Practical IoT Security in the Enterprise
•Télécharger en tant que PPTX, PDF•
2 j'aime•403 vues
IoT definitions, attack surfaces, and practical guidance on implementing within an enterprise environment.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Practical IoT Security in the Enterprise
Similaire à Practical IoT Security in the Enterprise (20)
Plus de Daniel Miessler
Plus de Daniel Miessler (10)
Dernier
Dernier (20)
Practical IoT Security in the Enterprise
- 1. Securing IoT in the Enterprise Daniel Miessler May 2017
- 2. Securing IoT in the Enterprise Daniel Miessler, IOActive May 2017
- 3. About 3 - Infosec for around 18 years - Mostly technical testing and enterprise consulting - Net / app / web / mobile / IoT - Director of Advisory Services for IOActive - I do a weekly show on infosec, technology, humans - Reading, writing, table tennis - Wrote a book: “The Real Internet of Things” - @danielmiessler
- 4. Discuss 4 - A functional definition of IoT - The IoT Attack Surface - Securing IoT in the Enterprise - IoT and Ransomware
- 5. What is IoT 5 - Lots of definitions out there. - Some are based on connectivity. - Some require “embedded”. - “OXFORD(ish): An extension of the Internet where everyday objects have network connectivity, allowing them to send and receive data.”
- 7. What do? 7
- 8. IoT Security != Device Security 8 What they think it is…
- 9. IoT Security != Device Security 9
- 10. IoT Security != Device Security 10
- 11. IoT Security != Device Security 11
- 13. OWASP IoT Security 13 • Attack surfaces • Vulnerabilities • Medical Devices • Firmware Analysis • IoT Event Logging • ICS / SCADA
- 14. OWASP IoT Security 14 • Ecosystem (general) • Device Memory • Device Physical Interfaces • Device Web Interface • Device Firmware • Device Network Services • Administrative Interface • Local Data Storage • Cloud Web Interface • Third-party Backend APIs • Update Mechanism • Mobile Application • Vendor Backend APIs • Ecosystem Communication • Network Traffic • Privacy • Sensors
- 25. Network Focus 25 What they think it is…
- 26. Network Focus 26 What it actually is…
- 27. Getting Packet Visibility 27 Internet LAN PCAP TAP Firewall grep -i “Wombat27!”
- 28. Get a Tap 28
- 29. Caparser 29 https://github.com/danielmiessler/Caparser • *Capture all internal traffic from an internal ecosystem • *Exercise the product fully • Break the .pcap into its component parts using tshark • Extract any sensitive content from the .pcap. • Associate the sensitive content with where it’s being sent
- 30. tshark(s) 30 tshark -r diphone.pcap -q -z conv,ip | awk '{print $3}' | grep "^[0-9]" | sort | uniq | awk '{print $1}'
- 31. tshark(s) 31 tshark -r diphone.pcap -q -z conv,ip | awk '{print $3}' | grep "^[0-9]" | sort | uniq | awk '{print $1}'
- 34. Enterprise IoT (attack surface) 34 • The biggest threat to enterprises from IoT is not any specific technology, but blindness to the attack surface. ‣ Device ‣ Sensors ‣ Administration ‣ Firmware ‣ Network ‣ Mobile ‣ Cloud ‣ Backend APIs ‣ Third-party integrations
- 35. Enterprise IoT (understand) 35 •Above all else, you have to understand the components and structure of the system you’re deploying into your companies. ‣ How many devices? ‣ What types of sensors? ‣ What network are they on? ‣ How are they administered? ‣ What ports are open on these systems? ‣ How is authentication and authorization performed?
- 36. Enterprise IoT (assess) 36 •This means doing an IoT deployment risk assessment before implementing any solution. ‣ What data is being captured? ‣ Via what sensors? ‣ Where is it being sent? ‣ How is it being stored? ‣ Who has access to it? ‣ How will it be updated if a flaw is found? ‣ What can those systems access if they’re compromised? ‣ How bad would it be if this system was unavailable? ‣ What would we do if that happened?
- 37. Enterprise IoT (data) 37 •Increasingly, we’re going to have to start thinking about what sensors can perceive, how that data can be leaked, and the implications thereof. ‣ Installed systems ‣ Wearables ‣ Are they recording video? ‣ Are they recording audio? ‣ How easy is it to share that content outside? ‣ What could happen if that content went public? > New sensor project that connects to electrical sockets and tells you what’s happening inside your house.
- 38. Enterprise IoT (ransomware) 38 •The way to think about ransomware is this: if it’s important to you, they’re coming for it. ‣ Infrastructure ‣ Data ‣ Connectivity ‣ Devices ‣ Systems ‣ IoT
- 39. Enterprise IoT (three trends) 39 1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business
- 40. Enterprise IoT (three trends) 40 1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business 2. You gain business efficiency when those things are network enabled (IoT)
- 41. Enterprise IoT (three trends) 41 1. We depend on everyday things (lights, cars, factories, cameras, logistics) to do business 2. You gain business efficiency when those things are network enabled (IoT) 3. Attackers now have a new way to harm your business.
- 42. Takeaways 42
- 43. Takeaways 43 1. IoT is about everyday objects becoming interactive.
- 44. Takeaways 44 1. IoT is about everyday objects becoming interactive. 2. The IoT attack surface is vastly underestimated.
- 45. Takeaways 45 1. IoT is about everyday objects becoming interactive. 2. The IoT attack surface is vastly underestimated. 3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem.
- 46. Takeaways 46 1. IoT is about everyday objects becoming interactive. 2. The IoT attack surface is vastly underestimated. 3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem. 4. Consider what’s being captured, via what methods, and how it’s being stored and accessed.
- 47. Takeaways 47 1. IoT is about everyday objects becoming interactive. 2. The IoT attack surface is vastly underestimated. 3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem. 4. Consider what’s being captured, via what methods, and how it’s being stored and accessed. 5. Be prepared for that system to be compromised or unavailable.
- 48. Takeaways 48 1. IoT is about everyday objects becoming interactive. 2. The IoT attack surface is vastly underestimated. 3. Before you deploy IoT internally, you need a risk assessment on that specific ecosystem. 4. Consider what’s being captured, via what methods, and how it’s being stored and accessed. 5. Be prepared for that system to be compromised or unavailable. 6. Expect ransomware attacks, because IoT means putting our critical dependencies on the network.
- 49. Thanks & Contact 49 Daniel Miessler IOActive daniel.miessler@ioactive.com @danielmiessler danielmiessler.com/podcast
Notes de l'éditeur
- Ok, thanks for having me today. We’re going to talk about IoT Security and how it affects the enterprise.
- So I wanted to break my comments today into four main areas. A definition of IoT, the IoT Attack Surface, Securing IoT in the Enterprise, and Ransomware
- Let’s start with defining IoT.
- So with that out of the way, let’s talk about the attack surface that IoT presents.
- The central question I had when I got into this was, “How do I conceptualize an approach to hacking a given IoT thing, regardless of what it is?”
- People think they have this device.
- But it really has a web interface on it.
- Oh, and a mobile app.
- Oh, and the mobile app works from the internet, so there’s cloud functionality as well.
- So after doing a bunch of research on products I created the OWASP Internet of Things project back in like 2010 or so.
- So it has a number of sub-projects, each of which lives on its own tab and has its own project leader. The one I want to focus on is the Attack Surfaces.
- So here’s the complete list of them, and let’s look very lighting fast at a few of them.
- So that was a few of the attack surfaces, but let’s return back to the network. This is what most people assume they have.
- But this what the traffic really looks like.
- I want to see as many conversations as possible, and know what’s in them, so I built a lab that allowed me to see as many parts of the conversation as possible. I then exercise the app in every way possible, touching every component. Web app, mobile, internet, etc. And what I do is put a HONEY TOKEN into my interactions. Something like Wombat27!
- And here’s a tap you can use for this, by the way, if you don’t do it through a virtual network.
- So what I did was wrote a tool that automates a lot of this, called Caparser. What it does is: (slide)
- A lot of the magic is in this tshark syntax, which finds every IP.
- I then use tcpdump to break every conversation out individually into its own pcap. Then I grep for sensitive content in each connection!
- So let’s talk about how all this pertains to the enterprise.
- You can’t defend what you don’t understand.
- New system that plugs sensors into wall outlets and can infer through AI/ML what’s happening in the office.
- Maybe you have a system that reads serial numbers. Maybe you have cameras that do OCR. Maybe it’s a heating and lighting system. If you lose money if it’s down, then there’s a good chance you’ll pay for it to be up. Expect ransomware for it. Remember the definition of IoT: Everyday objects put on the network.
- As a business, we depend on everyday things.
- You make more money when you can control these things using computers.
- And attackers can now use these two facts to make billions. This is the simplest way to understand IoT security as it pertains to business.
- So here’s a quick encapsulation of what we talked about.
- At the highest most important level, IoT means taking things that used to be analog and making them digital.
- Most people vastly underestimate how easy it is to attack IoT systems.
- You need to assess any IoT system you’re considering putting in your environment across multiple dimensions.
- We also need to be thinking about the sensor capabilities of these IoT systems, and how the data they collect will be accessed and used.
- We absolutely must be prepared for these essentials to become unavailable or insecure. How do we respond? We can’t wait until it happens to figure that out.
- And finally, expect ransom-based attacks to increase as the dependence on IoT increases. The more valuable IoT systems become, the more dependent we’ll be on them, and the more valuable they’ll become to attackers.
- So that’s what I wanted to talk about today. I hope you got some value from it, feel free to reach out if you’d like to chat about anything, and I’m happy to take any questions.