IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT ...


Page 1

CARVE SYSTEMS LLC • SECURITY IS A PROCESS, NOT A STATE

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015

[email protected]

Page 2

Carve’s Roots (tl;dr)

<1998: Grew up with Dad who tinkered with electronics

1998-2004: Software developer

2004-2007: Security Appliance Vendor

2007-2008: Corporate Application Security

2008-2011: Security Consulting (aka pen testing)

2011 - Founded Carve Systems

Page 3

Carve’s Clients & Services

Fortune 500 and Small/Mid-sized Firms

Telecom - Finance - Agriculture - Health Care - eCommerce - SaaS/Cloud Providers - Device Manufacturers

Risk Assessment - Penetration Testing - Advisory

Page 4

Takeaways

• Security is mostly a People problem

• Every organization needs a custom strategy and Technology Risk Management Process

Carve’s simplified logical asset classification:

1. People - the folks who create, manage, and use applications & infrastructure

2. Applications - the software that governs our business processes

3. Infrastructure - the systems that allow our applications to function

Page 5

Takeaways

Vulnerability Scanning

IS NOT

Penetration Testing

Page 6

Recommendations

1. Create an Information Security Office role, and perform Technology-focused Risk Assessment annually

2. Practice Continual Risk Assessment

3. Create a Data Classification Policy and Identify Assets, Vendors

4. Train users and generate awareness about security

5. Manage your vendors (vendor questionnaires)

6. Look into Data Breach / Cyber Liability insurance

Page 7

2004 vs 2015

2004

Software facts credit: Jeff Williams

Page 8

2004 vs 2015

2014

Page 9

2004 vs 2015

2015

Page 10

Is IoT really new?

IoT: proliferation of Internet connected software.

Page 11

A case study

• M2M Internet Gateway

• Vehicle Trackers

Page 12

The Bad News

Producing secure software is REALLY hard.

Microsoft has written a number of books on the subject.

There is a huge talent gap when it comes to software security.

There are more high quality marketing campaigns than there are high quality security products.

Page 13

Top 3 Risks

The Top 3 Risks we identify at most clients:

1. Phishing, and spear-phishing

2. Uncontrolled external network perimeter (includes applications, IoT/M2M)

3. Insufficient internal access control

(I’m sneaking in a 4th risk)

4. Insufficient security leadership & culture (changing, for the better)

Page 14

Why is the state of security so bad?

Faith-based security

“My programmer used to work at the NSA, and he says we’re secure…” - former client

“Our nextgen firewalls stop advanced attacks!” - security product marketers

Willful ignorance

“We don’t do anything for security unless our customers make us.” - un-named IOT vendor

Page 15

Why is the state of security so bad?

Organizations are rarely compelled to act unless something bad has already happened.

Chrysler to customers : “We’re mailing you a USB drive…you know where to stick it!”

Page 16

Not everyone is that bad, right?

Right.

But “good security” is as much about dealing with successful attacks as it is prevention.

We’re seeing increased scrutiny in a variety of B2B transactions.

Customers ask us for letters of attestation.

Page 17

A case study

• Hi-Tech engineering firm (~250 people)

• Writes “cloud” software (appliances phone home)

• Performs hardware installations

• Engineers, software developers, admin staff

• High-value Espionage Target

• They leaked their biggest client’s sensitive information

Page 18

A case study

• Our Engagement

  • Risk Assessment

  • Phishing Simulation

  • Software Assessment

    • “ethical hacking”

    • aka penetration testing

• Morning, Day 1

  • Our consultants arrive

  • Unlocked, empty reception area

  • Blueprints open, on table

Page 19

A case study

• Email used in phishing simulation

Page 20

A case study

• Phishing Simulation / Assessment Results

  • 26% of users clicked link, and submitted network access credentials

Page 21

A case study

• Phishing Simulation / Assessment Results

Page 22

A case study

• Penetration Test Results

  • Software Security flaws lead to complete compromise of portal

    • OWASP Top 10 Risks for Web Apps (since 2004)

    • All customer credentials and IP addresses

    • Engineering firm internal network

    • We connected to the CEO’s printer at his desk from the Internet

Page 23

A case study

• Manufacturing firm

• Thousands of employees

• Hired us to perform an “external penetration test” on a few hundred IP addresses

• We identified a web site vulnerable to SQL Injection

• Extracted credentials and a list of IPs from the web site database

Page 24

A case study

• These IPs had a Java application and Telnet exposed to the Internet

• Gateways for IOT devices in the field

Page 25

Security is a process, not a state

NIST Cybersecurity Framework …consists of standards, guidelines, and practices to promote the protection of critical infrastructure.

IDENTIFY - assets*, threats, obligations, vulnerabilities

PROTECT - assets

DETECT - incidents (attempted or successful attacks)

RESPOND - handle the incident

RECOVER - business continuity, client relations, PR

Page 26

Most Orgs Fail at Asset Identification

…meanwhile, attackers are really good at it.

Attack Surface Mapping

IoT stands to make Asset Identification even harder.

You need to track logical assets, too!

Data Classification Policy
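The slide says most organizations fail at asset identification while attackers map the attack surface well, and that logical assets (ownership, data classification) must be tracked alongside hosts. The following is an added example, not code from the slides or from Carve Systems: it reconciles the asset inventory an organization believes it has against the services actually observed from the Internet, and reports the two gaps the talk's case studies keep hitting, hosts nobody claims and services nobody expected. All IPs, owners and services are constructed sample data, and the HIGH_RISK_SERVICES set is this example's assumption, not a standard.

```python
"""Attack-surface reconciliation for an external perimeter.
Added example, not from the original slides. Inventory, observation,
and the high-risk service list are all constructed assumptions."""

from dataclasses import dataclass, field

# Services whose Internet exposure is almost never intended (assumption:
# a starting list, to be tuned per organization).
HIGH_RISK_SERVICES = {"telnet", "jmx", "jenkins", "rdp", "smb", "appliance-admin"}


@dataclass
class Asset:
    owner: str
    classification: str          # "public" | "internal" | "confidential"
    expected_services: set = field(default_factory=set)


# Constructed inventory: what the organization thinks is on its perimeter,
# with the classification a Data Classification Policy would assign.
INVENTORY = {
    "203.0.113.10": Asset("web-team", "public", {"http", "https"}),
    "203.0.113.20": Asset("field-ops", "confidential", {"https"}),
    "203.0.113.40": Asset("it", "internal", {"vpn"}),
}

# Constructed observation: what an external scan of the same range reports.
OBSERVED = {
    "203.0.113.10": {"http", "https"},
    "203.0.113.20": {"https", "telnet", "jmx"},   # gateway with mgmt ports open
    "203.0.113.30": {"jenkins"},                   # host no team claims
}


def reconcile(inventory, observed):
    """Return findings as dicts, sorted by severity (HIGH first) then IP."""
    findings = []
    for ip, services in observed.items():
        asset = inventory.get(ip)
        if asset is None:
            # Unknown hosts are the worst case: nobody patches what nobody owns.
            findings.append({"ip": ip, "kind": "unknown-asset",
                             "detail": sorted(services), "severity": "HIGH"})
            continue
        for svc in sorted(services - asset.expected_services):
            risky = svc in HIGH_RISK_SERVICES or asset.classification == "confidential"
            findings.append({"ip": ip, "kind": "unexpected-service", "detail": svc,
                             "owner": asset.owner,
                             "severity": "HIGH" if risky else "MEDIUM"})
    for ip in inventory.keys() - observed.keys():
        # Inventory drift in the other direction: decommissioned or moved hosts.
        findings.append({"ip": ip, "kind": "not-observed",
                         "detail": inventory[ip].owner, "severity": "INFO"})
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ip"]))


def summary(findings):
    """Count findings per severity; useful as a trend metric across assessments."""
    counts = {"HIGH": 0, "MEDIUM": 0, "INFO": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED):
        print(f"{f['severity']:6} {f['ip']:15} {f['kind']:19} {f['detail']}")
    print(summary(reconcile(INVENTORY, OBSERVED)))
```

Run periodically, the "unknown-asset" and "unexpected-service" findings become the work queue for the continual risk assessment the deck recommends; feeding the observation side from a real scan rather than the constructed dict is the only change needed.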

Page 27

What does an attacker see?

Page 28

What does an attacker see?

Page 29

What does an attacker see?

Page 30

A case study

• Publicly traded firm

• ~300 employees

• SOX compliant

•External Penetration Test Year 1: access gained via Jenkins

•External Penetration Test Year 2: access gained via video conferencing appliance

Page 31

Takeaways

• Every organization needs a custom strategy and Technology Risk Management Process

• Know the difference between a Risk Assessment, Penetration Test, and Vulnerability Scanning

Carve’s simplified attack surface (asset) map:

1. People - the folks who create, manage, and use applications & infrastructure

2. Applications - the software that governs our business processes

3. Infrastructure - the systems that allow our applications to function

Page 32

General Recommendations

1. Create an Information Security Office role, and perform Technology-focused Risk Assessment annually

2. Practice Continual Risk Assessment

3. Create a Data Classification Policy and Identify Assets, Vendors

4. Train users and generate awareness

5. Manage your vendors

6. Look into Data Breach / Cyber Liability insurance

Page 33

IoT Specific Recommendations

1. Assess the risk of your IoT deployment ahead of time.

2. Understand data flows and connectivity requirements of the devices.

3. Understand your ability to harden default device configurations.

4. Assess the device vendor's process for addressing security.

5. Isolate untrusted devices from your sensitive assets.
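Steps 2 and 5 above fit together: once the device's data flows are written down, the isolation policy can be checked against them instead of guessed at. The following is an added example, not from the slides or from Carve Systems. It models a small IoT deployment as network segments with trust levels, a declared list of required flows, and an allow-list firewall policy with implicit default deny (that policy model, and every segment, device and rule in it, is an assumption of this example). It then verifies two things: every required flow is permitted, and no allow rule lets an untrusted segment reach a sensitive one. The "make it work" policy that often ships with a deployment is shown beside the corrected one.

```python
"""Least-privilege connectivity check for an IoT deployment.
Added example, not from the original slides. Segments, devices, flows and
rules are constructed; the policy model (ordered allow rules, implicit
default deny, no explicit deny rules) is this example's assumption."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Allow:
    src: str             # CIDR or single host
    dst: str             # CIDR or single host
    port: Optional[int]  # None = any TCP port


# Constructed segments: name -> (CIDR, trust level)
SEGMENTS = {
    "iot-gateways": ("10.10.0.0/24", "untrusted"),
    "shared-svc":   ("10.30.0.0/24", "internal"),     # DNS/NTP for everyone
    "corp":         ("10.20.0.0/24", "sensitive"),    # engineering, file servers
    "vendor-cloud": ("198.51.100.0/24", "external"),  # where devices phone home
}

# Constructed data-flow inventory (step 2): (src, dst, port) each device needs.
REQUIRED_FLOWS = [
    ("10.10.0.5", "198.51.100.7", 443),   # telemetry upload to vendor API
    ("10.10.0.5", "10.30.0.10", 53),      # DNS via the shared resolver
]

# The "make it work" policy: the whole IoT segment may talk to anything.
WEAK_POLICY = [Allow("10.10.0.0/24", "0.0.0.0/0", None)]

# The corrected allow-list (step 5): only the declared flows.
HARDENED_POLICY = [
    Allow("10.10.0.5", "198.51.100.7", 443),
    Allow("10.10.0.0/24", "10.30.0.10", 53),
]


def allowed(policy, src, dst, port):
    """Allow-list evaluation: permitted iff some rule matches; default deny."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst)
        and (r.port is None or r.port == port)
        for r in policy
    )


def missing_flows(policy, required=REQUIRED_FLOWS):
    """Declared flows the policy would break (the 'does it still work' check)."""
    return [flow for flow in required if not allowed(policy, *flow)]


def exposures(policy, segments=SEGMENTS):
    """Allow rules that let an untrusted segment reach a sensitive one.
    Exact for a pure allow-list: any address overlap on both sides means some
    untrusted host can reach some sensitive host on at least one port."""
    found = []
    for rule in policy:
        src_net, dst_net = ip_network(rule.src), ip_network(rule.dst)
        for sname, (scidr, strust) in segments.items():
            if strust != "untrusted" or not src_net.overlaps(ip_network(scidr)):
                continue
            for dname, (dcidr, dtrust) in segments.items():
                if dtrust == "sensitive" and dst_net.overlaps(ip_network(dcidr)):
                    found.append((sname, dname, rule))
    return found


def check_policy(policy):
    """Both checks at once; an empty result on both keys is the goal."""
    return {"missing": missing_flows(policy), "exposures": exposures(policy)}


if __name__ == "__main__":
    print("weak:    ", check_policy(WEAK_POLICY))
    print("hardened:", check_policy(HARDENED_POLICY))
```

The weak policy passes the "still works" check and fails the isolation check, which is exactly why it survives in production: nothing breaks, and nobody notices until a penetration test (or an attacker) pivots from a gateway into the sensitive segment. The hardened policy passes both, and adding a new device means adding its flows to REQUIRED_FLOWS first and rules second, so the check, not the firewall, is the source of truth.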

Page 34

THANK YOU • @CARVESYSTEMS • [email protected]