SlideShare ist ein Scribd-Unternehmen logo

IoT Security

Narudom Roongsiriwong, CISSP
Narudom Roongsiriwong, CISSP

The growth of embedded systems connecting to the Internet or "Internet of Things" (IoT) increases year by year. Thus, the IoT ecosystems become new targets of the attackers. This presentation will talk about the basic principle of information security, why we need to secure IoT ecosystems, and also the vulnerabilities and solutions from OWASP.

Technologie
1 von 42
Downloaden Sie, um offline zu lesen
IoT SecurityIoT Security Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSP November 8, 2017November 8, 2017
WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Embedded System since 2002 ● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Consulting Team Member for National e-Payment project ● Contact: narudom@owasp.org
My Journey to IoT Security
Microcontroller and Assembly Language ● 1986 Studied Electrical Engineering, Chulalongkorn University ● 1987 Worked Part-Time, Controllers Using Zilog Z80 ● 1989 Was Apprenticed at Intronics, Using Intel 8048 ● 1989 Designed Heat Exchanger Controller as a Senior Project, Using Intel 8031 (My Favorite 8051)
Network Security ● 1995 Started Working at Information and Telecommunication Services (ITS) as Business Development ● Was Assigned to Market a Firewall, “Eagle Raptor” ● Started My Life in Information Security
Embedded System and C/C++ ● 2002 Started a Company, Structure and Composites, Embedded System Design for Bridge and Building Structure Monitoring ● 2004 First WiFi IP Based Bridge Structure Monitoring System ● 2004 Became a Special Instructor in Embedded System Design at Faculty of Engineering, Thammasat University ● 2006 My Company Went Broke ● 2007 Joined Incotec Automation (Thailand) ● 2009 Joined Chanwanich, Project Implementation on Smart Card, PLC and Information Security
Information Security Fundamental
What is Security?  “The quality or state of being secure—to be free from danger”  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
What is Information Security?  The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information  Necessary tools: policy, awareness, training, education, technology
Security Concepts Security Concepts Core Design Confidentiality Integrity Availibility Authentication Authorization Accountability Need to Know Least Privilege Separation of Duties Defense in Depth Fail Safe / Fail Secure Economy of Mechanisms Complete Mediation Open Design Least Common Mechanisms Psychological Acceptability Weakest Link Leveraging Existing Components
Confidentiality-Integrity-Availability (CIA) To ensure that information and vital services are accessible for use when required To ensure the accuracy and completeness of information to protect business processes To ensure protection against unauthorized access to or use of confidential information
Security vs. Usability Security Usability
Security vs. Safety (General Usage) ● Security is concerned with malicious humans that actively search for and exploit weaknesses in a system. ● Safety is protection against mishaps that are unintended (such as accidents)
Why Secure IoT Ecosystems
Problems of IoT Security ● Initial design was for private communication network then moved to IP network and later on the Internet ● Firmware updates are hard or nearly impossible after installations ● Started with basic security then found the security flaws and attached more complex security requirements later ● Low security devices from early design are still out there and used in compatible fall-back mode
Flaw in Design https://thehackernews.com/2017/08/car-safety-hacking.html
Flaw in Library https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of- iot-devices/126913/
Rises of Threats Target IoT Devices https://securelist.com/honeypots-and-the-internet-of-things/78751/
Types of IoT Classified by Communication ● Client Type – Most of implementation – e.g. payment terminal, IP Camera (call back to server), Smart Cars ● Server Type – e.g. IP Camera (built-in web interface) ● Peer-to-Peer or Mesh
Typical IoT Infrastructure Control Server IoT Device Private or Public Internet Public Internet Configuration App Callback and wait for commands Remote control Remote Control App Configure or Update Firmware Configure
Typical Attack: Fake Control Server Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control AppFake Control Server
Typical Attack: Attack on Device Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
Typical Attack: Attack on Server Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Attack
Typical Attack: Steal Credential Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
Typical Attack: Inject Bad Configuration or Firmware Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Inject Bad Configuration or Firmware Inject Bad Configuration
Typical Attack: Sniff Data on Private Network IoT Device Private Internet Public Internet Callback and wait for commands Remote control Remote Control App Control Server
Other Attack Surface Areas → See OWASP ● Ecosystem ● Device Memory ● Device Physical Interfaces ● Device Web Interface ● Device Firmware ● Device Network Services ● Administrative Interface ● Local Data Storage ● Cloud Web Interface ● Third-party Backend APIs ● Update Mechanism ● Mobile Application ● Vendor Backend APIs ● Ecosystem Communication ● Network Traffic ● Authentication/Authorization ● Privacy ● Hardware (Sensors) https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP Top 10 IoT Vulnerabilities 2014 I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security
Secure IoT Devices That We Use
Mirai Malware ● Malware that turns networked devices running Linux intoMalware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of aremotely controlled "bots" that can be used as part of a botnet in large-scale network attacksbotnet in large-scale network attacks ● Primarily targets online consumer devices such as IP camerasPrimarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 commonand home routers using a table of more than 60 common factory default usernames and passwords, and logs into themfactory default usernames and passwords, and logs into them to infect them with the Mirai malwareto infect them with the Mirai malware ● First found in August 2016First found in August 2016 ● Use in DDoS attacksUse in DDoS attacks – 20 September 2016 on the Krebs on Security site which reached 62020 September 2016 on the Krebs on Security site which reached 620 Gbit/s and 1 Tbit/s attack on French web host OVHGbit/s and 1 Tbit/s attack on French web host OVH – 21 October 2016 multiple major DDoS attacks in DNS services of DNS21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dynservice provider Dyn – November 2016 attacks on Liberia's Internet infrastructureNovember 2016 attacks on Liberia's Internet infrastructure ● The source code for Mirai has been published in hacker forumsThe source code for Mirai has been published in hacker forums as open-sourceas open-source
What Can We Learn from Mirai Attacks? ● Do not use default passwords for all default usernames ● If possible, do not allow configuration interface from Internet side ● If the IoT devices are used only in the organization, do not expose to the public Internet ● If there is a need to use from the Internet, open only necessary ports and use non-default ports where possible
IoT Security

