because consumers may not apply the updates that are already available. – Many IoT devices will never be fixed: • Deploying software updates that patch critical security vulnerabilities is difficult in general. • Many device vendors and manufacturers do not have systems or processes to deploy software updates to thousands of devices, and deploying over-the- network updates to devices that are operating in consumer homes is difficult, as updates can sometimes interrupt service and sometimes have the potential to “brick” the device, if done improperly. • Additionally, some devices may not even be capable of software updates. 16
Observations • Potential That Device Security and Privacy Problems Will Persist (cont.): – Software updates address more than just bugs: • Software updates are not simply intended to fix security or privacy bugs, but may also be intended to introduce major new functions, or improve performance and security. – Consumers are unlikely to update IoT device software: • Few end users consistently update device software of their own accord; it is best to assume that most end users will never take action on their own to update software. • Device Replacement May be an Alternative to Software Updates, for Inexpensive or “Disposable” Devices: – In some cases, replacing a device entirely may be an alternative to software updates. – Certain IoT devices may be so inexpensive that updating software may be impractical or not cost-effective. 17
Observations • *Possible Future Role for In-Home Network Technology – Recent studies and reports suggest there may be some role for a home network appliance to control and manage the traffic that IoT devices exchange with each other and with the rest of the Internet. – Possible capabilities for such a network device include: • Automatic discovery and inventory of in-home Internet connected devices. • Mechanisms for presenting the user with clear information about (1) what data the device is sending to the rest of the Internet and (2) what other devices in the home the device is talking to, as has been done in the past for smartphones and browsers. • Mechanisms that provide the user with simple ways to prevent or disable communication of a single device with other IoT devices on the home network, or with storage servers in the cloud, without impairing the primary functionality of the device. 18
Recommendations • IoT Devices Should Use Best Current Software Practices: – IoT devices should ship with reasonably current software: • BITAG recommends that IoT devices should ship to customers or retail outlets with reasonably current software that does not contain severe, known vulnerabilities. – IoT devices should have a mechanism for automated, secure software updates: • Software bugs should be minimized, but they are inevitable. Thus, it is critical for an IoT device to have a mechanism for automatic, secure software updates. • BITAG recommends that manufacturers of IoT devices or IoT service providers should therefore design their devices and systems based on the assumption that new bugs and vulnerabilities will be discovered over time. • They should design systems and processes to ensure the automatic update of IoT device software, without requiring or expecting any type of user action or even user opt-in. 19
Recommendations • IoT Devices Should Use Best Current Software Practices (cont.): – IoT devices should use strong authentication by default: • BITAG recommends that IoT devices be secured by default (e.g. password protected) and not use common or easily guessable user names and passwords (e.g., “admin”, “password”). – IoT device configurations should be tested and hardened: • Some IoT devices allow a user to customize the behavior of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration. 20
Recommendations • IoT Devices Should Follow Security & Cryptography Best Practices: – BITAG recommends that IoT device manufacturers secure communications using Transport Layer Security (TLS) or Lightweight Cryptography (LWC). – If devices rely on a public key infrastructure (PKI), then an authorized entity must be able to revoke certificates when they become compromised, and manufacturers should take care to avoid encryption methods, protocols, and key sizes with known weaknesses. – Additional encryption best practices include: • Encrypt configuration (command & control) communications by default. • Secure communications to and from iot controllers. • Encrypt local storage of sensitive data. • Authenticate communications, software changes, and requests for data. • Use unique credentials for each device. • Use credentials that can be updated. • Close unnecessary ports and disable unnecessary services. • Use libraries that are actively maintained and supported. 21
