SlideShare a Scribd company logo

iotsecurity-171108154118.pdf

K
KerimBozkanli

iot

Technology
1 of 42
Download to read offline
IoT Security IoT Security Narudom Roongsiriwong, CISSP Narudom Roongsiriwong, CISSP November 8, 2017 November 8, 2017
WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Embedded System since 2002 ● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Consulting Team Member for National e-Payment project ● Contact: narudom@owasp.org
My Journey to IoT Security
Microcontroller and Assembly Language ● 1986 Studied Electrical Engineering, Chulalongkorn University ● 1987 Worked Part-Time, Controllers Using Zilog Z80 ● 1989 Was Apprenticed at Intronics, Using Intel 8048 ● 1989 Designed Heat Exchanger Controller as a Senior Project, Using Intel 8031 (My Favorite 8051)
Network Security ● 1995 Started Working at Information and Telecommunication Services (ITS) as Business Development ● Was Assigned to Market a Firewall, “Eagle Raptor” ● Started My Life in Information Security
Embedded System and C/C++ ● 2002 Started a Company, Structure and Composites, Embedded System Design for Bridge and Building Structure Monitoring ● 2004 First WiFi IP Based Bridge Structure Monitoring System ● 2004 Became a Special Instructor in Embedded System Design at Faculty of Engineering, Thammasat University ● 2006 My Company Went Broke ● 2007 Joined Incotec Automation (Thailand) ● 2009 Joined Chanwanich, Project Implementation on Smart Card, PLC and Information Security
Information Security Fundamental
What is Security?  “The quality or state of being secure—to be free from danger”  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
What is Information Security?  The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information  Necessary tools: policy, awareness, training, education, technology
Security Concepts Security Concepts Core Design Confidentiality Integrity Availibility Authentication Authorization Accountability Need to Know Least Privilege Separation of Duties Defense in Depth Fail Safe / Fail Secure Economy of Mechanisms Complete Mediation Open Design Least Common Mechanisms Psychological Acceptability Weakest Link Leveraging Existing Components
Confidentiality-Integrity-Availability (CIA) To ensure that information and vital services are accessible for use when required To ensure the accuracy and completeness of information to protect business processes To ensure protection against unauthorized access to or use of confidential information
Security vs. Usability Security Usability
Security vs. Safety (General Usage) ● Security is concerned with malicious humans that actively search for and exploit weaknesses in a system. ● Safety is protection against mishaps that are unintended (such as accidents)
Why Secure IoT Ecosystems
Problems of IoT Security ● Initial design was for private communication network then moved to IP network and later on the Internet ● Firmware updates are hard or nearly impossible after installations ● Started with basic security then found the security flaws and attached more complex security requirements later ● Low security devices from early design are still out there and used in compatible fall-back mode
Flaw in Design https://thehackernews.com/2017/08/car-safety-hacking.html
Flaw in Library https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of- iot-devices/126913/
Rises of Threats Target IoT Devices https://securelist.com/honeypots-and-the-internet-of-things/78751/
Types of IoT Classified by Communication ● Client Type – Most of implementation – e.g. payment terminal, IP Camera (call back to server), Smart Cars ● Server Type – e.g. IP Camera (built-in web interface) ● Peer-to-Peer or Mesh
Typical IoT Infrastructure Control Server IoT Device Private or Public Internet Public Internet Configuration App Callback and wait for commands Remote control Remote Control App Configure or Update Firmware Configure
Typical Attack: Fake Control Server Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Fake Control Server
Typical Attack: Attack on Device Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
Typical Attack: Attack on Server Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Attack
Typical Attack: Steal Credential Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
Typical Attack: Inject Bad Configuration or Firmware Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Inject Bad Configuration or Firmware Inject Bad Configuration
Typical Attack: Sniff Data on Private Network IoT Device Private Internet Public Internet Callback and wait for commands Remote control Remote Control App Control Server
Other Attack Surface Areas → See OWASP ● Ecosystem ● Device Memory ● Device Physical Interfaces ● Device Web Interface ● Device Firmware ● Device Network Services ● Administrative Interface ● Local Data Storage ● Cloud Web Interface ● Third-party Backend APIs ● Update Mechanism ● Mobile Application ● Vendor Backend APIs ● Ecosystem Communication ● Network Traffic ● Authentication/Authorization ● Privacy ● Hardware (Sensors) https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP Top 10 IoT Vulnerabilities 2014 I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security
Secure IoT Devices That We Use
Mirai Malware ● Malware that turns networked devices running Linux into Malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks botnet in large-scale network attacks ● Primarily targets online consumer devices such as IP cameras Primarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 common and home routers using a table of more than 60 common factory default usernames and passwords, and logs into them factory default usernames and passwords, and logs into them to infect them with the Mirai malware to infect them with the Mirai malware ● First found in August 2016 First found in August 2016 ● Use in DDoS attacks Use in DDoS attacks – 20 September 2016 on the Krebs on Security site which reached 620 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s and 1 Tbit/s attack on French web host OVH Gbit/s and 1 Tbit/s attack on French web host OVH – 21 October 2016 multiple major DDoS attacks in DNS services of DNS 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn service provider Dyn – November 2016 attacks on Liberia's Internet infrastructure November 2016 attacks on Liberia's Internet infrastructure ● The source code for Mirai has been published in hacker forums The source code for Mirai has been published in hacker forums as open-source as open-source
What Can We Learn from Mirai Attacks? ● Do not use default passwords for all default usernames ● If possible, do not allow configuration interface from Internet side ● If the IoT devices are used only in the organization, do not expose to the public Internet ● If there is a need to use from the Internet, open only necessary ports and use non-default ports where possible
iotsecurity-171108154118.pdf

