Security and Wearables: Success starts with security
Transcript of Security and Wearables: Success starts with security
Security and Wearables: Success Starts with Security
Stephen Cobb, CISSP, Sr. Security Researcher
What's the biggest threat to the success of your wearable project?
A. Lack of funding
B. Competition
C. Skills shortage
D. Technical challenges
E. Bad press and brand damage due to a data breach that could have been prevented with better security and stricter adherence to privacy policies
This is not success
Headline: "Shares in Hong Kong toy maker VTech halted after customer data stolen"
Worrying IoT survey results
- 52% believe most IoT devices on the market right now DO NOT have the necessary security in place
- 49% don't trust having personal/private data tied to IoT devices, but still use them
- Only 18% of people trust having their personal data tied to IoT devices
- 90% of developers think current IoT devices lack necessary security
Source: Auth0, November 2015
A Tale of Two Industries
Wearable Tech: tech to help people
- Gather and analyze data
- Improve health, lifestyle
- Inform decision-making
- Enhance experience
Criminal Tech: tech to help themselves
- Steal data, sell stolen data
- Ransom data
- Rent/sell tools to steal data
- Enhance earnings
Data crime is an industry, fueled by information about people.
Wearables = information about people.
Data crime targets endpoints and servers.
Wearables = endpoints.
Wearables will be targeted by data thieves.
Wearables will be scrutinized by the Federal Trade Commission.
Attack surface challenges for Wearables
Smartphone: Wi-Fi, Bluetooth, 4G, SMS, USB, NFC; operating system; OS provider; app frameworks; app software; app provider; app analytics; utility API; CRM/marketing; location service; email, web browser; physical access
Comms services: wireless and cable; NOC facilities; HVAC; eavesdropping; retention policies; traffic monitoring; diagnostics; service updates; protocols; physical security
Wearable device: Bluetooth; USB; operating system; OS provider; app frameworks; app software; app provider; app analytics; utility API; CRM/marketing; location service; physical access
Wireless AP/router: firmware; operating system; Wi-Fi connections; wired connections; web interface; support services; USB, WPS; physical access
The cloud: operating systems; hypervisor; database managers; sharding; encryption; replication services; shared hosts; multiple locations; data center security; transnational flows; shared facilities; maintenance; third parties
WWW
Company website: customer data; upgrades; add-ons
What's the FTC got to do with it?
- Consumer protection agency
- Polices data privacy and security in the U.S.
- 50 law enforcement actions and counting
- Monitors emerging technology
- Suggests appropriate behavior
- Looks for inappropriate outcomes
- Takes cases to set precedents
- Imposes onerous settlements
FTC model for success
FTC 10 security commandments (from the FTC's "Start with Security" guide for business)
1. Start with security
2. Control access to data sensibly
3. Require secure passwords and authentication
4. Store sensitive personal information securely and protect it during transmission
5. Segment your network, monitor who's trying to get in/out
6. Secure remote access to your network
7. Apply security practices when developing new products
8. Make sure your service providers implement reasonable security measures
9. Put procedures in place to keep your security current and address vulnerabilities that may arise
10. Secure paper, physical media, and devices
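Commandments 3 and 4 are the two a wearable back end gets wrong most often, so here is a worked example of what "require secure passwords" and "store sensitive personal information securely" look like in code. This is an added example, not code from the deck or from the FTC: the password policy, the deny-list, the iteration count and the record format are illustrative choices, and the insecure_hash function is included only to show why an unsalted hash fails.

```python
import hashlib
import hmac
import secrets

# Parameters are illustrative choices for this example, not values from the deck.
PBKDF2_ITERATIONS = 200_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # per-credential random salt
MIN_PASSWORD_LENGTH = 12

# Constructed deny-list standing in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1234"}


def password_is_acceptable(password: str) -> bool:
    """Minimal policy for 'require secure passwords': length plus a deny-list check."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and password.lower() not in COMMON_PASSWORDS)


def insecure_hash(password: str) -> str:
    """What NOT to do: a single unsalted SHA-256. Equal passwords give equal
    hashes, so a stolen table can be cracked with a precomputed lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored record carries the
    algorithm, iteration count and salt, so it can be verified and upgraded later."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count and compare in
    constant time. Malformed records are rejected instead of raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


# Dummy record verified for unknown usernames so login timing does not reveal
# which accounts exist (hypothetical helper for this example).
DUMMY_RECORD = hash_password("dummy-record-for-timing-only")


def register(store: dict, username: str, password: str) -> bool:
    """Enrol a user only if the password passes policy; keep the salted hash only."""
    if not password_is_acceptable(password):
        return False
    store[username] = hash_password(password)
    return True


def login(store: dict, username: str, password: str) -> bool:
    """Always run the full verification, even for unknown users."""
    record = store.get(username, DUMMY_RECORD)
    return verify_password(password, record) and username in store


if __name__ == "__main__":
    users = {}
    print(register(users, "alice", "correct horse battery staple"))  # True
    print(register(users, "bob", "password"))                        # False, fails policy
    print(login(users, "alice", "correct horse battery staple"))     # True
    print(login(users, "alice", "wrong password here"))              # False
    print(insecure_hash("same-password") == insecure_hash("same-password"))  # True: the problem
    print(hash_password("same-password") == hash_password("same-password"))  # False: salted
```

The record format embeds the iteration count so the work factor can be raised on the next successful login without a migration, and hmac.compare_digest keeps the comparison from leaking how many bytes matched. The same principle (never store the secret, only a salted slow hash) applies to API tokens and device pairing codes held on the wearable's cloud side.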
FTC IoT tips (1-7 of 13)
1. Start with the fundamentals.
2. Take advantage of what experts have already learned about security.
3. Design product with authentication in mind.
4. Protect the interfaces between your product and other devices or services.
5. Consider how to limit permissions.
6. Take advantage of available security tools.
7. Test security measures before launching product.
FTC IoT tips (8-13 of 13)
8. Select the secure choice as your default setting.
9. Use your initial communications with customers to educate them about the safest use of your product.
10. Establish an effective approach for updating your security procedures.
11. Keep your ear to the ground.
12. Innovate how you communicate.
13. Let prospective customers know what you're doing to secure consumer information.
Security is not about compliance
Forget HIPAA, PCI, COPPA: any wearable system handling personally identifiable information will be targeted,
- whether it's PHI, ePHI, or PII,
- whether or not HIPAA applies.
Bottom line: breaches are always bad news, so a transparent, documented, good-faith effort to protect user data is your best approach and your best defense.
Thank you!
www.WeLiveSecurity.com
www.slideshare.net/zcobb
@zcobb
Stephen Cobb, CISSP, Sr. Security Researcher