WEBVTT 00:00.000 --> 00:02.415 >> When we talk about the very top option, 00:02.415 --> 00:04.500 passwords, it's funny because 00:04.500 --> 00:06.870 that exists in our own network environments. 00:06.870 --> 00:08.670 More traditional passwords are 00:08.670 --> 00:10.680 always going to be the weakest link. 00:10.680 --> 00:13.785 For one thing, our devices come with default passwords. 00:13.785 --> 00:15.990 There is an attack where over a million devices 00:15.990 --> 00:17.670 that were all from the Internet of Things 00:17.670 --> 00:18.854 >> were used in a botnet 00:18.854 --> 00:20.895 >> to create a denial of service attack. 00:20.895 --> 00:23.010 Ultimately, what the attackers did, 00:23.010 --> 00:25.590 was assume the default password of these devices. 00:25.590 --> 00:27.720 If the device wasn't using the default, 00:27.720 --> 00:29.500 they just moved on to the next one. 00:29.500 --> 00:30.583 That shows you 00:30.583 --> 00:33.219 >> these default passwords can be very difficult. 00:33.219 --> 00:35.530 >> Ideally, we've made some changes there. 00:35.530 --> 00:37.430 We have more randomized passwords, 00:37.430 --> 00:40.010 but certainly a concern. 00:40.190 --> 00:42.900 Insecure network services. 00:42.900 --> 00:45.680 It's estimated over 600,000 devices suffer 00:45.680 --> 00:48.800 >> from this particular vulnerability like open ports 00:48.800 --> 00:50.240 >> and unneeded services that are 00:50.240 --> 00:52.105 provided through these devices. 00:52.105 --> 00:54.500 Typical security vulnerabilities arise 00:54.500 --> 00:55.760 >> where they have additional services 00:55.760 --> 00:56.974 >> that aren't required. 00:56.974 --> 00:58.310 >> Not to mention the fact that 00:58.310 --> 01:00.499 >> it's so easy to add additional devices, 01:00.499 --> 01:02.510 >> which is why we see these insecure services 01:02.510 --> 01:04.710 as being a real issue. 01:05.290 --> 01:07.850 Insecure ecosystem. 01:07.850 --> 01:09.770 When I bring this into my home environment, 01:09.770 --> 01:11.975 I have lots of devices collaborating. 01:11.975 --> 01:13.910 I've got maybe cameras from my Wyze, 01:13.910 --> 01:16.444 >> where I monitor home activity through cameras. 01:16.444 --> 01:18.350 >> Maybe I have of baby monitor, 01:18.350 --> 01:19.610 an ECO Assistant, 01:19.610 --> 01:22.190 a Google Nest thermostat, and a ring doorbell. 01:22.190 --> 01:24.360 We all have these devices. 01:24.360 --> 01:25.790 First of all, trying to get them 01:25.790 --> 01:27.365 to collaborate could be an issue. 01:27.365 --> 01:28.700 But what is this information 01:28.700 --> 01:30.290 >> that is being collected from all of them 01:30.290 --> 01:32.394 >> and where is it going on the back-end? 01:32.394 --> 01:34.270 >> They have Internet access. 01:34.270 --> 01:36.650 I have Internet access in my Wi-Fi network, 01:36.650 --> 01:38.330 what's being reported through the Cloud 01:38.330 --> 01:40.890 to back-end databases? 01:42.140 --> 01:44.760 Lack of security updates. 01:44.760 --> 01:47.104 When's the last time you updated your thermostat, 01:47.104 --> 01:49.070 your lights, or your doorbell? 01:49.070 --> 01:50.690 We don't think to update. 01:50.690 --> 01:52.850 We don't think to monitor these devices 01:52.850 --> 01:55.130 because they've just become a part of her house. 01:55.130 --> 01:57.720 These have embedded computer systems in them. 01:57.720 --> 01:59.330 Like everything, they're often 01:59.330 --> 02:01.010 necessary updates to maintain 02:01.010 --> 02:02.810 the security of these devices. 02:02.810 --> 02:05.000 Then sometimes if the security updates 02:05.000 --> 02:06.425 are rolled out automatically, 02:06.425 --> 02:08.839 that causes functionality problems. 02:08.839 --> 02:10.535 The question would then be, 02:10.535 --> 02:11.780 am I able to roll back 02:11.780 --> 02:14.174 >> if a security function doesn't work? 02:14.174 --> 02:17.300 >> Insecure or outdated components. 02:17.300 --> 02:19.355 Right in line with our last topic. 