Recommended

IoT Security
IoT SecurityIoT Security
IoT SecurityNarudom Roongsiriwong, CISSP
 
Network security
Network securityNetwork security
Network securitySri Manakula Vinayagar Engineering College
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
Cyber Security Careerera
Cyber Security CareereraCyber Security Careerera
Cyber Security CareereraDaniel Caesar
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...Rachel Wandishin
 
Securing Devices at Home
Securing Devices at HomeSecuring Devices at Home
Securing Devices at HomeSymptai Consulting Limited
 

Recommended

IoT Security
IoT SecurityIoT Security
IoT SecurityNarudom Roongsiriwong, CISSP
 
Network security
Network securityNetwork security
Network securitySri Manakula Vinayagar Engineering College
 
IoT security
IoT securityIoT security
IoT securityYashKesharwani2
 
Cyber Security Careerera
Cyber Security CareereraCyber Security Careerera
Cyber Security CareereraDaniel Caesar
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...Savvius, Inc
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...Rachel Wandishin
 
Securing Devices at Home
Securing Devices at HomeSecuring Devices at Home
Securing Devices at HomeSymptai Consulting Limited
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxssuserfb92ae
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032PECB
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with FedoraUditha Bandara Wijerathna
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...IJCSIS Research Publications
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael FirstenbergTI Safe
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Decisions
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...REVULN
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdfonline Marketing
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Decisions
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of ThingsLohith Haravu Chandrashekar
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sally's Special Services
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Day4
Day4Day4
Day4Jai4uk
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 

More Related Content

Similar to iotsecurity-171108154118.pdf

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranKoenig Solutions Ltd.
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxssuserfb92ae
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032PECB
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking BadNUS-ISS
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...IJCSIS Research Publications
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael FirstenbergTI Safe
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Decisions
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...REVULN
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdfonline Marketing
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Decisions
 
Information Security
Information SecurityInformation Security
Information SecurityMohit8780
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sally's Special Services
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
 

Similar to iotsecurity-171108154118.pdf (20)

IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary Presentation
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
Information Security
Information SecurityInformation Security
Information Security
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of Things
 
Day4
Day4Day4
Day4
 
Technology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityTechnology & Policy Interaction Panel at Inform[ED] IoT Security
Technology & Policy Interaction Panel at Inform[ED] IoT Security
 
Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security Using Your Network as a Sensor for Enhanced Visibility and Security
Using Your Network as a Sensor for Enhanced Visibility and Security
 

