• Number of slides: 62

ALGIM Annual Conference: Wednesday Stream 3

Technology Worthy of Our Trust. Alisdair McKenzie, Principal Consultant, IS Assurance Services

Technology Worthy of our Trust: Security and the Internet of Things. ALGIM 2017

I Am The Cavalry
• Established Aug 2013
• Mission – Promote improved Cyber Security
• Focus – medical devices, automobiles, home electronics, public infrastructure
• Five Star Automotive Cyber Safety Framework
• Hippocratic Oath for Connected Medical Devices
ALGIM 2017 - 15 Nov 2017 Alisdair McKenzie

Agenda
• The Internet of Things – What, How, Why
• What Goes Wrong
• What can be done
• What are Governments & Industry doing
• Local issues
• Questions?

The Internet of Things: How? Why? What?

The Internet of Things, AKA:
• The Internet of Everything
• Internet of All Things
• Industrial Internet
• M2M: The Internet of Things
• Internet of Targets
• The Internet of Bad Things

How/why did it happen?
• Computer performance improves rapidly
  – Moore’s Law – Transistors
  – Kryder’s Law – Storage
  – Gilder’s Law – Bandwidth
  – Metcalfe’s Law – Members
• Uninformed willingness to take risks
• Reckless desire to exploit technology

What is this Internet of Things?
• The Internet
• Connecting a myriad of sensors and devices
• Not all devices will be addressable
• Masses of data
• Falls into several broad domains
IoT Domains
• Industry
• Smart Cities
• Transport
• Health
• Smart Homes
• Leisure/Wearables


What could go Wrong? How long have you got?

IoT Nightmare - Smart Home

Wake up Call!!

The offending message

Woops! Sorry
With New Zealand Twitter getting pretty warm about the topic, the nation's civil defence agency Tweeted its “sorry”:
MCDEM ✔ @NZcivildefence: Hi everyone. Apologies to those of you who have received tests for Emergency Mobile Alerts at an inconvenient hour. 2:56 AM - Oct 4, 2017
MCDEM ✔ @NZcivildefence, replying to @NZcivildefence: We have looked into it, and will make sure all testing happens in daylight hours from now on. 2:57 AM - Oct 4, 2017

The Internet of Bad Things
• Ross Anderson
• Talk to Virus Bulletin Conference, 30 Sep 2015
• The Internet of Bad Things, Observed
• Serious implementation shortcomings for EMV “Chip & Pin”
• Serious security flaws in mobile phones
• Standardisation and Certification of the ‘Internet of Things’

Complexity v Security
• Bruce Schneier
• Complexity is the worst enemy of Security
• IoT Cybersecurity: What’s Plan B
• RSA 2017 “Regulating the Internet of Things”, 14 Feb 2017
• Infosecurity Europe 2017, 8 June 2017

The Internet of Scary Things
• A talk by Christopher Biggs to the Security and Privacy miniconf at linux.conf.au
• Reported in The Register - a reliable source of Cyber Security news.
• “Biting the hand that feeds IT”

What are the risks?
• Complexity – Players, endpoints
• Borderless, increased exposure
• Volumes of data
• Sensitive data
• Software Quality
• Data Governance
• Accountability

Security Issues
• Heightened Threat
• Multiple Parties
• System Quality
• Software Quality
• Vulnerable Architecture
• Privacy of information
• Diversity of endpoints

What can be Done? Plenty

Help Desk Issues with IoT: https://xkcd.com/1912/

Not simply a technology issue
• Governance and Management must ensure that an enterprise-wide approach is taken
• Appropriate accountability
• Enterprise and environment risk management
• People, process and technology
• System development good practice
• Training and education


Structure
• Smart Cities
• Irish cities as smart cities
• Urban big data and open data
• Perils of smart cities and data-driven urbanism
• Smart cities & data privacy & protection concerns
• Smart cities and data security concerns
• Addressing data privacy and data security concerns with respect to the smart city

