SlideShare a Scribd company logo

Iot security amar prusty

Download as PPTX, PDF
A
amarprusty

The document provides information from a presentation on IoT security given by Amar Prusty of DXC Technology. It begins with biographical information about the speaker and an overview of what IoT is. It then discusses some of the key security challenges with IoT, including that IoT devices often have weak default credentials, lack of ability to update firmware, and vulnerabilities in web interfaces. The document outlines potential attacks against different components of an IoT system like edge devices, gateways, cloud infrastructure and mobile devices. It proposes using the OWASP IoT security framework to help address vulnerabilities and concludes by discussing the challenges in securing IoT given the current state of tools and methodologies available to builders.

Technology
1 of 109
Downloaded 45 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
IOT Security Name of the Speaker : Amar Prusty Company Name : DXC Technology Place: Bangalore Confidential – For Training Purposes Only
WHO AM I ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics ◆ Hobbies– Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/ Confidential – For Training Purposes Only
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
What is IoT? • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data. Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Various Names, One Concept • M2M (Machine to Machine) • “Internet of Everything” (Cisco Systems) • “World Size Web” (Bruce Schneier) • “Skynet” (Terminator movie) Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Where is IoT? Education – Partnership – Solutions Information Security Office of Budget and Finance It’s everywhere!
Smart Appliances Healthcare Education – Partnership – Solutions Information Security Office of Budget and Finance Wearable Tech
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
The Challenge of IoT Security • IoT is an evolutionary technology Hardware Operating System Network Web Mobile Cloud IoT
Why be concerned about IoT? • It’s just another computer, right? – All of the same issues we have with access control, vulnerability management, patching, monitoring, etc. – Imagine your network with 1,000,000 more devices – Any compromised device is a foothold on the network Education – Partnership – Solutions Information Security Office of Budget and Finance
Does IoT add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas – like health care – where reliability is critical? • Do users install device management software on other computers? Is that another attack vector? Education – Partnership – Solutions Information Security Office of Budget and Finance
Attacking IoT • Default, weak, and hardcoded credentials • Difficult to update firmware and OS • Lack of vendor support for repairing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflow) • Clear text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Framework assessment • Based on a prototypical IoT deployment model • Designed like a checklist or benchmark
Example Edge Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Example Gateway Considerations • Is encryption interrupted? • Is there replay and denial of service defensive capabilities? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are 3rd party components tracked/updated? • Is there an audit capability? • Is there interface segregation? • Is there complex, multifactor authentication allowed?
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Example Mobile Considerations • What countermeasures are in place for theft or loss of device? • Does the mobile authentication degrade other component security? • Is local storage done securely? • Is there an audit trail of mobile interactions? • Can mobile be used to enhance authentication for other components?
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Iot security amar prusty
Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full stack solutions – No visibility into security or attack surface – Attackers have a field day
Education – Partnership – Solutions Information Security Office of Budget and Finance
OWASP IoT Project • An overall IoT security effort – Attack surfaces (present) – Vulnerability lists (working) – Reference solutions (coming) • Aggregates community resources • Guidance for developers • IoT specific security principles • IoT framework assessment
OWASP IoT Top 10 Category IoT Security Consideration Recommendations I1: Insecure Web Interface •Ensure that any web interface coding is written to prevent the use of weak passwords … When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security … I2: Insufficient Authentication/Authorization •Ensure that applications are written to require strong passwords where authentication is needed … Refer to the OWASP Authentication Cheat Sheet I3: Insecure Network Services •Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully... I4: Lack of Transport Encryption •Ensure all applications are written to make use of encrypted communication between devices… Utilize encrypted protocols wherever possible to protect all data in transit… I5: Privacy Concerns •Ensure only the minimal amount of personal information is collected from consumers … Data can present unintended privacy concerns when aggregated… I6: Insecure Cloud Interface •Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms… I7: Insecure Mobile Interface •Ensure that any mobile application coding is written to disallows weak passwords … Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile … I8: Insufficient Security Configurability •Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)… Security can be a value proposition. Design should take into consideration a sliding scale of security requirements… I9: Insecure Software/Firmware •Ensure all applications are written to include update capability and can be updated quickly … Many IoT deployments are either brownfield and/or have an extremely long deployment cycle... I10: Poor Physical Security •Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device… Plan on having IoT edge devices fall into malicious hands...
