Internet_of_Things_Top_Ten_2014-OWASP-3.pdf
Transcript of Internet_of_Things_Top_Ten_2014-OWASP-3.pdf
-
7/26/2019 Internet_of_Things_Top_Ten_2014-OWASP-3.pdf
1/37
Internet of Things Top Ten
Agenda
- Introduction
- Misconception
- Considerations
- The OWASP Internet of Things Top 10 Project
- The Top 10 Walkthrough
26 Billion by 2020
- 30 fold increase from 2009 in Internet of Things install base
- Revenue exceeding $300 billion in 2020
- $1.9 trillion in global economic impact
*Gartner Internet of Things Report 2013
Misconception | It's all about the device
It's not just about the device, or the network, or the clients
There are MANY surface areas involved
Each of these needs to be evaluated
Considerations | A holistic approach is required
All elements need to be considered:
- The Internet of Things Device
- The Cloud
- The Mobile Application
- The Network Interfaces
- The Software
- Use of Encryption
- Use of Authentication
- Physical Security
- USB ports
Enter the OWASP Internet of Things Top Ten Project
Internet of Things Top Ten Project | A complete IoT Review
- Review all aspects of Internet of Things
- Top Ten Categories
- Covers the entire device
Without comprehensive coverage like this it would be like getting your physical but only checking one arm
We must cover all surface area to get a good assessment of overall security
I1 | Insecure Web Interface
I1 | Insecure Web Interface | Testing
- Account Enumeration
- Weak Default Credentials
- Credentials Exposed in Network Traffic
- Cross-site Scripting (XSS)
- SQL-Injection
- Session Management
- Account Lockout
I1 | Insecure Web Interface | Make It Secure
I2 | Insufficient Authentication/Authorization
I2 | Insufficient Authentication/Authorization | Testing
- Lack of Password Complexity
- Poorly Protected Credentials
- Lack of Two Factor Authentication
- Insecure Password Recovery
- Privilege Escalation
- Lack of Role Based Access Control
I2 | Insufficient Authentication/Authorization | Make It Secure
I3 | Insecure Network Services
I3 | Insecure Network Services | Testing
- Vulnerable Services
- Buffer Overflow
- Open Ports via UPnP
- Exploitable UDP Services
- Denial-of-Service
- DoS via Network Device Fuzzing
I3 | Insecure Network Services | Make It Secure
I4 | Lack of Transport Encryption
I4 | Lack of Transport Encryption | Testing
- Unencrypted Services via the Internet
- Unencrypted Services via the Local Network
- Poorly Implemented SSL/TLS
- Misconfigured SSL/TLS
I4 | Lack of Transport Encryption | Make It Secure
I5 | Privacy Concerns
I5 | Privacy Concerns | Testing
- Collection of Unnecessary Personal Information
I5 | Privacy Concerns | Make It Secure
I6 | Insecure Cloud Interface
I6 | Insecure Cloud Interface | Testing
- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic
I6 | Insecure Cloud Interface | Make It Secure
I7 | Insecure Mobile Interface
I7 | Insecure Mobile Interface | Testing
- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic
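The I1, I6 and I7 testing slides all list account enumeration, missing account lockout and (for I1) weak default credentials. The login handler below, added here as an illustration and not code from the OWASP deck, shows the defensive counterparts a reviewer would look for: one generic failure response and the same password-hashing work whether or not the username exists, lockout after repeated failures, and forced rotation of a factory-default password. The in-memory store, the thresholds and the sample "admin"/"admin" credential are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5          # failed attempts before the account locks (example value)
LOCKOUT_SECONDS = 900     # lockout duration (example value)
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy credential: unknown usernames cost the same PBKDF2 work as real ones,
# so response time does not reveal which accounts exist (anti-enumeration).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def create_user(store: dict, username: str, password: str, must_change: bool = False) -> None:
    """Add a user record; must_change=True marks a factory-default credential."""
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "hash": _hash(password, salt),
                       "failures": 0, "locked_until": 0.0,
                       "must_change": must_change}


def login(store: dict, username: str, password: str, now=None) -> str:
    """Return 'ok', 'password change required' or one generic failure string."""
    now = time.time() if now is None else now
    rec = store.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    # Constant-time compare, always executed before any branch on account state.
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if rec is None or rec["locked_until"] > now:
        return "invalid credentials"        # same wording for unknown and locked accounts
    if not ok:
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return "invalid credentials"
    rec["failures"] = 0
    if rec["must_change"]:
        return "password change required"   # default credential must be rotated first
    return "ok"


def change_password(store: dict, username: str, new_password: str) -> None:
    """Rotate the credential and clear must_change; call only after a successful login."""
    rec = store[username]
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _hash(new_password, rec["salt"])
    rec["must_change"] = False
```

A device web, cloud or mobile API that returns different messages for "no such user" and "wrong password", or never locks, would fail the corresponding I1/I6/I7 checks above.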
I7 | Insecure Mobile Interface | Make It Secure
I8 | Insufficient Security Configurability
I8 | Insufficient Security Configurability | Testing
- Lack of Granular Permission Model
- Lack of Password Security Options
- No Security Monitoring
- No Security Logging
I8 | Insufficient Security Configurability | Make It Secure
I9 | Insecure Software/Firmware
I9 | Insecure Software/Firmware | Testing
- Encryption Not Used to Fetch Updates
- Update File not Encrypted
- Update Not Verified before Upload
- Firmware Contains Sensitive Information
- No Obvious Update Functionality
I9 | Insecure Software/Firmware | Make It Secure
I10 | Poor Physical Security
I10 | Poor Physical Security | Testing
- Access to Software via USB Ports
- Removal of Storage Media
I10 | Poor Physical Security | Make It Secure
Resources
- OWASP Internet of Things Top Ten: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
- Email List: https://lists.owasp.org/mailman/listinfo/owasp_internet_of_things_top_ten_project