OWASP Internet of Things Project

Some useful resources
• IEEE Computer Society – Avoiding the Top 10 Software Security Design Flaws – IEEE Computer Society Center for Secure Design
• CMU/SEI – Top 10 Secure Coding Practices – Research and Education
• FTC – US Federal Trade Commission – Privacy & Security in a Connected World, Nov 2013 – Data Security - Business Resource

Tips for Developing Secure IoT Apps
• Use Developers with the Right Skills
• Use Proven IoT Application Platforms
• Watch IoT Firmware Security
• Ensure Data is Secure from Physical Attacks
• Use Secure Hardware Components
• Apply Standard Security Best Practices

What are Governments and Industry Doing? Some progress

USA this year
• The IoT Cybersecurity Improvement Act 2017 – 1 August 2017
  – Bipartisan
  – Vendor Commitments
    • IoT devices are patchable
    • Devices don’t have known vulnerabilities
    • Devices rely on standard protocols
    • Devices do not contain hard coded passwords
  – Watch this space

Analyst Comments on the Bill

NIST Cyber Security Colloquium
• Last month - 19 October 2017
• Pre-read paper “Security and Privacy Considerations for IoT” (4 sides)
• All on video: Intro + 3 x 90 min sessions (captioned)

Europe - ENISA
• European Commission proposes more powers for EU's infosec agency – Sep 2017
• Cross-border cybersecurity certification scheme planned
• Become a centre of expertise for cybersecurity certification and standardisation of ICT products and services.
• Support implementation of the Network and Information Security (NIS) Directive

UK Govt – Automated Vehicles

Structure: ITS/CAV System Security Principles
ITS/CAV System Design Principles:
• 1. Organisational security
• 2. Security risks are assessed
• 3. Organisations' product aftercare
• 4. Organisations working together
• 5. System Defence
• 6. Software Security
• 7. Data storage and transmission
• 8. Resiliently designed system

Across the ditch
• Cyber Security rating for IoT Devices
• 360 Cyber Security Game 2016
• ANU Report 2017
• Assistant Minister for Cyber Security Dan Tehan said the aim was for the private sector to develop the best model itself, rather than the government imposing mandatory ratings.
• Early days ;-)

Locally

Cyber Security Advice from NZ Govt
• Andrew Hampton - Canterbury Institute of Directors – 6 Oct 2017
• Emerging Trends
  – IoT
  – Control Systems (SCADA)
  – People
  – Supply Chain
• Embedding cyber resilience in organisation culture
  – Whole of Business approach
  – Understand your assets and network
  – Have a response plan
  – Reliance on MSPs

NZ Govt Cyber Security Entities
• GCSB, NCSC, CERT NZ - NZISM
• NZSIS – PSR
• GCIO, GCPO
• Privacy Commission
• DPMC – NCPO - Connect Smart Events
• Cyber Smart Week

Cyber Smart Week
• 27 Nov – 1 Dec 2017
• Connect Smart and CERT NZ
• www.cert.govt.nz/cybersmart

NZ Cyber Security Strategy

The Value of Science
“To every man is given the key to the gates of heaven; the same key opens the gates of hell.” Told to Richard Feynman by a Buddhist monk

Please remember: The S in IoT stands for Security. If you don’t build it in, it won’t be Secure!

? Questions ? Alisdair@mcdindotcodotnz

Info Sec Fail

Smart cities? Tell it like it is, they're surveillance cities
• Lots of lovely data, less of lovely privacy
• By Chris Mellor, 7 Sep 2017 at 08:07
• https://www.theregister.co.uk/2017/09/07/smart_cities_are_surveillance_cities/

Hey, IoT vendors. When a paediatric nurse tells you to fix security, you definitely screwed up
• Jelena Milosevic says what we're all thinking
• By John Leyden, 5 Oct 2017 at 16:35
• 'This won't hurt... much.' VB 2017: A children's nurse told delegates at the Virus Bulletin conference in Madrid on Thursday to get a grip on Internet of Things security.
• https://www.theregister.co.uk/2017/10/05/nurse_iot/

