WEBVTT

00:00.270 --> 00:06.210
One of the coolest things about being in today's Internet is that our universe is filled with all of

00:06.210 --> 00:10.260
these amazing devices that I'm going to call static hosts.

00:10.260 --> 00:15.720
Now you might also hear the term Internet of Things, but it basically boils down to those zillions

00:15.720 --> 00:21.030
of devices out there that have some form of embedded operating system.

00:21.030 --> 00:28.380
And they also have some type of network awareness so gosh I could go from a Google Home box to a Nest

00:28.380 --> 00:33.030
thermostat to a home router to a game controller.

00:33.030 --> 00:37.210
There are so many things out there that fit underneath that criteria.

00:37.530 --> 00:41.320
Now a lot of people would argue that mobile devices are static hosts.

00:41.370 --> 00:47.760
They certainly have a specific operating system and it's also stored on firmware and they're very much

00:48.180 --> 00:49.470
internet aware.

00:49.470 --> 00:54.240
However these are kind of general purpose devices so when we're talking about a static host usually

00:54.240 --> 00:59.700
the best idea is to think about a device that's designed to do a specific thing.

01:00.000 --> 01:03.150
So there are arguments for mobile devices being static.

01:03.150 --> 01:08.190
However I'm going to save all that for their own episode and we can go into the security of mobile devices

01:08.190 --> 01:11.530
in great detail but there's lots of static hosts all around us.

01:11.530 --> 01:13.320
I mean look what I got right in front of me here.

01:13.440 --> 01:15.790
I've got a wireless access point.

01:15.810 --> 01:17.500
I've got a nice switch here.

01:17.520 --> 01:19.730
Got an old but good router right in front of me.

01:19.740 --> 01:22.720
I've got a network aware printer right here.

01:22.740 --> 01:28.280
All of these are single purpose devices whose job is to do whatever they are supposed to do.

01:28.280 --> 01:34.320
They are network aware very much network aware and they have some form of operating system stored on

01:34.320 --> 01:36.740
some kind of firmware so these are all static.

01:36.840 --> 01:38.050
Now I'm not done yet.

01:38.070 --> 01:38.970
Let's keep going here.

01:39.000 --> 01:44.400
Let's take it up to more of an industrial level and talk about some of the stuff that we see for example.

01:44.460 --> 01:51.570
Industrial control systems: everything we do when it comes to industrial anything these days usually

01:51.570 --> 01:56.850
means you've got some kind of machine, some kind of something with a computer that is network aware,

01:57.120 --> 01:58.310
that is single purpose.

01:58.440 --> 02:01.640
which is going to control that thing to make it do whatever it wants to do.

02:01.650 --> 02:06.600
So I don't care if you're baking bread or making motherboards there's invariably going to be some type

02:06.780 --> 02:08.520
of industrial control system.

02:08.580 --> 02:14.010
Now probably one of the more famous industrial control systems is heating ventilation and air conditioning

02:14.010 --> 02:16.080
systems, or HVAC.

02:16.080 --> 02:22.020
Pretty much any office building, any industrial building today has an HVAC system, and all of that is

02:22.020 --> 02:28.920
powered by some type of specialized computer whose only job is to keep us warm or to keep us cool.

02:28.920 --> 02:31.930
Now we can even take it one step further than that.

02:31.950 --> 02:36.870
What I want to do is take the idea of industrial control and take it out over long distance.

02:36.870 --> 02:38.540
We have a lot of situations.

02:38.550 --> 02:45.170
Railroads, oil pipelines, electrical distribution systems that require industrial controls.

02:45.180 --> 02:51.180
But because of their physical distances involved they actually go into a whole new class of devices

02:51.450 --> 02:56.810
that we call supervisory control and data acquisition systems, or SCADA.

02:57.090 --> 03:02.730
So SCADA systems are pretty much ICS, but the only big difference is they usually have to have

03:02.730 --> 03:08.460
some kind of like a cellular connection or something like that they have a lot of autonomy to make sure

03:08.460 --> 03:11.100
that they can do whatever they have to do.

03:11.130 --> 03:16.520
So there is a lot of stuff out there that we have to deal with when it comes to static hosts.

03:16.530 --> 03:19.150
So the big question is, how do we secure them?

03:23.440 --> 03:29.560
The biggest challenge to securing static hosts is understanding that in many ways they are like any

03:29.560 --> 03:32.050
other type of host and in many ways they're not.

03:32.050 --> 03:39.290
So first of all they act a lot like any regular host in that, just like a regular Windows system for example,

03:39.400 --> 03:41.420
it will have user accounts with passwords.

