3. Internet of Thingamajigs
"The Internet of Things (IoT) involves the connection of physical entities ("things") with IT systems through networks." Source: ISO/IEC
05/02/16 3
6. Botched update makes hundreds of connected locks stop working
https://olhardigital.com.br/noticia/atualizacao-infeliz-faz-centenas-de-fechaduras-conectadas-pararem-de-funcionar/70403
7. 465,000 patients told to visit their doctor to fix a critical pacemaker vulnerability
https://arstechnica.com/information-technology/2017/08/465k-patients-need-a-firmware-update-to-prevent-serious-pacemaker-hacks/
9. Internet of Threats
http://www.joyoftech.com/joyoftech/joyarchives/2340.html
• Privacy
• Malicious use
• Ransomware
• Carrying out cyberattacks
• Physical damage
10. “We do security in IoT the way we did security on the Web in the ’90s”
Julio Cesar Fort
@juliocesarfort
11. Security challenges
• Security is new to manufacturers
• Security is not a focus
• IoT developers lack security knowledge
• Lack of security standards for IoT
12. 80% of IoT apps are not tested for vulnerabilities
Source: Ponemon Institute, IBM, and Arxan
http://www.techrepublic.com/article/80-of-iot-apps-not-tested-for-vulnerabilities-report-says/
14. ISO/IEC initiatives
ISO/IEC CD 20924, Internet of Things — Definition and Vocabulary
ISO/IEC CD 30141, Internet of Things Reference Architecture (IoT RA)
16. 13 steps for IoT security
1. Secure development methodology
2. Secure development environment
3. Platform security features
4. Define privacy protections
5. Hardware security controls
6. Protect data
7. Protect associated applications and services
17. 13 steps for IoT security
8. Protect interfaces and APIs
9. Secure updates
10. Authentication, authorization and access control
11. Secure key management
12. Provide logging mechanisms
13. Security reviews
18. Cloud Security Alliance
“Security Guidance for Early Adopters of the IoT”
Apr. 2015
https://cloudsecurityalliance.org/download/new-security-guidance-for-early-adopters-of-the-iot/
19. The OWASP Internet of Things Project
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• IoT Attack Surface Areas
• IoT Vulnerabilities
• Firmware Analysis
• ICS/SCADA Software Weaknesses
• Community Information
• IoT Testing Guides
• IoT Security Guidance
• Principles of IoT Security
• IoT Framework Assessment
• Developer, Consumer and Manufacturer Guidance
• Design Principles
20. The OWASP Internet of Things Top 10 Project
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
21. The OWASP Internet of Things Top 10 Project
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
22. Government initiatives
“The key principles of vehicle cyber security for connected and automated vehicles”
UK, Aug. 2017
https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles/the-key-principles-of-vehicle-cyber-security-for-connected-and-automated-vehicles
23. The key principles of vehicle cyber security …
1 - organisational security is owned, governed and promoted at board level
2 - security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
3 - organisations need product aftercare and incident response to ensure systems are secure over their lifetime
24. The key principles of vehicle cyber security …
4 - all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system
5 - systems are designed using a defence-in-depth approach
6 - the security of all software is managed throughout its lifetime
25. The key principles of vehicle cyber security …
7 - the storage and transmission of data is secure and can be controlled
8 - the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail
27. To learn more
Internet of Things Working Group
https://cloudsecurityalliance.org/group/internet-of-things/
Getting to Know Mirai
https://community.rsa.com/community/products/netwitness/blog/2017/08/30/getting-to-know-mirai