02:19.355 --> 02:20.660 If you have an Alexa, 02:20.660 --> 02:21.860 every few months a year, 02:21.860 --> 02:23.645 they release an updated component, 02:23.645 --> 02:25.010 then they stop supporting 02:25.010 --> 02:26.420 >> some of the earlier components. 02:26.420 --> 02:27.710 >> We have to think about 02:27.710 --> 02:29.629 >> who we trust to allow into our home. 02:29.629 --> 02:32.375 >> Knowing that businesses are in business to make money, 02:32.375 --> 02:33.500 when we look at these systems 02:33.500 --> 02:36.844 >> and interfaces what capability do the have from input? 02:36.844 --> 02:38.870 >> Have we bought this from a trusted vendor? 02:38.870 --> 02:40.280 Have we purchased these devices 02:40.280 --> 02:42.480 >> from a trusted provider? 02:42.679 --> 02:45.470 >> Probably the greatest concern in my mind 02:45.470 --> 02:47.615 is insufficient privacy protection. 02:47.615 --> 02:50.350 Once again, the law's lagging behind, 02:50.350 --> 02:52.310 what can that information be used for? 02:52.310 --> 02:55.550 Who owns the data that's recorded by my Google device? 02:55.550 --> 02:57.290 We don't have a lot of laws in place now. 02:57.290 --> 02:58.670 Certainly, we don't have 02:58.670 --> 03:01.250 any capability of classifying information. 03:01.250 --> 03:03.850 These devices were designed to assist you. 03:03.850 --> 03:05.820 But that means they are always listening. 03:05.820 --> 03:08.915 If you say, "Hey Siri" and your iPhone comes on, 03:08.915 --> 03:10.040 that tells you your iPhone 03:10.040 --> 03:12.020 >> is just sitting there waiting for that command. 03:12.020 --> 03:13.794 >> It's listening. 03:13.794 --> 03:15.200 >> We hear about these things 03:15.200 --> 03:16.070 >> and then we get shocked 03:16.070 --> 03:17.600 >> when the NSA is found to be listening 03:17.600 --> 03:18.890 >> to be suspected criminals 03:18.890 --> 03:20.750 >> or terrorists through their televisions. 03:20.750 --> 03:22.580 Well, the television is waiting 03:22.580 --> 03:24.430 so you record such and such show. 03:24.430 --> 03:25.890 Of course, it's listening. 03:25.890 --> 03:28.425 When it's listening, what's on the back-end? 03:28.425 --> 03:31.190 What's also listening should be a tremendous concern. 03:31.190 --> 03:32.870 Have you ever said something in 03:32.870 --> 03:35.510 your house and then it shows up on your Amazon list? 03:35.510 --> 03:38.730 That should tell you about the privacy we have. 03:40.160 --> 03:42.765 Data transfer and storage. 03:42.765 --> 03:44.115 What's being stored? 03:44.115 --> 03:45.180 Where is it going? 03:45.180 --> 03:46.439 >> How is it protected? 03:46.439 --> 03:49.340 >> How is my communication protected by these devices? 03:49.340 --> 03:50.600 How is the data that's going 03:50.600 --> 03:52.474 >> from one network device to another, 03:52.474 --> 03:54.220 >> how's any of it protected? 03:54.220 --> 03:56.610 When we think about health care information, 03:56.610 --> 03:57.890 and a lot of health care devices 03:57.890 --> 03:59.480 are modified through networking, 03:59.480 --> 04:01.525 they're part of the Internet of Things. 04:01.525 --> 04:03.380 Well, those health care devices 04:03.380 --> 04:05.405 contain sensitive information. 04:05.405 --> 04:07.640 If it were stored in the traditional sense, 04:07.640 --> 04:09.980 HIPAA guidelines would restrict 04:09.980 --> 04:11.604 >> how that data is stored. 04:11.604 --> 04:14.030 >> When we have these wearable devices that aren't being 04:14.030 --> 04:17.000 communicated via Bluetooth or some other fashion, 04:17.000 --> 04:19.550 the security isn't necessarily as clear. 04:19.550 --> 04:21.560 You have to think about who has access to 04:21.560 --> 04:23.930 these devices on our home or on the network. 04:23.930 --> 04:25.820 Again, I'm really thinking 04:25.820 --> 04:27.740 beyond just our home use when I think about 04:27.740 --> 04:30.275 these IoT devices that are part of the network 04:30.275 --> 04:33.885 and incorporate in maybe a facility management system. 04:33.885 --> 04:36.530 How are the rules for access configured? 04:36.530 --> 04:38.780 There are several different ways. 04:38.780 --> 04:41.015 These rule-based access controls, 04:41.015 --> 04:43.405 there is discretionary access control, 04:43.405 --> 04:45.680 there is mandatory access control. 