Engineering Secure Software

Agenda
 What is IoT?
 Security implications of IoT
 IoT Attack Surface Areas
 IoT Testing Guidelines
 Top IoT Vulnerabilities

What is IoT?
 IoT is a self-configuring and adaptive system consisting of networks of sensors and smart objects whose purpose is to interconnect “all” things, including everyday and industrial objects, in such a way as to make them intelligent, programmable, and more capable of interacting with humans. (IEEE definition)

IoT Examples
 Estimates: 50 billion connected devices by 2020
 Refrigerator with a screen
 The smart thermostat
 The TV connected to the Internet
 Smart cars
 Mobile health
 Smart grids

Security implications of IoT

IoT Security Concerns
 Privacy Concerns: 90 percent of devices collected personal information via the device, the cloud or the device’s mobile application. Many devices transmit this information across networks without encryption.
 Insufficient Authentication/Authorization: 80 percent failed to require passwords of sufficient complexity and length. A huge number of users and devices rely on weak passwords, e.g. 1234,

IoT Security Concerns (Cont.)
 Transport Encryption: 70 percent of devices used unencrypted network services. Most devices surveyed failed to encrypt data, even when the devices were using the Internet.
 Web Interface: 60 percent raised security concerns with their user interfaces, e.g. persistent cross-site scripting, poor session management and weak default credentials.
 Insecure Software: 60 percent did not use encryption when downloading software updates.

CIA of IoT
 Confidentiality: the IoT provider will most likely be able to sell the data
 Integrity: not an issue for a user’s home temperature, but how about a user’s credit score?
 Availability: vulnerable to DDoS attacks

 What things can be done before products reach the market to make them and services inherently more secure?

IoT Risks
 Insecure web interface
 Insufficient authentication/authorization
 Insecure network services
 Lack of transport encryption
 Privacy concerns
 Insecure cloud interface
 Insecure mobile interface
 Insufficient security configurability
 Insecure software/firmware updates
 Poor physical security

IoT Attack Surface Areas
 Ecosystem access control
 Administrative interface
 Ecosystem communication
 Update mechanism
 Network traffic
 Cloud web interface
 Third-party backend APIs

IoT Attack Surface Areas (Cont.)
 Device memory
 Device firmware
 Device physical interfaces
 Device network services
 Device web interface
 Local data storage
 Vendor backend APIs
 Mobile application

IoT Vulnerabilities
 Ecosystem Access Control
  - Implicit trust between components
  - Enrollment security
  - Decommissioning system
  - Lost access procedures
 Ecosystem Communication
  - Health checks
  - Heartbeats
  - Ecosystem commands
  - Deprovisioning
  - Pushing updates
 Device Web Interface, Administrative Interface, Cloud Web Interface
  - SQL injection
  - Cross-site scripting
  - Username enumeration
  - Weak passwords
  - Account lockout

IoT Vulnerabilities (Cont.)
 Mobile Application
  - Implicitly trusted by device or cloud
  - Known credentials
  - Insecure data storage
  - Lack of transport encryption
 Third-party Backend APIs
  - Unencrypted PII sent
  - Encrypted PII sent
  - Device information leaked
  - Location leaked
 Vendor Backend APIs
  - Inherent trust of cloud or mobile application
  - Weak authentication
  - Weak access controls
  - Injection attacks

IoT Testing Guidelines
 Insecure software/firmware
  - Includes update capability?
  - Encrypted update files?
  - Uses signed files?
  - Validates files before installation?
 Poor physical security
  - Does the device use the minimum number of physical external ports?
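The “uses signed files / validates files before installation” checks above are what a device-side update agent has to enforce. The following is an added example, not code from the slides or from any vendor: it assumes a vendor Ed25519 key pair (generated here only for the demo), an update envelope of version number plus image, and a device that rejects any image whose signature fails or whose version is not newer than the installed one (anti-rollback).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware-update envelope (assumed layout): a version
// number for anti-rollback, the image bytes, and a vendor signature over both.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds version and image together so a valid signature for an old
// image cannot be re-used with a freshly chosen version number.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the vendor build-pipeline side: sign the bound digest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// ValidateUpdate is the device-side check run before anything is written to
// flash: it rejects bad signatures and rollbacks to an older or equal version.
func ValidateUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, digest(u.Version, u.Image), u.Signature) {
		return errors.New("reject: signature does not verify against vendor key")
	}
	if u.Version <= installed {
		return fmt.Errorf("reject: version %d is not newer than installed %d", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the vendor's provisioned key pair
	good := SignUpdate(priv, 2, []byte("firmware v2 image"))
	fmt.Println("genuine:", ValidateUpdate(pub, 1, good))
	tampered := good
	tampered.Image = []byte("modified image") // constructed tampering
	fmt.Println("tampered:", ValidateUpdate(pub, 1, tampered))
	fmt.Println("rollback:", ValidateUpdate(pub, 3, good))
}
```

On a real device the public key would be baked into read-only storage and the image digest checked again after it is written, so a write interrupted halfway cannot leave a half-validated image marked bootable.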

IoT Testing Guidelines (Cont.)
 Insecure mobile interface
  - Multi-factor authentication
  - Transport encryption
  - Strong passwords, password expiration
  - Amount of personal info collected
 Insecure web interface, cloud interface
  - XSS, SQLi, and CSRF
  - The account lockout mechanism
  - HTTPS
  - Are weak passwords allowed?

Privacy and Liability
 Privacy concerns
  - Amount of personal info collected
  - Is collected personal info encrypted in transit?
  - Is data anonymized?
 Liability
  - “Old” user license agreements
 Digital devices
  - IoT devices perform physical actions (e.g. turn on lights, unlock doors)

Final Notes
 Manufacturers of IoT devices should be taking steps to secure them now, before the problem becomes unmanageable.
  - Carry out a security review of all devices and components to detect vulnerabilities
  - Apply security standards that all devices need to live up to before production
  - Make security a cornerstone of the production life-cycle

Activity
 In groups of 4-5, prepare a report about an IoT vulnerability:
  - Describe the IoT vulnerability, its causes, consequences, and fixes if any.
  - What is the attack surface area that was targeted?
  - How do you think it could have been mitigated?
