SIX DEGREES OF SEPARATION
PLANNING THE IMPACT OF IOT ON YOUR FUTURE AUDITS
AGENDA
• What is 6 Degrees of Separation
• What is IoT
• The Impact of IoT
• Risks
• Auditing IoT
WHAT IS 6 DEGREES OF SEPARATION?
• The idea that all living things and everything else in the world are six or fewer steps away
from each other
• So a chain of "a friend of a friend" statements can be made to connect any two people in
a maximum of six steps
• The idea is that you are 1 degree away from someone, 2 degrees from someone they know, 3 from
someone those people know, and so on
• It was originally set out by Frigyes Karinthy in 1929 and popularized in an eponymous
1990 play written by John Guare
Courtesy: Wikipedia
WHAT IS 6 DEGREES OF SEPARATION?
• A 2007 study by Jure Leskovec and Eric Horvitz examined a data set of instant messages
composed of 30 billion conversations among 240 million people. They found the average
path length among Microsoft Messenger users to be 6
• Researchers at Microsoft studied 30 billion electronic conversations in Microsoft
Messenger among 180 million people in various countries in June 2006. People were
considered acquainted if they had sent each other a message.
• The average length of hops was 6.6
• 78% could be connected with 7 or fewer hops
So, you are five people away from connecting with your favorite movie star, Gandhi, the Queen etc
WHAT IS 6 DEGREES OF SEPARATION?
• So? How does this relate to IoT you ask?
• You are only 5 people away from
connecting with someone or some
business, who uses or benefits from an IoT
device
• OR, 5 businesses away from someone
wanting to use an IoT device maliciously
against your business*
Courtesy: https://upload.wikimedia.org/wikipedia/commons/8/88/Six_degrees_of_separation_01.png
WHAT IS IOT?
• The Internet of Things is a term taken to mean devices connected to the internet
• 2013 Global Standards Initiative on Internet of Things defined the IoT as:
• “A global infrastructure for the information society, enabling advanced services by
interconnecting things based on existing and evolving interoperable information and
communication technologies"
• For these purposes a "thing" is "an object of the physical world or the information world,
which is capable of being identified and integrated into communication networks."
Courtesy: Wikipedia
WHAT IS IOT?
• What drives IoT?
• Connectivity
• IPv6 – This internet addressing protocol opens the gate for anything to have a unique identifier.
Enough addresses for more items than the world can produce
• Enhanced sensors
• Drop in cost combined with increase in capabilities of sensors to capture, analyze, store and
transmit data
• Low-power/wide area communications
• Ability to transmit from a wide range of sensors across a simplified and secure communication
infrastructure with low-power sources
Courtesy: https://blog.protiviti.com/tag/auditing-iot-risk/
WHAT IS IOT?
• IoT Use Cases
• The taxonomy is arranged around
people, and each level moves further
away from the individual and becomes
higher level.
• Different levels are categorized from
personal (e.g. wearables) to macro-level
control (smart cities, smart highways).
Courtesy: https://iwringer.wordpress.com/2015/10/08/taxonomy-of-iot-usecases-seeing-iot-forest-from-the-trees/
WHAT IS IOT?
• Amazon Dash Button
• A Wi-Fi connected device that reorders
your favorite product with the press of a
button.
• Can be paired with a product of your
choice, using Amazon App during the set-
up process.
• When you run out of that product, press
the button and it is ordered via Amazon
WHAT IS IOT?
• THE NEXT WAVE!
WHAT IS IOT?
• Industry Logistics - DHL
• Vehicle monitoring and maintenance
• Real-time tracking of packages,
environmental sensors in shipping
containers
• Information-gathering on employees and
tools
• Safety-enhancing features for vehicles
and people
WHAT IS IOT?
• Caterpillar Industry
• CAT Smartband
• Activity tracking to monitor operators
to determine better operator safety
• Predict when the wearer’s fatigue level
will become a safety risk
Courtesy: Caterpillar.com
WHAT IS IOT?
• Captures bar code and auto adds item
to your shopping list in the GeniCan app
WHAT IS IOT?
• A smart wine decanter
• iSommelier promises to soften the tannins and
mature wine that normally requires years of
cellaring by aerating your wine with highly
concentrated purified oxygen. There's also a smart
base with a digital screen that shows you the name
of the wine, the vintage and an aeration progress bar
• There is an app that connects with the decanter to
let you control the device, add aeration programs
and gather information about different winemakers
Courtesy: https://www.wareable.com/smart-home/best-smart-kitchen-devices
WHAT IS IOT?
• IoT is moving fast
• Cars
• Diagnostics, insurance tracking devices
• Lighting systems
• Refrigerators
• Telephones
• Supervisory Control and Data
Acquisition (SCADA) systems
• POS devices
• Traffic control systems
• Home security systems
• Smart electricity meters
• Televisions, DVRs
• Kitchen appliances
• Instant Pot, Avona sous vide cooker, toasters
IMPACT OF IOT?
• Perhaps the biggest potential for IoT isn’t consumer devices, but:
• Industrial automation
• Building automation
• Smart transportation
• Power and irrigation systems
• Environmental & pollution monitoring
Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT?
• Environmental impact – Not so Good
• E-waste (waste of electrical and electronic equipment) filling landfill sites
• Heavy metals and toxic materials
• Energy consumption. Huge increase in overall consumption to manage all the devices
• Demand for more as users become accustomed to usefulness
• Greater packaging waste
Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT?
• Environmental impact – Good
• Pocket-sized environmental sensors that provide for monitoring the airborne quality, radiation,
water quality, hazardous airborne chemicals etc
• Airbot, waterbot, Sensordrone, Sensaris, Pressurenet
• IoT smart grids in the energy sector could save over 2.0 Gt of CO2 using smart meters and
demand-response systems
• Improved energy efficiency with optimized routes of transportation, IoT could reduce about
1.9Gt of CO2 in 5 years
Courtesy: http://www.advancedmp.com/environmental-impact-of-iot/
IMPACT OF IOT?
• Other Key Impacts
• Real-time operational data
• Performance of individual machines
• Energy usage in buildings
• Telematics from your vehicles on the road, connections to field staff or monitoring of remote assets,
• Richer and faster flow of real-time operational data, yielding deeper, more accurate insights about your
business so you make better and timelier decisions
• Improved operational efficiencies and standards.
• For example, food and drug manufacturers monitor shipping containers for changes in temperature that could
affect product quality and safety
RISKS
• IoT devices are “always on”
• Attackers have all the time they need
• How will you know they have been hacked?
• Business risks
• Compliance, privacy
• Technical risks
• Hacking, device vulnerabilities
• Operational risks
• Performance (slowdown or speed up), shadow or rogue use, managing updates
RISKS
• At the Heart of the matter
• Dick Cheney has wireless access removed
• A precaution as he was Vice President of the USA at the time
• Upon getting a new defibrillator, his doctor Dr. Reiner ordered the manufacturer to disable the
wireless feature
• These devices monitor the heart's electrical activity and, when an arrhythmic event is detected, can
induce a shock that resets the heart. They also contain small radio transmitters that let doctors read
their monitoring of the heart and even reprogram the device to customize it to the patient
RISKS
• Medical Risks
• The recent WannaCry ransomware:
• Locked down medical records in hospitals,
• Infected MRI machines, and
• Hit diagnostic radiology equipment
RISKS
• Medical Risks
• Jay Radcliffe, a security researcher at Rapid7 and a diabetic, found that the wireless
remote for his Johnson & Johnson Animas OneTouch Ping diabetes pump
communicated in an unencrypted fashion
• "Attackers can trivially sniff the remote/pump key and then spoof being the remote or
the pump," he wrote last year. "This can be done without knowledge of how the key is
generated. This vulnerability can be used to remotely dispense insulin and potentially
cause the patient to have a hypoglycemic reaction."
https://www.pcmag.com/news/354582/can-a-hack-give-you-a-heart-attack?utm_source=email&utm_campaign=dailynews&utm_medium=title
RISKS
• Home Automation
• Locks, baby monitors, lights etc
• Executives
• Car tolls, medical, homes
• Sensitive positions
• Admins, HR etc
• Theft, Kidnapping, Coercion
RISKS
• Network risks
• Connected devices may allow
unauthorized access to your inside
network
Courtesy: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
RISKS
• Network risks
• Different degrees of risk
Courtesy: https://www.forescout.com/wp-content/uploads/2016/10/iot-enterprise-risk-report.pdf
AUDITING IOT
• Need a survey / questionnaire to users about internet connected devices in the office
• Is IoT part of a business strategic initiative?
• Does the business know what IoT data is collected, and stored?
• Is the data analyzed for business and security related objectives?
• Has the organization assessed potential implications?
• Security
• Privacy
• Organizational
AUDITING IOT
• Risk Assessment
• Conduct an assessment of risk in your organization through the use of IoT enabled devices
• Technical risks
• Business risks
• Perform a vulnerability assessment
• Conduct penetration tests on IoT systems
• Assess the adequacy of the encryption used by IoT systems for communication
AUDITING IOT
• Monitoring
• Monitor IoT systems to ensure they are functioning as intended
• Assess whether adequate monitoring controls are in place and whether all such controls have been
operating effectively over time.
• Assess whether exceptions and failures that occur get properly logged
• Ensure resolutions to incidents are recorded on a timely basis
• Assess whether a process is in place for incidents to determine their root causes
• Ensure that someone is accountable for reviewing logs
AUDITING IOT
• Is someone accountable?
• Who manages IoT assets, from purchase to disposal?
• Know what you have
• Is a list of IoT enabled devices maintained? Part of asset management?
• Is it broken down by level of connectivity / risk?
• Connectivity
• Who authorizes connectivity to the network?
• Is that a good idea? Segregated on the network?
AUDITING IOT
• Maintenance
• Who is accountable and responsible for ensuring regular maintenance?
• How do you ensure all devices are updated as required?
• Are stakeholders engaged when considering new devices?
• Understand risks, benefits, manage rogue use
• Legal ramifications researched, understood and managed?
• Compliance, Privacy etc
AUDITING IOT
• Network properly managed?
• Denial of Service attacks on IoT devices?
• Ready for added demand on network bandwidth?
• Patch management standard updated to include IoT devices?
• Incident response procedures handling IoT?
• Insurance updated to include risks associated with IoT?
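The accountability, inventory, connectivity and maintenance questions above can be turned into a repeatable check over the asset register. The following is an added example, not part of the deck; the inventory rows, field names, trusted network segments and patch-age thresholds are all assumed for illustration.

```python
"""Audit checks over a constructed IoT asset inventory (added example, not from the deck)."""
from datetime import date

# Constructed sample inventory. 'segment' is the network zone the device sits on and
# 'tier' is the connectivity/risk level the inventory is broken down by (both assumed fields).
INVENTORY = [
    {"id": "cam-01", "type": "IP camera", "owner": "Facilities", "segment": "iot-vlan",
     "tier": "high", "last_patch": date(2023, 1, 15), "authorized_by": "NetOps"},
    {"id": "dash-07", "type": "Amazon Dash button", "owner": None, "segment": "corp-lan",
     "tier": "low", "last_patch": None, "authorized_by": None},
    {"id": "meter-02", "type": "Smart electricity meter", "owner": "Facilities",
     "segment": "corp-lan", "tier": "high", "last_patch": date(2023, 5, 2), "authorized_by": "NetOps"},
]

AUDIT_DATE = date(2023, 6, 1)                                 # constructed audit date
MAX_PATCH_AGE_DAYS = {"high": 30, "medium": 90, "low": 180}   # assumed patch policy per tier
TRUSTED_SEGMENTS = {"iot-vlan", "scada-vlan"}                 # assumed segments kept off the inside network


def audit_asset(asset, today):
    """Return the audit findings for one device; an empty list means it passes every check."""
    findings = []
    if not asset["owner"]:                       # Is someone accountable?
        findings.append("no accountable owner")
    if not asset["authorized_by"]:               # Who authorized connectivity? (rogue use)
        findings.append("network connectivity not authorized (possible rogue use)")
    if asset["segment"] not in TRUSTED_SEGMENTS:  # Segregated on the network?
        findings.append(f"not segregated: sits on {asset['segment']}")
    last, limit = asset["last_patch"], MAX_PATCH_AGE_DAYS[asset["tier"]]
    if last is None:                             # Are all devices updated as required?
        findings.append("no patch/update record")
    elif (today - last).days > limit:
        findings.append(f"patch overdue: {(today - last).days} days > {limit} for tier {asset['tier']}")
    return findings


def audit_inventory(inventory, today):
    """Map device id -> findings so the report can be split by tier or owner."""
    return {a["id"]: audit_asset(a, today) for a in inventory}


if __name__ == "__main__":
    for dev, issues in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(dev, "PASS" if not issues else "; ".join(issues))
```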
TACTICS FOR IOT
• IoT security tactics you might consider:
• Design a good perimeter protection with a firewall and an intrusion prevention system
• Implement an emergency incident response program
• Include a good identity and access management program with your IoT program for central user control.
• Implement two-factor authentication where practical
• Have the administrators of your devices use privileged user control
• Search for standardization. The market will soon define standards for the IoT, including security standards
• If you have a third-party IoT provider, consider due diligence
• Stay informed with key sources of security through groups such as the National Institute of Standards and
Technology (NIST)
Courtesy: https://securityintelligence.com/how-to-protect-yourself-against-iot-risks/