03:41.440 --> 03:46.320
This has user accounts with passwords and invariably it's going to have some default user account password.

03:46.320 --> 03:48.650
You know what you probably want to change that.

03:48.850 --> 03:53.090
Also like a regular host you want to turn off unnecessary services.

03:53.110 --> 03:57.850
This particular router right here has a built in telnet server which I don't like to have turned on.

03:57.930 --> 04:00.200
It has an SSH server, which is fine with me.

04:00.310 --> 04:03.200
So I make sure to turn off that telnet server.

04:03.250 --> 04:09.490
So the first thing you're going to do when you're dealing with a static host is think about that static

04:09.490 --> 04:10.810
host as a regular host.

04:10.810 --> 04:13.030
There's a lot of things that you can take care of.

04:13.030 --> 04:18.640
However the other problem with static hosts is that they don't act like a regular host in many ways.

04:18.760 --> 04:24.430
I don't have any Windows Update that comes with this that automatically updates the built in operating

04:24.430 --> 04:25.220
system.

04:25.240 --> 04:31.660
I don't have any anti-malware on this guy that allows me to make sure I'm not being corrupted by something.

04:31.660 --> 04:39.100
So when you have static hosts in your life you're going to spend a lot of time monitoring your network

04:39.100 --> 04:43.070
monitoring what's going on out there and making firmware updates.

04:43.090 --> 04:49.600
Hopefully. A lot will depend on the device. You run into a lot of interesting problems, like for example

04:49.600 --> 04:52.330
a very popular brand of home routers.

04:52.330 --> 04:57.670
People discovered fairly recently you could just type something into a screen and it would automatically

04:57.670 --> 04:59.630
allow you to take full control of them.

04:59.650 --> 05:04.630
A wonderful injection attack, but it's because I watch the news that I discovered something like that.

05:04.750 --> 05:06.670
Also this is a Cisco device.

05:06.670 --> 05:12.400
I tend to live on the Cisco sites always watching for particular problems for any piece of firmware

05:12.400 --> 05:13.480
that needs an update.

05:13.570 --> 05:15.810
And then I'll go ahead and do those updates.

05:15.910 --> 05:20.940
And in 99 percent of the cases it's a manual thing that you have to watch manually.

05:20.960 --> 05:28.030
Now that's great but there's a lot of aspects about this device that you're not going to be able to

05:28.030 --> 05:28.750
do anything about.

05:28.750 --> 05:33.540
For example there is no anti-malware built into the Cisco router.

05:33.610 --> 05:38.920
There are things I'm going to have to do to protect this and I can't do it on the device itself.

05:38.980 --> 05:41.850
So I start to create layers of protection around it.

05:41.860 --> 05:44.320
Or what we call defense in depth.

05:44.320 --> 05:48.730
And the best way to do defense in depth is through network segmentation.

05:48.730 --> 05:49.900
Let me show you what I mean.

05:49.930 --> 05:56.080
So here's Mike's bread baking company and I've got a big industrial control system where I make lots

05:56.080 --> 05:56.980
of delicious bread.

05:56.980 --> 06:02.940
Now what I need to do is perform network segmentation here to give myself defense in depth.

06:02.940 --> 06:06.570
For example here I have all these bread baking machines.

06:06.610 --> 06:12.520
What I'm going to do is separate these bread making machines from the rest of my network using VLANs,

06:12.790 --> 06:18.040
in that way making sure that I get some good control and I can even put a firewall between the separate

06:18.070 --> 06:22.540
VLANs to make sure the traffic that I don't want to have going between these two will take care of

06:22.540 --> 06:23.580
it.

06:23.650 --> 06:28.110
Now if I want to scale this up a little bit let's just say I've got Mike's pipeline here.

06:28.120 --> 06:33.310
So instead of an ICS, now I've got to scale the system, so here's my pipeline with a few different

06:33.310 --> 06:35.920
terminals along a thousand mile pipeline.

06:36.070 --> 06:41.440
What I can do in this situation is that if any of these systems need to phone home or if I need to talk

06:41.440 --> 06:48.040
to them I can go ahead and use a VPN network to allow me to talk to these guys with a high degree of

06:48.040 --> 06:49.300
security.

06:49.420 --> 06:52.710
You're going to see questions on the exam about static hosts.

06:52.750 --> 06:55.320
Remember a few things though and you shouldn't have any trouble.

06:55.320 --> 07:01.420
Number one treat a static host like any other regular host at first but then secondly if there are unique

07:01.480 --> 07:07.450
aspects to that host, don't be afraid to throw in some really good network segmentation to protect your

07:07.450 --> 07:10.440
static hosts from the mean outside world.