Recently uploaded

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

iotsecurity-171108154118.pdf

  • 1. IoT Security IoT Security Narudom Roongsiriwong, CISSP Narudom Roongsiriwong, CISSP November 8, 2017 November 8, 2017
  • 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Embedded System since 2002 ● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Consulting Team Member for National e-Payment project ● Contact: narudom@owasp.org
  • 3. My Journey to IoT Security
  • 4. Microcontroller and Assembly Language ● 1986 Studied Electrical Engineering, Chulalongkorn University ● 1987 Worked Part-Time, Controllers Using Zilog Z80 ● 1989 Was Apprenticed at Intronics, Using Intel 8048 ● 1989 Designed Heat Exchanger Controller as a Senior Project, Using Intel 8031 (My Favorite 8051)
  • 5. Network Security ● 1995 Started Working at Information and Telecommunication Services (ITS) as Business Development ● Was Assigned to Market a Firewall, “Eagle Raptor” ● Started My Life in Information Security
  • 6. Embedded System and C/C++ ● 2002 Started a Company, Structure and Composites, Embedded System Design for Bridge and Building Structure Monitoring ● 2004 First WiFi IP Based Bridge Structure Monitoring System ● 2004 Became a Special Instructor in Embedded System Design at Faculty of Engineering, Thammasat University ● 2006 My Company Went Broke ● 2007 Joined Incotec Automation (Thailand) ● 2009 Joined Chanwanich, Project Implementation on Smart Card, PLC and Information Security
  • 8. What is Security?  “The quality or state of being secure—to be free from danger”  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
  • 9. What is Information Security?  The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information  Necessary tools: policy, awareness, training, education, technology
  • 10. Security Concepts Security Concepts Core Design Confidentiality Integrity Availibility Authentication Authorization Accountability Need to Know Least Privilege Separation of Duties Defense in Depth Fail Safe / Fail Secure Economy of Mechanisms Complete Mediation Open Design Least Common Mechanisms Psychological Acceptability Weakest Link Leveraging Existing Components
  • 11. Confidentiality-Integrity-Availability (CIA) To ensure that information and vital services are accessible for use when required To ensure the accuracy and completeness of information to protect business processes To ensure protection against unauthorized access to or use of confidential information
  • 13. Security vs. Safety (General Usage) ● Security is concerned with malicious humans that actively search for and exploit weaknesses in a system. ● Safety is protection against mishaps that are unintended (such as accidents)
  • 14. Why Secure IoT Ecosystems
  • 15. Problems of IoT Security ● Initial design was for private communication network then moved to IP network and later on the Internet ● Firmware updates are hard or nearly impossible after installations ● Started with basic security then found the security flaws and attached more complex security requirements later ● Low security devices from early design are still out there and used in compatible fall-back mode
  • 18. Rises of Threats Target IoT Devices https://securelist.com/honeypots-and-the-internet-of-things/78751/
  • 19. Types of IoT Classified by Communication ● Client Type – Most of implementation – e.g. payment terminal, IP Camera (call back to server), Smart Cars ● Server Type – e.g. IP Camera (built-in web interface) ● Peer-to-Peer or Mesh
  • 20. Typical IoT Infrastructure Control Server IoT Device Private or Public Internet Public Internet Configuration App Callback and wait for commands Remote control Remote Control App Configure or Update Firmware Configure
  • 21. Typical Attack: Fake Control Server Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Fake Control Server
  • 22. Typical Attack: Attack on Device Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
  • 23. Typical Attack: Attack on Server Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Attack
  • 24. Typical Attack: Steal Credential Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
  • 25. Typical Attack: Inject Bad Configuration or Firmware Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Inject Bad Configuration or Firmware Inject Bad Configuration
  • 26. Typical Attack: Sniff Data on Private Network IoT Device Private Internet Public Internet Callback and wait for commands Remote control Remote Control App Control Server
  • 27. Other Attack Surface Areas → See OWASP ● Ecosystem ● Device Memory ● Device Physical Interfaces ● Device Web Interface ● Device Firmware ● Device Network Services ● Administrative Interface ● Local Data Storage ● Cloud Web Interface ● Third-party Backend APIs ● Update Mechanism ● Mobile Application ● Vendor Backend APIs ● Ecosystem Communication ● Network Traffic ● Authentication/Authorization ● Privacy ● Hardware (Sensors) https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
  • 28. OWASP Top 10 IoT Vulnerabilities 2014 I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39. Secure IoT Devices That We Use
  • 40. Mirai Malware ● Malware that turns networked devices running Linux into Malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks botnet in large-scale network attacks ● Primarily targets online consumer devices such as IP cameras Primarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 common and home routers using a table of more than 60 common factory default usernames and passwords, and logs into them factory default usernames and passwords, and logs into them to infect them with the Mirai malware to infect them with the Mirai malware ● First found in August 2016 First found in August 2016 ● Use in DDoS attacks Use in DDoS attacks – 20 September 2016 on the Krebs on Security site which reached 620 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s and 1 Tbit/s attack on French web host OVH Gbit/s and 1 Tbit/s attack on French web host OVH – 21 October 2016 multiple major DDoS attacks in DNS services of DNS 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn service provider Dyn – November 2016 attacks on Liberia's Internet infrastructure November 2016 attacks on Liberia's Internet infrastructure ● The source code for Mirai has been published in hacker forums The source code for Mirai has been published in hacker forums as open-source as open-source
  • 41. What Can We Learn from Mirai Attacks? ● Do not use default passwords for all default usernames ● If possible, do not allow configuration interface from Internet side ● If the IoT devices are used only in the organization, do not expose to the public Internet ● If there is a need to use from the Internet, open only necessary ports and use non-default ports where possible