IOT & BYOD – The New Security Risks (v1.1)
Delivering the best in z services, software, hardware and training.
World Class z Specialists
IoT & BYOD - The New Security Risks
Rui Miguel Feio – Security Lead
Agenda
• Introduction
• The Internet Of Things (IoT)
• Bring Your Own Device (BYOD)
• Exposing the Mainframe
• On a nice Sunday morning…
• What to Do?
• References and Resources
• Questions?
Introduction - Rui Feio
– Security lead at RSM Partners
– Been working with mainframes for the past 17 years
– Started as an MVS Systems Programmer with IBM
– Specialises in mainframe security
– Experience in non-mainframe platforms as well
– Has given presentations all over the world
The Internet of Things
IoT – What is it?
– IoT stands for Internet of Things
– Term used to describe physical objects that can communicate with each other and complete tasks without any human involvement having to take place.
– Examples:
• Vehicles, appliances, buildings, …
• Any item embedded with electronics, software, sensors, and network connectivity
IoT – Some numbers
• A study conducted by Gartner says:
– More than 4.9 billion IoT connected devices in 2015
– 6.4 billion IoT connected devices in 2016
– More than 20 billion IoT connected devices in 2020
• A CISCO report predicts there will be 50 billion IoT connected devices in 2020!
IoT – It's here to stay
IoT – The problem
• Trendy, fashionable devices are produced to appeal to tech-savvy consumers
• But the manufacturers of IoT devices tend not to have security in mind
• Some devices, like routers, have their firmware customised by the Internet Service Provider (ISP):
– Don't allow firmware updates directly from the manufacturer
– Don't provide customised updated versions of the firmware
IoT – This leads to…
IoT – And to…
IoT – And even to…
IoT and Cyber Crime
• HP study reveals 70% of IoT devices are vulnerable to attacks
• Cyber criminals are working on new techniques for getting through the security of established organisations, focusing on IoT:
– Home appliances
– Office equipment
– Smart devices
• IoT devices are easier to hack as they don't have robust security measures
IoT – How to hack?
• There are several resources available on the internet and dark web:
– Websites
– Blogs
– Forums
– Software tools
– Scripts
– Vulnerabilities
– Specialised search engines
Shodan – The IoT Search Engine
https://www.shodan.io/
Shodan – An Example
IoT - The Head of US intelligence
IoT – The NSA Chief of TAO
IoT – The Risk
• Your home network can be compromised by one of your own IoT devices
• How secure are your IoT devices?
• How frequently do you update the firmware and software of the devices?
• Are the IoT devices still supported by the manufacturer?
• You connect from home to your company's network
• What will happen if your home network is compromised?
• How long will it take for a hacker to exploit this security flaw?
IoT – The Risk @ Home
Bring Your Own Device
BYOD – What is it?
• BYOD stands for Bring Your Own Device
• It's becoming the standard which allows employees to use their own personal devices to access the company's network remotely, either from their home location or from the workplace
• Seen by companies as a way to reduce costs
BYOD – Some numbers
A study from Gartner:
• 38% of US CIOs were expected to support BYOD by the end of 2012
• 82% of surveyed companies in 2013 allowed some or all workers to use employee-owned devices
• By 2017 half of all employers will utilise BYOD devices to reduce costs and increase usability in the workplace.
BYOD – The problem
• There are a large number of security risks:
– As the device is owned by the employee, it is also used for their own personal use
– The organisation has limited control over the BYOD devices and how they are used
– If the BYOD device becomes infected or compromised, the attacker could use this as a platform to attack the company's network
BYOD – This leads to…
BYOD – And to…
BYOD and Cyber Crime
• In the UK, in a document entitled "10 Steps to Cyber Security", GCHQ has advised businesses to consider banning bring your own device (BYOD) because staff represent the "weakest link in the security chain"
• Approximately 22% of the total number of mobile devices produced will be lost or stolen during their lifetime, and over 50% of these will never be recovered
• According to Kaspersky, 98% of identified mobile malware targets the Android platform, and the number of variants of malware for Android grew 163% in 2012 compared with 2011.
BYOD – The Risk
• A 2015 Ponemon Institute study reports:
– Negligent employees are seen as the greatest source of endpoint risk
• Increased number of BYOD devices connected to the network (including mobile devices)
• Use of commercial cloud applications in the workplace
• Security management control tasks become less efficient and more difficult to implement, 'creating holes' that can be exploited by hackers
BYOD – The Risk of Mobile devices
Exposing the Mainframe
IoT & BYOD vs The Mainframe
• Remember: the mainframe is just another platform residing in the company's network
• If the network is compromised the mainframe can be directly or indirectly affected
• Using BYOD creates challenges to the company's security team that can be difficult to tackle
• You may think that your home network is secure; you update your laptop with the latest security patches, antivirus and firewall definitions, but… have you ever considered the IoT devices?
On a nice Sunday Morning…
On a nice Sunday morning…
On its TV screen facing the street
What to do?
What can be done?
• Manufacturers of IoT devices need to start focusing more on security
• Governments must take the lead in IoT security
• Is an IoT watchdog needed?
• Companies and individuals need to be more security conscious and consider the implications of BYOD and IoT
• Reducing costs in the short term can lead to great financial losses in the medium and long term for everyone
What can be done?
• Strong security policies and rules need to be in place to ensure that any BYOD device is security compliant
• Employees need to be educated about the risks and challenges of both IoT and BYOD
• Managers and directors also need to be educated!! Saving money now can be a very costly thing in the future
• Have you ever imagined how a company's image would be affected if its IT security had been breached using a…
What if…
• A hacker compromises your IoT device…
• Your Fridge!!
• They have access to your WiFi network
• They are scanning your network and see your work laptop connected
• They manage to compromise your laptop
• You VPN into your corporate network
• They port scan and find telnet listening on port 23 for a DNS entry called zOSProd
• And they just happen to know what z/OS is, or they google zOSProd or zOS TELNET
• Start reading and enjoy!!!
• I don't believe in scaring people, but this could happen!
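The chain on this slide ends with a port scan from the VPN session and a cleartext telnet service on port 23 of the production z/OS host. From the defender's side, that same chain leaves traces in network flow logs. The following is an added example, in Python, that is not part of the original presentation or of RSM Partners' material: it reads constructed flow records, flags telnet (TCP/23) sessions into the mainframe subnet, notes whether they originate from the remote-access (VPN) address pool, and flags source/destination pairs that touched several ports, the signature of a port scan. The address ranges, the log format, the port-count threshold and the sample records are all assumptions made for the example.

```python
"""Flag cleartext telnet sessions and port-scan patterns against the mainframe
network in simple flow-log records.  Added example; not from the presentation."""
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) address plan for the example.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")      # remote-access / BYOD clients
MAINFRAME_NET = ipaddress.ip_network("10.10.1.0/24")  # subnet holding the z/OS hosts
CLEARTEXT_PORTS = {23: "telnet"}                      # telnet/TN3270 in the clear
SCAN_THRESHOLD = 3  # distinct destination ports per src->dst pair before flagging

# Constructed sample records: "timestamp src_ip src_port dst_ip dst_port proto".
# 10.200.5.17 is the VPN client; 10.10.1.40 stands in for "zOSProd".
# Port 992 is the conventional TN3270-over-TLS port, shown for contrast.
SAMPLE_FLOWS = """\
2016-05-08T09:12:01 10.200.5.17 51432 10.10.1.25 443 tcp
2016-05-08T09:12:03 10.200.5.17 51440 10.10.1.40 23 tcp
2016-05-08T09:12:03 10.200.5.17 51441 10.10.1.40 22 tcp
2016-05-08T09:12:04 10.200.5.17 51442 10.10.1.40 992 tcp
2016-05-08T09:12:09 10.200.5.17 51450 10.10.1.40 23 tcp
2016-05-08T09:15:30 10.10.2.8 40112 10.10.1.40 992 tcp
2016-05-08T09:16:00 10.10.2.9 40113 10.10.1.40 23 tcp
"""


def parse_flow(line):
    """Parse one record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def analyse(flows_text, scan_threshold=SCAN_THRESHOLD):
    """Return cleartext-service hits and port-scan-like pairs aimed at MAINFRAME_NET."""
    flows = [f for f in (parse_flow(l) for l in flows_text.splitlines()) if f]
    cleartext = []
    ports_seen = defaultdict(set)  # (src, dst) -> distinct TCP destination ports
    for f in flows:
        if f["dst"] not in MAINFRAME_NET or f["proto"] != "tcp":
            continue
        ports_seen[(f["src"], f["dst"])].add(f["dport"])
        if f["dport"] in CLEARTEXT_PORTS:
            cleartext.append({
                "ts": f["ts"],
                "src": str(f["src"]),
                "dst": str(f["dst"]),
                "service": CLEARTEXT_PORTS[f["dport"]],
                "from_vpn": f["src"] in VPN_POOL,
            })
    scans = [
        {"src": str(s), "dst": str(d), "ports": sorted(p), "from_vpn": s in VPN_POOL}
        for (s, d), p in ports_seen.items()
        if len(p) >= scan_threshold
    ]
    return {"cleartext": cleartext, "scans": scans}


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOWS)
    for hit in report["cleartext"]:
        where = "VPN pool" if hit["from_vpn"] else "internal"
        print(f"{hit['ts']} {hit['service']} {hit['src']} -> {hit['dst']} ({where})")
    for scan in report["scans"]:
        print(f"possible scan {scan['src']} -> {scan['dst']} ports {scan['ports']}")
```

Run against the constructed records, the script reports three cleartext telnet sessions to the mainframe subnet (two from the VPN client, one internal) and one scan-like pair (the VPN client probing ports 22, 23 and 992 on the production host). The two findings map onto the slide's own advice: the telnet hits argue for retiring cleartext TN3270 in favour of the TLS-protected service, and the VPN-sourced scan argues for treating remote-access clients as untrusted and alerting on their first contact with mainframe ports.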
Being more specific
• Evaluate device usage scenarios and investigate leading practices to mitigate each risk scenario.
• Invest in a mobile device management (MDM) solution to enforce policies and monitor usage and access.
• Enforce industry standard security policies as a minimum
• Set a security baseline
• Differentiate trusted and untrusted device access
• Introduce more stringent authentication and access controls for critical business apps.
• Add mobile device risk to the organisation's awareness program.
References & Resources
• "Six things you should know about the Internet of Things", TechRadar
• Gartner: http://www.gartner.com
• Ars Technica: http://arstechnica.com
• MIT Technology Review: https://www.technologyreview.com
• Alphr: http://www.alphr.com/
• HP Community Enterprise: http://community.hpe.com/
• CIO: http://www.cio.co.uk
• EE Times: http://www.eetimes.com
• Computer Weekly: http://www.computerweekly.com
• CISCO: http://www.cisco.com
• ExactTrak: http://www.exacttrak.com
• Ponemon Institute: http://www.ponemon.org
Questions?
Contact
Rui Miguel Feio, [email protected]
Phone: +44 (0)7570911459
LinkedIn: www.linkedin.com/in/rfeio
www.rsmpartners.com