04:45.680 --> 04:47.030 We'll talk about those three different 04:47.030 --> 04:48.350 access control types, 04:48.350 --> 04:52.130 we are going to find differing degrees of security. 04:53.510 --> 04:55.875 I mentioned this earlier. 04:55.875 --> 04:57.825 Just lack of device management. 04:57.825 --> 05:00.120 Who is updating their thermostat? 05:00.120 --> 05:01.680 Most people aren't. 05:01.680 --> 05:03.435 Who's managing or monitoring? 05:03.435 --> 05:04.550 How do we make sure that 05:04.550 --> 05:06.484 >> when we decommission these devices, 05:06.484 --> 05:09.155 >> that they're truly decommissioned in a safe way? 05:09.155 --> 05:12.365 Can we destroy the device or what's stored locally? 05:12.365 --> 05:14.060 We just don't have a lot of control 05:14.060 --> 05:16.954 >> and a lot of management on these devices. 05:16.954 --> 05:19.670 >> Default settings make these devices 05:19.670 --> 05:21.230 easy to set up and get running. 05:21.230 --> 05:22.220 But once again, 05:22.220 --> 05:24.320 >> if I know your default configurations 05:24.320 --> 05:26.424 >> and can I access your network? 05:26.424 --> 05:29.180 >> Many people don't change those default settings. 05:29.180 --> 05:30.560 Not to mention the fact that with 05:30.560 --> 05:32.420 just a little bit of physical access, 05:32.420 --> 05:35.885 I can usually and sometimes not even physical access, 05:35.885 --> 05:38.674 but I can reset the devices to their factory settings, 05:38.674 --> 05:40.040 which means we're going to come back 05:40.040 --> 05:42.300 to all the defaults as well. 05:43.670 --> 05:46.500 Then a lack of physical hardening. 05:46.500 --> 05:49.130 With these devices, just like any other device, 05:49.130 --> 05:52.130 you can't underestimate the need for physical security. 05:52.130 --> 05:54.125 They need to be tamper-resistant. 05:54.125 --> 05:56.535 We need modes for tamper detection. 05:56.535 --> 05:59.090 Can we implement some device that listens 05:59.090 --> 06:00.859 >> or acts as a man in the middle attack? 06:00.859 --> 06:02.540 >> Do we trust our supply chain? 06:02.540 --> 06:05.345 Do we trust who calls and comes in in our environment? 06:05.345 --> 06:08.395 Just a lot of security considerations for IoT. 06:08.395 --> 06:10.520 What I really believe is we get caught up 06:10.520 --> 06:11.750 >> in the convenience that's offered, 06:11.750 --> 06:12.860 >> that we really fail to think 06:12.860 --> 06:15.750 about the security considerations. 06:15.880 --> 06:18.545 Just some key takeaways. 06:18.545 --> 06:20.980 We have a lot of use for the Internet of Things. 06:20.980 --> 06:22.220 It really has become 06:22.220 --> 06:24.620 just an explosion over the past few years. 06:24.620 --> 06:26.825 We often think of these personal assistants, 06:26.825 --> 06:28.660 these health care devices that we use, 06:28.660 --> 06:30.935 but expands way beyond that. 06:30.935 --> 06:33.110 We have monitoring tools and 06:33.110 --> 06:36.350 configuration capabilities, inventory systems, 06:36.350 --> 06:38.990 all elements that take advantage of these devices 06:38.990 --> 06:41.975 that report maybe to a central management framework. 06:41.975 --> 06:45.205 Ultimately, the capabilities are pretty much unlimited. 06:45.205 --> 06:47.820 However, we have to consider security. 06:47.820 --> 06:51.470 OWASP publishes the top 10 security vulnerabilities 06:51.470 --> 06:52.720 with Internet of Things. 06:52.720 --> 06:55.505 Even though that's not going to be testable per se, 06:55.505 --> 06:57.680 I would certainly be aware of some of those. 06:57.680 --> 07:00.680 Really, all of those vulnerabilities. 07:00.680 --> 07:02.690 They're not going to ask you about it 07:02.690 --> 07:04.849 >> in the context of OWASP. 07:04.849 --> 07:06.560 >> I think being able to pick some of 07:06.560 --> 07:09.140 the security vulnerabilities of IoT out of a list 07:09.140 --> 07:11.750 >> and say, "That would absolutely be appropriate." 07:11.750 --> 07:14.100 >> I think that may.