Save Signed Data with airSlate SignNow

Save signed data

okay this will be the top six myths of iot security security has been the subtitle for all discussion about the internet of things but a lot of that discussion has been based on some bad assumptions and misinterpretation iot can be secured but just not in a lot of the ways that are being discussed here are six of the most common iot security myths and the reality behind each them number one light bulbs and industrial robots are secured the same way iot is really a super a super set of two very different technologies the first part is what we think of most with consumer grade tech think light bulbs tvs and vacuum cleaners the second part is operational technology or ot industrial robots water turbines elevators and power plant rely equators the essential difference is that ot is serviced and maintained by a dedicated theme usually closely backed by the vendor whereas iot as consumer grade tech is not this difference is significant to how they are secure and to the impact of being insecure auto vendors however are typically less experienced than it vendors in the ways of security and this is a rough differentiation so cars for example although a consumer technology are in the ot classification because of manufacturer involvement number two standards will secure iot this is common myth no one who hosted an ot or iot roundtable in the uae and the majority voted that they believed standard would fix the iot security problem this is certainly how things should work when viewed through the lens of safety safety standard works well in ot and iot with established national standards bodies and labs however the reality is much different there is hope but no time zone will standards play a role of any impact standards play almost no rule in id security today so our hope for them in iot is aspirational number three iot vendors will start patching their devices product makers don't want insecure stuff all iot is patching challenge but for different reasons the short description won't completely do the topic justice as this is very noise and complex discussions ot teams do have a strong desire to patch however their software update cycles are open magnitudes lower than i t patching many ot devices will never see a patch so the development and delivery of time critical security patches is not part of their corporate dna similarly patch management is not traditionally part of the auto group and dna there's is no turbine and water filtration system monday equivalent to microsoft patch tuesday nor are parts management tool open in use in auto environment much of the patching must be done locally and manually iot has different issues with patching and most iot devices were designed without any prospect of patching some iot vendors do not keep a software team in-house making patching problematic a portion of iot software is embedded in firmware chips containing the flow plus that can require a replacement meaning usually the whole device must be replaced as uh the iot component manufacturer told that it would add uh 0.2 us dollar per chip for them to extensively test code and provide patches for security vulnerabilities whereas the price of their nearest competitor is 0.01 us dollar per chip and the manufacturer said the company had never had a buyer factor security in top purchasing decision number four ot will make it all better what is not amin is that there is usually tension between enterprise id department and the ot staff is responsible for the technology for the shop floor or production environment the auto teams certifi certainly know their environment best however they come less equipped and experience the tight stuff concerning modern threats and patch management techniques teams usually learn on their familiar vendors the manufacturers of the equipment however these vendors reflect the auto team in that they are slow to adapt to the new and incredibly hostile environment most of these vendors do not even have any kind of bug bounty or vulnerability research interface think about it ot and their band or scape are required to go from 0 to 100 overnight from an air gap low threat world to an ip enabled one attack by nation attack or nation states and custom crafted malware ot team do understand their environment the best so they are rightly skeptical of it teams which lead us to number five early or i.t will make it all better early on in iot and ot security it was assumed that the current id techniques would be the fix just do what we do on the corporate network and everything will be all right unfortunately it was immediately evident that things were in business as usual not everything is ip enabled we cannot we cannot risk connecting critical infrastructure to the corporate environment the service level agreements for out age or downtime was several magnitudes less forgiving than id a strange protocol were involved and there was little if no coverage of these devices by vulnerability research id security has the triad of cia as its foundation confidentiality integrity and bulk and availability and suddenly a new leg was added to that safety because iit security and ops department were not equipped to perform their current task with that level of impact iot under it is a bit better than ot but still requires flexing with which id department may not be willing to undertake most studies predict that iot devices are growing at magnitudes greater than it devices most i.t security products are not equipped to deal with the scale of iot even if the teams are willing for example most security information event products are already being challenged to handle the alert load as well as firewall handling connection per second iot adds an approximate 10 times load in most enterprises with it department again open and willing to take on the load of managing and securing what doesn't appear to be devices in the realm of responsibility it does not have the iot security answer today but that doesn't stop the threat landscape from using iot as an attack surface in the interim number six special iot security products will fix it all early on there were iot specific security products that emerged they tended to be either wireless focus a good thing since so much of iot connectivity is wireless based or from the ot device manufacturers however the impact has based limited has been limited auto manufacturers have been slow to bring effective products and the slow release of real dollars for ot and iot has alienated vendors the critical issue is that most iot and auto security technologies are not linked to corporate id security groups that are already organizationally decoupled making the job of a security operation center responsible almost a manual task of calling co-workers to find out informations okay the top barriers to iot and m2m adaption so again that's what i have as what we have here we have the security and the barrier so this will be the barriers for that then again as what we discussed the challenge is low pressure human inter interaction unit device identification device authenticity device user association and nature of the data so to security versus comfort risk versus reward more challenges as what i discussed earlier this will be the more challenges we have limited encryption capabilities limited resources limited clock synchronization and firmware must be upgraded from time to time iot security design rules build security in it cannot be added later keep security mechanism simple use existing standards and obscurity does not provide security encrypt sensitive data trust and in transit usefully studied cryptographic building blocks identifying access management must be part of the design and develop a realistic threat model so secure web mobile in cloud interface do not allow default credentials as what we discussed earlier now assume device access internally and externally credentials should not be stored in plain text nor trouble in encrypted channels protect against account enumeration and employment account block out protects again xss csrf and sqli implement i and i am irm systems identify creation identification authentication and authorization so this will be the provisioning device identity so from pki ids system and of course for them to verify authenticity and register devices so store rna okay so this will register me authenticate our own device then this will be the verify identification of user register user authenticate user and others so device and data on behalf of users so this will be an example again user shares data rebooks token then the network device says so ensure all necessary reports are open ensure services are not vulnerable to buffer overflow and pushing attacks ensure services are not vulnerable to those attacks transport encryption insure data and credentials are encrypted while in transit you secure encrypted channels be sure of that use good key lens and good algorithms as what we discussed and protect against replay attacks so privacy as part of the design collect only the minimum necessary data for the functionality of the device especially here in the philippines we have the data privacy law ensure any sensitive data collected is properly protected with incredible encryption and ensure the device properly protects and personal data for the software and firmware you must ensure your firmware does not contain hard-coded credentials or sensitive data use a secure channel to transmit that firmware during upgrades in ensure the update is assigned and verified before allowing the update do not send the public key with the firmware use a hash ensure your svn or git repositories do not contain the private case for physical security ensure physical access to your device is controlled accessible usb or sd ports can be a weakness can it can it be easily disassembled to access that internal storage if locally necessity consider encrypting the data and this will be the references thank you and good day everyone you