Emerging Trends in Cybersecurity by Amar Prusty

Emerging Security Trends
Name of the Speaker : Amar Prusty
Company Name : DXC Technology
Place: Bangalore
Confidential – For Training Purposes Only

Speaker Experience
◆ Cloud & Data Center Architect
◆ Worked for Global Clients across Industry Verticals
◆ Been in IT 17+ years
◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC
◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics
◆ Hobbies– Cooking, Cycling, Reading, Travelling
◆ https://www.linkedin.com/in/amar-prusty-07913028/
Confidential – For Training Purposes Only

Education – Partnership – Solutions
Information Security
Office of Budget and Finance

Smart Appliances
Healthcare
Wearable
Tech

Why it Looks so Bad
• Breakers have a long history and robust tools
– Automated network attack tools
– Exploits for most segments of IoT stack
– Physical access and hardware hacking
• Builders are still searching for
– Secure toolkits
– Proven methodologies
– Successful models
• Result:
– Builders cobble together components
– Build very fragile full stack solutions
– No visibility into security or attack surface
– Attackers have a field day

OWASP IoT Project
• An overall IoT security effort
– Attack surfaces (present)
– Vulnerability lists (working)
– Reference solutions (coming)
• Aggregates community resources
• Guidance for developers
• IoT specific security principles
• IoT framework assessment

OWASP IoT Top 10
Category IoT Security Consideration Recommendations
I1: Insecure Web Interface •Ensure that any web interface coding is written to
prevent the use of weak passwords …
When building a web interface consider implementing
lessons learned from web application security. Employ a
framework that utilizes security …
I2: Insufficient
Authentication/Authorization
•Ensure that applications are written to require
strong passwords where authentication is needed …
Refer to the OWASP Authentication Cheat Sheet
I3: Insecure Network Services •Ensure applications that use network services don't
respond poorly to buffer overflow, fuzzing …
Try to utilize tested, proven, networking stacks and
interfaces that handle exceptions gracefully...
I4: Lack of Transport Encryption •Ensure all applications are written to make use of
encrypted communication between devices…
Utilize encrypted protocols wherever possible to protect
all data in transit…
I5: Privacy Concerns •Ensure only the minimal amount of personal
information is collected from consumers …
Data can present unintended privacy concerns when
aggregated…
I6: Insecure Cloud Interface •Ensure all cloud interfaces are reviewed for security
vulnerabilities (e.g. API interfaces and cloud-based
web interfaces) …
Cloud security presents unique security considerations, as
well as countermeasures. Be sure to consult your cloud
provider about options for security mechanisms…
I7: Insecure Mobile Interface •Ensure that any mobile application coding is
written to disallows weak passwords …
Mobile interfaces to IoT ecosystems require targeted
security. Consult the OWASP Mobile …
I8: Insufficient Security
Configurability
•Ensure applications are written to include
password security options (e.g. Enabling 20
character passwords or enabling two-factor
authentication)…
Security can be a value proposition. Design should take
into consideration a sliding scale of security
requirements…
I9: Insecure Software/Firmware •Ensure all applications are written to include
update capability and can be updated quickly …
Many IoT deployments are either brownfield and/or have
an extremely long deployment cycle...
I10: Poor Physical Security •Ensure applications are written to utilize a minimal
number of physical external ports (e.g. USB ports)
on the device…
Plan on having IoT edge devices fall into malicious hands...

Principles of IoT Security
• Assume a hostile edge
• Test for scale
• Internet of lies
• Exploit autonomy
• Expect isolation
• Protect uniformly
• Encryption is tricky
• System hardening
• Limit what you can
• Lifecycle support
• Data in aggregate is
unpredictable
• Plan for the worst
• The long haul
• Attackers target weakness
• Transitive ownership
• N:N Authentication

Framework assessment
• Based on a prototypical IoT
deployment model
• Designed like a checklist or
benchmark

Example Edge Considerations
• Are communications encrypted?
• Is storage encrypted?
• How is logging performed?
• Is there an updating mechanism?
• Are there default passwords?
• What are the offline security features?
• Is transitive ownership addressed?

Example Gateway Considerations
• Is encryption interrupted?
• Is there replay and denial of service defensive
capabilities?
• Is there local storage? Is it encrypted?
• Is there anomaly detection capability?
• Is there logging and alerting?

