TWELVEDOT SECURITY DESIGN.BUILD.SECURE

Transcription

1 TWELVEDOT SECURITY DESIGN.BUILD.SECURE 1

2 AGENDA About Us The Threat Landscape IoT Standards Using an ISMS Approach Testing and Evaluation Privacy Considerations 2

3 ABOUT US - YOW based company - Global customer base - Focus on Mobile, Cloud and IoT Security - Sister company focuses on HW/SW R&D - ISO standards are the basis for all our work - Active in ISO standards development - Team of 7+ {partnerships} 3

4 ABOUT ME 20+ years industry experience Chief Security Analysis - TwelveDot & TwelveDot Labs Financial Services, Government, Telecom, and MSP Chair for ISO/IEC SMC-SC27 in Canada Convener ISO/IEC SC27 SWG-M and SWG-IoT 4 Patents Granted & 6 Pending 4

5 WHAT WE DID LAST WEEKEND 5

6 What Are These Two Numbers? Minutes days

7 UNDERSTANDING THE THREAT LANDSCAPE 7

8 NETWORK LAYER

9 APPLICATION LAYER

10 DEVICE LAYER {SENSOR/GATEWAY/CONTROLLER/ETC}

11 THINGS GETTING COMPLICATED

12 APPROACH TO CYBERSECURITY A CyberSec Culture A Shift in Mindset Mgmt Team ISMS lite SDLC Incident Mgmt Standards

13 ISO STANDARDS WG 10 - IoT ISO/IEC IoT Reference Architecture ISO/IEC Use Cases TR {TBD} Vocabulary ISO {TBD} Interoperability SC 27 Study Groups - what is lacking in the current base 13

14 HOW TO LEVERAGE STANDARDS Help to determine deficiencies in your company process and procedures (next sections) Data at risk? both for your company and your solutions PDAC {Plan, Do, Check, Act} Determine executive support for ISMS Align to IT and business objectives for the year and planned projects Make employees part of this process 14

15 USING AN ISMS {ISO 27001} APPROACH Need to build and implement policies and procedures around security and privacy Update your SDLC {yes even startup-up!} ISO Application Security HR hiring practices (i.e. background checks, sec. training ongoing) Data handling (source code repositories, clouds, remote access, breach plan, etc) These are not one time tasks they are on going 15

16 NEED TO THINK ABOUT Vulnerability management {29147} Incident handling {27035} Evaluating 3rd party libraries and source code HW other component manufactures Say what you do, do what you say and be able to prove it 16

17 PRODUCT/SOLUTION Stage Threat Modelling PIA {ISO 29134} and TRA {ISO 27005/8} Know where your source code is and who has access to it These need to part of your SDLC and every solution you consider 17

18 PRODUCT/SOLUTION Ensure you have regression test cases to deal with old vulns Monitor & evaluate 3rd party libraries Evaluate component suppliers {firmware} Industrial Controls {IEC x} 18

19 PRODUCT/SOLUTION Ensure devices/gateways/plcs etc have a method for infield updating Monitor for attacks against field installations Ensure you have a vulnerability mgmt process (29147 & 30111) 19

20 PRIVACY CONSIDERATIONS Conduct an PIA at design stage and when each new major release is developed (ISO 29134} Lots of supporting docs at PCO web site Create a privacy policy and make your employees, customers, and partners aware of it Ensure your development practices align to the privacy policy {many don t} Only collect what you need from any 3rd party 20

21 PRIVACY CONSIDERATIONS If you can use de-identification techniques for longer storage data Ensure you have a data destruction policy and process Ensure you know who has access to your critical data at all times Consider employee terminations and the removal of access 21

22 YOUR TURN Data: Name, age, etc HR, BP, activity, location Link: Bluetooth USB WiFi - SSL Data: User personal Non-encrypted HD No AV nor FW Link: WiFi - SSL Cloud Data: User personal Non-encrypted HD What would your approach be to securing this solution?

23 RECAP Create a culture of security Need to purchase standards sorry they are not free Use good policies and procedures - standards as the baseline Educate your staff to security/privacy risks Create a ISMS lite with the audit outputs for your company Prepare for the day a breach happens - because it will 23

24 THANK-YOU FOR YOUR TIME TODAY Faud Khan 24

25 RISK MANAGEMENT WORKFLOW 1. Resource profiling 2. Risk assessment Describe the resource and rate risk sensitive (Business owner) Identify and rate threats, vulnerabilities, and risks (Information security) 7. Monitoring and audit Continually track changes to the system the may affect the risk profile and perform regular audits (Information security and business owner) 3. Risk evaluation Information security risk management process For an application, system facility, environment, or vendor Decision to accept, avoid, transfer, or mitigate risk (Information security and business owner) 4 Document Document risk decisions including except and mitigation plans (Information security and business owner) 6. Validation 5. Risk mitigation Test the controls to ensure the actual risk exposure matches the desired risk levels (Information security) Implement mitigation plan with specified controls (Resource custodian) 25