ALGIM Annual Conference: Wednesday Stream 3
Technology Worthy of Our Trust. Alisdair McKenzie, Principal Consultant, I S Assurance Services
Technology Worthy of our Trust: Security and the Internet of Things. ALGIM 2017
I Am The Cavalry
• Established Aug 2013
• Mission – promote improved cyber security
• Focus: medical devices, automobiles, home electronics, public infrastructure
• Five Star Automotive Cyber Safety Framework
• Hippocratic Oath for Connected Medical Devices
ALGIM 2017 - 15 Nov 2017, Alisdair McKenzie
Agenda
• The Internet of Things – what, how, why
• What goes wrong
• What can be done
• What are governments and industry doing
• Local issues
• Questions?
The Internet of Things: What? How? Why?
The Internet of Things, AKA:
• The Internet of Everything
• Internet of All Things
• Industrial Internet
• M2M: The Internet of Things
• Internet of Targets
• The Internet of Bad Things
How/why did it happen?
• Computer performance improves rapidly
  – Moore's Law – transistors
  – Kryder's Law – storage
  – Gilder's Law – bandwidth
  – Metcalfe's Law – network value grows with the number of members
• Uninformed willingness to take risks
• Reckless desire to exploit technology
What is this Internet of Things?
• The Internet
• Connecting a myriad of sensors and devices
• Not all devices will be addressable
• Masses of data
• Falls into several broad domains
IoT Domains
• Industry
• Smart Cities
• Transport
• Health
• Smart Homes
• Leisure/Wearables
What could go Wrong? How long have you got?
IoT Nightmare - Smart Home
Wake up Call!!
The offending message
Woops! Sorry
With New Zealand Twitter getting pretty warm about the topic, the nation's civil defence agency Tweeted its "sorry":
MCDEM ✔ @NZcivildefence: Hi everyone. Apologies to those of you who have received tests for Emergency Mobile Alerts at an inconvenient hour. 2:56 AM - Oct 4, 2017 (73 replies, 30 retweets, 109 likes)
MCDEM ✔ @NZcivildefence, replying to @NZcivildefence: We have looked into it, and will make sure all testing happens in daylight hours from now on. 2:57 AM - Oct 4, 2017 (27 replies, 12 retweets, 49 likes)
The Internet of Bad Things
• Ross Anderson
• Talk to Virus Bulletin Conference, 30 Sep 2015: "The Internet of Bad Things, Observed"
• Serious implementation shortcomings for EMV "Chip & PIN"
• Serious security flaws in mobile phones
• Standardisation and certification of the 'Internet of Things'
Complexity v Security
• Bruce Schneier
• "Complexity is the worst enemy of security"
• IoT Cybersecurity: What's Plan B?
• RSA 2017, "Regulating the Internet of Things", 14 Feb 2017
• Infosecurity Europe 2017, 8 June 2017
The Internet of Scary Things
• A talk by Christopher Biggs to the Security and Privacy miniconf at linux.conf.au
• Reported in The Register - a reliable source of cyber security news: "Biting the hand that feeds IT"
What are the risks?
• Complexity – players, endpoints
• Borderless, increased exposure
• Volumes of data
• Sensitive data
• Software quality
• Data governance
• Accountability
Security Issues
• Heightened threat
• Multiple parties
• System quality
• Software quality
• Vulnerable architecture
• Privacy of information
• Diversity of endpoints
What can be Done Plenty
Help Desk Issues with IoT: https://xkcd.com/1912/
Not simply a technology issue
• Governance and management must ensure that an enterprise-wide approach is taken
• Appropriate accountability
• Enterprise and environment risk management
• People, process and technology
• System development good practice
• Training and education
Structure
• Smart cities
• Irish cities as smart cities
• Urban big data and open data
• Perils of smart cities and data-driven urbanism
• Smart cities & data privacy & protection concerns
• Smart cities and data security concerns
• Addressing data privacy and data security concerns with respect to the smart city
OWASP Internet of Things Project
Some useful resources
• IEEE Computer Society
  – Avoiding the Top 10 Software Security Design Flaws
  – IEEE Computer Society Center for Secure Design
• CMU/SEI
  – Top 10 Secure Coding Practices
  – Research and Education
• FTC – US Federal Trade Commission
  – Privacy & Security in a Connected World – Nov 2013
  – Data Security – Business Resource
Tips for Developing Secure IoT Apps
• Use developers with the right skills
• Use proven IoT application platforms
• Watch IoT firmware security
• Ensure data is secure from physical attacks
• Use secure hardware components
• Apply standard security best practices
What are Governments and Industry Doing? Some progress
USA this year
• The IoT Cybersecurity Improvement Act 2017
  – 1 August 2017
  – Bipartisan
  – Vendor commitments:
    • IoT devices are patchable
    • Devices don't have known vulnerabilities
    • Devices rely on standard protocols
    • Devices do not contain hard-coded passwords
  – Watch this space
Analyst Comments on the Bill
NIST Cyber Security Colloquium
• Last month - 19 October 2017
• Pre-read paper: "Security and Privacy Considerations for IoT" (4 sides)
• All on video: intro + 3 x 90 min sessions (captioned)
Europe - ENISA
• European Commission proposes more powers for EU's infosec agency – Sep 2017
• Cross-border cybersecurity certification scheme planned
• Become a centre of expertise for cybersecurity certification and standardisation of ICT products and services
• Support implementation of the Network and Information Security (NIS) Directive
UK Govt – Automated Vehicles
Structure: ITS/CAV System Security Principles and ITS/CAV System Design Principles
• 1. Organisational security
• 2. Security risks are assessed
• 3. Organisations' product aftercare
• 4. Organisations working together
• 5. System defence
• 6. Software security
• 7. Data storage and transmission
• 8. Resiliently designed system
Across the ditch
• Cyber security rating for IoT devices
• 360 Cyber Security Game 2016
• ANU Report 2017
• Assistant Minister for Cyber Security Dan Tehan said the aim was for the private sector to develop the best model itself, rather than the government imposing mandatory ratings.
• Early days ;-)
Locally
Cyber Security Advice from NZ Govt
• Andrew Hampton - Canterbury Institute of Directors – 6 Oct 2017
• Emerging trends
  – IoT
  – Control systems (SCADA)
  – People
  – Supply chain
• Embedding cyber resilience in organisation culture
  – Whole-of-business approach
  – Understand your assets and network
  – Have a response plan
  – Reliance on MSPs
NZ Govt Cyber Security Entities
• GCSB, NCSC, CERT NZ - NZISM
• NZSIS – PSR
• GCIO, GCPO
• Privacy Commission
• DPMC – NCPO - Connect Smart events
• Cyber Smart Week
Cyber Smart Week
• 27 Nov – 1 Dec 2017
• Connect Smart and CERT NZ
• www.cert.govt.nz/cybersmart
NZ Cyber Security Strategy
The Value of Science: "To every man is given the key to the gates of heaven; the same key opens the gates of hell." Told to Richard Feynman by a Buddhist monk
Please remember: the S in IoT stands for Security. If you don't build it in, it won't be secure!
? Questions ? Alisdair@mcdindotcodotnz
Info Sec Fail
Smart cities? Tell it like it is, they're surveillance cities
• Lots of lovely data, less of lovely privacy
• By Chris Mellor, 7 Sep 2017 at 08:07
• https://www.theregister.co.uk/2017/09/07/smart_cities_are_surveillance_cities/
Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up
• Jelena Milosevic says what we're all thinking
• By John Leyden, 5 Oct 2017 at 16:35
• 'This won't hurt... much.' VB2017: A children's nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security.
• https://www.theregister.co.uk/2017/10/05/nurse_iot/
Dangle a DVR online and it'll be cracked in two minutes
• Army of web scum constantly testing insecure things' well-known default passwords
• By Simon Sharwood, APAC Editor, 29 Aug 2017 at 06:58
• https://www.theregister.co.uk/2017/08/29/sans_mirai_dvr_research/
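The two-minute DVR compromise above and the "no hard-coded passwords" commitment in the IoT Cybersecurity Improvement Act slide are the same problem seen from both ends: botnets walk a short list of factory credentials, and a device that still accepts one of them is owned. The following is an added example, not from the talk or from any vendor's code: it runs over a constructed, simplified login log from an exposed telnet/SSH service and flags both the sources that are walking a default-credential list and, more importantly, any default credential that actually worked on the device. The log format, the IP addresses and the credential subset are all assumptions made for the example; real devices and honeypots log differently, so adapt `LOG_RE` to the format you actually have.

```python
"""Spot Mirai-style default-credential probing in an IoT device's login log.

Added example (not from the talk). The log format below is a constructed,
simplified auth log of a telnet/SSH service on an exposed device; real
devices and honeypots use other formats, so adapt LOG_RE accordingly.
"""
import re
from collections import defaultdict

# A handful of username/password pairs from the credential list published in
# the Mirai source code (constructed subset; the real list is around 60 pairs).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "123456"),
    ("support", "support"), ("root", ""),
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[0-9.]+) login-(?P<result>ok|fail) '
    r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)"$'
)

# Constructed sample: one scanner walks the default list and gets in, one
# legitimate user mistypes once, one host tries a single default pair.
SAMPLE_LOG = """\
2017-08-29T06:58:01Z 203.0.113.45 login-fail user="root" pass="xc3511"
2017-08-29T06:58:02Z 203.0.113.45 login-fail user="root" pass="vizxv"
2017-08-29T06:58:03Z 203.0.113.45 login-fail user="admin" pass="admin"
2017-08-29T06:58:04Z 203.0.113.45 login-ok user="root" pass="888888"
2017-08-29T06:59:10Z 198.51.100.7 login-fail user="alice" pass="hunter2"
2017-08-29T06:59:30Z 198.51.100.7 login-ok user="alice" pass="correct-horse"
2017-08-29T07:00:00Z 192.0.2.9 login-fail user="root" pass="123456"
this line is not an auth record and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed auth record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_default_hits=2):
    """Summarise login activity per source address.

    scanner        - the source tried at least min_default_hits known defaults
    default_logins - credentials from the default list that actually worked,
                     i.e. the device itself still accepts a hard-coded or
                     unchanged factory password
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                   "scanner": False, "default_logins": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cred = (rec["user"], rec["pw"])
        s = per_src[rec["src"]]
        s["attempts"] += 1
        if cred in DEFAULT_CREDS:
            s["default_hits"] += 1
            if rec["result"] == "ok":
                s["default_logins"].append(cred)
    for s in per_src.values():
        s["scanner"] = s["default_hits"] >= min_default_hits
    return dict(per_src)


def compromised_logins(summary):
    """Every successful login with a default credential, whoever made it."""
    return [(src, cred) for src, s in summary.items() for cred in s["default_logins"]]


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG.splitlines())
    for src, s in sorted(summary.items()):
        print(f"{src:15} attempts={s['attempts']} default_hits={s['default_hits']} "
              f"scanner={s['scanner']} default_logins={s['default_logins']}")
    print("device accepts default credentials:", compromised_logins(summary))
```

The scanner flag is only a nuisance signal; on an internet-exposed device it will fire constantly. The result that matters is a non-empty `compromised_logins`: it means the factory credential is still live, which is exactly the condition the bill's vendor commitments and the SANS DVR experiment are about, and the fix is on the device (unique per-unit credentials or forced change at first boot), not in the log analysis.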
Smart streetlight bods Telensa nearly double full-year revenues
• Firm also moved production from Asia back to Wales
• https://www.theregister.co.uk/2017/08/08/telensa_fy2016_full_year_results/
• https://www.theregister.co.uk/2016/11/16/telensa_gets_bauble_from_mystic_mage_outfit/
Grab a fork! Unravelling the Internet of Things' standards spaghetti
• 'Just switch it on and watch it connect.' Yeah, right
• By Danny Bradbury, 2 Aug 2017 at 09:36
• https://www.theregister.co.uk/2017/08/02/iot_standards_spaghetti/
No vulns. No hardwired passwords. Patchable. Congress dreams of IoT: Impossible Online Tech
• We all want totally secure gear. And flying cars. And $1m. And...
• By Iain Thomson in San Francisco, 1 Aug 2017 at 23:47
• https://www.theregister.co.uk/2017/08/01/congress_finally_pulls_its_finger_out_with_legislation_on_iot_security/
'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP
• Likelihood of patching for every affected system is zero
• By Iain Thomson in San Francisco, 19 Jul 2017 at 21:58
• https://www.theregister.co.uk/2017/07/19/iot_systems_open_to_hackers_gsoap/
Internet hygiene still stinks despite botnet and ransomware flood
• Millions of must-be-firewalled services sitting wide open
• By John Leyden, 14 Jun 2017 at 14:05
• https://www.theregister.co.uk/2017/06/14/rapid7_device_scanning_audit/
White-box webcam scatters vulnerabilities through multiple OEMs
• Hands up anyone who tests what they stick their labels on. Anyone? We thought not
• By Richard Chirgwin, 8 Jun 2017 at 03:57
• https://www.theregister.co.uk/2017/06/08/whitebox_webcam_scatters_vulnerabilities_through_multiple_oems/
Internet of snitches: Anyone who can sniff 'Thing' traffic knows what you're doing
• 'Smart' home IoT devices reveal dumb amounts of what they're up to every time they go online
• By Richard Chirgwin, 29 May 2017 at 22:38
• https://www.theregister.co.uk/2017/05/29/internet_of_snitches_anyone_who_can_get_your_traffic_knows_what_youre_doing/
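Why "anyone who can sniff 'Thing' traffic knows what you're doing" even when every connection is TLS: the encryption hides the payload but not the destination name or the volume, and home devices have such regular, low-entropy traffic that a burst is an event. The following is an added example, not from the talk or the article, working over constructed per-minute flow summaries of the kind a home router, an ISP or anyone on the same Wi-Fi can collect. The device names, hostnames and byte counts are invented for the example; the technique (identify the gadget from its vendor endpoints, then infer activity from upload volume against the device's own median) is what it demonstrates.

```python
"""Infer what a 'smart' home is doing from traffic metadata alone.

Added example (not from the talk or the article). The records below are
constructed per-minute flow summaries: no payload, just device, destination
name (from DNS or the TLS SNI) and bytes sent. TLS hides the content but
neither the destination nor the volume.
"""
from collections import defaultdict
from statistics import median

# (minute, device, destination_host, bytes_uploaded) - constructed sample.
FLOWS = [
    (0, "camera", "upload.cam-cloud.example", 12_000),
    (1, "camera", "upload.cam-cloud.example", 11_500),
    (2, "camera", "upload.cam-cloud.example", 250_000),  # motion clip goes up
    (3, "camera", "upload.cam-cloud.example", 260_000),
    (4, "camera", "upload.cam-cloud.example", 12_300),
    (0, "plug", "api.plug-vendor.example", 300),
    (1, "plug", "api.plug-vendor.example", 310),
    (2, "plug", "api.plug-vendor.example", 290),
    (3, "plug", "api.plug-vendor.example", 4_200),       # someone toggled it
    (4, "plug", "api.plug-vendor.example", 305),
]


def identify_devices(flows):
    """Map each device to the vendor hosts it talks to.

    The destination names alone reveal what kind of gadget is in the house,
    before any volume analysis is done."""
    hosts = defaultdict(set)
    for _, device, host, _ in flows:
        hosts[device].add(host)
    return {d: sorted(h) for d, h in hosts.items()}


def activity_events(flows, factor=5.0):
    """Return (device, minute, bytes) for minutes well above the device's
    median upload volume: a camera uploading a clip, a plug reporting a state
    change. Only volume is used, never content."""
    per_device = defaultdict(list)
    for minute, device, _, nbytes in flows:
        per_device[device].append((minute, nbytes))
    events = []
    for device, samples in sorted(per_device.items()):
        baseline = median(n for _, n in samples)
        for minute, nbytes in sorted(samples):
            if nbytes > factor * baseline:
                events.append((device, minute, nbytes))
    return events


if __name__ == "__main__":
    print("devices:", identify_devices(FLOWS))
    for device, minute, nbytes in activity_events(FLOWS):
        print(f"minute {minute}: {device} sent {nbytes} bytes (burst)")
```

The mitigation this points at is on the device and protocol side, not the observer's: constant-rate or padded traffic, batching of status reports, and not naming the product in the hostname it phones home to. A per-device median is a crude baseline; a real deployment would use a longer window and a robust spread estimate, but the point stands with five minutes of data.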
EU security think tank ENISA looks for IoT security, can't find any
• Proposes baseline security spec, plus stickers to prove thing-makers have complied
• By Richard Chirgwin, 23 May 2017 at 05:02
• https://www.theregister.co.uk/2017/05/23/enisa_proposes_internet_of_things_security_standards/
IoT needs security, says Microsoft without even a small trace of irony
• Sysadmins, don't hurt your necks shaking your heads
• By Richard Chirgwin, 17 May 2017 at 04:58
• https://www.theregister.co.uk/2017/05/17/microsoft_iot_security_proposal/
Infosec guru Schneier: Govts WILL intervene to regulate Internet of Sh!t
• Crappy software everywhere means we face a world of pain
• By Kat Hall, 8 Jun 2017 at 08:03
• https://www.theregister.co.uk/2017/06/08/governments_will_intervene_insecure_iot/
IoT standards? We've got 'em. And if you don't like those, we got more
• Cities sick of being used as techies' sandboxes
• By Gareth Corfield, 23 May 2017 at 15:35
• https://www.theregister.co.uk/2017/05/23/lpwa_conference_london/
Be part of the phenomenon. ALGIM 2015 - 25 Nov 2015, Alisdair McKenzie
IoT – Nightmare – Driverless Cars
XKCD explains AI