Empfohlen

IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
CAS
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
sreelekha appakondappagari
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
Anastasios Economides
 
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approachThe Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
Deloitte United States
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT Security
SHAAMILIVARSAGV
 
Iot
IotIot
Iot
Priti Banya Mohanty
 

Empfohlen

IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
CAS
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.PrabhakaranIoT Security, Threats and Challenges By V.P.Prabhakaran
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
security and privacy-Internet of things
security and privacy-Internet of thingssecurity and privacy-Internet of things
security and privacy-Internet of things
sreelekha appakondappagari
 
Overview of IoT and Security issues
Overview of IoT and Security issuesOverview of IoT and Security issues
Overview of IoT and Security issues
Anastasios Economides
 
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approachThe Internet of Things (IoT) and cybersecurity: A secure-by-design approach
The Internet of Things (IoT) and cybersecurity: A secure-by-design approach
Deloitte United States
 
Fundamentals of IoT Security
Fundamentals of IoT SecurityFundamentals of IoT Security
Fundamentals of IoT Security
SHAAMILIVARSAGV
 
Iot
IotIot
Iot
Priti Banya Mohanty
 
IoT Communication Protocols
IoT Communication ProtocolsIoT Communication Protocols
IoT Communication Protocols
Pradeep Kumar TS
 
Artificial intelligence and IoT
Artificial intelligence and IoTArtificial intelligence and IoT
Artificial intelligence and IoT
Veselin Pizurica
 
IOT Security
IOT SecurityIOT Security
IOT Security
Sylvain Martinez
 
IoT security
IoT securityIoT security
IoT security
YashKesharwani2
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
Intel® Software
 
IOT PROTOCOLS.pptx
IOT PROTOCOLS.pptxIOT PROTOCOLS.pptx
IOT PROTOCOLS.pptx
DRREC
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
Bryan Len
 
Iot architecture
Iot architectureIot architecture
Iot architecture
Anam Iqbal
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applications
Pasquale Puzio
 
DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)
Abdullah Ozturk
 
IoT Networking
IoT NetworkingIoT Networking
IoT Networking
Hitesh Mohapatra
 
IoT architecture
IoT architectureIoT architecture
IoT architecture
Sumit Sharma
 
Sensors in IOT
Sensors in IOTSensors in IOT
Sensors in IOT
ATS SBGI MIRAJ
 
Internet of Things (IOT)
Internet of Things (IOT)Internet of Things (IOT)
Internet of Things (IOT)
Kunal Adhikari
 
Introduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsIntroduction to IoT Architectures and Protocols
Introduction to IoT Architectures and Protocols
Abdullah Alfadhly
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoT
Vishnupriya T H
 
IoT ecosystem
IoT ecosystemIoT ecosystem
IoT ecosystem
Md. Shamsul Haque
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
gr9293
 
Internet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digitalInternet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digital
Eslam Nader
 
Internet of things(IoT)
Internet of things(IoT)Internet of things(IoT)
Internet of things(IoT)
NAGUR SHAREEF SHAIK
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
KerimBozkanli
 
Network security
Network securityNetwork security
Network security
Sri Manakula Vinayagar Engineering College
 

Weitere ähnliche Inhalte

Was ist angesagt?

Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
Bryan Len
 

Was ist angesagt? (20)

IoT Communication Protocols
IoT Communication ProtocolsIoT Communication Protocols
IoT Communication Protocols
 
Artificial intelligence and IoT
Artificial intelligence and IoTArtificial intelligence and IoT
Artificial intelligence and IoT
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
IoT security
IoT securityIoT security
IoT security
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
IOT PROTOCOLS.pptx
IOT PROTOCOLS.pptxIOT PROTOCOLS.pptx
IOT PROTOCOLS.pptx
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
 
Iot architecture
Iot architectureIot architecture
Iot architecture
 
Internet of Things and its applications
Internet of Things and its applicationsInternet of Things and its applications
Internet of Things and its applications
 
DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)DDS for Internet of Things (IoT)
DDS for Internet of Things (IoT)
 
IoT Networking
IoT NetworkingIoT Networking
IoT Networking
 
IoT architecture
IoT architectureIoT architecture
IoT architecture
 
Sensors in IOT
Sensors in IOTSensors in IOT
Sensors in IOT
 
Internet of Things (IOT)
Internet of Things (IOT)Internet of Things (IOT)
Internet of Things (IOT)
 
Introduction to IoT Architectures and Protocols
Introduction to IoT Architectures and ProtocolsIntroduction to IoT Architectures and Protocols
Introduction to IoT Architectures and Protocols
 
Security challenges in IoT
Security challenges in IoTSecurity challenges in IoT
Security challenges in IoT
 
IoT ecosystem
IoT ecosystemIoT ecosystem
IoT ecosystem
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
Internet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digitalInternet of things (IOT) connects physical to digital
Internet of things (IOT) connects physical to digital
 
Internet of things(IoT)
Internet of things(IoT)Internet of things(IoT)
Internet of things(IoT)
 

Ähnlich wie IoT Security

iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
KerimBozkanli
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
Savvius, Inc
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Rachel Wandishin
 
Information Security
Information SecurityInformation Security
Information Security
Mohit8780
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
IJCSIS Research Publications
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 

Ähnlich wie IoT Security (20)

iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
 
Network security
Network securityNetwork security
Network security
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
All Hope is Not Lost Network Forensics Exposes Today's Advanced Security Thr...
 
Cyber Security Careerera
Cyber Security CareereraCyber Security Careerera
Cyber Security Careerera
 
Securing Devices at Home
Securing Devices at HomeSecuring Devices at Home
Securing Devices at Home
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
 
Information Security
Information SecurityInformation Security
Information Security
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
12 IoT Cyber Security Threats to Avoid - CyberHive.pdf
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg
 
Day4
Day4Day4
Day4
 
IoT – Breaking Bad
IoT – Breaking BadIoT – Breaking Bad
IoT – Breaking Bad
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
OSB180: Learn More About Ivanti Endpoint Security
OSB180: Learn More About Ivanti Endpoint SecurityOSB180: Learn More About Ivanti Endpoint Security
OSB180: Learn More About Ivanti Endpoint Security
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 

Mehr von Narudom Roongsiriwong, CISSP

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
Narudom Roongsiriwong, CISSP
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 

Mehr von Narudom Roongsiriwong, CISSP (20)

