Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Similar documents
K12 Cybersecurity Roadmap

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Designing and Building a Cybersecurity Program

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

ISE North America Leadership Summit and Awards

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

CCISO Blueprint v1. EC-Council

IoT & SCADA Cyber Security Services

Cyber Protections: First Step, Risk Assessment

The Common Controls Framework BY ADOBE

NEN The Education Network

Automating the Top 20 CIS Critical Security Controls

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

RiskSense Attack Surface Validation for IoT Systems

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

TIPS FOR AUDITING CYBERSECURITY

Protect Your Organization from Cyber Attacks

SDLC Maturity Models

CISO as Change Agent: Getting to Yes

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

MIS Week 9 Host Hardening

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

10 FOCUS AREAS FOR BREACH PREVENTION

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Manchester Metropolitan University Information Security Strategy

Effective Strategies for Managing Cybersecurity Risks

Internet of Things Toolkit for Small and Medium Businesses

FDIC InTREx What Documentation Are You Expected to Have?

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Cyber Security Program

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

VIVOTEK. Security Hardening Guide

NYDFS Cybersecurity Regulations

WHO AM I? Been working in IT Security since 1992

Carbon Black PCI Compliance Mapping Checklist

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

External Supplier Control Obligations. Cyber Security

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

security mindfulness dwayne.

Protecting your data. EY s approach to data privacy and information security

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

Google Cloud & the General Data Protection Regulation (GDPR)

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Security Operations & Analytics Services

How Breaches Really Happen

Cybersecurity for Service Providers

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Cloud Customer Architecture for Securing Workloads on Cloud Services

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Cybersecurity Today Avoid Becoming a News Headline

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Building a Resilient Security Posture for Effective Breach Prevention

Sage Data Security Services Directory

CyberSecurity: Top 20 Controls

Understanding IT Audit and Risk Management

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Les joies et les peines de la transformation numérique

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Department of Management Services REQUEST FOR INFORMATION

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

University of Pittsburgh Security Assessment Questionnaire (v1.7)

CISM Certified Information Security Manager

Cyber Risks in the Boardroom Conference

locuz.com SOC Services

Security Solutions. Overview. Business Needs

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

INTELLIGENCE DRIVEN GRC FOR SECURITY

SECURITY & PRIVACY DOCUMENTATION

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

CYBERSECURITY MATURITY ASSESSMENT

Checklist: Credit Union Information Security and Privacy Policies

Avanade s Approach to Client Data Protection

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

TEL2813/IS2820 Security Management

CYBER SECURITY AIR TRANSPORT IT SUMMIT

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

Securing Your Cloud Introduction Presentation

Business Continuity Management Standards A Side-by-Side Comparison

Healthcare HIPAA and Cybersecurity Update

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CoreMax Consulting s Cyber Security Roadmap

Security Incident Management in Microsoft Dynamics 365

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.

Transcription:

Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin

Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP top 10 Risk Assessment for IoT Planning Questions Approach IT Controls for IoT Do s and Don ts for IoT Question and Answer

So, what are these things anyway? Components of IOT Data collection sensors and actuators that collect create store transmit and act on data Connectivity WiFi, NFC, BlueTooth, NB-IoT, Wired, cellular, internal and external networks and services People and Processes, risk management manage devices and data in alignment with strategic objectives and risk management goals

They re Everywhere Internet of Things now, Internet of Everything soon. IPv6 means that every atom on the surface of the earth could be assigned an IP address Multifunction printers Building Management Systems Lighting controllers Smartboards Elevator controllers IP phones IP cameras Timeclocks IP radios Physical Actuators Smart plugs Smart Speakers

What Could Go Wrong? Threat Exposure Probability Impact Risk Increasing attacks and vulnerabilities Ineffective Control Environment High Likelihood Loss of CIA Privacy Physical Actuation Reduced visibility into common vulnerabilities and enumerations these devices do not often appear in threat intelligence feeds Reduced manufacturer support cycles Traditional 5-7 year support before EOL is uncommon in this space, especially in consumer oriented devices Reduced configuration management controls, practices and procedures, both technical and operational; including configuration checklists, ongoing assurance monitoring and inconsistent patching or the availability of updates Limited technical expertise, familiarity and consistency of control application Low Maturity of implementation and continuous monitoring of controls Lack of understanding and acknowledgement that all of these devices, almost without exception are Linux based servers that have similar security risks and threat vectors as many full-fledged traditional platform based information systems, with additional sensing capabilities

For the Lack of a Control, a Vulnerability OWASP Top 10 Insecure Web Interface Insufficient Authentication/ Authorization Insecure Network Services Lack of Transport Encryption Privacy Concerns Insecure Cloud Interface Insecure Mobile Interface Insufficient Configurability Insecure Soft/Firmware Poor Physical Security Critical Security Controls (CSC) CSC 3: Secure Configurations CSC 5: Controlled Administrative Privileges CSC 9: Ports & Services CSC 15: Wireless Access Control CSC 11: Secure Configurations CSC 13: Data Protection CSC 3: Secure Configurations CSC 3: Secure Configurations CSC 18: Application Software Security CSC 5: Controlled Administrative Privileges CSC 6: Logging, Data Recovery CSC 4: Vulnerability Assessments CSC 20: Pen Testing & Red Team CSC 14: Controlled Access