Recommendations • IoT Devices Should Be Restrictive Rather Than Permissive in Communicating: – When possible, devices should not be reachable via inbound connections by default. IoT devices should not rely on the network firewall alone to restrict communication, as some communication between devices within the home may not traverse the firewall. • IoT Devices Should Continue to Function if Internet Connectivity is Disrupted: – BITAG recommends that an IoT device should be able to perform its primary function or functions (e.g., a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet because Internet connectivity may be disrupted due to causes ranging from accidental misconfiguration to intentional attack. – IoT devices that have implications for user safety should continue to function under disconnected operation to protect the safety of consumers. 22
Recommendations • IoT Devices Should Continue to Function If the Cloud Back-End Fails: – Many services that depend on or use a cloud back-end can continue to function, even if in a degraded or partially functional state, when connectivity to the cloud back-end is interrupted or the service itself fails. • IoT Devices Should Support Addressing and Naming Best Practices: – Many IoT devices may remain deployed for a number of years after they are installed. Supporting the latest protocols for addressing and naming will ensure that these devices remain functional for years to come. • IPv6: BITAG recommends that IoT devices support the most recent version of the Internet Protocol, IPv6. • DNSSEC: BITAG recommends that IoT devices support the use or validation of DNS Security Extensions (DNSSEC) when domain names are used. 23
Recommendations • IoT Devices Should Ship with a Privacy Policy That is Easy to Find & Understand: – BITAG recommends that IoT devices ship with a privacy policy, but that policy must be easy for a typical user to find and understand. • Disclose Rights to Remotely Decrease IoT Device Functionality: – BITAG recommends that if the functionality of an IoT device can be remotely decreased by a third party, such as by the manufacturer or IoT service provider, this possibility should be made clear to the user at the time of purchase. • The IoT Device Industry Should Consider an Industry Cybersecurity Program: – BITAG recommends that the IoT device industry or a related consumer electronics group consider the creation of an industry-backed program under which some kind of “Secure IoT Device” logo or notation could be carried on IoT retail packaging. 24
Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues: – End users of IoT devices depend upon the IoT supply chain, from manufacturer to retailer, to protect their security and privacy, and some or all parts of that IoT supply chain play a critical role throughout the entire lifecycle of the product. – BITAG also recommends that the IoT supply chain takes the following steps: • Privacy policy: Devices should have a privacy policy that is clear and understandable, particularly where a device is sold in conjunction with an ongoing service. • Reset mechanism: Devices should have a reset mechanism for IoT devices that clears all configuration for use when a consumer returns or resells the device. The device manufacturers should also provide a mechanism to delete or reset any data that the respective device stores in the cloud. • Bug reporting system: Manufacturers should provide a bug reporting system with a well-defined bug submission mechanisms and documented response policy. 25
Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues (cont.): • Secure software supply chain: Manufacturers should protect the secure software supply chain to prevent introduction of malware during the manufacturing process; vendors and manufacturers should take appropriate measures to secure their software supply chain. • Support IoT device for entire lifespan: Manufacturers should support an IoT device throughout the course of its lifespan, from design to the time when a device is retired, including transparency about the timespan over which they plan to provide continued support for a device, and what the consumer should expect from the device’s function at the end of the device’s lifespan. • Clear contact methods: Manufacturers should provide clear methods for consumers to determine who they can contact for support and methods to contact consumers to disseminate information about software vulnerabilities or other issues. 26
Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues (cont.): • Report discovery and remediation of vulnerabilities: Manufacturers should report discovery and remediation of software vulnerabilities that pose security or privacy threats to consumers. • Clear vulnerability reporting process: Manufacturers should provide a vulnerability reporting process with a well-defined, easy-to-locate, and secure vulnerability reporting form, as well as a documented response policy. 27
Broadband Internet Technical Advisory Group http://www.bitag.com Twitter: @BITAGORG Mailing Address: 1550 Wynkoop, Suite 168 Denver, CO 80202 28 Jason Livingood VP – Technology Policy & Standards Comcast jason_livingood@comcast.com Douglas C. Sicker Executive Director Chair of the Technical Working Group BITAG dsicker@bitag.org 720-724-8083 Nick Feamster Professor of Computer Science Princeton feamster@cs.princeton.edu Kaleb A. Sieh Deputy Director General Counsel BITAG ksieh@bitag.org 720-724-8083