Dangle a DVR online and it'll be cracked in two minutes
• Army of web scum constantly testing insecure things' well-known default passwords
• By Simon Sharwood, APAC Editor, 29 Aug 2017 at 06:58
• https://www.theregister.co.uk/2017/08/29/sans_mirai_dvr_research/

Smart streetlight bods Telensa nearly double full-year revenues
• Firm also moved production from Asia back to Wales
• https://www.theregister.co.uk/2017/08/08/telensa_fy2016_full_year_results/
• https://www.theregister.co.uk/2016/11/16/telensa_gets_bauble_from_mystic_mage_outfit/

Grab a fork! Unravelling the Internet of Things' standards spaghetti
• 'Just switch it on and watch it connect.' Yeah, right
• By Danny Bradbury, 2 Aug 2017 at 09:36
• https://www.theregister.co.uk/2017/08/02/iot_standards_spaghetti/

No vulns. No hardwired passwords. Patchable. Congress dreams of IoT: Impossible Online Tech
• We all want totally secure gear. And flying cars. And $1m. And...
• By Iain Thomson in San Francisco, 1 Aug 2017 at 23:47
• https://www.theregister.co.uk/2017/08/01/congress_finally_pulls_its_finger_out_with_legislation_on_iot_security/

'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP
• Likelihood of patching for every affected system is zero
• By Iain Thomson in San Francisco, 19 Jul 2017 at 21:58
• https://www.theregister.co.uk/2017/07/19/iot_systems_open_to_hackers_gsoap/

Internet hygiene still stinks despite botnet and ransomware flood
• Millions of must-be-firewalled services sitting wide open
• By John Leyden, 14 Jun 2017 at 14:05
• https://www.theregister.co.uk/2017/06/14/rapid7_device_scanning_audit/

White-box webcam scatters vulnerabilities through multiple OEMs
• Hands up anyone who tests what they stick their labels on. Anyone? We thought not
• By Richard Chirgwin, 8 Jun 2017 at 03:57
• https://www.theregister.co.uk/2017/06/08/whitebox_webcam_scatters_vulnerabilities_through_multiple_oems/

Internet of snitches: Anyone who can sniff 'Thing' traffic knows what you're doing
• 'Smart' home IoT devices reveal dumb amounts of what they're up to every time they go online
• By Richard Chirgwin, 29 May 2017 at 22:38
• https://www.theregister.co.uk/2017/05/29/internet_of_snitches_anyone_who_can_get_your_traffic_knows_what_youre_doing/

EU security think tank ENISA looks for IoT security, can't find any
• Proposes baseline security spec, plus stickers to prove thing-makers have complied
• By Richard Chirgwin, 23 May 2017 at 05:02
• https://www.theregister.co.uk/2017/05/23/enisa_proposes_internet_of_things_security_standards/

IoT needs security, says Microsoft without even a small trace of irony
• Sysadmins, don't hurt your necks shaking your heads
• By Richard Chirgwin, 17 May 2017 at 04:58
• https://www.theregister.co.uk/2017/05/17/microsoft_iot_security_proposal/

Infosec guru Schneier: Govts WILL intervene to regulate Internet of Sh!t
• Crappy software everywhere means we face a world of pain
• By Kat Hall, 8 Jun 2017 at 08:03
• https://www.theregister.co.uk/2017/06/08/governments_will_intervene_insecure_iot/

IoT standards? We've got 'em. And if you don't like those, we got more
• Cities sick of being used as techies' sandboxes
• By Gareth Corfield, 23 May 2017 at 15:35
• https://www.theregister.co.uk/2017/05/23/lpwa_conference_london/

Be part of the phenomenon
ALGIM 2015 - 25 Nov 2015 Alisdair McKenzie

IoT – Nightmare – Driverless Cars

XKCD explains AI