Principles of IoT Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Education – Partnership – Solutions Information Security Office of Budget and Finance
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Iot security amar prusty
Potential Points of Vulnerability ● Coffee makers ● Crock pots ● Refrigerators ● Dishwashers ● Thermostats ● Garage door openers ● Webcams ● Baby monitors ● Smart TVs ● Adjustable beds ● Heart monitors ● Breathing ventilators
...Additional Unique Risk Factors... This market is driven by consumers who DO NOT associate IT risk with their purchases Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security
Potential Damage Theft and exploitation of banking and credit card account numbers and logins Theft and exploitation of business information, including information corruption Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets Utilization of access to alter IoT device settings, including medical devices Violation of user privacy, including access to baby monitors
Add'l Threat Information Per “Massive Media” 10/31/16 – Other Mirai exploits have since been identified Universal Plug & Play (UPnP) poses a security risk: - NO form of user authentification is required - ANY app can ask the router to forward a port over UPnP – probably NOT secure... Firmware updates delivered through WeMo- paired devices commonly use non-encrypted channels
So, Where Do We Stand? NO federal laws, policies, or guidelines exist Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM Third-party components in products may constitute a significant – and HIDDEN – threat It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features IoT capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers
What Can We Do? VERIFY the IoT capabilities and associated risks with ALL existing ...and new...products Consider MOVING AWAY from devices which CANNOT be readily or practically secured MONITOR THE MEDIA for information about IoT exploits and risks Investigate products such as “Dojo” to block access and “Shodan” to monitor devices Be careful DISPOSING OF IoT appliances – Remember what we all learned about printers ???
...Worst Case Scenario... ● Your “smart” bed folds up and traps you... ● The thermostat drives up the temperature... ● The IoT vacuum cleaner blocks the door... ● Your SmartPhone answers that you are “out”... ● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
Recommendations Accommodate IoT with existing practices: – Policies, Procedures, & Standards – Awareness Training – Risk Management – Vulnerability Management – Forensics Education – Partnership – Solutions Information Security Office of Budget and Finance
Recommendations • Plan for IoT growth: – Additional types of logging, log storage: Can you find the needle in the haystack? – Increased network traffic: will your firewall / IDS / IPS be compatible and keep up? – Increased demand for IP addresses both IPv4 and IPv6 – Increased network complexity – should these devices be isolated or segmented? Education – Partnership – Solutions Information Security Office of Budget and Finance
Recommendations • Strengthen partnerships with researchers, vendors, and procurement department Education – Partnership – Solutions Information Security Office of Budget and Finance
Threat vs. Opportunity • If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety • If understood and secured, IoT will enhance communications, lifestyle, and delivery of services Education – Partnership – Solutions Information Security Office of Budget and Finance
Final Thoughts • Privacy in realms of big data is a problem – No real technical solution to this one • Regulation is probably coming – FTC set to release guidelines next year • Consumers may eschew security but business won’t • Security can be a differentiator
...Other Options.. Buy a Dumb Car... Learn to cook over a campfire... Learn to love “dumb” devices - some of us can relate to them pretty easily... NEVER leave your IoT devices together in the dark where they can conspire against you!
Questions and Discussion Education – Partnership – Solutions Information Security Office of Budget and Finance

More Related Content

PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
PPTX
IoT security
YashKesharwani2
 
PDF
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
CableLabs
 
PPTX
IoT Security Training, IoT Security Awareness 2019
Tonex
 
PDF
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
PDF
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
PPTX
IoT Security Awareness Training : Tonex Training
Bryan Len
 
PPTX
Presentation on IOT SECURITY
The Avi Sharma
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
Koenig Solutions Ltd.
 
