OTA & IoT: A Shared and Collaborative Responsibility
Kevin Meynell, Manager, Technical & Operational Engagement
19 June 2018
The number of IoT devices connected to the Internet will be more than 2.5x the global population by 2020 (Gartner)
As more and more devices are connected, privacy and security risks increase.
And most consumers don’t even know it.
What type of risks?
- Unlocking doors, turning on cameras, shutting down critical systems and theft of personal property.
- Large IoT-based attacks have crippled global access to high-profile Internet services for several hours.
- People’s safety might even be at risk.
Real Threats & Incidents
Threats blocked per home, per day: 22 (Source: Symantec)
- Malware blocked: ~8.3/day
- Phishing blocked: ~1.2/day
- Botnets blocked: ~5.4/day
- Scams blocked: ~0.4/day
- Spam blocked: ~1/day
- PUP blocked
Real Threats & Incidents
The Internet Society 2/16/2019
- TRENDnet Webcam (2010): cameras transmitted login credentials in the clear and stored them unencrypted in mobile apps. Anyone who obtained the IP address could log in and view the stream.
- Mirai botnet (2016): huge DDoS attack launched against Dyn using IoT devices. Primarily targeted Linux-based peripherals and IoT devices, using default logins to infect them with malware. Affected major services across the Internet, including Netflix, Amazon, PayPal, Twitter, etc.
- Jeep SUV (2016): researchers were able to use the cellular network and a firmware vulnerability to hijack the CAN bus. They could make it speed up, slow down, and move the power steering servos.
- Cardiac devices (2017): vulnerability in the transmitter that reads device data and remotely shares it. Could administer incorrect pacing and shocks.
Only 2 weeks ago – VPNFilter!
- Targets certain routers & NAS devices with known exploits and/or those using default credentials
- Spies on traffic, overwrites firmware to render devices non-functional, and looks for SCADA industrial control systems
- Persistent: devices need to be factory reset to remove the malware, which is itself disruptive

Industry is not adequately addressing fundamental security, privacy and life-safety issues. Many manufacturers are new to the networking and Internet arena, and lack experience. There are STRONG competitive pressures for speed to market and cost reduction. Security and privacy cost money, require specialized skills, and slow down the development process. The proliferation of devices, and corresponding interactions with other devices, increases the “surface” available for cyberattack. Poorly secured devices affect the security of the Internet and other devices globally, not just locally.
IoT Challenges (in my house)
- Cable modem, router, switch
- 2 x WiFi access points
- 2 Apple Macs, 2 PCs
- iPhones (4), iPads (6), Android tablet, Android phone
- 1 x Synology RAID server (multimedia, backup and security)
- 1 x network printer
- Smart televisions (3), multimedia systems (2), gaming controller (1)
- Home security devices – security cameras (2), burglar alarm, smoke and fire sensors
- Home automation – lighting controls (2), would like to add temperature control
At least 30 devices in use, plus a few redundant ones.
What is going on?
I’m a reasonably astute technical user;
- I bought devices that support SSL/TLS management, IPv6, configurable security, and encrypted data transmission + storage; and,
- I have (some) idea how to do network monitoring.
BUT
- I’m time poor, not at home much, and can’t monitor everything;
- I’ve little/no idea who these devices are communicating with, and who is communicating with them;
- I’ve little/no idea what data is being collected, and where it’s going;
- Many devices have stopped being supported (usually 1-2 years);
- Some of the ‘secure’ aspects have been deprecated (e.g. TLSv1).
The challenges we face
A connected world offers the promise of convenience, efficiency and insight, but creates a platform for shared risk. Many of today’s IoT devices are rushed to market with little consideration for basic security and privacy protections.
New devices, new vulnerabilities
The attributes of many IoT devices present new and unique security challenges compared to traditional computing systems.
Device
- Cost/Size/Functionality
- Volume of identical devices (homogeneity)
- Long service life (often extending far beyond the supported lifetime)
- No or limited upgradability or patching
- Physical security vulnerabilities
Access
- Limited user interfaces (UI)
- Limited visibility into, or control over, internal workings
- Embedded devices
- Unintended uses
- BYOIoT
Key Challenge: IoT Ecosystem
Three dimensions: Apps and Platforms; Cloud & Web Services; Devices & Sensors
- Combination of devices, apps, platforms & services
- Data flows, touch points & disclosures
- Lack of defined standards
Impacts on sustainability issues:
- Lifecycle supportability
- Data retention / ownership
Who is responsible? Developers and users of IoT devices and systems have a collective obligation to ensure they do not expose others and the Internet itself to potential harm. We need a collective approach, addressing security challenges on all fronts.
Two views of IoT Security
Inward Security: focus on potential harms to the health, safety, and privacy of device users and their property stemming from compromised IoT devices and systems.