Example Cloud Considerations
• Is there a secure web interface?
• Is there data classification and segregation?
• Is there security event reporting?
• How are 3rd party components tracked/updated?
• Is there an audit capability?
• Is there interface segregation?
• Is there complex, multifactor authentication
allowed?

Example Mobile Considerations
• What countermeasures are in place for theft
or loss of device?
• Does the mobile authentication degrade other
component security?
• Is local storage done securely?
• Is there an audit trail of mobile interactions?
• Can mobile be used to enhance
authentication for other components?

Potential Points of Vulnerability
● Coffee makers
● Crock pots
● Refrigerators
● Dishwashers
● Thermostats
● Garage door
openers
● Webcams
● Baby monitors
● Smart TVs
● Adjustable beds
● Heart monitors
● Breathing
ventilators

...Additional Unique Risk Factors...
This market is driven by consumers who DO NOT
associate IT risk with their purchases
Susceptible device vendors are led by executives
focused on sales, profit margin, and market
share – NOT IT Security
This market sector has little or no experience with,
knowledge of, or sensitivity to... IT Security

Potential Damage
Theft and exploitation of banking and credit card
account numbers and logins
Theft and exploitation of business information,
including information corruption
Utilization of access and credentials to proliferate
spam & DoS attacks via home appliance botnets
Utilization of access to alter IoT device settings,
including medical devices
Violation of user privacy, including access to baby
monitors

Add'l Threat Information
Per “Massive Media” 10/31/16 – Other Mirai
exploits have since been identified
Universal Plug & Play (UPnP) poses a security
risk:
- NO form of user authentification is required
- ANY app can ask the router to forward a port
over UPnP – probably NOT secure...
Firmware updates delivered through WeMo-
paired devices commonly use non-encrypted
channels

So, Where Do We Stand?
NO federal laws, policies, or guidelines exist
Vendor efforts are focused primarily on providing
“legalese” disclaimers...protecting THEM
Third-party components in products may constitute
a significant – and HIDDEN – threat
It may NOT BE POSSIBLE to change passwords in
some products OR disable the IoT features
IoT capable devices CAN BE SUSCEPTIBLE to
tampering, return, re-sale, and exploitation by
hackers

What Can We Do?
VERIFY the IoT capabilities and associated risks
with ALL existing ...and new...products
Consider MOVING AWAY from devices which
CANNOT be readily or practically secured
MONITOR THE MEDIA for information about IoT
exploits and risks
Investigate products such as “Dojo” to block access
and “Shodan” to monitor devices
Be careful DISPOSING OF IoT appliances –
Remember what we all learned about printers ???

...Worst Case Scenario...
● Your “smart” bed folds up and traps you...
● The thermostat drives up the temperature...
● The IoT vacuum cleaner blocks the door...
● Your SmartPhone answers that you are “out”...
● Your webcam broadcasts the whole thing while
the coffee pot, the crock pot, and the microwave
bubble over and celebrate in the kitchen while
the garage door happily opens and closes...

Recommendations
Accommodate IoT with existing
practices:
– Policies, Procedures, & Standards
– Awareness Training
– Risk Management
– Vulnerability Management
– Forensics

Recommendations
• Plan for IoT growth:
– Additional types of logging, log storage:
Can you find the needle in the haystack?
– Increased network traffic: will your
firewall / IDS / IPS be compatible and keep
up?
– Increased demand for IP addresses both
IPv4 and IPv6
– Increased network complexity – should
these devices be isolated or segmented?

Recommendations
• Strengthen partnerships with researchers,
vendors, and procurement department

Threat vs. Opportunity
• If misunderstood and misconfigured, IoT
poses risk to our data, privacy, and safety
• If understood and secured, IoT will enhance
communications, lifestyle, and delivery of
services

Final Thoughts
• Privacy in realms of big data is a problem
– No real technical solution to this one
• Regulation is probably coming
– FTC set to release guidelines next year
• Consumers may eschew security but business
won’t
• Security can be a differentiator

...Other Options..
Buy a Dumb Car...
Learn to cook over a campfire...
Learn to love “dumb” devices - some
of us can relate to them pretty easily...
NEVER leave your IoT devices
together in the dark where they can
conspire against you!

Questions and Discussion

Emerging Trends in Cybersecurity by Amar Prusty

More Related Content

What's hot (20)

Similar to Emerging Trends in Cybersecurity by Amar Prusty (20)

More from Cysinfo Cyber Security Community (20)

Recently uploaded (20)

Emerging Trends in Cybersecurity by Amar Prusty

Editor's Notes