IoT security
YashKesharwani2
 
Internet of Things (IoT) Security and Privacy Recommendations by Jason Living...
CableLabs
 
IoT Security Training, IoT Security Awareness 2019
Tonex
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
IoT Security Awareness Training : Tonex Training
Bryan Len
 
Presentation on IOT SECURITY
The Avi Sharma
 

What's hot (20)

PPTX
Security Testing for IoT Systems
Security Innovation
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
PPTX
Iot Security, Internet of Things
Bryan Len
 
PPTX
A survey in privacy and security in Internet of Things IOT
University of Ontario Institute of Technology (UOIT)
 
PDF
IoT Security Elements
Eurotech
 
PPTX
Iot(security)
Shreya Pohekar
 
PDF
IoT Security Challenges and Solutions
Intel® Software
 
PPTX
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
PPTX
Internet & iot security
Usman Anjum
 
PPTX
Security for iot and cloud aug 25b 2017
Ulf Mattsson
 
PDF
Security Aspects in IoT - A Review
Asiri Hewage
 
PDF
IoT security and privacy: main challenges and how ISOC-OTA address them
Radouane Mrabet
 
PPTX
Iot Security
MAITREYA MISRA
 
PPTX
security and privacy-Internet of things
sreelekha appakondappagari
 
PDF
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Stanford School of Engineering
 
PPTX
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
DOCX
Security and Privacy considerations in Internet of Things
Somasundaram Jambunathan
 
PPTX
Introduction to IoT Security
CAS
 
PPTX
Introduction to IOT security
Priyab Satoshi
 
PPTX
IoT security patterns
Exosite
 
Security Testing for IoT Systems
Security Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
Iot Security, Internet of Things
Bryan Len
 
A survey in privacy and security in Internet of Things IOT
University of Ontario Institute of Technology (UOIT)
 
IoT Security Elements
Eurotech
 
Iot(security)
Shreya Pohekar
 
IoT Security Challenges and Solutions
Intel® Software
 
IoT Security Imperative: Stop your Fridge from Sending you Spam
Amit Rohatgi
 
Internet & iot security
Usman Anjum
 
Security for iot and cloud aug 25b 2017
Ulf Mattsson
 
Security Aspects in IoT - A Review
Asiri Hewage
 
IoT security and privacy: main challenges and how ISOC-OTA address them
Radouane Mrabet
 
Iot Security
MAITREYA MISRA
 
security and privacy-Internet of things
sreelekha appakondappagari
 
Mark Horowitz - Stanford Engineering - Securing the Internet of Things
Stanford School of Engineering
 
Internet of things security "Hardware Security"
Ahmed Mohamed Mahmoud
 
Security and Privacy considerations in Internet of Things
Somasundaram Jambunathan
 
Introduction to IoT Security
CAS
 
Introduction to IOT security
Priyab Satoshi
 
IoT security patterns
Exosite
 
Ad

Similar to Iot security amar prusty (20)

PPTX
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
PPTX
Internet of Things(IOT)
University of Potsdam
 
PDF
Module 6.pdf
Sitamarhi Institute of Technology
 
PDF
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
PDF
Security for the IoT - Report Summary
Accenture Technology
 
PDF
IoT – Breaking Bad
NUS-ISS
 
PPTX
Security aspect of IOT.pptx
PrinceGupta789219
 
PDF
Cybersecurity in the Age of IoT - Skillmine
Skillmine Technology Consulting
 
PPTX
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
 
PDF
Security in the Internet of Things
ForgeRock
 
PDF
Lecture 1-2.pdf
FumikageTokoyami4
 
PDF
[TestWarez 2017] Securing the Internet of Things
Stowarzyszenie Jakości Systemów Informatycznych (SJSI)
 
PDF
Harbor Research: IoT Investment Report - June 2017
Harbor Research
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PDF
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
PDF
Internet
hetal001
 
PDF
Ten Expert Tips on Internet of Things Security
Dean Bonehill ♠Technology for Business♠
 