Risk Assessment Risk assessment is a process by which an auditor identifies and evaluates the quantity of the organization s risks and the quality of its controls over those risks

Risk Assessment Planning for IoT Key Considerations Assessment should analyze the risks inherent in a given business line or process, the mitigating controls processes, and the resulting residual risk exposure to the institution Assessment should be well documented and dynamic, reflecting changes to the system of internal controls, infrastructure, work processes and new/changed business lines or laws and regulations. Assessment should consider thematic control issues, risk tolerance, and governance within the organization Assessment may be qualitative and quantitative and include factors such as impact/likelihood of an event occurring Assessment should be formally documented and supported with written analysis of the risks Assessment should include specific rationale for the overall auditable entity score Assessment results should be provided to the audit committee and include the most significant risks, as well as how those risks have been addressed in the audit plan

Risk Assessment Questions for IoT How will the device be used from a business perspective? What business processes are supported and what business value is expected to be generated? What is the threat environment for the device? What threats are anticipated and how will they be mitigated? Who will have access to the device and how will their identities be established and proven? What is the process for updating the device in the event of a published attack or vulnerability? Who is responsible for monitoring for new attacks or vulnerabilities pertaining to the device? Have all risk scenarios been evaluated and compared to anticipated business value? What personal information is collected, stored or processed by the IoT devices and systems? Do the individuals about whom the personal information applies know that their information is being collected and used? Have they given consent to such uses and collection? With whom will the data be shared/disclosed?

Risk Assessment Approach for IoT Health and Safety Monitoring Security Scoping IoT Systems Resilience Security - Perform a vulnerability assessment of such devices and consider conducting penetration tests on those systems periodically. Resilience - Assess whether controls are in place to recover IoT systems in the event of a failure. Health and Safety - Assess whether such IoT systems have undergone sufficient testing using appropriate test cases before being deployed into production. Monitoring - Assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. Scoping of IoT systems - Assess where and when IoT systems are deployed by different departments and prioritize IoT systems audits according to their criticality and sensitivity.

IT Controls for IoT IT Controls Validate the existence and completeness of an inventory of IoT devices with designated owners Critical Security Controls (CSC) CSC 1: Inventory of Authorized and Unauthorized Devices Ensure the use of Hardening Guides and checklists specific for each class of IoT device Verify that network diagrams exist depicting what segments of the network contain these devices and how they are isolated from segments containing proprietary, GLB, PCI, PII and HPI data. CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 12: Boundary Defense Ensure configuration records are being captured (preferred automatically) for each IoT device attached to the corporate network CSC 4: Continuous Vulnerability Management and Remediation

IT Controls for IoT IT Controls Validate that patching procedures have been developed for IoT devices, and that devices which can't or don't allow for firmware updates are documented in exception management with tested compensating controls Critical Security Controls (CSC) CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches Verify that user awareness training has been provided to everyone who installs, maintains, or uses these devices Assess the completeness of IoT device activity monitoring and logging procedures CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs Ensure the Incident Response Plan articulates how to conduct triage, analysis, containment, and eradication of various IoT targeted exploits, including the results of a round table exercise that involves an IoT scenario CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises

IoT Do s Do s Prepare a threat model. Evaluate business value. Holistically evaluate and manage risk. Balance risk and rewards. Notify all stakeholders of anticipated usage. Engage with business teams early. Gather all stakeholders to ensure engagement and thorough planning. Look for points of integration with existing security and operational protections. Examine and document information that is collected and transmitted by devices to analyze possible privacy impacts. Discuss with relevant stakeholders when, how and with whom that information will be shared and under what circumstances.

IoT Don ts Don ts Deploy quickly without consulting business or other stakeholders. Disregard existing policy requirements, such as security and privacy. Ignore regulatory mandates. Assume vendors (hardware, software, middleware or any other) have thought through your particular usage or security requirements. Disregard device-specific attacks or vulnerabilities. Discount privacy considerations or "hide" data that are collected/transmitted from end users.

Resources OWASP Internet of Things Security Project https://www.owasp.org/index.php/owasp_internet_of_things_proj ect#tab=main OWASP Foundational Security Checklist https://www.owasp.org/index.php/iot_security_guidance#consum er_iot_security_guidance CIS IoT Security Companion https://www.cisecurity.org/wp-content/uploads/2017/03/cis- Controls-IoT-Security-Companion-201501015.pdf?x60581 IoT Security Foundation Security Compliance Framework https://iotsecurityfoundation.org/wp-content/uploads/2016/12/iot- Security-Compliance-Framework.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback