In this presentation from his webinar, Rob Black, CISSP, Founder and Managing Principal of Fractional CISO, explores IoT architectures, the different types of credentials in an IoT system, the common challenges with IoT credential management, and what you can do to mitigate the risks of credential-based attacks.
You can also watch the full webinar on-demand here: https://www.beyondtrust.com/resources/webinar/5-crazy-mistakes-administrators-make-iot-system-credentials/
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
1. The 5 crazy mistakes administrators make with IoT system credentials
Rob Black, CISSP
Managing Principal, Fractional CISO
RBlack@FractionalCISO.com
@IoTSecurityGuy
13. IoT Market Examples
Market | Device Operator | Cloud Operator
Automotive | Car owner / fleet owner | Car manufacturer
Building Automation | Building management | Camera / HVAC / Lighting / Security system manufacturer
Financial | Bank | ATM manufacturer
Home Automation | Homeowner | Camera / Smart speaker / Garage door / Doorbell / Lightbulb manufacturer
Medical Devices | Hospital | Medical device manufacturer
Smart City | Municipality | Parking meter / Street light / Camera manufacturer
Smart Energy | Homeowner / Business owner | Electric utility
15. Bootstrapping Trust in the Device
• Every device MUST have a key diversified from every other device (private key, shared secret, or inferred key)
• Need a scripted process that can execute at IoT scale (at time of manufacturing or provisioning)
16. Zigbee – Smart Home / Home Automation
• Network key – secures broadcast communication. It is a single shared secret held by every node on the network, so a key recovered from any one node exposes all network-level traffic.
• Zigbee is based on all elements of the solution trusting each other
• Most Home Automation devices operate in the least secure mode
18. You have a great password: i_hv*A-gr8-p$$w0rD
But you use the same password everywhere.
What happens when one of those sites is hacked?
All of them are compromised! The same logic applies to a key shared across every device in a fleet.
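The slides on bootstrapping trust (one diversified key per device, produced by a scripted provisioning step) and on password reuse describe the same control from two sides. The following is an added example, not code from the webinar or from Fractional CISO or BeyondTrust: it derives a per-device key from a factory master key and the device serial with HKDF (RFC 5869 over HMAC-SHA256) and then shows, with a challenge-response check, that a key read out of one device is useless against another. The master key, salt label, serials and nonce are constructed for illustration.

```python
"""Per-device key diversification at provisioning time.

Added example, not code from the webinar or from Fractional CISO/BeyondTrust.
Derives a unique key for every device from a factory master key and the
device serial with HKDF (RFC 5869 over HMAC-SHA256), so a key pulled off one
device does not authenticate any other device. The master key, serials,
salt label and challenge bytes are constructed for illustration.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
KEY_LEN = 32
SALT = b"iot-provisioning-v1"   # assumed label naming this key hierarchy


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master_key: bytes, serial: str, purpose: str = "auth") -> bytes:
    """Diversify the master key into one key per (device, purpose).

    The serial is bound in through `info`, so two devices never share a key;
    `purpose` keeps the auth key separate from e.g. a firmware-update key.
    """
    prk = hkdf_extract(SALT, master_key)
    info = b"device:" + serial.encode() + b"|purpose:" + purpose.encode()
    return hkdf_expand(prk, info, KEY_LEN)


def provision_batch(master_key: bytes, serials) -> dict:
    """Scripted provisioning step: one key per serial in the batch.

    On a real line each key is written into the device's secure element and
    not kept centrally; the backend can always re-derive it from the master.
    """
    return {s: derive_device_key(master_key, s) for s in serials}


def device_auth_tag(device_key: bytes, challenge: bytes) -> bytes:
    """Device side of a challenge-response: HMAC over the server's nonce."""
    return hmac.new(device_key, challenge, HASH).digest()


def server_verify(master_key: bytes, serial: str, challenge: bytes, tag: bytes) -> bool:
    """Backend side: re-derive the claimed device's key and compare in constant time."""
    expected = device_auth_tag(derive_device_key(master_key, serial), challenge)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    master = bytes(range(32))                     # constructed; a real master key stays in an HSM
    keys = provision_batch(master, ["SN-0001", "SN-0002"])
    nonce = os.urandom(16)
    # With a non-diversified (shared) key, a key read out of SN-0001 would be
    # valid for SN-0002 as well. With diversification it is not:
    stolen = keys["SN-0001"]
    print("SN-0001 with its own key :", server_verify(master, "SN-0001", nonce, device_auth_tag(stolen, nonce)))
    print("SN-0002 with SN-0001's key:", server_verify(master, "SN-0002", nonce, device_auth_tag(stolen, nonce)))
```

Because the backend re-derives keys on demand, the provisioning script never has to ship a table of device secrets to the cloud; only the master key needs protecting, and it should never leave the HSM or provisioning enclave.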
19. Five Crazy Mistakes
01 Default / Common Passwords
02 Non-Diversified Keys
03 Unaccounted for Credentials
04
05
20. Why IoT Security is Different
Scale | Many unmanned devices
Operating Environment | Crosses organizational boundaries
Technology Variance | Many small devices / different operating systems / mixed technology
Consequences | Things that go boom
21. Device Credential Sources
Local users: Local User, Local Admin
Local applications: Database, Local Application
Remote users: Remote User, Remote Admin
Remote applications: Cloud Application, Third-Party Vendor
22. Unaccounted for Credentials
• Many credentials
• Owned by different organizations
• Do you have them mapped out?
• Do you have strong keys / passwords for all of those credentials?
• Are you rotating the keys / passwords appropriately?
23. Five Crazy Mistakes
01 Default / Common Passwords
02 Non-Diversified Keys
03 Unaccounted for Credentials
04 Non-Expiring / Long Expiring Credentials
05
25. Common Credential Expiration
Credential type | Validity period
Typical corporate password | 90 days
Newly issued SSL certificate | 2 years
Typical credit card | 2-4 years
Massachusetts driver's license | 5 years
US passport | 10 years
AWS IoT X.509 certificate | 30+ years!
26. Credential Expiration
• More convenient to leave non-expiring / long-expiring credentials
• IoT credential expiration can be difficult to manage
• Unmanned devices
• Many could expire at the same time
• Requires a deliberate plan for managing credentials
27. Five Crazy Mistakes
01 Default / Common Passwords
02 Non-Diversified Keys
03 Unaccounted for Credentials
04 Non-Expiring / Long Expiring Credentials
05 Not Turning Off Former Employee Access
31. What should you do to minimize damage from ex-employees?
1. Disable ex-employee accounts
2. Change system passwords upon an administrative employee's departure
3. Audit authorized VPN users
4. Use Privileged Access Management (PAM)
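Slides 22, 25/26 and 31 all come down to the same question: do you have every credential mapped, and does each one pass a few mechanical checks? The following is an added example, not code from the webinar or from any BeyondTrust product. It runs a constructed credential inventory through checks for the mistakes in this deck: default/common passwords (01), credentials with no recorded owner (03), overdue rotation (03/04), credentials that never expire and certificates far beyond a sane lifetime (04), and credentials still held by departed staff (05). The inventory schema, rotation policy, common-password list, names and dates are all assumptions.

```python
"""Audit a device-credential inventory for the mistakes in this deck.

Added example, not from the webinar or from any BeyondTrust product. The
inventory schema, the rotation policy and the common-password list are
assumptions, and every record, person and date below is constructed.
"""
from datetime import date, timedelta

# Assumed policy; tune per credential type and risk.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "root", "default", "support", "888888"}
ROTATION_MAX = {
    "password": timedelta(days=90),
    "api_key": timedelta(days=180),
    "certificate": timedelta(days=2 * 365),
}
MAX_CERT_LIFETIME = timedelta(days=2 * 365)

# Constructed inventory: one record per credential, spanning device, cloud and vendor owners.
INVENTORY = [
    {"id": "cam-lobby-01/admin", "type": "password", "secret": "admin", "owner": "facilities",
     "last_rotated": date(2016, 1, 10), "expires": None, "holder": None},
    {"id": "hvac-ctrl-03/svc", "type": "password", "secret": "X9#kLm2!pQ", "owner": None,
     "last_rotated": date(2017, 12, 1), "expires": date(2018, 3, 1), "holder": None},
    {"id": "mqtt-broker/ingest-key", "type": "api_key", "secret": "k7Fh2pQ9zX1mN4", "owner": "cloud-ops",
     "last_rotated": date(2017, 11, 1), "expires": date(2018, 5, 1), "holder": "jdoe"},
    {"id": "gateway-07/x509", "type": "certificate", "secret": None, "owner": "cloud-ops",
     "issued": date(2017, 6, 1), "last_rotated": date(2017, 6, 1), "expires": date(2049, 12, 31),
     "holder": None},
    {"id": "vpn/mwong", "type": "password", "secret": "vW8$nq!Lz4", "owner": "it",
     "last_rotated": date(2017, 12, 20), "expires": date(2018, 3, 20), "holder": "mwong"},
]
# Constructed HR feed: username -> last working day.
DEPARTED = {"jdoe": date(2017, 12, 15)}
TODAY = date(2018, 1, 15)   # fixed so the run is reproducible


def audit(inventory, departed, today):
    """Return {credential id: [finding codes]} for every record that fails a check."""
    findings = {}
    for rec in inventory:
        hits = []
        secret = rec.get("secret")
        if secret is not None and secret.lower() in COMMON_PASSWORDS:
            hits.append("COMMON_PASSWORD")           # mistake 01
        if not rec.get("owner"):
            hits.append("NO_OWNER")                  # mistake 03: nobody accountable
        last = rec.get("last_rotated")
        if last is None or today - last > ROTATION_MAX[rec["type"]]:
            hits.append("ROTATION_OVERDUE")          # mistake 03/04
        if rec.get("expires") is None:
            hits.append("NO_EXPIRY")                 # mistake 04
        if rec["type"] == "certificate" and rec.get("expires") and rec.get("issued"):
            if rec["expires"] - rec["issued"] > MAX_CERT_LIFETIME:
                hits.append("CERT_LIFETIME")         # mistake 04: decades-long cert
        holder = rec.get("holder")
        if holder in departed and departed[holder] <= today:
            hits.append("DEPARTED_HOLDER")           # mistake 05
        if hits:
            findings[rec["id"]] = hits
    return findings


def run_audit():
    return audit(INVENTORY, DEPARTED, TODAY)


if __name__ == "__main__":
    for cred_id, hits in run_audit().items():
        print(f"{cred_id}: {', '.join(hits)}")
```

The inventory is the hard part, not the checks: the records here come from three different owners (facilities, cloud-ops, IT), which is exactly the cross-organizational mapping slide 22 asks for. Feed the HR feed in as a proper input rather than a hand-maintained set, or the departed-holder check silently goes stale.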
33. Next Steps
Read the white paper!
https://www.beyondtrust.com/resources/white-paper/iiot-security-managing-identities-privileges/
For help putting an IoT cybersecurity plan in place, please contact us:
Rob Black, CISSP
Fractional CISO
+1 617.658.3276
RBlack@FractionalCISO.com
@IoTSecurityGuy
35. The Cyber Attack Chain – Where is the Risk?
Vulnerable Assets & Users
Unmanaged Credentials
Excessive Privileges
Limited Visibility
88% of compromises used definable patterns established as early as 2014.¹
80% of data breaches involve the use or abuse of privileged credentials on the endpoint.²
206 average days to detect a data breach.³
¹ Verizon 2017 Data Breach Investigations Report
² Forrester Wave: Privileged Identity Management, Q3 2016
³ Ponemon 2017 Cost of a Data Breach Study
36. The Cyber Attack Chain – Getting More Complex
Virtual & Cloud
IoT
DevOps
Connected Systems
3X growth of hybrid cloud adoption in the last year, increasing from 19% to 57% of organizations surveyed.¹
20.4 billion connected things will be in use worldwide by 2020, according to Gartner.²
50% of organizations implementing DevOps – it has reached "Escape Velocity."³
¹ Forbes 2017 State of Cloud Adoption & Security
² Gartner Press Release, Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31% From 2016, Feb 7, 2017
³ Forrester Q1 2017 Global DevOps Benchmark Online Survey
37. Our Mission: Stop Privilege Abuse. Prevent Breaches.
• Reduce attack surfaces by eliminating credential sharing, enforcing least privilege, and prioritizing and patching system vulnerabilities
• Monitor and audit sessions for unauthorized access, changes to files and directories, and compliance
• Analyze behavior to detect suspicious user, account and asset activity
40. Privilege Management – The New Perimeter
Cloud / Hybrid Cloud / IoT / DevOps / On-Premise
Reduce Insider Threats
• Discover, manage & monitor all privileged accounts & keys
• Enforce least privilege across all Windows, Mac, Unix, Linux and network endpoints
• Gain control and visibility over privileged activities
Stop External Hacking
• Discover network, web, mobile, cloud and virtual infrastructure
• Remediate vulnerabilities through prescriptive reporting
• Protect endpoints against client-side attacks
Reveal Hidden Threats
• Aggregate user & asset data to baseline and track behavior
• Correlate diverse asset, user & threat activity to reveal critical risks
• Dynamically adjust access policies based on user and asset risk
41. IoT & PAM: Best Practices
• Discover & Inventory
• Gain Accountability over Shared Accounts
• Eliminate Hard-Coded Passwords
• Restrict Privileges
• Scan for Vulnerabilities
• Ensure Configuration Compliance
• Enforce Appropriate Credential Usage
• Segment Networks
42. IoT & PAM: Best Practices – Discover & Inventory
Continuous discovery of IoT assets across physical, virtual and cloud environments.
43. IoT & PAM: Best Practices – Scan for Vulnerabilities
Continuous vulnerability assessment and remediation guidance for the IoT infrastructure and across adjacent physical, virtual and cloud environments.
44. IoT & PAM: Best Practices – Ensure Configuration Compliance
Continuous configuration and hardening baseline scanning across physical, virtual and cloud deployed assets.
Ensure configurations are consistent and properly hardened.
45. IoT & PAM: Best Practices – Gain Accountability over Shared Accounts
Control and audit access to shared accounts and ensure that all audited activity is associated with a unique identity.
Ensure that all passwords are properly managed and rotated across the IoT environment.
46. IoT & PAM: Best Practices – Eliminate Hard-Coded Passwords
Control scripts, files, code and embedded IoT passwords.
Eliminate hard-coded credentials and replace them with dynamic API/CLI calls.
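Before hard-coded credentials can be replaced with runtime calls to a secret store, they have to be found in the scripts, config files and code that ship with or drive the devices. The following is an added example, not code from the webinar or from any BeyondTrust product: a first-pass scanner over constructed provisioning and config files that reports embedded passwords, API keys and command-line basic-auth pairs, flags the ones that are well-known defaults, skips values that are already runtime look-ups, and redacts every hit so the report itself does not become a new copy of the secret. The file contents, patterns and indirection allow-list are assumptions.

```python
"""Find hard-coded credentials in provisioning scripts and device config.

Added example, not from the webinar or from BeyondTrust's products. The
file contents below are constructed; the patterns and the indirection
allow-list are assumptions about what a first-pass scanner should catch.
Secrets are redacted in the findings so the scan output is safe to log.
"""
import re

# Constructed sample files as they might sit in a device build tree.
SAMPLE_FILES = {
    "provision.sh": (
        'MQTT_PASS="sup3rS3cret!"\n'
        'curl -u admin:admin http://10.0.0.5/api/reboot\n'
    ),
    "gateway.conf": (
        "broker = mqtt.example.internal\n"
        "api_key = ak_9f8e7d6c5b4a3f2e1d0c\n"
    ),
    "main.py": 'password = os.environ["DEVICE_PASSWORD"]  # fetched at runtime, not a literal\n',
}

# (pattern, finding kind). Named group 'value' is the candidate secret.
PATTERNS = [
    (re.compile(r'(?i)(?:pass(?:word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*["\']?(?P<value>[^"\'\s]+)'),
     "assignment"),
    (re.compile(r'(?<!\S)-u\s+(?P<user>[^:\s]+):(?P<value>\S+)'), "basic-auth on command line"),
    (re.compile(r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----(?P<value>)'), "embedded private key"),
]
# Values that are runtime look-ups rather than literals are not findings.
INDIRECTION = re.compile(r'(?i)environ|getenv|\$\{?|vault|keyring|secretsmanager')
# Vendor defaults that should never survive provisioning (assumed list).
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "password"), ("admin", "1234")}


def redact(value: str) -> str:
    """Keep two characters so a human can locate the hit; never echo the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(name: str, text: str) -> list:
    """Scan one file's contents; return a list of redacted findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, kind in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group("value")
                if INDIRECTION.search(value):
                    continue
                note = kind
                user = m.groupdict().get("user")
                if user and (user.lower(), value.lower()) in DEFAULT_PAIRS:
                    note += " (default credential)"
                findings.append({"file": name, "line": lineno, "kind": note, "secret": redact(value)})
    return findings


def scan_files(files: dict) -> list:
    """Scan a {filename: contents} mapping, e.g. the output of a build-tree walk."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']}: {f['secret']}")
```

Each hit is a place where a literal should become a call into a secret store or an environment variable injected at deploy time; the `main.py` line shows the pattern the scanner treats as already fixed. Run it in CI over the build tree so a newly hard-coded password fails the build instead of shipping in firmware.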
47. IoT & PAM: Best Practices – Enforce Appropriate Credential Usage
Eliminate administrator privileges on end-user machines.
Securely store privileged IoT credentials.
Require a simple workflow process for check-out, and monitor privileged sessions.
48. IoT & PAM: Best Practices – Segment Networks
Group IoT assets into logical units to reduce "line of sight" access.
Utilize a secured jump server with MFA, adaptive access and session monitoring.
Segment access based on the context of the user, role, IoT device and data being requested.
49. IoT & PAM: Best Practices – Restrict Privileges
Enforce least privilege across physical, virtual and cloud deployed assets.
50. BeyondTrust Secures IoT
POWERBROKER – Single Platform that Unites IoT Security
The eight practices (Discover & Inventory; Gain Accountability over Shared Accounts; Eliminate Hard-Coded Passwords; Restrict Privileges; Scan for Vulnerabilities; Ensure Configuration Compliance; Enforce Appropriate Credential Usage; Segment Networks) map onto three products:
• Retina Vulnerability Management
• PowerBroker Password Safe
• PowerBroker Desktop & Server Privilege Management
51. Why BeyondTrust? The PAM Industry Leader
Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017