PDF
expert tips
Mcolisi Tineth Ngwenya
 
PPTX
Security of IOT,OT And IT.pptx
MohanPandey31
 
PDF
mypresentation.pdf
HamzaELKarmaoui
 
Emerging Trends in Cybersecurity by Amar Prusty
Cysinfo Cyber Security Community
 
Internet of Things(IOT)
University of Potsdam
 
Module 6.pdf
Sitamarhi Institute of Technology
 
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
Security for the IoT - Report Summary
Accenture Technology
 
IoT – Breaking Bad
NUS-ISS
 
Security aspect of IOT.pptx
PrinceGupta789219
 
Cybersecurity in the Age of IoT - Skillmine
Skillmine Technology Consulting
 
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
 
Security in the Internet of Things
ForgeRock
 
Lecture 1-2.pdf
FumikageTokoyami4
 
[TestWarez 2017] Securing the Internet of Things
Stowarzyszenie Jakości Systemów Informatycznych (SJSI)
 
Harbor Research: IoT Investment Report - June 2017
Harbor Research
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
Internet
hetal001
 
Ten Expert Tips on Internet of Things Security
Dean Bonehill ♠Technology for Business♠
 
expert tips
Mcolisi Tineth Ngwenya
 
Security of IOT,OT And IT.pptx
MohanPandey31
 
mypresentation.pdf
HamzaELKarmaoui
 
Ad

Recently uploaded (20)

PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
A Presentation on Touch Screen Technology
memembruh336
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation theory and applications.pdf
gurumoop
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 

Iot security amar prusty

  • 1. IOT Security Name of the Speaker : Amar Prusty Company Name : DXC Technology Place: Bangalore Confidential – For Training Purposes Only
  • 2. WHO AM I ◆ Cloud & Data Center Architect ◆ Worked for Global Clients across Industry Verticals ◆ Been in IT 17+ years ◆ TOGAF, ITIL, CCNA, Cloud, Storage, Virtualization, EUC ◆ Interests - Security, DevOps, AI, IOT, Blockchain, Analytics ◆ Hobbies– Cooking, Cycling, Reading, Travelling ◆ https://www.linkedin.com/in/amar-prusty-07913028/ Confidential – For Training Purposes Only
  • 3. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 4. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 6. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 7. What is IoT? • The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items embedded with electronics, software, sensors, and network connectivity—that enables these objects to collect and exchange data. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 9. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 10. Various Names, One Concept • M2M (Machine to Machine) • “Internet of Everything” (Cisco Systems) • “World Size Web” (Bruce Schneier) • “Skynet” (Terminator movie) Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 11. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 12. Where is IoT? Education – Partnership – Solutions Information Security Office of Budget and Finance It’s everywhere!
  • 13. Smart Appliances Healthcare Education – Partnership – Solutions Information Security Office of Budget and Finance Wearable Tech
  • 14. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 15. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 16. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 17. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 18. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 19. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 20. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 21. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 23. The Challenge of IoT Security • IoT is an evolutionary technology Hardware Operating System Network Web Mobile Cloud IoT
  • 24. Why be concerned about IoT? • It’s just another computer, right? – All of the same issues we have with access control, vulnerability management, patching, monitoring, etc. – Imagine your network with 1,000,000 more devices – Any compromised device is a foothold on the network Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 25. Does IoT add additional risk? • Are highly portable devices captured during vulnerability scans? • Where is your network perimeter? • Are consumer devices being used in areas – like health care – where reliability is critical? • Do users install device management software on other computers? Is that another attack vector? Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 26. Attacking IoT • Default, weak, and hardcoded credentials • Difficult to update firmware and OS • Lack of vendor support for repairing vulnerabilities • Vulnerable web interfaces (SQL injection, XSS) • Coding errors (buffer overflow) • Clear text protocols and unnecessary open ports • DoS / DDoS • Physical theft and tampering Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 27. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 28. Framework assessment • Based on a prototypical IoT deployment model • Designed like a checklist or benchmark
  • 29. Example Edge Considerations • Are communications encrypted? • Is storage encrypted? • How is logging performed? • Is there an updating mechanism? • Are there default passwords? • What are the offline security features? • Is transitive ownership addressed?
  • 31. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 33. Example Gateway Considerations • Is encryption interrupted? • Is there replay and denial of service defensive capabilities? • Is there local storage? Is it encrypted? • Is there anomaly detection capability? • Is there logging and alerting?
  • 38. Example Cloud Considerations • Is there a secure web interface? • Is there data classification and segregation? • Is there security event reporting? • How are 3rd party components tracked/updated? • Is there an audit capability? • Is there interface segregation? • Is there complex, multifactor authentication allowed?
  • 42. Example Mobile Considerations • What countermeasures are in place for theft or loss of device? • Does the mobile authentication degrade other component security? • Is local storage done securely? • Is there an audit trail of mobile interactions? • Can mobile be used to enhance authentication for other components?
  • 44. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 45. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 46. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 47. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 48. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 49. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 50. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 51. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 52. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 53. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 55. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 56. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 57. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 59. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 60. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 61. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 62. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 63. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 64. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 65. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 66. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 69. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 72. Why it Looks so Bad • Breakers have a long history and robust tools – Automated network attack tools – Exploits for most segments of IoT stack – Physical access and hardware hacking • Builders are still searching for – Secure toolkits – Proven methodologies – Successful models • Result: – Builders cobble together components – Build very fragile full stack solutions – No visibility into security or attack surface – Attackers have a field day
  • 73. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 74. OWASP IoT Project • An overall IoT security effort – Attack surfaces (present) – Vulnerability lists (working) – Reference solutions (coming) • Aggregates community resources • Guidance for developers • IoT specific security principles • IoT framework assessment