Outward Security: focus on potential harms that compromised devices and systems can inflict on the Internet and other users.
Example of outward risk: a home appliance may continue to function well as far as the direct user is concerned, and s/he may be unaware that it is part of a botnet participating in a DDoS attack.
Toaster example:
- Someone may use it against you, and remotely decide to burn your hands or even your house (inward security issue)
- Your toaster works OK but is being used for a major DDoS attack (outward security issue)
At ISOC, our focus is on the impact that IoT security and privacy has on the Internet and other users.
The myth of low cost devices
Often claimed that it’s not economical for vendors to maintain low-cost devices
- My PCs and router were cheaper than my smart televisions and cameras
- Windows (7 and above) has regular updates
- My router has periodic firmware and operating system
- Smart televisions got a couple of updates and nothing after 1 year
- Cameras had regular updates for 2 years – then nothing since
So presumably it’s possible to provide ongoing support with sufficient critical mass. How do we encourage/mandate that?
Something must be done!
We want manufacturers and suppliers of consumer IoT devices and services to adopt security and privacy guidelines to protect the Internet and consumers from cyber threats.
Online Trust Alliance
https://otalliance.org/iot/
- Founded as an industry trade organisation in 2007
- 65 members (e.g. DigiCert, Symantec, Verisign, Microsoft, Twitter, Coles)
- Internet Society and OTA merged in April 2017, with OTA members becoming ISOC members
Objectives and activities:
- Promote best practices in protection of user security, privacy and identity, including data stewardship
- Develop meaningful self-regulation
- Consensus-driven process with input from industry and policy-makers
- Multi-stakeholder working group – 100 plus participants
- Face-to-face meetings / public call for comments / ongoing refinement / working group focus
Distinct from other IoT-related frameworks: many others focus just on security or interoperability or privacy, and few take into account the lifecycle issues associated with these offerings, such as how to hand over a smart home or what to do when software upgrades are no longer available for a long-lived device such as a garage door opener. The framework covers devices/sensors, mobile apps and backend services; most frameworks focus on just the devices, but a system is only as strong as its weakest link.
What are we doing?
There are ~40 different IoT industry bodies! BUT…
- OTA decided to take a broad multi-stakeholder approach to assess IoT risks, and address security, privacy and life-cycle sustainability in IoT products and services
- OTA’s IoT Trustworthy Working Group (ITWG) was established in January, chartered with development of an IoT Trust Framework
- Consultation with more than 100 device manufacturers, major retailers, security and privacy experts, consumer testing and advocacy organisations, and governments
- Published the IoT Security & Privacy Trust Framework in March 2016, updated several times; latest version (v2.5) released June 2017
OTA IoT Security & Privacy Trust Framework
40 principles in 4 key areas to secure IoT devices and their data:
- Security – ensure devices use cryptographic protocols by default, open only the physical and virtual ports and services that are required, regularly monitor security settings, provide verifiable patches
- User Access & Credentials – strong authentication, storage of credentials, and anti-brute-forcing measures
- Privacy, Disclosure & Transparency – what data is being transferred, only collecting data with affirmative user support, disclose end-of-life security and patch support
- Notifications – sending authenticated messages to users
Okay, but so what?
- Other IoT frameworks exist (e.g. OWASP, IoTSF), but tend to focus on specific areas like interoperability and security
- OTA is arguably the only holistic IoT framework – security, privacy and lifecycle – although it overlaps with many of the others
- More than 100 stakeholders from industry, government and consumer advocates contributed to the Framework
- Several leading manufacturers have agreed to support it, and several retailers are planning to use the OTA framework as a filter for carrying products
- Working with consumer testing and review organisations (e.g. Consumers International) – initially producing rankings, then certification programmes
- The Framework is conformant with the NTIA IoT Multistakeholder recommendations
IoT Trust by Design
- Work with manufacturers and suppliers to adopt and implement the OTA IoT Trust Framework
- Mobilize consumers to drive demand for security and privacy capabilities as a market differentiator
- Encourage policy and regulations to push for better security and privacy features in IoT
Consumers: we want to raise awareness of the privacy and security risks and encourage consumers to voice their concerns.
Policymakers and Regulators: we want policymakers to create a policy environment that favors strong security and privacy features in IoT products and services.
- Connect us with manufacturers and suppliers providing IoT products and services to adopt the OTA IoT Trust Framework
- Help us spread the word about the privacy and security risks of consumer IoT products and services
- Encourage policymakers to support better security and privacy features in IoT offerings
- Promote OTA recommendations to policymakers, as captured in the IoT Security for Policymakers paper
- Suggest key events and partners to broaden awareness of IoT security and privacy
- Recommend civil society and other partners to help us extend our reach