IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference - July 2015
Carve Systems LLC - Security is a process, not a state
Carve’s Roots (tl;dr)
<1998: Grew up with Dad who tinkered with electronics
1998-2004: Software developer
2004-2007: Security Appliance Vendor
2007-2008: Corporate Application Security
2008-2011: Security Consulting (aka pen testing)
2011 - Founded Carve Systems
Carve’s Clients & Services
Fortune 500 and Small/Mid-sized Firms
Telecom - Finance - Agriculture - Health Care - eCommerce - SaaS/Cloud Providers - Device Manufacturers
Risk Assessment - Penetration Testing - Advisory
Take Aways
• Security is mostly a People problem
• Every organization needs a custom strategy and Technology Risk Management Process
Carve’s simplified logical asset classification:
1. People - the folks who create, manage, and use applications & infrastructure
2. Applications - the software that governs our business processes
3. Infrastructure - the systems that allow our applications to function
Take Aways
Vulnerability Scanning
IS NOT
Penetration Testing
Recommendations
1. Create an Information Security Office role, and perform a Technology-focused Risk Assessment annually
2. Practice Continual Risk Assessment
3. Create a Data Classification Policy and Identify Assets, Vendors
4. Train users and generate awareness about security
5. Manage your vendors (vendor questionnaires)
6. Look into Data Breach / Cyber Liability insurance
2004 vs 2015 (slides comparing software facts for 2004, 2014 and 2015; software facts credit: Jeff Williams)
Is IoT really new?
IoT: proliferation of Internet connected software.
A case study
• M2M Internet Gateway
• Vehicle Trackers
The Bad News
Producing secure software is REALLY hard.
Microsoft has written a number of books on the subject.
There is a huge talent gap when it comes to software security.
There are more high quality marketing campaigns than there are high quality security products.
Top 3 Risks
The Top 3 Risks we identify at most clients:
1. Phishing, and spear-phishing
2. Uncontrolled external network perimeter (includes applications, IoT/M2M)
3. Insufficient internal access control
(I’m sneaking in a 4th risk)
4. Insufficient security leadership & culture (changing, for the better)
Why is the state of security so bad?
Faith-based security
“My programmer used to work at the NSA, and he says we’re secure…” - former client
“Our nextgen firewalls stop advanced attacks!” - security product marketers
Willful ignorance
“We don’t do anything for security unless our customers make us.” - un-named IOT vendor
Why is the state of security so bad?
Organizations are rarely compelled to act unless something bad has already happened.
Chrysler to customers : “We’re mailing you a USB drive…you know where to stick it!”
Not everyone is that bad, right?
Right.
But “good security” is as much about dealing with successful attacks as it is prevention.
We’re seeing increased scrutiny in a variety of B2B transactions.
Customers ask us for letters of attestation.
A case study
• Hi-Tech engineering firm (~250 people)
• Writes “cloud” software (appliances phone home)
• Performs hardware installations
• Engineers, software developers, admin staff
• High-value espionage target
•They leaked their biggest client’s sensitive information
A case study
• Our Engagement
• Risk Assessment
• Phishing Simulation
• Software Assessment
• “ethical hacking”
• aka penetration testing
• Morning, Day 1
• Our consultants arrive
• Unlocked, empty reception area
• Blueprints open, on table
• Email used in phishing simulation
A case study
• Phishing Simulation / Assessment Results
• 26% of users clicked the link and submitted network access credentials
A case study
• Penetration Test Results
• Software security flaws led to complete compromise of the portal
• OWASP Top 10 Risks for Web Apps (since 2004)
• All customer credentials and IP addresses
• Engineering firm internal network
• We connected to the CEO’s printer at his desk from the Internet
A case study
• Manufacturing firm
• Thousands of employees
• Hired us to perform an “external penetration test” on a few hundred IP addresses
• We identified a web site vulnerable to SQL Injection
• Extracted credentials and a list of IPs from the web site database
• These IPs had a Java application and Telnet exposed to the Internet
• Gateways for IoT devices in the field
Security is a process, not a state
NIST Cybersecurity Framework …consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
IDENTIFY - assets*, threats, obligations, vulnerabilities
PROTECT - assets
DETECT - incidents (attempted or successful attacks)
RESPOND - handle the incident
RECOVER - business continuity, client relations, PR,
Most Orgs Fail at Asset Identification
…meanwhile, attackers are really good at it.
Attack Surface Mapping
IoT stands to make Asset Identification even harder.
You need to track logical assets, too!
Data Classification Policy
What does an attacker see?
A case study
• Publicly traded firm
• ~300 employees
• SOX compliant
• External Penetration Test Year 1: access gained via Jenkins
• External Penetration Test Year 2: access gained via video conferencing appliance
Take Aways
• Every organization needs a custom strategy and Technology Risk Management Process
• Know the difference between a Risk Assessment, Penetration Test, and Vulnerability Scanning
Carve’s simplified attack surface (asset) map:
1. People - the folks who create, manage, and use applications & infrastructure
2. Applications - the software that governs our business processes
3. Infrastructure - the systems that allow our applications to function
General Recommendations
1. Create an Information Security Office role, and perform a Technology-focused Risk Assessment annually
2. Practice Continual Risk Assessment
3. Create a Data Classification Policy and Identify Assets, Vendors
4. Train users and generate awareness
5. Manage your vendors
6. Look into Data Breach / Cyber Liability insurance
IoT Specific Recommendations
1. Assess the risk of your IoT deployment ahead of time.
2. Understand data flows and connectivity requirements of the devices.
3. Understand your ability to harden default device configurations.
4. Assess the device vendor’s process for addressing security.
5. Isolate untrusted devices from your sensitive assets.
THANK YOU • @CARVESYSTEMS • [email protected]