  • 75. OWASP IoT Top 10 Category IoT Security Consideration Recommendations I1: Insecure Web Interface •Ensure that any web interface coding is written to prevent the use of weak passwords … When building a web interface consider implementing lessons learned from web application security. Employ a framework that utilizes security … I2: Insufficient Authentication/Authorization •Ensure that applications are written to require strong passwords where authentication is needed … Refer to the OWASP Authentication Cheat Sheet I3: Insecure Network Services •Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing … Try to utilize tested, proven, networking stacks and interfaces that handle exceptions gracefully... I4: Lack of Transport Encryption •Ensure all applications are written to make use of encrypted communication between devices… Utilize encrypted protocols wherever possible to protect all data in transit… I5: Privacy Concerns •Ensure only the minimal amount of personal information is collected from consumers … Data can present unintended privacy concerns when aggregated… I6: Insecure Cloud Interface •Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) … Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms… I7: Insecure Mobile Interface •Ensure that any mobile application coding is written to disallows weak passwords … Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile … I8: Insufficient Security Configurability •Ensure applications are written to include password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication)… Security can be a value proposition. Design should take into consideration a sliding scale of security requirements… I9: Insecure Software/Firmware •Ensure all applications are written to include update capability and can be updated quickly … Many IoT deployments are either brownfield and/or have an extremely long deployment cycle... I10: Poor Physical Security •Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device… Plan on having IoT edge devices fall into malicious hands...
  • 76. Principles of IoT Security • Assume a hostile edge • Test for scale • Internet of lies • Exploit autonomy • Expect isolation • Protect uniformly • Encryption is tricky • System hardening • Limit what you can • Lifecycle support • Data in aggregate is unpredictable • Plan for the worst • The long haul • Attackers target weakness • Transitive ownership • N:N Authentication
  • 80. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 81. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 82. Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 96. Potential Points of Vulnerability ● Coffee makers ● Crock pots ● Refrigerators ● Dishwashers ● Thermostats ● Garage door openers ● Webcams ● Baby monitors ● Smart TVs ● Adjustable beds ● Heart monitors ● Breathing ventilators
  • 97. ...Additional Unique Risk Factors... This market is driven by consumers who DO NOT associate IT risk with their purchases Susceptible device vendors are led by executives focused on sales, profit margin, and market share – NOT IT Security This market sector has little or no experience with, knowledge of, or sensitivity to... IT Security
  • 98. Potential Damage Theft and exploitation of banking and credit card account numbers and logins Theft and exploitation of business information, including information corruption Utilization of access and credentials to proliferate spam & DoS attacks via home appliance botnets Utilization of access to alter IoT device settings, including medical devices Violation of user privacy, including access to baby monitors
  • 99. Add'l Threat Information Per “Massive Media” 10/31/16 – Other Mirai exploits have since been identified Universal Plug & Play (UPnP) poses a security risk: - NO form of user authentification is required - ANY app can ask the router to forward a port over UPnP – probably NOT secure... Firmware updates delivered through WeMo- paired devices commonly use non-encrypted channels
  • 100. So, Where Do We Stand? NO federal laws, policies, or guidelines exist Vendor efforts are focused primarily on providing “legalese” disclaimers...protecting THEM Third-party components in products may constitute a significant – and HIDDEN – threat It may NOT BE POSSIBLE to change passwords in some products OR disable the IoT features IoT capable devices CAN BE SUSCEPTIBLE to tampering, return, re-sale, and exploitation by hackers
  • 101. What Can We Do? VERIFY the IoT capabilities and associated risks with ALL existing ...and new...products Consider MOVING AWAY from devices which CANNOT be readily or practically secured MONITOR THE MEDIA for information about IoT exploits and risks Investigate products such as “Dojo” to block access and “Shodan” to monitor devices Be careful DISPOSING OF IoT appliances – Remember what we all learned about printers ???
  • 102. ...Worst Case Scenario... ● Your “smart” bed folds up and traps you... ● The thermostat drives up the temperature... ● The IoT vacuum cleaner blocks the door... ● Your SmartPhone answers that you are “out”... ● Your webcam broadcasts the whole thing while the coffee pot, the crock pot, and the microwave bubble over and celebrate in the kitchen while the garage door happily opens and closes...
  • 103. Recommendations Accommodate IoT with existing practices: – Policies, Procedures, & Standards – Awareness Training – Risk Management – Vulnerability Management – Forensics Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 104. Recommendations • Plan for IoT growth: – Additional types of logging, log storage: Can you find the needle in the haystack? – Increased network traffic: will your firewall / IDS / IPS be compatible and keep up? – Increased demand for IP addresses both IPv4 and IPv6 – Increased network complexity – should these devices be isolated or segmented? Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 105. Recommendations • Strengthen partnerships with researchers, vendors, and procurement department Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 106. Threat vs. Opportunity • If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety • If understood and secured, IoT will enhance communications, lifestyle, and delivery of services Education – Partnership – Solutions Information Security Office of Budget and Finance
  • 107. Final Thoughts • Privacy in realms of big data is a problem – No real technical solution to this one • Regulation is probably coming – FTC set to release guidelines next year • Consumers may eschew security but business won’t • Security can be a differentiator
  • 108. ...Other Options.. Buy a Dumb Car... Learn to cook over a campfire... Learn to love “dumb” devices - some of us can relate to them pretty easily... NEVER leave your IoT devices together in the dark where they can conspire against you!
  • 109. Questions and Discussion Education – Partnership – Solutions Information Security Office of Budget and Finance