Recommandé

IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Iot Security
Iot SecurityIot Security
Iot SecurityMAITREYA MISRA
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
IOT Security
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 

Recommandé

IoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themIoT security and privacy: main challenges and how ISOC-OTA address them
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
 
Iot Security
Iot SecurityIot Security
Iot SecurityMAITREYA MISRA
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
IOT Security
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
 
Security and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSecurity and Privacy considerations in Internet of Things
Security and Privacy considerations in Internet of ThingsSomasundaram Jambunathan
 
Presentation on IOT SECURITY
Presentation on IOT SECURITYPresentation on IOT SECURITY
Presentation on IOT SECURITYThe Avi Sharma
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)Sanjay Kumar (Seeking options outside India)
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of thingssreelekha appakondappagari
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT SecuritySHAAMILIVARSAGV
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTUniversity of Ontario Institute of Technology (UOIT)
 
IoT Security
IoT SecurityIoT Security
IoT SecurityNarudom Roongsiriwong, CISSP
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber securitysajid mehmood
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computingeteshagarwal1
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTgr9293
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and SolutionsUlf Mattsson
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Securitynoornabi16
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoTVishnupriya T H
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Future of IoT: Key Challenges to Face
Future of IoT: Key Challenges to FaceFuture of IoT: Key Challenges to Face
Future of IoT: Key Challenges to FaceAltoros
 

Contenu connexe

Tendances

IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT SecuritySHAAMILIVARSAGV
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computingeteshagarwal1
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoTgr9293
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and SolutionsUlf Mattsson
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Securitynoornabi16
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Ulf Mattsson
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoTVishnupriya T H
 

Tendances (20)

IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT Security
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
 
A survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOTA survey in privacy and security in Internet of Things IOT
A survey in privacy and security in Internet of Things IOT
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
 
Iot and cloud computing
Iot and cloud computingIot and cloud computing
Iot and cloud computing
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
IoT - Attacks and Solutions
IoT - Attacks and SolutionsIoT - Attacks and Solutions
IoT - Attacks and Solutions
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoT
 

Similaire à Internet of Things (IoT) Security and Privacy Recommendations by Jason Livingood at Inform[ED] IoT Security

Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Future of IoT: Key Challenges to Face
Future of IoT: Key Challenges to FaceFuture of IoT: Key Challenges to Face
Future of IoT: Key Challenges to FaceAltoros
 
Key challenges facing the future of IoT
Key challenges facing the future of IoTKey challenges facing the future of IoT
Key challenges facing the future of IoTAhmed Banafa
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Presentation about IoT in media and communication.pdf
Presentation about IoT in media and communication.pdfPresentation about IoT in media and communication.pdf
Presentation about IoT in media and communication.pdfezzAyman1
 
Views and myths of IoT
Views and myths of IoTViews and myths of IoT
Views and myths of IoTAhmed Banafa
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014Adrian Wright
 
Unit 6 Final ppt (1).ppt
Unit 6 Final ppt (1).pptUnit 6 Final ppt (1).ppt
Unit 6 Final ppt (1).pptnadoje
 
Unit 1 IoT Fundamentals.pdf
Unit 1 IoT Fundamentals.pdfUnit 1 IoT Fundamentals.pdf
Unit 1 IoT Fundamentals.pdfZoyaAli844417
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Internet of things chapter2.pdf
Internet of things chapter2.pdfInternet of things chapter2.pdf
Internet of things chapter2.pdfRupesh930637
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsStanford School of Engineering
 
Internet of Things-ppt.pptx
Internet of Things-ppt.pptxInternet of Things-ppt.pptx
Internet of Things-ppt.pptxSaonDey3
 
Introduction to IOT security
Introduction to IOT securityIntroduction to IOT security
Introduction to IOT securityPriyab Satoshi
 
IOT TOTAL POWER POINT PRESENTATION UNITS
IOT TOTAL POWER POINT PRESENTATION UNITSIOT TOTAL POWER POINT PRESENTATION UNITS
IOT TOTAL POWER POINT PRESENTATION UNITSDineshV95
 
2 - Iot-Internet-of-Things.pptx
2 - Iot-Internet-of-Things.pptx2 - Iot-Internet-of-Things.pptx
2 - Iot-Internet-of-Things.pptxssuser2cc0d4
 
It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11newbie2019
 

Similaire à Internet of Things (IoT) Security and Privacy Recommendations by Jason Livingood at Inform[ED] IoT Security (20)

Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT Security
 
Future of IoT: Key Challenges to Face
Future of IoT: Key Challenges to FaceFuture of IoT: Key Challenges to Face
Future of IoT: Key Challenges to Face
 
Key challenges facing the future of IoT
Key challenges facing the future of IoTKey challenges facing the future of IoT
Key challenges facing the future of IoT
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of Things
 
Presentation about IoT in media and communication.pdf
Presentation about IoT in media and communication.pdfPresentation about IoT in media and communication.pdf
Presentation about IoT in media and communication.pdf
 
Views and myths of IoT
Views and myths of IoTViews and myths of IoT
Views and myths of IoT
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
ISSA-UK - Securing the Internet of Things - CIO Seminar 13 May 2014
 
Unit 6 Final ppt (1).ppt
Unit 6 Final ppt (1).pptUnit 6 Final ppt (1).ppt
Unit 6 Final ppt (1).ppt
 
CHA_001_IOT.pptx
CHA_001_IOT.pptxCHA_001_IOT.pptx
CHA_001_IOT.pptx
 
iot_basic_1.pptx
iot_basic_1.pptxiot_basic_1.pptx
iot_basic_1.pptx
 
Unit 1 IoT Fundamentals.pdf
Unit 1 IoT Fundamentals.pdfUnit 1 IoT Fundamentals.pdf
Unit 1 IoT Fundamentals.pdf
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Internet of things chapter2.pdf
Internet of things chapter2.pdfInternet of things chapter2.pdf
Internet of things chapter2.pdf
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of ThingsMark Horowitz - Stanford Engineering - Securing the Internet of Things
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
 
Internet of Things-ppt.pptx
Internet of Things-ppt.pptxInternet of Things-ppt.pptx
Internet of Things-ppt.pptx
 
Introduction to IOT security
Introduction to IOT securityIntroduction to IOT security
Introduction to IOT security
 
IOT TOTAL POWER POINT PRESENTATION UNITS
IOT TOTAL POWER POINT PRESENTATION UNITSIOT TOTAL POWER POINT PRESENTATION UNITS
IOT TOTAL POWER POINT PRESENTATION UNITS
 
2 - Iot-Internet-of-Things.pptx
2 - Iot-Internet-of-Things.pptx2 - Iot-Internet-of-Things.pptx
2 - Iot-Internet-of-Things.pptx
 
It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11It nv51 instructor_ppt_ch11
It nv51 instructor_ppt_ch11
 

Plus de CableLabs

"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...
"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri..."Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...
"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...CableLabs
 
Protecting ISP Networks and the Internet at Inform[ED] IoT Security
Protecting ISP Networks and the Internet at Inform[ED] IoT SecurityProtecting ISP Networks and the Internet at Inform[ED] IoT Security
Protecting ISP Networks and the Internet at Inform[ED] IoT SecurityCableLabs
 
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT SecurityCableLabs
 
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...CableLabs
 
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...CableLabs
 
Keynote by Simon Kos at Inform[ED] Connected Healthcare
Keynote by Simon Kos at Inform[ED] Connected HealthcareKeynote by Simon Kos at Inform[ED] Connected Healthcare
Keynote by Simon Kos at Inform[ED] Connected HealthcareCableLabs
 
NFV ISG – Phase 2 Begins
NFV ISG – Phase 2 BeginsNFV ISG – Phase 2 Begins
NFV ISG – Phase 2 BeginsCableLabs
 

Plus de CableLabs (7)

"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...
"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri..."Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...
"Future Impact of IoT and the Implications of Security" Keynote by Brian Scri...
 
Protecting ISP Networks and the Internet at Inform[ED] IoT Security
Protecting ISP Networks and the Internet at Inform[ED] IoT SecurityProtecting ISP Networks and the Internet at Inform[ED] IoT Security
Protecting ISP Networks and the Internet at Inform[ED] IoT Security
 
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT Security
 
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...
 
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...
Innovation in Connected Healthcare by Summer Knight MD at Inform[ED] Connecte...
 
Keynote by Simon Kos at Inform[ED] Connected Healthcare
Keynote by Simon Kos at Inform[ED] Connected HealthcareKeynote by Simon Kos at Inform[ED] Connected Healthcare
Keynote by Simon Kos at Inform[ED] Connected Healthcare
 
NFV ISG – Phase 2 Begins
NFV ISG – Phase 2 BeginsNFV ISG – Phase 2 Begins
NFV ISG – Phase 2 Begins
 

Dernier

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 

Internet of Things (IoT) Security and Privacy Recommendations by Jason Livingood at Inform[ED] IoT Security

  • 1. Broadband Internet Technical Advisory Group April 2017 1 Internet of Things (IoT) Security and Privacy Recommendations
  • 2. BITAG: An Overview • History – Established in 2010 prior to the first Open Internet Order, and just published 9th report. • Mission – BITAG brings together engineers and technical experts to develop consensus on broadband network management practices. • Technically Focused – Technical Working Group (TWG) participants must meet technical requirements through education and/or experience. • Expeditious – The TWG operates under a 120-day “shot clock” within which it must analyze the technical topic and generate a report. • Five Member Categories – BITAG has five participating member categories designed to include all of the Internet ecosystem. • Balanced Processes and Consensus-Based Decision-Making – The TWG strives to operate on a consensus basis, with backstop voting procedures. • Support for Independent Engineering Resources – BITAG members value broad participation and provide support for independent engineers and academics to participate and represent the public interest. 2
  • 3. BITAG Work Product to Date • 9 Published Reports: – Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) – Differentiated Treatment of Internet Traffic (2015) – Interconnection and Traffic Exchange on the Internet (2014) – VoIP Impairment, Failure, and Restriction (2014) – Real-time Network Management of Congestion (2013) – Port Blocking (2013) – Simple Network Management Protocol (SNMP) Reflected Amplification Distributed Denial of Service (DDoS) Attack Mitigation (2012) – Implications of Large Scale Network Address Translation (NAT) (2012) – IPv6 Domain Name System (DNS) Whitelisting (2011) 3
  • 4. BITAG Participants • ADTRAN • AT&T • Steven Bauer, MIT • Richard Bennett • CableLabs • Center for Democracy & Technology (CDT) • Cellcom • CenturyLink • Charter Communications • Cisco • KC Claffy, UCSD/CAIDA • David Clark, MIT • Comcast • Amogh Dhamdhere, UCSD/CAIDA • DISH • DISNEY • Entertainment Software Association • Dave Farber, Carnegie Mellon • Nick Feamster, Princeton • Bob Frankston • Google • Dale Hatfield • Level 3 • Mozilla • National Cable & Telecommunications Association (NCTA) • Jon Peha, Carnegie Mellon • Public Knowledge • Sandvine • T-Mobile • Union Wireless • USTelecom • Vistabeam 4
  • 5. IoT Security & Privacy Motivation: – In the past few years, many of the new devices connected to the Internet have not been personal computers, but rather a variety of devices embedded with Internet connectivity and functions. • This class of devices has generally been described as the Internet of Things (IoT) and has brought with it new security and privacy risks. • IoT presents opportunities for significant innovation – from smart homes to smart cities – but the possibility of collateral damage to consumers and others, including the resulting backlash, may impede the growth of IoT and ultimately the promise it holds. •Report published in November 2016 •Lead Editors: – Jason Livingood, VP – Technology Policy & Standards at Comcast – Nick Feamster, Professor of Computer Science at Princeton 5
  • 6. Overview: Observations • Security vulnerabilities – devices ship with vulnerabilities or those are discovered over time • Insecure communications – unauthenticated, unencrypted, lack of network isolation • Data leaks – from the cloud, from and between devices • Susceptibility to malware infection and other abuse • Potential for service disruption • Potential that device security and privacy problems will persist – device software rarely updated • Device replacement may be an alternative for inexpensive or “disposable” devices • *Possible future role for in-home network technology 6
  • 7. Overview: Recommendations • IoT devices should: – Use best current software practices – Follow security & cryptography best practices – Be restrictive rather than permissive in communicating – Continue to function if Internet connectivity is disrupted or if cloud- backend fails – Support addressing and naming best practices – Ship with a privacy policy that is easy to find and understand • Disclose rights to remotely decrease IoT device functionality • IoT device industry should consider a cybersecurity program • IoT supply chain should play their part in addressing security & privacy issues 7
  • 8. Internet of Things (IoT) – Issue Overview • Past few years, many new devices with internet connectivity and functions: – Sensors to better understand patterns of daily life and monitor health. – Monitors and controls for home functions, from locks to heating and water systems. – Devices and appliances that anticipate a consumer’s needs and can take action to address them (e.g., devices that monitor inventory and automatically re-order products for a consumer). • IoT devices typically interact with software running elsewhere on the network and often function autonomously, without requiring human intervention. • The term “IoT” has potentially broad scope: – For this report, IoT refers solely to consumer-oriented devices and their associated local and remote software systems. – BITAG report concerned with scenarios where consumers are installing, configuring, and administering devices they lease or own. 8
