19-10-4- IoT Security Overview

These slides provide an overview of IoT security.

Omar144

Presentation Transcript


  1. Certified Internet of Things Security (CIoTS): IoT Security Overview

  2. Disclaimer: We wish to inform that these CIoTS course materials and their content are solely for the purpose of the CIoTS examination and shall not be made available to any other parties without our written consent. All material in this course material is, unless otherwise stated, the property of ITU/MUST IoT and IPv6 Expertise Centre and protected by Copyright Law. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of ITU/MUST IoT and IPv6 Expertise Centre, is a violation of copyright law.

  3. IoT security overview • Overview of IoT Security • IoT Threats • Types of IoT Attacks • Challenges to Secure IoT Deployments

  4. Overview of IoT security: What is Security? “The quality or state of being secure – to be free from danger” A successful organisation should have multiple layers of security in place: • Physical security • Personal security • Operation security • Communication security • Network security • Information security

  5. Information security: What is Information Security? The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information. Necessary tools: policy, awareness, training, education and technology.

  6. security concepts https://www.slideshare.net/narudomr/iot-security-81762130

  7. security concepts https://www.slideshare.net/narudomr/iot-security-81762130

  8. Security concepts: Problem of IoT Security? • Initial design was for private communication networks, then moved to IP networks and later on to the Internet • Firmware updates are hard or nearly impossible after installation • Started with basic security, then found the security flaws and attached more complex security requirements later • Low-security devices from early designs are still out there and used in backward-compatible mode

  9. design flaw

  10. design flaw

  11. iot threats

  12. Types of IoT Classified by Communication • Client Type: most implementations, e.g. payment terminal, IP camera (calls back to server), smart cars • Server Type: IP camera (built-in web interface) • Peer-to-Peer or Mesh

  13. iot threats https://www.slideshare.net/narudomr/iot-security-81762130

  14. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  15. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  16. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  17. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  18. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  19. iot attack https://www.slideshare.net/narudomr/iot-security-81762130

  20. iot attack

  21. OWASP’S TOP 10 IOT vulnerabilities 2018 • Weak, guessable, or hardcoded passwords • Insecure network services • Insecure ecosystem interfaces • Lack of secure update mechanisms • Use of insecure or outdated components • Insufficient privacy protection • Insecure data transfer and storage • Lack of device management • Insecure default settings • Lack of physical hardening https://www.networkworld.com/article/3332032/top-10-iot-vulnerabilities.html

  22. Weak, guessable, or hardcoded passwords “Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”

  23. Insecure network services “Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”

  24. Insecure ecosystem interfaces “Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”

  25. Lack of secure update mechanisms “Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”

  26. Use of insecure or outdated components “Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”

  27. Insufficient privacy protection “User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”

  28. Insecure data transfer and storage “Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”

  29. Lack of device management “Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”

  30. Insecure default settings “Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”

  31. Lack of physical hardening “Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”

  32. Challenges to Secure IoT Deployments Possible consequences of an information breach: • Loss of reputation/credibility • Loss of revenue and time • Lead to legal challenges

  33. Risks to Information Security Direct cyber incidents: • Remote control and monitoring • From head office, to supply chain, to customers Indirect cyber incidents (viral threats, malware): • Downstream effects on IT security infrastructure • A malware attack on the IoT device manufacturer could affect your IoT devices

  34. Risks to Privacy Business, employee, and client information could be: • Destroyed • Altered • Stolen and exposed • Held for ransom

  35. Risks to Privacy Understand IoT device data collection policies: • What information is gathered? • How long is data kept? • What is your data used for (marketing research, etc.)?

  36. Risks to Safety IoT device malfunction or manipulation could cause: • Physical damage to data • Physical damage to equipment • Physical harm

  37. Risks to Safety Possible consequences of IoT device malfunction or manipulation: • Costly repairs to systems, assets, and equipment • Legal impact of harm to staff, customers or public • Loss of reputation

  38. IoT Security checklist Before implementation: • Research devices before you purchase. Read reviews and get recommendations; research their security capabilities. • Have a point of contact with the manufacturers for any issues down the road. • Read device materials: operator’s manuals, instructions, support forums. • Create Bring Your Own Device (BYOD) and IoT policies for employees. • Assess against your existing IT security policies and standards.

  39. IOT Security checklist During implementation: • Secure your wireless network. • Change device default usernames and passwords, and use strong passwords. • Keep networks with sensitive information isolated. Consider using separate networks for IoT devices. • Ensure the device has system reset capability in order to permanently eliminate sensitive configuration information. • Control who can access your network and from where. • Encrypt data, commands and communications, both at rest and in transit. • Where possible, set operating system, software, and firmware to update automatically. Establish periodic manual updates as required.

  40. IoT Security checklist After implementation: • Implement a repeatable process to validate all safeguards and countermeasures in your implementation. • Conduct ‘cyber incident’ tests and audits regularly to ensure the integrity of your network. • Back up data regularly using secure and redundant storage solutions, such as multiple storage units and/or the cloud. Test your recovery process regularly.

  41. IoT Security checklist Adhere to your company’s Bring Your Own Device/IoT policy: • Understand what information is being collected by devices and why, before you download or buy. • Use a lock screen password, use strong passwords. • Back up data regularly on multiple storage units and the cloud. • Connect only to secure Wi-Fi networks. • Use safe websites, cloud storage, etc.

  42. Q & A
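
Slide 25 lists firmware validation on the device and anti-rollback as parts of a secure update mechanism. The sketch below is an added example, not part of the original slides, showing the order of checks a device would make before installing an update. The manifest layout, function names and key are assumptions, and HMAC-SHA256 stands in for the vendor's asymmetric signature so that only the Python standard library is needed.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device would hold a vendor *public* key and verify an
# asymmetric signature; HMAC-SHA256 is a stand-in that keeps the example stdlib-only.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest: dict, key: bytes = DEMO_KEY) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_update(image: bytes, version: int, key: bytes = DEMO_KEY) -> dict:
    """Vendor side: build a hypothetical update package (manifest, tag, image)."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest, key), "image": image}


def validate_update(update: dict, installed_version: int, key: bytes = DEMO_KEY) -> str:
    """Device side: return "accept" or the reason the update is rejected."""
    manifest = update["manifest"]
    # 1. Authenticity first: nothing in the manifest is trusted until the tag checks out.
    if not hmac.compare_digest(sign_manifest(manifest, key), update["tag"]):
        return "reject: manifest not authentic"
    # 2. Integrity: the image must be exactly the bytes the vendor described.
    image = update["image"]
    if (len(image) != manifest["size"]
            or hashlib.sha256(image).hexdigest() != manifest["sha256"]):
        return "reject: image does not match manifest"
    # 3. Anti-rollback: a validly signed but older (or same) release is still refused.
    if manifest["version"] <= installed_version:
        return "reject: rollback"
    return "accept"


if __name__ == "__main__":
    good = make_update(b"firmware v7 (constructed bytes)", version=7)
    old = make_update(b"firmware v3 (constructed bytes)", version=3)
    tampered = dict(good, image=good["image"] + b"\x00")
    forged = dict(good, manifest=dict(good["manifest"], version=99))
    for name, upd in [("good", good), ("old", old),
                      ("tampered", tampered), ("forged", forged)]:
        print(name, "->", validate_update(upd, installed_version=5))
```

On a real device the installed version used in step 3 would be kept in storage that an update cannot rewrite, otherwise the rollback check can be reset along with the firmware.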