Editor's Notes

  • #4: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #5: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #6: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #7: Just what is this? Its components are: A Raspberry Pi, an external hard drive, a wireless router, a GSM device, a battery backup. What does it do, what is it for? An IoT mystery….
  • #8: The Internet of Things (IoT) definition.
  • #9: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #10: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #11: British entrepreneur Kevin Ashton first coined the term in 1999 while working at Auto-ID Labs (originally called Auto-ID centers - referring to a global network of Radio-frequency identification (RFID) connected objects).[10] Typically, IoT is expected to offer advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M) and covers a variety of protocols, domains, and applications.[11] The interconnection of these embedded devices (including smart objects), is expected to usher in automation in nearly all fields, while also enabling advanced applications like a Smart Grid,[12] and expanding to the areas such as smart cities. Cisco Systems refers to IoT as the “Internet of Everything”… Bruce Schinerer recently referred to two new colloquial terms – World Spanning Robot and Benign Organization. There is also the term “Skynet” in reference to the Terminator movies that is frequently discussed in Blog and online postings/jargon.
  • #12: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #13: IoT is everywhere! (Audience Participation)
  • #14: In our daily lives, we have become more reliant on IoT with our wearable tech, appliances, our cars, how we receive health care.
  • #15: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #16: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #17: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #18: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #19: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #20: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #21: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #22: M2M/IoT Sector Map :: Beecham Research http://www.beechamresearch.com/article.aspx?id=4 The following graphic from Beecham Research depicts how the Internet of Things may interact with various service sectors within the public/private sectors and ordinary consumers. Public sector entities (such as universities) may have some level of involvement and interaction within all service sectors depicted; ranging from the operation and industry elements of buildings, to levels of research, retail entities, transportation, and IT/Networks. **Place emphasis on service sectors, that it is likely that at least one example of devices may be found within university networks.
  • #23: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #25: Like all new technology, the Internet of Things brings both a beneficial and disruptive element. With the concept of “always-on”, such technology will require a change in mindset when considering implementation of products and services related to IoT. Since IoT is more and more an element in the daily lives of individuals and organizations, maintaining both privacy, security and business operations/opportunities will be more of a priority both today and in the future.
  • #26: How visible will IoT devices be considering identification through network vulnerability scans? What defines a network perimeter or “edge” How are consumer devices thorough BYOD policies used in sensitive areas? Since IoT is more and more an element in the daily lives of individuals and organizations, maintaining both privacy, security and business operations/opportunities will be more of a priority both today and in the future. : IoT are not generic items or auxiliary services like those that have been prevalent in business for years; rather, IoT devices should be considered as unique devices, each with a distinct set of security risks. Both security controls as well as security training necessary to effectively manage IoT devices may not yet be fully developed.
  • #27: Issues that are common when attacking IoT infrastructure is similar to current levels of attacks that are currently experienced today. The avenue of how attacks may occur may however be through untraditional methods: It may be more often to find default, weak, and hardcoded credentials (usernames passwords) within IoT devices The issue of upgrading firmware to counter vulnerabilities may be dependent both upon how devices are designed during development; issues may occur that upgrading may break functionality. For this reason, vendors may be hesitate or refuse to render support in product lines and make adjustments during the next design phase of projects. Certain IoT devices with embedded web services may also be subject to the same vulnerabilities that commonly plague web server platforms today; also with the premise that updating such functionality may run into the same issues such as Buffer overflows are quite common vulnerabilities within technology infrastructure, with IoT no exception. Devices may also at times use protocols that transmit credentials in the clear, in addition to having open ports DOS/DDOS attacks may be the results in hacking or hijacking IoT devices on network(s); it also possible that through misconfigurations of IoT devices that such “attacks” may be false positives and cause business disruption The issue of physical attacks of IoT devices may result in tampering to inject malicious code or make hardware modifivcations to IoT devices. In addition, impersonating or counterfeiting devices may be issues when safeguards are not in place to protect physical security. Infiltration through non-traditional communication protocols; such as Bluetooth, Zigbee, Zwave, Sigfox, NFC, 6LowPAN, and other types of non traditional wireless communication outside of Wifi. communication protocols as well that may not be within scope through common incident and forensic management tools. Cross-site scripting – certain IoT devices may have embedded web server technology, putting them at risk Buffer overflows – design flaws that may not be immediately corrected because of patching mechanisms, developmental issues during the SDLC process Open ports – common issue on device ports that are not locked down and may be used via reconnaissance.
