Internet of Things Top Ten


Agenda
- Introduction
- Misconception
- Considerations
- The OWASP Internet of Things Top 10 Project
- The Top 10 Walkthrough

- 26 Billion by 2020
- 30 fold increase from 2009 in Internet of Things install base
- Revenue exceeding $300 billion in 2020
- $1.9 trillion in global economic impact
*Gartner Internet of Things Report 2013

Misconception | It's all about the device

It's not just about the device, or the network, or the clients

There are MANY surface areas involved

Each of these needs to be evaluated

Considerations | A holistic approach is required

All elements need to be considered
- The Internet of Things Device
- The Cloud
- The Mobile Application
- The Network Interfaces
- The Software
- Use of Encryption
- Use of Authentication
- Physical Security
- USB ports

Enter the OWASP Internet of Things Top Ten Project

Internet of Things Top Ten Project | A complete IoT Review

Review all aspects of Internet of Things

Top Ten Categories

Covers the entire device

Without comprehensive coverage like this, it would be like getting your physical but only checking one arm

We must cover all surface areas to get a good assessment of overall security

I1 | Insecure Web Interface

8 June 2015, HP Confidential

I1 | Insecure Web Interface | Testing
- Account Enumeration
- Weak Default Credentials
- Credentials Exposed in Network Traffic
- Cross-site Scripting (XSS)
- SQL-Injection
- Session Management
- Account Lockout

I1 | Insecure Web Interface | Make It Secure

I2 | Insufficient Authentication/Authorization

I2 | Insufficient Authentication/Authorization | Testing
- Lack of Password Complexity
- Poorly Protected Credentials
- Lack of Two Factor Authentication
- Insecure Password Recovery
- Privilege Escalation
- Lack of Role Based Access Control

I2 | Insufficient Authentication/Authorization | Make It Secure

I3 | Insecure Network Services

I3 | Insecure Network Services | Testing
- Vulnerable Services
- Buffer Overflow
- Open Ports via UPnP
- Exploitable UDP Services
- Denial-of-Service
- DoS via Network Device Fuzzing

I3 | Insecure Network Services | Make It Secure

I4 | Lack of Transport Encryption

I4 | Lack of Transport Encryption | Testing
- Unencrypted Services via the Internet
- Unencrypted Services via the Local Network
- Poorly Implemented SSL/TLS
- Misconfigured SSL/TLS

I4 | Lack of Transport Encryption | Make It Secure

I5 | Privacy Concerns

I5 | Privacy Concerns | Testing
- Collection of Unnecessary Personal Information

I5 | Privacy Concerns | Make It Secure

I6 | Insecure Cloud Interface

I6 | Insecure Cloud Interface | Testing
- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic

I6 | Insecure Cloud Interface | Make It Secure

I7 | Insecure Mobile Interface

I7 | Insecure Mobile Interface | Testing
- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic

I7 | Insecure Mobile Interface | Make It Secure

I8 | Insufficient Security Configurability

I8 | Insufficient Security Configurability | Testing
- Lack of Granular Permission Model
- Lack of Password Security Options
- No Security Monitoring
- No Security Logging

I8 | Insufficient Security Configurability | Make It Secure

I9 | Insecure Software/Firmware

I9 | Insecure Software/Firmware | Testing
- Encryption Not Used to Fetch Updates
- Update File not Encrypted
- Update Not Verified before Upload
- Firmware Contains Sensitive Information
- No Obvious Update Functionality

I9 | Insecure Software/Firmware | Make It Secure
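The I9 test items (update file not encrypted, update not verified before it is applied) come down to one device-side rule: refuse any image that cannot be authenticated against a key the device already trusts. As an added example that is not from the OWASP project or this presentation, the Go code below shows that check with the standard library's Ed25519; the UpdatePackage format, the SignUpdate and VerifyUpdate functions, the key pair and the image bytes are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, minimal format: version, image, Ed25519 signature over SHA-256(version || image).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var ErrBadSignature, ErrDowngrade = errors.New("update rejected: signature does not verify"), errors.New("update rejected: not newer than installed firmware")

// signedDigest binds the version to the image so a genuine signature cannot be replayed with another version or image.
func signedDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, version) // 4-byte version prefix, then the image
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs in the vendor's build pipeline, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{version, image, ed25519.Sign(priv, signedDigest(version, image))}
}

// VerifyUpdate runs on the device before anything is written to flash: check the
// signature with the public key baked into the firmware, then refuse downgrades.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedDigest(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrDowngrade
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair, demo only
	pkg := SignUpdate(priv, 2, []byte("constructed firmware image"))
	fmt.Println("genuine update accepted:", VerifyUpdate(pub, 1, pkg) == nil)
}
```

Checking the signature before the version lets the device reject a forged package without trusting any field inside it; the downgrade check then stops a correctly signed but older, vulnerable image from being re-installed.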

I10 | Poor Physical Security

I10 | Poor Physical Security | Testing
- Access to Software via USB Ports
- Removal of Storage Media

I10 | Poor Physical Security | Make It Secure

Resources

OWASP Internet of Things Top Ten

Email List
