Weaponizing IoT Ted Harrington Executive Partner

Presentation transcript:

SBX2-W2: Weaponizing IoT. Ted Harrington, Executive Partner, Independent Security Evaluators (ISE), @ISESecurity

Weaponize (wep-uh-nahyz): 1) To convert to use as a weapon. 2) To supply or equip with weapons. Purpose of this slide is to define the key title term and overall presentation theme. Set the groundwork for the discussion about how IoT can be, and is, weaponized. The rest of the presentation ties back to this concept.

Agenda: Overview; Common IoT exploits; Case Study; Victim Chain; Prophecies; Recommendations

Overview: Purpose of this slide is to establish credibility and set context. Very briefly introduce ISE’s research contributions, in particular as they pertain to IoT via IoT Village.

Overview: Purpose of this slide is to introduce IoT Village, from which data and other themes are extracted in support of the argument made during the rest of this presentation. Mention here that IoT Village is why RSA has asked us to organize IoT Sandbox.

Trends & Data

IoT Security Trends. August 2015 – Present: 113 new 0-days, 50 device types, 39 manufacturers. Discuss metrics in order to analyze and quantify the scope of the IoT security problem.

Common IoT Security Flaws
2016: Denial of Service; Lack of Encryption; Key Exposure; Privilege Escalation; Remote Code Execution; Backdoors; Runs as Root
2017: All of the previous!! PLUS: Buffer Overflow; Command Injection; Session Management; Etc etc etc
Describe that things are trending worse, not better. Outline the types of issues relevant to IoT, setting up for a deeper dive into some of the more significant items.

Exploit Analysis

Key Exposure Define what this vulnerability means, how it generally works in the context of IoT, and extrapolate the significance.

Remote Code Execution Define what this vulnerability means, how it generally works in the context of IoT, and extrapolate the significance.

Command Injection Define what this vulnerability means, how it generally works in the context of IoT, and extrapolate the significance.

Case Study: Mirai Botnet. Advance the talk now from the generalized concepts discussed previously to a real-world, high-profile incident.

Mirai Botnet: Give context and background, for those who might be unfamiliar with the Mirai botnet story.

Mirai Botnet Break down the attack anatomy

Mirai Botnet Break down the attack anatomy

WHO CARES?! Score some cheap laughs, then really ask the question. Set up for a discussion of who the victims are and why they might (or might not) care, and how that motivation would dictate whether the problem gets solved.

Victim Chain: Discuss each victim type, what they care about, and how that impacts the ultimate victim.

Where do we go from here?

Recommendations: Threat Modeling; Secure Design Principles; Adversarial Perspective; Self-regulate. Talk through each recommendation, one by one.

Prophecies: It will get worse before it gets better. The 10/16/16 event was covering something larger. A person(s) will get hurt physically.

Apply: Consider motivation. Think like the attacker. Adhere to secure design principles.

Thank You! ted.harrington@securityevaluators.com