  • 9. Internet of Things (IoT) – Issue Overview • Consumers face general security and privacy threats with any Internet-connected device, but the nature of consumer IoT is unique: – Can involve non-technical or uninterested consumers. – Challenging device discovery or inventory on consumer home networks as the number and variety of devices proliferate. – Impacts on the Internet access service of both the consumer and others that run on shared network links. – Effects on other services, for when IoT devices are compromised by malware they can become platforms for unwanted data traffic – such as spam and denial of service attacks (DoS or DDoS). • Recent reports and incidents show that some devices do not abide by rudimentary security and privacy best practices: – Devices have been compromised. – Allowed unauthorized users to: • Perform surveillance and monitoring. • Gain access or control. • Induce device or system failures. • Disturb or harass authorized users or device owners. 9
  • 10. Internet of Things (IoT) – Issue Overview • Potential issues contributing to the lack of security and privacy best practices include: – Lack of IoT supply chain experience with security and privacy. – Lack of incentives to develop and deploy updates after the initial sale. – Difficulty of secure over-the-network software updates. – Devices with constrained or limited: • Hardware resources (precluding certain basic or “common sense” security measures). • User interfaces (which, if present, may only have minimal functionality). – Devices with malware inserted during the manufacturing process: • Or shipped with existing known vulnerabilities. • Or where vulnerabilities develop over time but no ability to update the device (see hardware constraint above). 10
  • 11. Observations • Security Vulnerabilities: – Some IoT devices ship “from the factory” with software that either is outdated or becomes outdated over time. – Other IoT devices may ship with more current software, but vulnerabilities may be discovered in the future. • Vulnerabilities that are discovered throughout a device’s lifespan may make a device less secure over time unless it has a mechanism to subsequently update its software. 11
  • 12. Observations • Insecure Communications: – Many of the security functions designed for more general-purpose computing devices are difficult to implement on IoT devices and a number of security flaws have been identified in the field, including unencrypted communications and data leaks from IoT devices. – Unauthenticated communications: • Some IoT devices provide automatic software updates. Without authentication and encryption, however, this approach is insufficient because the update mechanism could be compromised or disabled. • In addition, many IoT devices do not use authentication in the course of communicating. – Unencrypted communications: • Many IoT devices send some or all data in cleartext, rather than in an encrypted form. • Communications in cleartext can be observed by other devices or by an attacker. 12
  • 13. Observations • Insecure Communications (cont.): – Lack of mutual authentication and authorization: • A device that allows an unknown or unauthorized party to change its code or configuration, or to access its data, is a threat. • The device can reveal that its owner is present or absent, facilitate the installation or operation of malware, or cause its core IoT function to be fundamentally compromised. – Lack of network isolation: • These devices also create new risks and are susceptible to attacks inside the home. • Because many home networks do not, by default, isolate different parts of the network from each other, a network-connected device may be able to observe or exchange traffic with other devices on the same home network, thus making it possible for one device to observe or affect the behavior of unrelated devices. 13
  • 14. Observations • Data Leaks: – IoT devices may leak private user data, both from the cloud (where data is stored) and between IoT devices themselves. – Leaks from the cloud: • Cloud services could experience a data breach due to an external attack or an insider threat. • Additionally, if users rely on weak authentication or encryption methods for these cloud-hosted services, user data may also be compromised. – Leaks from and between devices: • In some cases, devices on the same network or on neighboring networks may be able to observe data from other devices such as the names of people in a home, the precise geographic location of a home, or even the products that a consumer purchases. 14
  • 15. Observations • Susceptibility to Malware Infection and Other Abuse: – Malware and other forms of abuse can disrupt IoT device operations, gain unauthorized access, or launch attacks. • Potential for Service Disruption: – The potential loss of availability or connectivity not only diminishes the functionality of IoT devices, but also may degrade the security of devices in some cases, such as when an IoT device can no longer function without such connectivity (e.g., a home alarm system deactivating if connectivity is lost). 15
  • 16. Observations • Potential That Device Security and Privacy Problems Will Persist: – IoT device security issues are likely to persist because many devices may never receive a software update, either because the manufacturer (or other party in the IoT supply chain, or IoT service provider) may not provide updates or because consumers may not apply the updates that are already available. – Many IoT devices will never be fixed: • Deploying software updates that patch critical security vulnerabilities is difficult in general. • Many device vendors and manufacturers do not have systems or processes to deploy software updates to thousands of devices, and deploying over-the- network updates to devices that are operating in consumer homes is difficult, as updates can sometimes interrupt service and sometimes have the potential to “brick” the device, if done improperly. • Additionally, some devices may not even be capable of software updates. 16
  • 17. Observations • Potential That Device Security and Privacy Problems Will Persist (cont.): – Software updates address more than just bugs: • Software updates are not simply intended to fix security or privacy bugs, but may also be intended to introduce major new functions, or improve performance and security. – Consumers are unlikely to update IoT device software: • Few end users consistently update device software of their own accord; it is best to assume that most end users will never take action on their own to update software. • Device Replacement May be an Alternative to Software Updates, for Inexpensive or “Disposable” Devices: – In some cases, replacing a device entirely may be an alternative to software updates. – Certain IoT devices may be so inexpensive that updating software may be impractical or not cost-effective. 17
  • 18. Observations • *Possible Future Role for In-Home Network Technology – Recent studies and reports suggest there may be some role for a home network appliance to control and manage the traffic that IoT devices exchange with each other and with the rest of the Internet. – Possible capabilities for such a network device include: • Automatic discovery and inventory of in-home Internet connected devices. • Mechanisms for presenting the user with clear information about (1) what data the device is sending to the rest of the Internet and (2) what other devices in the home the device is talking to, as has been done in the past for smartphones and browsers. • Mechanisms that provide the user with simple ways to prevent or disable communication of a single device with other IoT devices on the home network, or with storage servers in the cloud, without impairing the primary functionality of the device. 18
  • 19. Recommendations • IoT Devices Should Use Best Current Software Practices: – IoT devices should ship with reasonably current software: • BITAG recommends that IoT devices should ship to customers or retail outlets with reasonably current software that does not contain severe, known vulnerabilities. – IoT devices should have a mechanism for automated, secure software updates: • Software bugs should be minimized, but they are inevitable. Thus, it is critical for an IoT device to have a mechanism for automatic, secure software updates. • BITAG recommends that manufacturers of IoT devices or IoT service providers should therefore design their devices and systems based on the assumption that new bugs and vulnerabilities will be discovered over time. • They should design systems and processes to ensure the automatic update of IoT device software, without requiring or expecting any type of user action or even user opt-in. 19
  • 20. Recommendations • IoT Devices Should Use Best Current Software Practices (cont.): – IoT devices should use strong authentication by default: • BITAG recommends that IoT devices be secured by default (e.g. password protected) and not use common or easily guessable user names and passwords (e.g., “admin”, “password”). – IoT device configurations should be tested and hardened: • Some IoT devices allow a user to customize the behavior of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration. 20
  • 21. Recommendations • IoT Devices Should Follow Security & Cryptography Best Practices: – BITAG recommends that IoT device manufacturers secure communications using Transport Layer Security (TLS) or Lightweight Cryptography (LWC). – If devices rely on a public key infrastructure (PKI), then an authorized entity must be able to revoke certificates when they become compromised, and manufacturers should take care to avoid encryption methods, protocols, and key sizes with known weaknesses. – Additional encryption best practices include: • Encrypt configuration (command & control) communications by default. • Secure communications to and from iot controllers. • Encrypt local storage of sensitive data. • Authenticate communications, software changes, and requests for data. • Use unique credentials for each device. • Use credentials that can be updated. • Close unnecessary ports and disable unnecessary services. • Use libraries that are actively maintained and supported. 21
  • 22. Recommendations • IoT Devices Should Be Restrictive Rather Than Permissive in Communicating: – When possible, devices should not be reachable via inbound connections by default. IoT devices should not rely on the network firewall alone to restrict communication, as some communication between devices within the home may not traverse the firewall. • IoT Devices Should Continue to Function if Internet Connectivity is Disrupted: – BITAG recommends that an IoT device should be able to perform its primary function or functions (e.g., a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet because Internet connectivity may be disrupted due to causes ranging from accidental misconfiguration to intentional attack. – IoT devices that have implications for user safety should continue to function under disconnected operation to protect the safety of consumers. 22
  • 23. Recommendations • IoT Devices Should Continue to Function If the Cloud Back-End Fails: – Many services that depend on or use a cloud back-end can continue to function, even if in a degraded or partially functional state, when connectivity to the cloud back-end is interrupted or the service itself fails. • IoT Devices Should Support Addressing and Naming Best Practices: – Many IoT devices may remain deployed for a number of years after they are installed. Supporting the latest protocols for addressing and naming will ensure that these devices remain functional for years to come. • IPv6: BITAG recommends that IoT devices support the most recent version of the Internet Protocol, IPv6. • DNSSEC: BITAG recommends that IoT devices support the use or validation of DNS Security Extensions (DNSSEC) when domain names are used. 23
  • 24. Recommendations • IoT Devices Should Ship with a Privacy Policy That is Easy to Find & Understand: – BITAG recommends that IoT devices ship with a privacy policy, but that policy must be easy for a typical user to find and understand. • Disclose Rights to Remotely Decrease IoT Device Functionality: – BITAG recommends that if the functionality of an IoT device can be remotely decreased by a third party, such as by the manufacturer or IoT service provider, this possibility should be made clear to the user at the time of purchase. • The IoT Device Industry Should Consider an Industry Cybersecurity Program: – BITAG recommends that the IoT device industry or a related consumer electronics group consider the creation of an industry-backed program under which some kind of “Secure IoT Device” logo or notation could be carried on IoT retail packaging. 24
  • 25. Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues: – End users of IoT devices depend upon the IoT supply chain, from manufacturer to retailer, to protect their security and privacy, and some or all parts of that IoT supply chain play a critical role throughout the entire lifecycle of the product. – BITAG also recommends that the IoT supply chain takes the following steps: • Privacy policy: Devices should have a privacy policy that is clear and understandable, particularly where a device is sold in conjunction with an ongoing service. • Reset mechanism: Devices should have a reset mechanism for IoT devices that clears all configuration for use when a consumer returns or resells the device. The device manufacturers should also provide a mechanism to delete or reset any data that the respective device stores in the cloud. • Bug reporting system: Manufacturers should provide a bug reporting system with a well-defined bug submission mechanisms and documented response policy. 25
  • 26. Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues (cont.): • Secure software supply chain: Manufacturers should protect the secure software supply chain to prevent introduction of malware during the manufacturing process; vendors and manufacturers should take appropriate measures to secure their software supply chain. • Support IoT device for entire lifespan: Manufacturers should support an IoT device throughout the course of its lifespan, from design to the time when a device is retired, including transparency about the timespan over which they plan to provide continued support for a device, and what the consumer should expect from the device’s function at the end of the device’s lifespan. • Clear contact methods: Manufacturers should provide clear methods for consumers to determine who they can contact for support and methods to contact consumers to disseminate information about software vulnerabilities or other issues. 26
  • 27. Recommendations • The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues (cont.): • Report discovery and remediation of vulnerabilities: Manufacturers should report discovery and remediation of software vulnerabilities that pose security or privacy threats to consumers. • Clear vulnerability reporting process: Manufacturers should provide a vulnerability reporting process with a well-defined, easy-to-locate, and secure vulnerability reporting form, as well as a documented response policy. 27
  • 28. Broadband Internet Technical Advisory Group http://www.bitag.com Twitter: @BITAGORG Mailing Address: 1550 Wynkoop, Suite 168 Denver, CO 80202 28 Jason Livingood VP – Technology Policy & Standards Comcast jason_livingood@comcast.com Douglas C. Sicker Executive Director Chair of the Technical Working Group BITAG dsicker@bitag.org 720-724-8083 Nick Feamster Professor of Computer Science Princeton feamster@cs.princeton.edu Kaleb A. Sieh Deputy Director General Counsel BITAG ksieh@bitag.org 720-724-8083