© 2015. All rights reserved. Online Trust Alliance (OTA)
Welcome
• Security
• Privacy
• Sustainability
11:00 Introductions: who you are, why you care
Goals - Thea Singer Spitzer, Principal, Critical-change
11:30 Overview of Online Trust Audit - IoT Segment performance
11:45 IoT Security research - Geoff Noakes - Symantec
12:00 Lunch - Glenn Derene, Editor Consumer Reports Magazine
1:00 Review of draft framework / Breakouts
4:00 Breakouts report back to group
5:00 Considerations of a possible seal / certification program
5:45 Wrap Up & Reception
Agenda
• Chatham House Rule
• Introductions
▫ Who are You & Why do You Care?
• Listen, Learn + Collaboration = Innovation
Reminders
501c3 charitable organization with a mission to enhance online
trust, while promoting innovation and the vitality of the
internet.
• Goal to help educate businesses, policy makers and stakeholders
while developing and advancing best practices and tools to
enhance the protection of users' security, privacy and identity.
• OTA supports collaborative public-private partnerships, benchmark
reporting, meaningful self-regulation and data stewardship.
OTA
Focused On Collaboration
What Do We Want to Achieve Today
• Review framework progress to date
• How can we collaborate with others?
• Critique, validate and prioritize criteria
▫ What are we missing?
▫ How can it be validated and measured
▫ Is it applicable for all device categories?
Working Group Goals
1. Provide guidance to manufacturers and developers to help reduce attack surface and
vulnerabilities, and adopt responsible privacy and data stewardship practices.
2. Drive the adoption of best practices; embracing “privacy and security by design”, as a
model for the development of a voluntary, yet enforceable code of conduct.
3. Provide positive affirmation and recognition to companies, products, and retailers who
embrace the code of conduct and meet minimum standards.
4. Provide retailers / commerce sites criteria to aid in their product merchandising and
promotion decisions.
5. Where possible, apply existing standards from NIST, NTIA, ISO and other industry
working groups.
6. Encourage collaboration, sharing of best practices and threat intelligence.
7. Evaluate and identify gating issues and considerations which may lead to the
development of a seal or certification program which could become an incentive to adopt
best practices.
Unique IoT Challenges
1. Highly personal, dynamic, persistent
collection and transfer of data.
2. Reliance on a combination of devices,
apps, platforms and cloud services.
3. Multiple data flows.
4. Multiple touch points and disclosures.
5. Sustainability / lifecycle issues.
6. Lack of defined standards.
7. Non-traditional market players and rush
to market.
Concerns
1. Unknown and future secondary data usages; unintended consequences
2. Unique devices which impact disclosures
3. Compatibility; ability to roll back updates and patches?
4. Impact of changes in policies on the core functionality of the product purchased
5. Product warranty / support, beyond traditional guarantees (aka auto recalls vs repairs)
6. Reliance on installers / third parties. What are they doing and setting on behalf of the consumer?
7. Similarity to PCI: if you handle, touch, store or transfer credit card info you must be compliant
8. AV for IoT? They will be hacked and compromised!
9. Consent; does it transfer with home ownership?
10. What happens to my data? Portability, compatibility with other devices. Can I retract my data?
[Diagram: User Device, Cloud Service, Mobile App, Connected Device, Mobile Platform, Services Provider(s), ?]
Multi-Dimension Landscape & Issues
• Data Security
• Privacy
• Sustainability
▫ Lifecycle issues
▫ Supportability
▫ Data retention / ownership
• Data In use, transit & rest
Security – OWASP Internet of Things Top 10 (2014)
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
The Open Web Application Security Project (OWASP), https://www.owasp.org
Working Group Review & Priorities
Columns of the working-paper table: key question/topic; possible dimension to measure/validate; possible metric/value/score; whether measurement is most likely an objective test or a vendor assertion document (validation type); rank importance of including in Seal v1.0 (1 = vital, 2 = good to have, 3 = possible future versions); and whether the item pertains to Home Automation and/or Wearables (check). The Home, Wearables and Rank columns are blank for the working group to fill in.
1. Is the privacy policy publicly available to review prior to product purchase or activation? (Is it visible on packaging, POS materials…) Metric: Yes/No. Validation: Testing.
2. Is the privacy policy display optimized for the user interface? For example, is a short layered notice applicable and discoverable, with access to the complete notice? Metric: Yes/No. Validation: Review of policy.
3. Is data sharing limited to third parties / service providers who agree to confidentiality and limit usage to supporting product features/functionality and/or product improvement? Metric: Yes/No. Validation: Review of policy.
4. Can a user opt in to any third-party data sharing, not contingent on use of core features or updates? Metric: Opt In / Opt Out / No Option. Validation: Review of policy.
5. Can the consumer see or request access to the data and analytics (and the specific data attributes) that have been collected from their device? Are all data elements attributed to a user clearly disclosed and explained? What is feasible to provide? Validation: Testing.
6. Is a data retention policy disclosed, including the provision that user information is deleted upon termination of product usage or product end-of-life? Metric: Yes/No. Validation: Review of policy.
7. Does the vendor commit not to transfer any consumer data if the company is sold or liquidated unless the consumer is provided notice and gives express consent (with the exception of data required to perform product support and functionality as specified in the original product terms of use and privacy policy)? Metric: Yes/No. Validation: Review of policy.
8. Is it COPPA compliant? Who is the user? When does it apply? Do user profiles need to be created? Metric: Yes/No. Validation: Review of policy.
9. What steps are taken to help prevent anonymous data from being re-identified? Validation: Review of policy.
10. Can a consumer return a product without any charge after reviewing the privacy practices that might be presented during setup (retailer or product policy)? Metric: Yes/No.
11. Can the company materially change privacy policies after the product is purchased? What is the primary function of the device and how might it be impacted? Is the history of changes available for review and/or comparison? Metric: Yes/No.
12. Is the device compliant with regulations where the device is being sold or being used (US vs Canada, UK, Australia and/or EU)?
IoT Trustworthy Framework - Privacy
What Consumers Need To Know
1. Does my device / application have a posted privacy policy which respects my data and
privacy?
2. Can I opt-in or opt-out and what will the impact be to the product functionality?
3. Do the manufacturer and app developer follow a Security Development Lifecycle (SDL)?
4. Is my data protected at rest and in transit?
5. Does my device have a published support policy including end of life?
6. How will my device be upgraded to address security vulnerabilities? How will I be notified?
7. How can my data be deleted if the device is lost, stolen or sold?
8. How can I compare security and privacy practices as part of my purchase decision?
9. Does the manufacturer (and retailers) share or monetize my data?
10. What is the risk my personal data could be re-identified?
Online Trust Audit & Honor Roll
Craig Spiezle
Executive Director & President
Online Trust Alliance
https://otalliance.org/HonorRoll
[Diagram: Honor Roll categories – Brand Protection, Privacy, Security]
Honor Roll Overview
• Analysis of ~1,000 web sites
▫ FDIC Banking 100
▫ Internet Retailer 500
▫ Top 50 Social
▫ Top 50 News/Media
▫ Top 50 Federal Gov’t
▫ OTA Members
▫ IoT 50 (Home automation, Wearables)
• Scoring
▫ Up to 100 points in each category
▫ Bonus points for emerging practices
▫ Penalty points for
Data loss incident
Fines/settlement
▫ Honor Roll = 80% of total points, 55% or better in each category
Privacy
• Base points
▫ Privacy policy
▫ Third-party trackers on site
• Bonus points
▫ Layered privacy policies
▫ Bilingual policies
▫ Use of Icons
▫ Do Not Track status, policy
▫ Tag mgmt. or privacy solution
• Penalty points
▫ WHOIS (if Private vs Public)
▫ Data Breach Incidents
▫ FTC / State Settlements
Italics = new in 2015
Consumer & Brand Protection
• Base points
▫ Email authentication
SPF and DKIM at top-level
and subdomains
▫ DMARC record and policy
• Bonus points
▫ TLS for email
▫ DMARC reject policy
• Penalty points
▫ Domain locking (domain not locked)
• Can the app or web site be spoofed, fooling a consumer into opening or
downloading an update, opening an attachment or simply opening an email
with a drive-by exploit?
• Does the site or app exercise best practice to help
prevent brand-jacking and domain abuse?
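The email-authentication criteria above (SPF and DKIM as base points, a DMARC record, bonus for a reject policy) can be checked mechanically from a domain's DNS TXT records. The script below is an added example, not OTA's audit tooling: the DNS answers, domain names, DKIM selector and point weights are all constructed assumptions, since the slide lists the criteria but not the numbers.

```python
"""Score a domain's email-authentication posture from DNS TXT records.

Added illustration of the Honor Roll criteria (SPF, DKIM, DMARC record,
bonus for a DMARC reject policy). Not OTA's audit code.
"""
import re

# Constructed stand-in for live DNS answers; every name and value is invented.
SAMPLE_DNS = {
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "selector1._domainkey.good.example": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfakekey"],
    "_dmarc.good.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@good.example"],
    "weak.example": ["google-site-verification=abc123",
                     "v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@weak.example"],
    "open.example": ["v=spf1 +all"],
}

# Assumed point weights; the slide lists the criteria, not the numbers.
POINTS = {"spf": 20, "dkim": 20, "dmarc_record": 20,
          "dmarc_quarantine": 10, "dmarc_reject": 20}

# Terminal `all` mechanism with its optional qualifier (+ is the default).
SPF_ALL = re.compile(r"(?:^|\s)([-~+?]?)all(?:\s|$)", re.IGNORECASE)


def lookup_txt(name, dns=SAMPLE_DNS):
    """TXT strings published at `name` (empty list when nothing is there)."""
    return list(dns.get(name, []))


def parse_spf(records):
    """Find the SPF record and its terminal `all` qualifier (+, -, ~, ? or None)."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = SPF_ALL.search(rec)
            qualifier = (m.group(1) or "+") if m else None
            return {"present": True, "all": qualifier, "raw": rec}
    return {"present": False, "all": None, "raw": None}


def parse_dmarc(records):
    """Tag=value pairs of the first valid DMARC record, or {} if none."""
    for rec in records:
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1" and "p" in tags:
            return tags
    return {}


def has_dkim(domain, selectors, dns=SAMPLE_DNS):
    """True if any checked selector publishes a DKIM key under _domainkey."""
    return any(
        rec.lower().startswith("v=dkim1")
        for sel in selectors
        for rec in lookup_txt(f"{sel}._domainkey.{domain}", dns)
    )


def score_domain(domain, dkim_selectors=("selector1",), dns=SAMPLE_DNS):
    """Points and findings for one domain under the assumed weights."""
    points, findings = 0, []

    spf = parse_spf(lookup_txt(domain, dns))
    if not spf["present"]:
        findings.append("no SPF record")
    else:
        points += POINTS["spf"]
        if spf["all"] == "+":
            findings.append("SPF ends in +all: any host may send as this domain")
        elif spf["all"] == "~":
            findings.append("SPF uses ~all (softfail); move to -all once DMARC reports are clean")
        elif spf["all"] is None:
            findings.append("SPF has no `all` term (implicit neutral)")

    if has_dkim(domain, dkim_selectors, dns):
        points += POINTS["dkim"]
    else:
        findings.append("no DKIM key published for the checked selectors")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    if not dmarc:
        findings.append("no DMARC record")
    else:
        points += POINTS["dmarc_record"]
        policy = dmarc["p"].lower()
        if policy == "reject":
            points += POINTS["dmarc_reject"]
        elif policy == "quarantine":
            points += POINTS["dmarc_quarantine"]
        else:
            findings.append("DMARC policy is p=none: spoofed mail is reported but still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so no aggregate reports arrive")

    return {"domain": domain, "points": points, "findings": findings}


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "open.example"):
        result = score_domain(name)
        print(f"{name}: {result['points']} points; findings: {result['findings']}")
```

A real audit would replace `SAMPLE_DNS` with resolver queries and would have to guess or be told the DKIM selectors in use, since they are not discoverable from the zone alone; `p=none` is scored as "record present" but flagged, because it is the state in which spoofed mail still reaches inboxes.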
Infrastructure Security
• Base points
▫ Server & SSL implementation
• Bonus points
▫ EV SSL
▫ AOSSL (Always-On SSL)
▫ DNSSEC
• Penalty points
▫ XSS / iFrame vulnerabilities
▫ Malware
▫ Malicious links
▫ Bot risk
Overall Achievement
Review By Segment
IoT - Highlights
Who Made The Grade for IoT?
[Logo slide: Top of the Class #1; #1 of all Online Retailers; Ranked #1 across all sectors (company logos not extracted)]
IoT – Lowlights
[Logo slide: Failing (company logos not extracted)]
IoT Key Metrics
[Chart: Privacy Scoring by segment, range & median; IoT labelled "Widest Range"]
[Chart: Privacy Policies]
Case Study – IoT Security
Geoffrey Noakes
Senior Director, Business Development
+1-415-370-5980
Many consumer products are now Internet-connected
[Image credits: Oral-B / ndtv.com; Smart Bra / philly.com; sensoriafitness.com]
Copyright © 2014 Symantec Corporation
Imgur.com
Remember the fridge that sends out spam?
The IoT device was behind a NAT router
A typical PC, infected with malware, was sending out spam
The fridge was behind the same NAT router
It is technically possible to have fridges send spam
Let’s consider some "health wearables"
Where are the risks?
[Figure: wearable readouts 123 BPM, 23.56 KM, 15.8, each flagged RISK]
IoT devices are Internet-connected and have all the same risks as typical PCs and smartphones
Symantec analysis of health apps
• PII/login sent in clear text: 20%* (*of services that required a login)
• No privacy policy: 52%
We analysed the top 100 free health applications
Who do health apps share data with?
• Parties contacted: app analytics, ad networks, app provider, social media, app frameworks, CRM/marketing, utility API, OS provider
• Max domains contacted: 14; average domains contacted: 5
• Each of these vendors could share your data again
Your data is already being analysed
Jawbone: Who’s asleep during San Francisco earthquake 2014?
The IoT is raising the interest of attackers
• Linux.Darlloz: infects routers; PHP vulnerabilities; default passwords; mines cryptocurrencies
• Many proofs of concept around, but attackers are currently finding it difficult to make the activity profitable
• Other devices: smart TVs, set top boxes, IP/baby cams, home automation, light bulbs, cars
A very real example: Smart hub devices
• Unsigned firmware update (MITM attack possible)
• Passwords sent in clear text (no SSL encryption)
• 4-digit PIN code enforced in the cloud (blind SQL injection)
Common issues we found when analysing devices
• Weak authentication (or no password at all)
• No encryption
• Prone to web vulnerabilities (66% had OWASP vulnerabilities)
• Privacy concerns
• Firmware updates: either missing or unsigned
• Full trust to any local device
• Insufficient security configurability
• Simple physical attacks are possible
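Two of the findings above (the smart hub's 4-digit PIN checked in the cloud behind a blind SQL injection, and weak authentication generally) can be reproduced end to end against a toy backend. The code below is an added example, not code from any hub vendor or from the Symantec study: the in-memory SQLite table, the serial format, the stored PIN and the lockout threshold are all constructed assumptions. The vulnerable endpoint pastes request fields into the SQL text; `blind_extract_pin` recovers the PIN using nothing but yes/no login answers; the hardened endpoint binds parameters, constrains input shape, compares in constant time and locks out after repeated failures, because parameterization alone still leaves a 10,000-guess keyspace.

```python
"""A smart-hub 'cloud' PIN check: the injectable version beside a hardened one.

Added illustration of the blind-SQL-injection and weak-authentication
findings; not code from any vendor or from Symantec.
"""
import hmac
import sqlite3

LOCKOUT_THRESHOLD = 5   # assumed policy; the slides state no number
FAILED_ATTEMPTS = {}    # serial -> consecutive failures (in-memory demo state)


def make_db():
    """Constructed in-memory table; the real service's schema is unknown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hubs (serial TEXT PRIMARY KEY, pin TEXT NOT NULL)")
    db.execute("INSERT INTO hubs VALUES ('HUB-0001', '4729')")
    db.commit()
    return db


def check_pin_vulnerable(db, serial, pin):
    """The pattern behind the finding: request fields pasted into the SQL text."""
    sql = f"SELECT 1 FROM hubs WHERE serial = '{serial}' AND pin = '{pin}'"
    return db.execute(sql).fetchone() is not None


def check_pin_hardened(db, serial, pin):
    """Bound parameters, strict input shape, constant-time compare and lockout."""
    if FAILED_ATTEMPTS.get(serial, 0) >= LOCKOUT_THRESHOLD:
        return False  # a 4-digit space is only 10,000 guesses; stop answering
    if not (len(pin) == 4 and pin.isdigit()):
        FAILED_ATTEMPTS[serial] = FAILED_ATTEMPTS.get(serial, 0) + 1
        return False
    row = db.execute("SELECT pin FROM hubs WHERE serial = ?", (serial,)).fetchone()
    ok = row is not None and hmac.compare_digest(row[0], pin)
    if ok:
        FAILED_ATTEMPTS.pop(serial, None)
    else:
        FAILED_ATTEMPTS[serial] = FAILED_ATTEMPTS.get(serial, 0) + 1
    return ok


def blind_extract_pin(oracle, serial, length=4):
    """Recover the stored PIN digit by digit from yes/no login answers only.

    `oracle(serial, pin_field)` is the login endpoint: True when the query
    returned a row.  Each payload closes the pin literal and asks one
    question about the stored value; `-- ` comments out the dangling quote.
    """
    recovered = ""
    for position in range(1, length + 1):
        for digit in "0123456789":
            payload = (f"' OR serial='{serial}' AND "
                       f"substr(pin,{position},1)='{digit}' -- ")
            if oracle(serial, payload):
                recovered += digit
                break
        else:
            return None  # no digit matched: the endpoint is not injectable this way
    return recovered


def demo():
    """Attack both endpoints, then log in legitimately against the fixed one."""
    db = make_db()
    leaked = blind_extract_pin(lambda s, p: check_pin_vulnerable(db, s, p), "HUB-0001")
    FAILED_ATTEMPTS.clear()
    blocked = blind_extract_pin(lambda s, p: check_pin_hardened(db, s, p), "HUB-0001")
    FAILED_ATTEMPTS.clear()
    legit = check_pin_hardened(db, "HUB-0001", "4729")
    return {"leaked_pin": leaked, "hardened_leak": blocked, "legit_login": legit}


if __name__ == "__main__":
    print(demo())
```

Forty requests are enough to read a 4-digit PIN out of the vulnerable endpoint, and the same oracle would read any other column of the table. The hardened check refuses anything that is not exactly four digits before it touches the database, so the payload never reaches SQL at all; the lockout is what makes the remaining online guessing impractical, and in the slide's setting the clear-text transport would have to be fixed as well, since TLS is what keeps the PIN from being read off the wire in the first place.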
Brave New World of Smart Devices
Glenn Derene, Editor, Consumer Reports Magazine
INTERNET OF THINGS
Glenn Derene, Director of Content Development, Consumer Reports
In the Privacy of Your Own Home (June 2015 Issue)
Even Mr. Coffee is
watching you
What makes an object “smart”?
• Sensors
• Internet connectivity
• A degree of autonomy
• Can be part of an ecosystem
Which of these is an IoT device?
Computer? Smartphone? Navigation Device? Bluetooth Speaker? Amazon Echo? Game Console?
The landscape of IoT devices
How big is the Internet of Things?
• FTC report estimates 25 billion connected devices this year
• By 2020, that number is expected to grow to 50 billion
What kinds of data are collected?
• Many IoT devices are meant to be integrated into the intimate spaces of our homes and lives.
• The data collection becomes a passive by-product of our interaction with the device
The creepiness factor.
• When consumers don't know what their devices are doing, they freak out
• If data collection isn't made explicit, people jump to the worst possible conclusions about motive
The creepiness factor.
• Samsung was caught off guard by public reaction, and had to respond to public outcry
Hidden in the fine print.
• The uproar hid a more disturbing trend in the industry
• Many smart TVs are collecting data on everything you watch and sending it to third parties
Where, precisely, is your data going?
• We investigated the data stream from smart TVs
• Third-party companies most consumers have never heard of, such as Cognitive Networks and Enswers
What does consent look like?
• People don't read privacy policies
• It's even more onerous to expect them to do so for an appliance
What's the potential harm?
• In 2014, hackers took over baby monitors and screamed at sleeping infants.
• We've discovered websites that are search engines to unprotected webcams—some in people's homes.
Where is this going?
• Amazon's Dash program lets participants install buttons to automatically order brand-name supplies
• Eventually appliances will order the goods themselves.
How much information do we owe companies?
• Diagnostics
• Usage data
• Firmware updates
• Interactions with other appliances
• John Hancock Vitality
What is Consumer Reports' role?
Investigating partnerships with
• NYU Polytechnic
• Georgetown Law Center for Privacy and Technology
• Carnegie Mellon University CHIMPS/CUPS Lab
Working Group Update
• Security
• Sustainability
• Privacy Team Joanne
• Privacy Team Thea
Feedback
• Scope Changes
• Areas on consensus
• Open for debate
• Key Priorities
Seal Program Discussion
Program Considerations
ITWG Workshop
June 16, 2015
• Neal Feather
▫ President, SiteLock
• Joanne Furtsch
▫ Director of Product Policy, TRUSTe
Panelists
• Program scope definition
▫ What do the criteria apply to?
▫ Are there multiple levels of certification, or different criteria or programs based on data type or role in the ecosystem?
• Certification model
▫ Third-party validation or self-attested?
• Review/testing methodologies
▫ Automated and manual testing approaches
▫ Device version changes
• Criteria validation among industry stakeholders
▫ Device manufacturers, industry trade organizations, retailers, consumers, regulators
• Criteria adoption and program brand recognition building
Starts with clear, consistent, verifiable criteria
• Seal usage guidelines
▫ Where is the seal allowed to be displayed?
• Process to issue the seal
• Process to revoke seals
• Dispute process (manufacturer and consumer)
▫ Define scope of dispute resolution
• Frequency of verification of criteria/renewal
• Survival
▫ Controlling entity changes due to acquisition or merger
▫ Bankruptcy
Managing use of the Seal
• Seals must be dynamic
▫ QR code, RFID, hosted seal, or seal image
• Steps to prevent counterfeiting
▫ Trademark protections
• Level of certification must be clear from the seal
• Information on certification status accessible from the seal
▫ Validation page
• Single, simple source with trusted chain of control for authenticity
• Ongoing monitoring of program compliance and proper seal usage
Trust in the Seal
Generalized certification process
• Review of device and
related Privacy Policies
Analyze
• Gap analysis of data
collection to
certification criteria
• Findings report
Advise
• Remediate identified gaps
Remedy
• Activate seals and
consumer validation pages
Award
• Ongoing monitoring for
compliance
• Consumer and
manufacturer feedback
loop and dispute
resolution
• Guidance on Emerging
Rules and Opportunities
Monitor
Analyze – scanning technology
Advise & Remedy: - Findings Report
Award & Monitor: Validation Page
Certification is a business
Sales
Business Operations
Assessment/Service Delivery
Compliance Monitoring
Certification License Renewal
Tools and systems are needed to manage the certification lifecycle
Next Steps
• OTA IoT Initiative https://otalliance.org/IoT
▫ Send feedback to discussion draft by June 26th – [email protected]
July 1 – Member Working Group Call
Aug TBD
Nov 16 - DC Dinner with FTC / IoT Caucus
Nov 17 – Working meeting – DC