HACKING IoT
Ted Harrington, Executive Partner

Hacking IoT: the new threat for content assets

Please Read

Security is a BUSINESS problem. Not an IT problem.

2 case studies: IoT Village, and Hacking Healthcare.

This isn't about what could happen. This is about what HAS happened. This is going on right now, as we speak. The implications are far and wide. The issue is not that someone hacks your in-room thermostat and figures out the temperature you like. The issue is that someone hacks your in-room thermostat and gets guest credit cards, home address, loyalty account info, etc.

- Connected devices do not effectively have security built in
- Huge adoption of connected devices is looming
- The industry needs a radical shift or else we will all become exposed
- There is a path to success!

Let's make you smarter about connected devices, and help you understand why these things are happening, so you can do something about it.

Optional:

Cialis comparison.

Shark Tank: imagine pitching this to Mark Cuban. Are there any flaws? Well, yeah, there are one or two things we didn't address, like security or privacy.

Mention legal ramifications: the Target breach cost them $$$$ because of attorneys; make no doubt, attorneys will be coming for the inevitable IoT breach.

"All anybody needs is some ambitious lawyer to put you out of business."

People who THINK they are smart wait for a problem to land, and then deal with it. People who ARE smart get out ahead of the problem and handle it proactively.

Find somewhere for "people are stupid"

ISE Proprietary

Agenda

- A) Context
- B) Problems
- C) Solutions

- Background on DEF CON, village concept, and IoT Village as newest village
- To shine a spotlight on the security concerns in connected devices
- To prove/disprove hypothesis that security flaws are systemic

- 0day demos
- Hacking contest
- Workshops

IoT Village: Results

- 113 zero-days
- 51 device types
- 39 manufacturers

Common IoT Security Flaws

2015:

- Denial of Service
- Lack of Encryption
- Key Exposure
- Privilege Escalation
- Remote Code Execution
- Backdoors
- Runs as Root

2016: All of the previous!! PLUS:

- Buffer Overflow
- Command Injection
- Session Management
- Etc etc etc

Describe that things are trending worse, not better. Outline the types of issues relevant to IoT, setting up for a deeper dive into some of the more significant items

We're going to talk about denial of service today.

Agenda

Weaponize (wep-uh-nahyz)

- To convert to use as a weapon
- To supply or equip with weapons

Purpose of this slide is to define the key title term and overall presentation theme. Set the groundwork for the discussion about how IoT can be and is weaponized. Rest of the presentation ties back to this concept.

M&E Adversaries Could Use IoT to:

- Pivot
- Steal content
- Circumvent/undermine monetization schema
- Degrade the user experience
- Deny access
- Ensnare studio/vendor in DDoS botnet

DDoS Attacks

Stepping stone attacks

Everything is integrated

Mirai Botnet

Give context and background, for those who might be unfamiliar with the Mirai botnet story:

- What is Mirai
- What is a Botnet
- What is denial of service

Dyn published an amazing post in response. They did not hide behind "we take your security seriously," like so many others do; they published a detailed discussion of the attack, their response, and their analysis of the issue. For those unfamiliar with this incident and looking for more info, I strongly recommend it. It's on the Dyn blog, easily found via a Google search. http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

Mirai Botnet: What is Mirai?

Malware targeting Linux that turns systems into bots

Mirai Botnet: What is a botnet?

A group of computing devices that can be centrally controlled

Often described as zombies, because the devices are unwittingly malicious, just like how people who used to be otherwise normal, rational humans now have insatiable bloodthirst without cognition.

Mirai Botnet: What is DDoS?

So think about a DDoS attack as too many people trying to get through a too-small door. The service is unable to differentiate between valid and malicious traffic. Exacerbating the issue is that legitimate traffic, once denied, will perform a retry, further clogging the service. The service cannot differentiate between valid and malicious retries.

Mirai Botnet

Break down the attack anatomy

Victim Chain

Discuss each victim type, what they care about, and how that impacts the ultimate victim

Agenda

Recommendations

Those Who Build:

- Threat Modeling
- Secure Design Principles
- Adversarial Perspective
- Security Assessment

Those Who Use:

- Reduce Attack Surface
- Audit / Inventory
- Change Default Credentials
- Check for Updates

We are talking about IoT, but "those who build" applies to anyone building tech, whether that's mobile apps, network infrastructures, etc.

How Can ISE Help?

- SECURITY ASSESSMENT
- vCISO

THANK YOU!!

Any questions?