Emerging Trends in Cybersecurity by Amar Prusty
1. Emerging Security Trends
Name of the Speaker: Amar Prusty
Company Name: DXC Technology
Place: Bangalore
Confidential – For Training Purposes Only

2. Speaker Experience
◆ Cloud & Data Center Architect
◆ Worked for Global Clients across Industry Verticals
◆ Been in IT 17+ years
◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC
◆ Interests – Security, DevOps, AI, IOT, Blockchain, Analytics
◆ Hobbies – Cooking, Cycling, Reading, Travelling
◆ https://www.linkedin.com/in/amar-prusty-07913028/

3. Education – Partnership – Solutions
Information Security
Office of Budget and Finance
6. Smart Appliances
Healthcare
Wearable Tech
35. Why it Looks so Bad
• Breakers have a long history and robust tools
– Automated network attack tools
– Exploits for most segments of IoT stack
– Physical access and hardware hacking
• Builders are still searching for
– Secure toolkits
– Proven methodologies
– Successful models
• Result:
– Builders cobble together components
– Build very fragile full stack solutions
– No visibility into security or attack surface
– Attackers have a field day
37. OWASP IoT Project
• An overall IoT security effort
– Attack surfaces (present)
– Vulnerability lists (working)
– Reference solutions (coming)
• Aggregates community resources
• Guidance for developers
• IoT specific security principles
• IoT framework assessment
38. OWASP IoT Top 10
Each category lists the IoT Security Consideration followed by the Recommendation.

I1: Insecure Web Interface
• Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords …
• Recommendation: When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security …

I2: Insufficient Authentication/Authorization
• Consideration: Ensure that applications are written to require strong passwords where authentication is needed …
• Recommendation: Refer to the OWASP Authentication Cheat Sheet

I3: Insecure Network Services
• Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing …
• Recommendation: Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully...

I4: Lack of Transport Encryption
• Consideration: Ensure all applications are written to make use of encrypted communication between devices…
• Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit…

I5: Privacy Concerns
• Consideration: Ensure only the minimal amount of personal information is collected from consumers …
• Recommendation: Data can present unintended privacy concerns when aggregated…

I6: Insecure Cloud Interface
• Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) …
• Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms…

I7: Insecure Mobile Interface
• Consideration: Ensure that any mobile application coding is written to disallow weak passwords …
• Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …

I8: Insufficient Security Configurability
• Consideration: Ensure applications are written to include password security options (e.g. enabling 20 character passwords or enabling two-factor authentication)…
• Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements…

I9: Insecure Software/Firmware
• Consideration: Ensure all applications are written to include update capability and can be updated quickly …
• Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle...

I10: Poor Physical Security
• Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device…
• Recommendation: Plan on having IoT edge devices fall into malicious hands...
39. Principles of IoT Security
• Assume a hostile edge
• Test for scale
• Internet of lies
• Exploit autonomy
• Expect isolation
• Protect uniformly
• Encryption is tricky
• System hardening
• Limit what you can
• Lifecycle support
• Data in aggregate is unpredictable
• Plan for the worst
• The long haul
• Attackers target weakness
• Transitive ownership
• N:N Authentication

40. Framework assessment
• Based on a prototypical IoT deployment model
• Designed like a checklist or benchmark

41. Example Edge Considerations
• Are communications encrypted?
• Is storage encrypted?
• How is logging performed?
• Is there an updating mechanism?
• Are there default passwords?
• What are the offline security features?
• Is transitive ownership addressed?
43. Example Gateway Considerations
• Is encryption interrupted?
• Are there replay and denial of service defensive capabilities?
• Is there local storage? Is it encrypted?
• Is there anomaly detection capability?
• Is there logging and alerting?
44. Example Cloud Considerations
• Is there a secure web interface?
• Is there data classification and segregation?
• Is there security event reporting?
• How are 3rd party components tracked/updated?
• Is there an audit capability?
• Is there interface segregation?
• Is complex, multifactor authentication allowed?

45. Example Mobile Considerations
• What countermeasures are in place for theft or loss of device?
• Does the mobile authentication degrade other component security?
• Is local storage done securely?
• Is there an audit trail of mobile interactions?
• Can mobile be used to enhance authentication for other components?
50. Potential Points of Vulnerability
● Coffee makers
● Crock pots
● Refrigerators
● Dishwashers
● Thermostats
● Garage door openers
● Webcams
● Baby monitors
● Smart TVs
● Adjustable beds
● Heart monitors
● Breathing ventilators

51. ...Additional Unique Risk Factors...
This market is driven by consumers who DO NOT associate IT risk with their purchases
Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security
This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security

52. Potential Damage
Theft and exploitation of banking and credit card account numbers and logins
Theft and exploitation of business information, including information corruption
Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets
Utilization of access to alter IoT device settings, including medical devices
Violation of user privacy, including access to baby monitors
53. Add'l Threat Information
Per “Massive Media” 10/31/16 – Other Mirai exploits have since been identified
Universal Plug & Play (UPnP) poses a security risk:
- NO form of user authentication is required
- ANY app can ask the router to forward a port over UPnP – probably NOT secure...
Firmware updates delivered through WeMo-paired devices commonly use non-encrypted channels
54. So, Where Do We Stand?
NO federal laws, policies, or guidelines exist
Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM
Third-party components in products may constitute a significant – and HIDDEN – threat
It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features
IoT capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers

55. What Can We Do?
VERIFY the IoT capabilities and associated risks with ALL existing ...and new...products
Consider MOVING AWAY from devices which CANNOT be readily or practically secured
MONITOR THE MEDIA for information about IoT exploits and risks
Investigate products such as “Dojo” to block access and “Shodan” to monitor devices
Be careful DISPOSING OF IoT appliances – Remember what we all learned about printers ???

56. ...Worst Case Scenario...
● Your “smart” bed folds up and traps you...
● The thermostat drives up the temperature...
● The IoT vacuum cleaner blocks the door...
● Your SmartPhone answers that you are “out”...
● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
57. Recommendations
Accommodate IoT with existing practices:
– Policies, Procedures, & Standards
– Awareness Training
– Risk Management
– Vulnerability Management
– Forensics

58. Recommendations
• Plan for IoT growth:
– Additional types of logging, log storage: Can you find the needle in the haystack?
– Increased network traffic: will your firewall / IDS / IPS be compatible and keep up?
– Increased demand for IP addresses both IPv4 and IPv6
– Increased network complexity – should these devices be isolated or segmented?
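To make slide 58's "needle in the haystack" logging question and slide 43's "anomaly detection capability" concrete, here is an added Python example (not from the deck) that profiles each IoT device's outbound peers from a baseline window and flags devices whose fan-out jumps or that start using a never-seen destination port. The key=value log format, the addresses, the device roles and the thresholds are constructed assumptions for the demo.

```python
"""Fan-out anomaly check for IoT devices on a segmented network (added example).

Assumption: an IoT device normally talks to a small, stable set of vendor
endpoints, so a device that suddenly reaches many new destinations (the
traffic shape of an appliance pulled into a botnet) stands out even in a
large log. Log format and addresses below are constructed, not real.
"""
import re
from collections import defaultdict

# Constructed log format: one outbound connection per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Return the parsed fields, or None for a malformed line (skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def profile(lines):
    """Per source device: distinct (dst, dport) peers, ports used, connection count."""
    prof = defaultdict(lambda: {"peers": set(), "ports": set(), "conns": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = prof[rec["src"]]
        p["peers"].add((rec["dst"], rec["dport"]))
        p["ports"].add(rec["dport"])
        p["conns"] += 1
    return prof

def find_fanout_anomalies(baseline_lines, current_lines, factor=3, min_new=5):
    """Flag a device when its new distinct peers reach max(factor * baseline peers,
    min_new), or when a known device uses a destination port absent from its
    baseline. Devices unseen in the baseline are judged on fan-out only."""
    base = profile(baseline_lines)
    cur = profile(current_lines)
    findings = []
    for src, p in cur.items():
        known = src in base
        base_peers = base[src]["peers"] if known else set()
        new_peers = p["peers"] - base_peers
        new_ports = (p["ports"] - base[src]["ports"]) if known else set()
        limit = max(len(base_peers) * factor, min_new)
        if len(new_peers) >= limit or new_ports:
            findings.append({"src": src, "new_peers": len(new_peers),
                             "new_ports": sorted(new_ports)})
    return findings

# Constructed sample logs: a thermostat (.21) and a webcam (.22) on a baseline
# day, then a day where the webcam reaches eight new hosts on an unfamiliar port.
BASELINE = [
    "2016-10-30T10:00:01 src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp",
    "2016-10-30T10:05:01 src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp",
    "2016-10-30T10:00:02 src=10.0.5.22 dst=198.51.100.7 dport=8883 proto=tcp",
    "2016-10-30T10:00:03 src=10.0.5.22 dst=198.51.100.8 dport=8883 proto=tcp",
]
CURRENT = [
    "2016-10-31T10:00:01 src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp",
    "garbage line that the parser must skip",
] + [f"2016-10-31T10:00:{i:02d} src=10.0.5.22 dst=192.0.2.{i} dport=8888 proto=tcp"
     for i in range(1, 9)]

if __name__ == "__main__":
    for f in find_fanout_anomalies(BASELINE, CURRENT):
        print(f"ALERT {f['src']}: {f['new_peers']} new peers, new ports {f['new_ports']}")
```

The same profile-then-compare step also answers slide 58's segmentation question: devices whose baseline peer set is tiny are good candidates for an allow-list at the segment firewall.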
59. Recommendations
• Strengthen partnerships with researchers, vendors, and procurement department

60. Threat vs. Opportunity
• If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety
• If understood and secured, IoT will enhance communications, lifestyle, and delivery of services
61. Final Thoughts
• Privacy in realms of big data is a problem
– No real technical solution to this one
• Regulation is probably coming
– FTC set to release guidelines next year
• Consumers may eschew security but business won’t
• Security can be a differentiator

62. ...Other Options..
Buy a Dumb Car...
Learn to cook over a campfire...
Learn to love “dumb” devices - some of us can relate to them pretty easily...
NEVER leave your IoT devices together in the dark where they can conspire against you!

63. Questions and Discussion