  • #28: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #31: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #32: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #33: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #35: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #36: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #37: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #38: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #40: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #41: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #42: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #44: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #45: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #46: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #47: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #48: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #49: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #50: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #51: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #52: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #53: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #54: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #55: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #56: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #57: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #58: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #59: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #60: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #61: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #62: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #63: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #64: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #65: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #66: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #67: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #68: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #69: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #70: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #71: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #72: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #74: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #78: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #79: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #80: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #81: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #82: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #83: And is there concern about IoT, given the concepts of privacy and security in today’s digital age? We may look at how media presents technology in both positive and negative lights.
  • #84: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #85: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #86: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #87: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #88: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #89: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #90: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #91: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #92: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #93: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #94: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #95: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #96: No of end devices that are connected to internet are expected to rise above 50+ billion by 2020. cloud computing architectures won’t be able to handle the demand of the Internet of things So only cloud is not the optimal solution to handle this massive explosion. Fog is needed in between to optimize – need for an interplay of cloud and fog.
  • #104: How do current UT165 and institutional policies, standards, and procedures take into account IoT? Are they sufficient to address areas of confidentiality of data? Does current BYOD policies address wearable tech items? Concerning the present might these policies also BYOx? bring your own device (BYOD)  bring your own apps (BYOA) bring your own encryption (BYOE) bring your own identity (BYOI) bring your own technology (BYOT) bring your own network (BYON) bring your own wearables (BYOW) Awareness building for IoT will involve similar approaches currently developed in University training. Relationship building with those departments, vendors and academia/research entities will perpetuate dialogue concerning the subject of IoT; whether within the marketing/sales/procurement of IoT devices and services and/or when internal development occurs, as in the case of research. Building relationships also assists in the awareness in the areas of privacy (both of data and individuals), what is logged when it comes to data and other transactional information, the reasons why items need to be logged (local, State, Federal laws and acts, industry-specified compliance requirements.) Training initiatives may need to be rethought in the areas of IoT; do University partners as well as Information Technology/Information Security How we assess for risk may change in certain retrospect. We may need to go “dig deeper” on our current risk assessments of networks, data centers, departments; to include how we assess in the areas of legal and regulatory requirements (e.g. HIPPA, PCI-DSS, FERPA). Considerations must be taken into account when system owners assume or transfer risk in relation to IoT. Different measurements may need to be considered when considering both risk formulation as well as risk acceptance when considering IoT; for system owners and data owners risk acceptance may involve additional measures IT and Security staffs must take to protect information/data. Security controls must be in place to leverage such risk acceptance in the overall network. There is the need to consider how we scan for vulnerabilities; while certain IoT Devices may show up on scans, others types of IoT devices may not. Forensic approach to IoT may require some retooling in the areas as to whether local Security staffs are equipped and trained to deal with incidents when they occur, as well forensics capabilities in the situations with forensics may be outsourced/required of by third party entities.
  • #105: With the incorporation of IoT in today’s networks, there will be an increase in the need for logging and monitoring capabilities Increasing need for log storage “Needle in a bigger haystack” will make incident response and forensics more challenging, are current capabilities sufficient? Logging in regards to compliance may involve a number of factors; to include storage of logs, relevance of logs, privacy concerns when dealing with University partners of logging. Considerations for the redesign of networks may come as more demand for traditional IPv4 addresses, with the contingency on planning for further IPv6 implementations in regards to IoT. Planning of network design may also require changes on how bandwidth as consumed, quality of service, and prioritizing network traffic through new designs. And further, the redesign of networks may also take into account of how firewalls and IDS/IPS may handle IoT traffic when considering IPv6
  • #106: What is the level of relationship with research departments on campus? What improvements can we make with researchers who may already be working with IoT and develop dialogue and partnership concerning security awareness and initiatives, while at the same time letting those same researchers build upon the opportunity that IoT offers? Consider how we might be doing business with vendors and reviewing items prior to implementations on campus. Build the relationships with Procurement departments, let them work with you when items may be purchased that spur a security review/assessment/questions/dialogue.
  • #107: In closing, while, how we as security professionals work, support, and provide the security expertise for Higher Education business initiatives is crucial to success in the scope of IoT.
  • #110: Questions and Answers section