Presentation is loading. Please wait.

Presentation is loading. Please wait.

NETWORK RESILIENCE WORKGROUP

Published byJasper Kneller Modified over 6 years ago

Similar presentations

Presentation on theme: "NETWORK RESILIENCE WORKGROUP"— Presentation transcript:

1 NETWORK RESILIENCE WORKGROUP
SEPTEMBER 5, 2018

2 THE INTERNET CONNECTS THINGS
Computers Laptops Phones Things While we think of computers or phones as connected devices, there are now more connected objects than phones or computers, and this is the fastest growing segment of devices on the Internet. These objects are often made by companies with strong domain expertise but little cybersecurity background.

3 CRIMINALS LEVERAGE INSECURE IOT DEVICES
In 2016, a college student named Jha Paras wrote software that took over hundreds of thousands of closed-circuit TV cameras, and used them as part of a “mafia” style protection racquet. He tried to sell Internet-based businesses “protection” against losing their Internet services. If they didn’t pay up, he would use the connected computers inside the cameras to flood his victim with garbage Internet traffic and prevent legitimate users from getting through. Then he’d ask if they’d changed their mind about paying up. Jha’s “botnet” software – Mirai – set records for the size of such an attack… and it’s available online. Jha Mirai Botnet

4 NEED TO PROTECT IOT DEVICES TO PROTECT INTERNET
The Internet is used to take over IoT devices, which in turn launch new attacks. To break the cycle, we must protect IoT devices from Internet-based threats.

5 TWO WAYS TO IMPROVE IOT DEVICE SECURITY
x x We can either build better, more secure IoT devices or we can restrict access to them. Improving the security of IoT device software through standards, practices, certification, regulation, and consumer transparency is important work that will improve the security of IoT devices when they ship and throughout their lifespan. Many of you are engaged in it, and there is broad industry interest. But software security is challenging, and even devices from reputable companies may end up outliving their software support, and well-intentioned companies will ship products that are insecure out of the box. So far, the network resiliency group has focused on improving access control to IoT devices, to make it more challenging for bad actors to take control of them or for suborned devices to do additional harm.

6 SECURE HOME GATEWAY Home Security Appliances Sensors Management
Application IoT Cloud Services CIRA and other participants in the network resilience group have been working together to prototype a home gateway that protects IoT devices and the Internet at large, and provides users control over how IoT devices connect. It uses open source code – OpenWRT – implements emerging standards, and will contribute back code and standards changes to the community. There are a number of challenges involved.

7 PREREQUISITE: UNIQUE WIFI KEYS
Before we can restrict access within the home, we need to address a problem. We have given all of our connected devices – all of our house-guests – copies of the same key. It is the key to the house, not to a room, and we can’t control who goes where or stop our guests from cutting new key copies. And if we change the locks, we must hand out new keys to everyone whom we wish to stay. A better model for us is the hotel, where each guest is given a different key. And when it’s time for a guest to check out, we render their key – and only their key -- useless. Together with Algonquin College, I have a demonstration of this on WiFi: one SSID (network name) and pairs of passwords and MAC addresses (WiFi device identifiers). Our demo uses an app to generate device passwords, so it also removes the need for the user to remember or read off from the router’s label the WiFi password. Locking passwords to MAC addresses in this way gives a cryptographic guarantee to simple MAC-based firewall rules. No WiFi devices can successfully impersonate each other.

8 BUILDING ACCESS CONTROL POLICIES
IETF Manufacturer Usage Description (MUD) specification aids IoT device provisioning and automated network access control I’m an ACME water sensor - MUD File at: MUD FILE: - I have WIFI & apply the water sensor access policy - I need to upgrade my firmware at - Configure me at - Alerts available at A new draft standard – the Internet Engineering Task Force’s Manufacturer’s Usage Description -- allows devices to suggest appropriate policies to the network by giving out a link to a policy file. The policy file helps indicate what Internet sites the device should have access to or be accessed from, and what traffic types are allowed. Prototyping using it should help to address challenges around how to signal the policy file to the network, how a network should treat changes to the policy file that might come as a result of a device upgrade, how a network can seek user approval of or modifications to device polices, and what role there can be for third-party security software. This kind of policy management problem is similar to what we see with app permissions on phones – there may be lessons we can learn.

9 High Level MUD & IoT Device Provisioning Workflow
SHG ACME.CORP MUD Repository (1) CIRA SHG MUD Repository MUD Supervisor (3) User accepts provisioning instructions (2) Send to CIRA (2) Get vendor MUD file SHG App MUD Controller (IP Tables) In this diagram of the CIRA policy prototype being developed, there is a cloud service that can rewrite manufacturer policies. This gives the flexibility to tighten policies based on behavioural analysis or public vulnerabilities, or to provide policy support even when a manufacturer doesn’t. We are not limited to the manufacturer’s usage description as a policy source. (1) (4) (4) IoT device added to network with specific network access controls Network Access control: Allow access to ACME.CORP Allow to send alerts internally Allow to be configured by app Deny all other internet access (1) Scan MUD QR code & send to MUD controller MUD QR Code ACME.CORP IoT Water Sensor github.com/CIRALabs

10 Prototyping IoT security measures – in the network
JOIN IN! Prototyping IoT security measures – in the network Participation welcome! We are prototyping Internet of Things security measures, for home and SMB. We intend to contribute back to the IETF and open source communities to add a missing layer of network-based defence. We are very much open to new ideas, and we welcome participation from any stakeholder. Joining us on slack is a good first step.

Download ppt "NETWORK RESILIENCE WORKGROUP"

Similar presentations

Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
Configuring your Home Network Configuring your Home Network Jay Ferron ADMT, CISM, CISSP, MCDBA, MCSE, MCT, NSA-IAM.

Configuring your Home Network Configuring your Home Network Jay Ferron ADMT, CISM, CISSP, MCDBA, MCSE, MCT, NSA-IAM.
Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.

Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Presented by Serge Kpan LTEC 4550.020 Network Systems Administration 1.

Presented by Serge Kpan LTEC Network Systems Administration 1.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
LTEC 4560 Summer 2012 Justin Kappel Networking Components.

LTEC 4560 Summer 2012 Justin Kappel Networking Components.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Connecting to the Network Networking for Home and Small Businesses.
C OMPUTER C ONCEPTS Unit 1 Concept 3 – Solving Technological Problems.

C OMPUTER C ONCEPTS Unit 1 Concept 3 – Solving Technological Problems.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more Deke Kassabian, April 2007.

Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more Deke Kassabian, April 2007.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Unit 2 (task 28) In this PowerPoint I will tell you about 7 important IT job roles and if a candidate might want one what he would have to do to get one.

Unit 2 (task 28) In this PowerPoint I will tell you about 7 important IT job roles and if a candidate might want one what he would have to do to get one.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.

COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
Chapter 7 Part 2 Networks. Why would I ever consider a wired network connection over a wireless? – Wireless signals are more susceptible to interference.

Chapter 7 Part 2 Networks. Why would I ever consider a wired network connection over a wireless? – Wireless signals are more susceptible to interference.
Mr C Johnston ICT Teacher www.computechedu.co.uk BTEC IT Unit 09 - Lesson 11 Network Security.

Mr C Johnston ICT Teacher BTEC IT Unit 09 - Lesson 11 Network Security.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID # 0435738.

SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Networks and Security Great Demo

Networks and Security Great Demo
PROTECTING YOUR DATA THREATS TO YOUR DATA SECURITY.

PROTECTING YOUR DATA THREATS TO YOUR DATA SECURITY.

Similar presentations

Ads by Google