Presented by John Johnson

Slides:

Advertisements

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

Advertisements

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

Protection from Internet Theft By James Seegars. What Is Hacking? Definition – A)To change or alter(Computer Program) – B) To gain access to (a computer.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Lecture 11 Reliability and Security in IT infrastructure.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1 We’ve been p0wn’d? Review of 2015 Surface Transportation Cybersecurity Incidents 2015 TRB Session 850 Edward Fok USDOT/FHWA – Resource Center.

Honeypot and Intrusion Detection System

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.

Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Topic 5a Operating System Fundamentals. What is an operating system? a computer is comprised of various types of software device drivers (storage, I/O,

November 19, 2008 CSC 682 Use of Virtualization to Thwart Malware Written by: Ryan Lehan Presented by: Ryan Lehan Directed By: Ryan Lehan Produced By:

1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.

IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.

Security Vulnerabilities in A Virtual Environment

Security and Assurance in IT organization Name: Mai Hoang Nguyen Class: INFO 609 Professor: T. Rohm.

Defense in Depth. 1.A well-structured defense architecture treats security of the network like an onion. When you peel away the outermost layer, many.

Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.

Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.

Mobile Security By Jenish Jariwala. What is Mobile Security?  Mobile Security is the protection of smartphones, tablets, laptops and other portable computing.

Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM.

© 2009 Pittsburgh Supercomputing Center Server Virtualization and Security Kevin Sullivan Copyright Kevin Sullivan, Pittsburgh Supercomputing.

ASHRAY PATEL Securing Public Web Servers. Roadmap Web server security problems Steps to secure public web servers Securing web servers and contents Implementing.

EN Spring 2016 Lecture Notes FUNDAMENTALS OF SECURE DESIGN (NETWORK TOPOLOGY)

James F. Fox MENA Cyber Security Practice Lead Presenters Cyber Security in a Mobile and “Always-on” World Booz | Allen | Hamilton.

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI D4.4 and the EGI review Dr Linda Cornwall 19 th Sept 2011 D4.41.

Selling SolarWinds to Sysadmins 11/14/2013 © 2013 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

Data Center Security Services & Solutions in Dubai

Defining your requirements for a successful security (and compliance

CYBERSECURITY SOLUTIONS

EAST AFRICAN DATA HANDLERS DATA SECURITY/MOBILITY

Chapter 7. Identifying Assets and Activities to Be Protected

Chapter 6: Securing the Cloud

Managed Services.

Lesson 15 Total Cost of Ownership

Firmware threat Dhaval Chauhan MIS 534.

| Data Connectors: Atlanta, GA

Cybersecurity - What’s Next? June 2017

TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES NAMED AFTER MUHAMMAD AL-KHWARIZMI THE SMART HOME IS A BASIC OF SMART CITIES: SECURITY AND METHODS OF.

Firewall Configuration and Administration

Hot Topics:Mobility in the Cloud

Control system network security issues and recommendations

IoT Network Monitor.

Introduction to Networking

3.2 Virtualisation.

National Mining University

Call to Fix QuickBooks Error

Computer Security for Businesses

Internet of Things

Infrastructure, Data Center & Managed Services

Advanced IoT Mobile App Development Company

The security and vulnerabilities of IoT devices

A quick look into today’s APTs

Cyber Security in the Mortgage Industry

This is a typical Windows user desktop

We secure the communication

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Capitalize on Your Business’s Technology

6. Application Software Security

Implementing Firewalls

Goddard Chamber September 12th, 2019 Hosts: John Ash & Jon Grover

Presentation transcript:

Presented by John Johnson Hacking IOT: A Case Study on Baby Monitor Exposures and Vulnerabilities “Frameworks Aren’t Enough” By the Rapid7 Team Presented by John Johnson

Why this paper? Survey of multiple brands of an IOT device Starting point for discussing the surface area for attacking IOT Another style of paper than we have read previously Why security nihilism is a thing

Just a little too new… IOT devices have blown up recently But no security pipeline is in place to deal with the appearance of vulnerabilities IOT are typically a hodgepodge of commodity software, each with a different patching entity

Baby monitors Surveillance placed willingly in the house Watching what is presumably your most prized relative And still totally unregulated

Speculative end user pains IOT devices can be exploited to pivot inside a secure network Home networks are typically undefended beyond a firewall Parents who work from home may be particularly at risk DDOS mitigation is often disruptive to innocent users

A peek at different vulnerabilities

To be more specific

Many different types of vendor A vendor who practically lives off the grid (No Contact) A vendor who kicks the can (“Not my fault!”) A vendor who thinks you are the devil (“Why are you hacking us???”) A Good Vendor™ who cares

Different study by Veracode Looks at different types of IOT devices and their security features Done by a different security company Same similar results

Many different things to compromise Credit to Veracode: IoT Security Research Study

That’s not too bad! Credit to Veracode: IoT Security Research Study

Okay, this isn’t great but we can live with it! Credit to Veracode: IoT Security Research Study

Well that’s… pretty bad Credit to Veracode: IoT Security Research Study

Remember this slide? Credit to Veracode: IoT Security Research Study

Title Credit to Cisco for this diagram

There are many moving parts in an IOT infrastructure In your house: Device, sensor, gateway, router, phone Not in your house: backend storage, backend backups, virtual machine servers(think EC2 servers), company infrastructure Intangible: OS on each of the above devices, phone apps, programs

Every element in the IOT stack can fall to a different department/person Is each expert following best practices? What about at the seams between components? What happens if something goes wrong? Do you have experts who handle incident response? On a budget? In a brand new company of 10 people?

Recommendations Get vendors to use an established framework Get more security people on board at vendor companies Defense in Depth

Thank You!