Security and Wearables: Success starts with security


Transcript of Security and Wearables: Success starts with security

Page 1: Security and Wearables: Success starts with security

Starts with Security
Stephen Cobb, CISSP
Sr. Security Researcher

Page 2: Security and Wearables: Success starts with security

What’s the biggest threat to the success of your wearable project?
A. Lack of funding
B. Competition
C. Skills shortage
D. Technical challenges
E. Bad press and brand damage due to a data breach that could have been prevented with better security and stricter adherence to privacy policies

Page 3: Security and Wearables: Success starts with security

This is not success
Shares in Hong Kong toy maker VTech Halted after customer data stolen

Page 4: Security and Wearables: Success starts with security

Worrying IoT survey results
- 52% believe most IoT devices on the market right now DO NOT have the necessary security in place
- 49% don’t trust having personal / private data tied to IoT devices, but still use them
- Only 18% of people trust having their personal data tied to IoT devices
- 90% of developers think current IoT devices lack necessary security

Auth0, November 2015

Page 5: Security and Wearables: Success starts with security

A Tale of Two Industries

Wearable Tech
- Tech to help people
- Gather and analyze data
- Improve health, lifestyle
- Inform decision-making
- Enhance experience

Criminal Tech
- Tech to help themselves
- Steal data, sell stolen data
- Ransom data
- Rent/sell tools to steal data
- Enhance earnings

Page 6: Security and Wearables: Success starts with security

Data crime is an industry
- Fueled by information about people
  - Wearables = information about people
- Targets endpoints and servers
  - Wearables = endpoints

Wearables will be targeted
- By data thieves

Wearables will be scrutinized
- By the Federal Trade Commission

Page 7: Security and Wearables: Success starts with security

Attack surface challenges for Wearables

SMARTPHONE: WI-FI, BLUETOOTH, 4G, SMS, USB, NFC, OPERATING SYSTEM, OS PROVIDER, APP FRAMEWORKS, APP SOFTWARE, APP PROVIDER, APP ANALYTICS, UTILITY API, CRM/MARKETING, LOCATION SERVICE, EMAIL, WEB BROWSER, PHYSICAL ACCESS

COMMS SERVICES: WIRELESS AND CABLE, NOC FACILITIES, HVAC, EAVESDROPPING, RETENTION POLICIES, TRAFFIC MONITORING, DIAGNOSTICS, SERVICE UPDATES, PROTOCOLS, PHYSICAL SECURITY

WEARABLE DEVICE: BLUETOOTH, USB, OPERATING SYSTEM, OS PROVIDER, APP FRAMEWORKS, APP SOFTWARE, APP PROVIDER, APP ANALYTICS, UTILITY API, CRM/MARKETING, LOCATION SERVICE, PHYSICAL ACCESS

WIRELESS AP/ROUTER: FIRMWARE, OPERATING SYSTEM, WI-FI CONNECTIONS, WIRED CONNECTIONS, WEB INTERFACE, SUPPORT SERVICES, USB, WPS, PHYSICAL ACCESS

THE CLOUD: OPERATING SYSTEMS, HYPERVISOR, DATABASE MANAGERS, SHARDING, ENCRYPTION, REPLICATION SERVICES, SHARED HOSTS, MULTIPLE LOCATIONS, DATA CENTER SECURITY, TRANSNATIONAL FLOWS, SHARED FACILITIES, MAINTENANCE, THIRD PARTIES

WWW

COMPANY WEBSITE: CUSTOMER DATA, UPGRADES, ADD-ONS

Page 8: Security and Wearables: Success starts with security

What’s the FTC got to do with it?
- Consumer protection agency
- Polices data privacy and security in the U.S.
- 50 law enforcement actions and counting
- Monitors emerging technology
- Suggests appropriate behavior
- Looks for inappropriate outcomes
- Takes cases to set precedents
- Imposes onerous settlements

Page 9: Security and Wearables: Success starts with security

FTC model for success

Page 10: Security and Wearables: Success starts with security

FTC 10 security commandments
1. Start with security
2. Control access to data sensibly
3. Require secure passwords and authentication
4. Store sensitive personal information securely and protect it during transmission
5. Segment your network, monitor who’s trying to get in/out
6. Secure remote access to your network
7. Apply security practices when developing new products
8. Make sure your service providers implement reasonable security measures
9. Put procedures in place to keep your security current and address vulnerabilities that may arise
10. Secure paper, physical media, and devices

Page 11: Security and Wearables: Success starts with security

FTC 7/13 IoT tips
1. Start with the fundamentals.
2. Take advantage of what experts have already learned about security.
3. Design product with authentication in mind.
4. Protect the interfaces between your product and other devices or services.
5. Consider how to limit permissions.
6. Take advantage of available security tools.
7. Test security measures before launching product.

Page 12: Security and Wearables: Success starts with security

FTC 8-13 IoT tips
8. Select the secure choice as your default setting.
9. Use your initial communications with customers to educate them about the safest use of your product.
10. Establish an effective approach for updating your security procedures.
11. Keep your ear to the ground.
12. Innovate how you communicate.
13. Let prospective customers know what you’re doing to secure consumer information.

Page 13: Security and Wearables: Success starts with security

Security is not about compliance

Forget HIPAA, PCI, COPPA: any wearable system handling personally identifiable information will be targeted
- Whether it’s PHI, ePHI, or PII
- Whether or not HIPAA applies

Bottom line: breaches are always bad news, and so a transparent, documented, good faith effort to protect user data is your best approach and your best defense

Page 14: Security and Wearables: Success starts with security

Thank you!

www.WeLiveSecurity.com

www.slideshare.net/zcobb

@zcobb
Stephen Cobb, CISSP
Sr. Security Researcher