OWASP IoT Project The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues.

Presentation transcript:

OWASP IoT Project The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

What is IoT? “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” © Justin Klein Keane <justin@madirish.net>

IoT is More than Consumer
"Junk hacking"
"Stunt hacking"
Hardware hacking

IoT Beyond the Hype
Municipal IoT
  Smart cities
  Smart grid
Industrial IoT
  Connected factories
  Agriculture
  Logistics
Medical IoT
  Smart hospitals
  Electronic medical records

The Power of IoT
Big data provides analytics
Business process optimizations
Multiple concurrent access

The Challenge of IoT Security
IoT is an evolutionary technology: it sits on top of every earlier layer of the stack, and inherits each one's weaknesses.
  IoT
  Cloud
  Mobile
  Web
  Network
  Operating System
  Hardware

Why it Looks so Bad
Breakers have a long history and robust tools:
  Automated network attack tools
  Exploits for most segments of the IoT stack
  Physical access and hardware hacking
Builders are still searching for:
  Secure toolkits
  Proven methodologies
  Successful models
Result:
  Builders cobble together components
  Build very fragile full-stack solutions
  No visibility into security or attack surface
  Attackers have a field day

Miserable Track Record Thus Far
Luckily, most tests to date are of consumer IoT: http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
Testing industrial, municipal, and other IoT is much trickier:
  Most have heterogeneous brownfield deployments
  Testers can't just pop down to Walmart to get access to these deployments
SecuringSmartCities.org has done some testing
If history is a guide, though, things probably aren't good

OWASP IoT Project
An overall IoT security effort:
  Attack surfaces (present)
  Vulnerability lists (working)
  Reference solutions (coming)
Aggregates community resources
Guidance for developers
IoT-specific security principles
IoT framework assessment

OWASP IoT Top 10
(Each entry gives the category, the IoT security consideration, and the recommendation from the original table.)

I1: Insecure Web Interface
  Consideration: Ensure that any web interface coding is written to prevent the use of weak passwords …
  Recommendation: When building a web interface, consider implementing lessons learned from web application security. Employ a framework that utilizes security …

I2: Insufficient Authentication/Authorization
  Consideration: Ensure that applications are written to require strong passwords where authentication is needed …
  Recommendation: Refer to the OWASP Authentication Cheat Sheet.

I3: Insecure Network Services
  Consideration: Ensure applications that use network services don't respond poorly to buffer overflow, fuzzing …
  Recommendation: Try to utilize tested, proven networking stacks and interfaces that handle exceptions gracefully …

I4: Lack of Transport Encryption
  Consideration: Ensure all applications are written to make use of encrypted communication between devices …
  Recommendation: Utilize encrypted protocols wherever possible to protect all data in transit …

I5: Privacy Concerns
  Consideration: Ensure only the minimal amount of personal information is collected from consumers …
  Recommendation: Data can present unintended privacy concerns when aggregated …

I6: Insecure Cloud Interface
  Consideration: Ensure all cloud interfaces are reviewed for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) …
  Recommendation: Cloud security presents unique security considerations, as well as countermeasures. Be sure to consult your cloud provider about options for security mechanisms …

I7: Insecure Mobile Interface
  Consideration: Ensure that any mobile application coding is written to disallow weak passwords …
  Recommendation: Mobile interfaces to IoT ecosystems require targeted security. Consult the OWASP Mobile …

I8: Insufficient Security Configurability
  Consideration: Ensure applications are written to include password security options (e.g. enabling 20-character passwords or enabling two-factor authentication) …
  Recommendation: Security can be a value proposition. Design should take into consideration a sliding scale of security requirements …

I9: Insecure Software/Firmware
  Consideration: Ensure all applications are written to include update capability and can be updated quickly …
  Recommendation: Many IoT deployments are either brownfield and/or have an extremely long deployment cycle …

I10: Poor Physical Security
  Consideration: Ensure applications are written to utilize a minimal number of physical external ports (e.g. USB ports) on the device …
  Recommendation: Plan on having IoT edge devices fall into malicious hands …
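The I3 entry asks that network services "handle exceptions gracefully" under buffer overflow and fuzzing. The following is an added example, not code from the slides or from the OWASP project, showing what that looks like for a small length-prefixed device message: the wire format (1-byte type, 2-byte length, payload) and the 1024-byte buffer limit are assumptions made for the example, and the fuzz loop feeds random frames to the handler to confirm that nothing but a clean rejection ever comes out.

```python
"""Defensive parsing of a length-prefixed device message (added example for I3)."""
import random
import struct
from typing import Tuple

# Hypothetical wire format assumed for this example: 1-byte message type,
# 2-byte big-endian payload length, then the payload bytes.
HEADER = struct.Struct("!BH")
MAX_PAYLOAD = 1024  # hypothetical per-message buffer limit on the device


class ParseError(ValueError):
    """The one exception a caller must handle; nothing else escapes parse_frame."""


def parse_frame(data: bytes) -> Tuple[int, bytes]:
    """Return (msg_type, payload) or raise ParseError.

    Every declared field is checked against what was actually received before
    it is used. In a C implementation the same comparison is what stops the
    declared length from driving a copy past the end of the buffer.
    """
    if len(data) < HEADER.size:
        raise ParseError("truncated header")
    msg_type, declared_len = HEADER.unpack_from(data)
    if declared_len > MAX_PAYLOAD:
        raise ParseError(f"declared length {declared_len} exceeds limit {MAX_PAYLOAD}")
    body = data[HEADER.size:]
    if len(body) < declared_len:
        raise ParseError(f"truncated payload: declared {declared_len}, got {len(body)}")
    if len(body) > declared_len:
        raise ParseError("trailing bytes after payload")
    return msg_type, body[:declared_len]


def handle(data: bytes) -> str:
    """Service entry point: malformed input yields a rejection string, never a crash."""
    try:
        msg_type, payload = parse_frame(data)
    except ParseError as exc:
        return f"rejected: {exc}"
    return f"ok: type={msg_type} len={len(payload)}"


def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (the device side of the same format)."""
    return HEADER.pack(msg_type, len(payload)) + payload


def fuzz(iterations: int = 5000, seed: int = 7) -> int:
    """Feed random frames to handle() and count unexpected exceptions (target: 0)."""
    rng = random.Random(seed)
    crashes = 0
    for _ in range(iterations):
        size = rng.randint(0, 40)
        blob = bytes(rng.getrandbits(8) for _ in range(size))
        try:
            handle(blob)
        except Exception:  # anything other than a clean rejection is a bug
            crashes += 1
    return crashes


if __name__ == "__main__":
    print(handle(build_frame(1, b"temp=21.5")))
    print(handle(HEADER.pack(1, 60000) + b"xx"))
    print("fuzz crashes:", fuzz())
```

The declared-length check against `MAX_PAYLOAD` is the one that matters most on a constrained device: without it, a two-byte header field lets a remote peer dictate a 64 KB allocation or copy. The fuzz loop is deliberately crude; it is there to show that a bounded parser can be exercised with random input on the bench before the device ever meets a real network.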

Principles of IoT Security
Assume a hostile edge
Test for scale
Internet of lies
Exploit autonomy
Expect isolation
Protect uniformly
Encryption is tricky
System hardening
Limit what you can
Lifecycle support
Data in aggregate is unpredictable
Plan for the worst
The long haul
Attackers target weakness
Transitive ownership
N:N authentication

Framework Assessment
Based on a prototypical IoT deployment model
Designed like a checklist or benchmark

Example Edge Considerations
Are communications encrypted?
Is storage encrypted?
How is logging performed?
Is there an updating mechanism?
Are there default passwords?
What are the offline security features?
Is transitive ownership addressed?
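"Are there default passwords?" on the edge checklist, together with the weak-password items in I1, I2 and I7 and the 20-character / two-factor configurability in I8, is something a device's management interface can enforce in code. The following is an added example, not code from the slides or from the OWASP project: the factory-default and common-password lists are constructed for the example, the policy values are assumptions, and the throttle is a simple per-account backoff rather than any particular vendor's mechanism.

```python
"""Credential policy checks for an IoT management interface (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lists for the example; a real device would load its own
# shipped defaults and a much larger breached-password corpus.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
COMMON_WEAK = {"password", "12345678", "qwerty123", "letmein"}


@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128          # I8: long passphrases must be allowed, not capped
    require_mfa_for_admin: bool = True


def check_credential(username: str, password: str, policy: PasswordPolicy,
                     mfa_enrolled: bool = False) -> List[str]:
    """Return every policy violation; an empty list means the credential is acceptable."""
    problems = []
    if (username.lower(), password) in FACTORY_DEFAULTS:
        problems.append("factory default credential still in use")
    if password.lower() in COMMON_WEAK:
        problems.append("commonly used password")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("password contains the username")
    if (policy.require_mfa_for_admin and username.lower() in ("admin", "root")
            and not mfa_enrolled):
        problems.append("administrative account without a second factor")
    return problems


PBKDF2_ROUNDS = 200_000   # assumed cost; tune to the device's CPU budget
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device stores only this, never the password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored: bytes, candidate: str) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


class LoginThrottle:
    """Per-account exponential backoff, a cheap I2 defence for a device with no SOC behind it."""

    def __init__(self, base_delay_s: float = 1.0, max_delay_s: float = 300.0):
        self.base = base_delay_s
        self.max = max_delay_s
        self.failures: Dict[str, int] = {}

    def delay_for(self, username: str) -> float:
        """Seconds the next attempt for this account must wait."""
        n = self.failures.get(username, 0)
        return 0.0 if n == 0 else min(self.base * 2 ** (n - 1), self.max)

    def record(self, username: str, success: bool) -> None:
        if success:
            self.failures.pop(username, None)
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
```

`check_credential` is meant to run both at first-boot provisioning (so the device cannot leave setup with a factory default) and on every password change; `hash_password` and `verify_password` cover the "is storage encrypted?" half of the same checklist item for the credential store itself.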

Example Gateway Considerations
Is encryption interrupted?
Are there replay and denial-of-service defensive capabilities?
Is there local storage? Is it encrypted?
Is there anomaly detection capability?
Is there logging and alerting?
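The replay-defence, logging and alerting questions above, plus the data-in-transit concern in I4, can be answered together at the gateway by authenticating each device message and tracking a per-device counter. The following is an added example, not code from the slides or from the OWASP project: the per-device shared key, the JSON message layout and the 300-second timestamp window are assumptions made for the example, and the audit list stands in for whatever log sink the gateway actually has.

```python
"""Gateway-side authentication and replay detection for device messages (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed per-device shared key for the example; in a real deployment it is
# provisioned at manufacture and kept in hardware-backed storage where available.
DEVICE_KEYS: Dict[str, bytes] = {
    "sensor-01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
}


def _tag(key: bytes, device: str, counter: int, ts: float, payload: dict) -> bytes:
    """HMAC over a canonical encoding so device and gateway agree byte-for-byte."""
    canonical = json.dumps({"d": device, "c": counter, "t": ts, "p": payload},
                           sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).digest()


def device_send(key: bytes, device: str, counter: int, ts: float, payload: dict) -> dict:
    """Device side: counter and timestamp are covered by the tag, so neither can be altered."""
    return {"device": device, "counter": counter, "ts": ts, "payload": payload,
            "tag": _tag(key, device, counter, ts, payload).hex()}


class Gateway:
    REQUIRED = ("device", "counter", "ts", "payload", "tag")

    def __init__(self, keys: Dict[str, bytes], max_skew_s: float = 300.0):
        self.keys = keys
        self.max_skew = max_skew_s
        self.last_counter: Dict[str, int] = {}   # highest accepted counter per device
        self.audit: List[str] = []               # stands in for the gateway's log/alert sink

    def accept(self, msg: dict, now: float) -> Tuple[bool, str]:
        """Validate one message; the reason string is what gets logged and alerted on."""
        if (any(k not in msg for k in self.REQUIRED)
                or not isinstance(msg["counter"], int)
                or not isinstance(msg["ts"], (int, float))
                or not isinstance(msg["payload"], dict)):
            return self._log("?", False, "malformed message")
        device = str(msg["device"])
        key = self.keys.get(device)
        if key is None:
            return self._log(device, False, "unknown device")
        try:
            tag = bytes.fromhex(msg["tag"])
        except (ValueError, TypeError):
            return self._log(device, False, "malformed tag")
        expected = _tag(key, device, msg["counter"], msg["ts"], msg["payload"])
        if not hmac.compare_digest(expected, tag):
            return self._log(device, False, "authentication failed")
        # Only an authenticated message may update any state below this line.
        if abs(now - float(msg["ts"])) > self.max_skew:
            return self._log(device, False, "timestamp outside window")
        if msg["counter"] <= self.last_counter.get(device, -1):
            return self._log(device, False, "replayed or stale counter")
        self.last_counter[device] = msg["counter"]
        return self._log(device, True, "accepted")

    def _log(self, device: str, ok: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append(f"device={device} result={'ACCEPT' if ok else 'REJECT'} reason={reason}")
        return ok, reason
```

The ordering inside `accept` is deliberate: the tag is checked before the counter so that an unauthenticated message can never advance `last_counter` and lock a legitimate device out. The timestamp window bounds how long a captured message stays useful even if counter state is lost on the gateway, which is the edge-device-offline case the checklist also asks about. Denial-of-service defence is a separate control (per-device rate limiting in front of this check) and is not shown here.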

Example Cloud Considerations
Is there a secure web interface?
Is there data classification and segregation?
Is there security event reporting?
How are third-party components tracked and updated?
Is there an audit capability?
Is there interface segregation?
Is complex, multi-factor authentication allowed?

Example Mobile Considerations
What countermeasures are in place for theft or loss of the device?
Does the mobile authentication degrade other component security?
Is local storage done securely?
Is there an audit trail of mobile interactions?
Can mobile be used to enhance authentication for other components?

Final Thoughts
Privacy in realms of big data is a problem
  No real technical solution to this one
Regulation is probably coming
  FTC set to release guidelines next year
Consumers may eschew security, but business won't
  Security can be a differentiator

Other Organizations

Questions?