
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Milton Smith, Sr. Principal Security PM, Java Platform Group, September 2014. Twitter:


3 Security and the Internet of Things: Preparing for the Internet of Stings
Milton Smith, Sr. Principal Security PM, Java Platform Group, September 2014
Twitter: @spoofzu  Blog: securitycurmudgeon.com

4 Who is this Guy? My background
- Role: strategic security leader working to influence the Java team and internal teams, engage researchers, and do industry outreach
- Background: many years of application programming and security
- Former employer: Yahoo!, lead security for the User Data Analytics property

5 Program Agenda
- Internet of Things Background
- Internet of Things Security Threats
- Platform Features, Countermeasures, Monitoring
- Resources

6 Internet of Things Background: about Oracle IoT…

7 IoT Characteristics – Devices
- Geographically dispersed
- Millions deployed (>10^6)
- Diverse sophistication & capabilities
- Vast quantity of data

8 IoT Characteristics – Infrastructure
- Rapid device onboarding
- Shared application services
- End-to-end security
- Performance

9 IoT Characteristics – Applications
- Many industry verticals
- Many stakeholders
- Deploy local or in cloud
- Integrate legacy systems

10 Exploring Internet of Things: some history and what's required…
- Telcos are experts and have provisioned millions of devices for many years
- Massive Internet web applications like Google, Yahoo, Facebook, Twitter, etc.
- No industry-standardized device platforms supporting different lines of business; current platforms are proprietary
- Generalized cloud service model for devices: IoT

11 Internet of Things Architecture: broad view of a big platform…
[Architecture diagram; component labels: Edge Devices, Smart Devices, Gateway Devices, Identity, Application Infrastructure, Security, Big Data, Relational, Diverse Applications]

12 Internet of Things vs. n-Tier
Similarities:
- Network & application services infrastructure
- Applications = millions of browser end-points; IoT = millions of device end-points
- Security controls (in transport / at rest)
Differences:
- Humans = self-provisioning; devices = must be provisioned
- Browsers very standard; devices very different
- Browsers can be upgraded/patched; devices more difficult

13 IoT Security Threats: defending the device cloud…

14 IoT Threats – DDoS (an overview…)
- Deny business operations
- Loss of revenue
- Compliance concerns

15 IoT Threats – Reconnaissance
- Physical network, PCAPs
- Devices, cameras
- Servers, applications
- Surveillance for cross-compromise

16 IoT Threats – Info Disclosure
- Exfiltrate logs, app metadata, crypto keys, URL parameters
- Passwords

17 IoT Threats – Path Traversal
- Easy-to-guess URIs
- Brute force
- Apps: usr/doc/mydoc.txt
- OS: etc/passwd
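The defensive counterpart to the path traversal slide, written as an added example (hypothetical helper class, not Oracle's or the presentation's code): a document name supplied by a client is resolved against a fixed base directory and rejected if, after normalising ".." segments or following symlinks, it lands outside that directory, which is what stops requests aimed at etc/passwd.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper: maps a client-supplied document name onto a fixed base
 *  directory and refuses anything that resolves outside it. Not Oracle code. */
public final class SafeDocumentResolver {
    private final Path baseDir;

    public SafeDocumentResolver(Path baseDir) throws IOException {
        // Canonicalise the base once so symlinks in the base path itself
        // cannot make the later prefix comparison fail or succeed spuriously.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the canonical file inside baseDir, or throws if the request escapes it. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing document name");
        }
        // resolve() keeps an absolute argument as-is, so "/etc/passwd" survives
        // to the check below; normalize() collapses "..", "." and "//".
        Path candidate = baseDir.resolve(requested).normalize();
        // First check needs no filesystem access: rejects "../../etc/passwd"
        // even when the target does not exist on this host.
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path traversal rejected: " + requested);
        }
        // Second check follows symlinks, so a link planted inside baseDir that
        // points at etc/passwd is caught as well.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("symlink escapes base directory: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("docs");   // constructed sample base dir
        Files.write(base.resolve("mydoc.txt"), "hello".getBytes());
        SafeDocumentResolver docs = new SafeDocumentResolver(base);
        System.out.println("ok: " + docs.resolve("mydoc.txt"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "usr/../../etc/passwd"}) {
            try {
                docs.resolve(bad);
            } catch (SecurityException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

Path.startsWith compares whole name elements, so a base of /srv/docs does not accidentally accept /srv/docs2/x.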

18 IoT Threats – Phishing
- Links in email
- Common industry concern
- Need to defend deep links

19 IoT Threats – Session Hijacking
- Steal HTTPS session id (e.g., JSESSIONID)
- Cookie stealing

20 IoT Threats – SSL/TLS Attacks
- Renegotiation
- Known-weak cipher suites
- TLS session key disclosure
- Weak encryption
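A server-side countermeasure for the renegotiation and weak-cipher-suite items above, added here as an example in Java's JSSE API (hypothetical class, not Oracle's or the presentation's code; it assumes the server key store is configured through the standard javax.net.ssl.keyStore system properties): the listener is pinned to TLS 1.2, client-initiated renegotiation is refused, and the JVM's supported suite list is filtered down before it is enabled.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Hypothetical server-side TLS hardening for a Java (JSSE) listener; not Oracle code. */
public final class TlsHardening {
    // Name fragments that mark suites to keep disabled: NULL/anonymous suites,
    // RC4, single and triple DES, export-grade keys and MD5 MACs.
    static final List<String> WEAK_MARKERS =
        Arrays.asList("_NULL_", "_anon_", "_RC4_", "_DES_", "3DES", "_EXPORT_", "_MD5");

    /** Keeps only TLS_* suites that contain none of the weak markers. */
    static String[] strongSuites(String[] supported) {
        return Arrays.stream(supported)
            .filter(s -> s.startsWith("TLS_"))            // drop legacy SSL_* names
            .filter(s -> WEAK_MARKERS.stream().noneMatch(s::contains))
            .toArray(String[]::new);
    }

    /** Creates a listening socket restricted to TLS 1.2 and the filtered suite list.
     *  Assumes the server key store is supplied via javax.net.ssl.keyStore /
     *  javax.net.ssl.keyStorePassword. */
    static SSLServerSocket hardenedServerSocket(int port) throws Exception {
        // Must be set before JSSE initialises; refuses client-initiated
        // renegotiation (the "Renegotiation" item on the slide).
        System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setEnabledProtocols(new String[] {"TLSv1.2"});
        server.setEnabledCipherSuites(strongSuites(server.getSupportedCipherSuites()));
        return server;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket s = hardenedServerSocket(0);   // 0 = any free port
        System.out.println("protocols: " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(s.getEnabledCipherSuites()));
        s.close();
    }
}
```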

21 IoT Threats – Device Spoof / MITM
- Rogue CA, forged keys
- No transport encryption
- Failed / improper (de)provisioning

22 IoT Threats – Inappropriate Policy
- Intentional or unintentional
- Unauthorized access

23 IoT Threats – Security Patching
- Increases risk of compromise
- Vulnerabilities & security alerts; patching important

24 IoT Threats – Bad Privilege Assignments
- Any component: device, application, operating system

25 Platform features, countermeasures, monitoring: an overview of IoT security controls…

26 Defending – Devices (protecting millions of devices…)
- Isolated cryptographic processing
- Hardware-protected credentials and keys
- Strong authentication for all components

27 Defending – Devices (cont'd)
- Cryptographic keys and key management
- Platform attestation and secure boot
- Isolation across many layers: protocol from browser/application, application from container, container from operating system

28 Defending – Datacenter (new and existing security controls…)
- Network isolation, firewalls
- Log management (diagnostic / security, compliance)
- Mitigate vulnerable apps while they are being fixed: WAFs
- Industry standards like HTTPS, LDAP, and OAuth2

29 Defending – Datacenter (cont'd)
- Anti-virus (AV), malware detection, quarantine for untrusted uploads
- System policy & configuration review
- Common logging framework (Win, *NIX, JSR-47): security / diagnostic; compliance handled separately
- Exfiltration control

30 Defending – Application Infrastructure (shared supporting application services…)
- Anti-password-cracking controls
- Multi-factor authentication
- Continuous automated dynamic analysis, both in-house and 3rd party

31 Defending – Application Infrastructure (cont'd)
- Centralized logging framework (JSR-47)
- Revocation services (ensure trust)
- Application domain integrity controls & policy

32 Defending – Application Development Process (software defenses…)
- Oracle software development policies & secure coding standards
- Standard security controls: static analysis, dynamic analysis, fuzzing, open source (FindBugs)
- Different tools for different layers: Java platform, application infrastructure, Java web applications

33 Defending – Application Development Process (cont'd)
- Security challenges differ depending on deployment model (Oracle cloud vs. private cloud)
- No introduction of unreviewed open source
- Production servers air-locked against unauthorized change; exceptional processes with management approval
- Secure coding practices for Oracle components (certification for non-Oracle components)

34 Defending – Production Deployment Process (standardize and control production deployment…)
- Approved cryptographic algorithms based upon the domain of the application
- Approved security hardening & configuration standards for each type of component: OS, application server, database, LDAP, etc.
- Build servers exclusively from standardized images based on approved hardening standards; no one-off builds

35 Defending – 3rd Party Integration (including open and commercial source…)
- No assurance 3rd parties conform to Oracle security policies or specifications
- Increased transparency, 3rd-party code view, contractual obligations
- Understand development processes, independent test certification, move away from "faith-based" approaches; trust but verify

36 Resources: learn more about the Internet of Things…

37 Links
- Oracle IoT Landing Page: http://www.oracle.com/us/solutions/internetofthings/overview/index.html
- Java Platform Group, Security Landing Page: http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html

38 Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Confidential – Internal/Restricted/Highly Restricted