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

IoT Security

  • 1. IoT SecurityIoT Security Narudom Roongsiriwong, CISSPNarudom Roongsiriwong, CISSP November 8, 2017November 8, 2017
  • 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Embedded System since 2002 ● Head of IT Security and Solution Architecture, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Consulting Team Member for National e-Payment project ● Contact: narudom@owasp.org
  • 3. My Journey to IoT Security
  • 4. Microcontroller and Assembly Language ● 1986 Studied Electrical Engineering, Chulalongkorn University ● 1987 Worked Part-Time, Controllers Using Zilog Z80 ● 1989 Was Apprenticed at Intronics, Using Intel 8048 ● 1989 Designed Heat Exchanger Controller as a Senior Project, Using Intel 8031 (My Favorite 8051)
  • 5. Network Security ● 1995 Started Working at Information and Telecommunication Services (ITS) as Business Development ● Was Assigned to Market a Firewall, “Eagle Raptor” ● Started My Life in Information Security
  • 6. Embedded System and C/C++ ● 2002 Started a Company, Structure and Composites, Embedded System Design for Bridge and Building Structure Monitoring ● 2004 First WiFi IP Based Bridge Structure Monitoring System ● 2004 Became a Special Instructor in Embedded System Design at Faculty of Engineering, Thammasat University ● 2006 My Company Went Broke ● 2007 Joined Incotec Automation (Thailand) ● 2009 Joined Chanwanich, Project Implementation on Smart Card, PLC and Information Security
  • 8. What is Security?  “The quality or state of being secure—to be free from danger”  A successful organization should have multiple layers of security in place:  Physical security  Personal security  Operations security  Communications security  Network security  Information security
  • 9. What is Information Security?  The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information  Necessary tools: policy, awareness, training, education, technology
  • 10. Security Concepts Security Concepts Core Design Confidentiality Integrity Availibility Authentication Authorization Accountability Need to Know Least Privilege Separation of Duties Defense in Depth Fail Safe / Fail Secure Economy of Mechanisms Complete Mediation Open Design Least Common Mechanisms Psychological Acceptability Weakest Link Leveraging Existing Components
  • 11. Confidentiality-Integrity-Availability (CIA) To ensure that information and vital services are accessible for use when required To ensure the accuracy and completeness of information to protect business processes To ensure protection against unauthorized access to or use of confidential information
  • 13. Security vs. Safety (General Usage) ● Security is concerned with malicious humans that actively search for and exploit weaknesses in a system. ● Safety is protection against mishaps that are unintended (such as accidents)
  • 14. Why Secure IoT Ecosystems
  • 15. Problems of IoT Security ● Initial design was for private communication network then moved to IP network and later on the Internet ● Firmware updates are hard or nearly impossible after installations ● Started with basic security then found the security flaws and attached more complex security requirements later ● Low security devices from early design are still out there and used in compatible fall-back mode
  • 18. Rises of Threats Target IoT Devices https://securelist.com/honeypots-and-the-internet-of-things/78751/
  • 19. Types of IoT Classified by Communication ● Client Type – Most of implementation – e.g. payment terminal, IP Camera (call back to server), Smart Cars ● Server Type – e.g. IP Camera (built-in web interface) ● Peer-to-Peer or Mesh
  • 20. Typical IoT Infrastructure Control Server IoT Device Private or Public Internet Public Internet Configuration App Callback and wait for commands Remote control Remote Control App Configure or Update Firmware Configure
  • 21. Typical Attack: Fake Control Server Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control AppFake Control Server
  • 22. Typical Attack: Attack on Device Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
  • 23. Typical Attack: Attack on Server Open Ports Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Attack
  • 24. Typical Attack: Steal Credential Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App
  • 25. Typical Attack: Inject Bad Configuration or Firmware Control Server IoT Device Private or Public Internet Public Internet Callback and wait for commands Remote control Remote Control App Inject Bad Configuration or Firmware Inject Bad Configuration
  • 26. Typical Attack: Sniff Data on Private Network IoT Device Private Internet Public Internet Callback and wait for commands Remote control Remote Control App Control Server
  • 27. Other Attack Surface Areas → See OWASP ● Ecosystem ● Device Memory ● Device Physical Interfaces ● Device Web Interface ● Device Firmware ● Device Network Services ● Administrative Interface ● Local Data Storage ● Cloud Web Interface ● Third-party Backend APIs ● Update Mechanism ● Mobile Application ● Vendor Backend APIs ● Ecosystem Communication ● Network Traffic ● Authentication/Authorization ● Privacy ● Hardware (Sensors) https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
  • 28. OWASP Top 10 IoT Vulnerabilities 2014 I1 Insecure Web Interface I2 Insufficient Authentication/Authorization I3 Insecure Network Services I4 Lack of Transport Encryption/Integrity Verification I5 Privacy Concerns I6 Insecure Cloud Interface I7 Insecure Mobile Interface I8 Insufficient Security Configurability I9 Insecure Software/Firmware I10 Poor Physical Security
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
  • 39. Secure IoT Devices That We Use
  • 40. Mirai Malware ● Malware that turns networked devices running Linux intoMalware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of aremotely controlled "bots" that can be used as part of a botnet in large-scale network attacksbotnet in large-scale network attacks ● Primarily targets online consumer devices such as IP camerasPrimarily targets online consumer devices such as IP cameras and home routers using a table of more than 60 commonand home routers using a table of more than 60 common factory default usernames and passwords, and logs into themfactory default usernames and passwords, and logs into them to infect them with the Mirai malwareto infect them with the Mirai malware ● First found in August 2016First found in August 2016 ● Use in DDoS attacksUse in DDoS attacks – 20 September 2016 on the Krebs on Security site which reached 62020 September 2016 on the Krebs on Security site which reached 620 Gbit/s and 1 Tbit/s attack on French web host OVHGbit/s and 1 Tbit/s attack on French web host OVH – 21 October 2016 multiple major DDoS attacks in DNS services of DNS21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dynservice provider Dyn – November 2016 attacks on Liberia's Internet infrastructureNovember 2016 attacks on Liberia's Internet infrastructure ● The source code for Mirai has been published in hacker forumsThe source code for Mirai has been published in hacker forums as open-sourceas open-source
  • 41. What Can We Learn from Mirai Attacks? ● Do not use default passwords for all default usernames ● If possible, do not allow configuration interface from Internet side ● If the IoT devices are used only in the organization, do not expose to the public Internet ● If there is a need to use from the Internet, open only necessary ports and use non-default ports where possible