Kid Proofing the Internet of Things
TRANSCRIPT
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring)
Copyright © 2015 Raytheon Company. All rights reserved.
Why We Want To Lock Down Our Home Networks
What is important in your Network Castle?
• As Information Security (IS) professionals (or students), we regularly defend enterprise networks
• General Internet threats
  - Malware, hackers, identity thieves
• Threats to and from our kids
  - The threats our kids bring in: malware, spyware, etc.
  - The threats against our kids: objectionable content, predators
The Usual Solutions People Use To Do It (PCs)
Securing a desktop is easier (but not easy)
• General Controls
  - Firewalls
    Perimeter firewall (wireless router)
    Host-based firewall
  - Anti-Virus
  - User Account Controls (UAC)
• Kid-Specific Controls
  - Parental controls / Google controls
  - “Kid Safe” browsers
  - “Deep Freeze”
All The Other Devices On Your Network
The Internet of Things is a different matter…
• The real problem is all the other devices on your network
  - With the Internet of Things, have you really thought about how these affect the security of your home network?
  - Were these devices built with security in mind?
• Devices you or your kids likely have on the network
  - Tablets (iOS, Android, Chrome, other Linux variants)
  - Game Systems (PlayStation, Wii, Nintendo DS, etc.)
  - TVs (Linux, Windows, Netflix, Hulu, YouTube, etc.)
  - Phones (iOS, Android)
Device Lockdowns
• Hard lesson learned about these devices
  - They don’t care about your security concerns…
  - At best they have VERY limited content controls
  - All connected, but no control over Internet content
• Game systems / TVs
  - Ratings Controls
• Android / Linux / iOS
  - Limited Parental Controls – can control purchases
  - Apple’s “Restriction” Controls (slightly better)
  - “Kid Safe” Apps and Browsers
Locking Down iOS
Making iOS “kid safe” is reasonably doable
• Apple has some decent controls via their “Restrictions” settings to make iOS “kid safe” on any network…
• Some strategies I use / have used
  - Don’t let the kids install / delete Apps (they hate this)
  - Disable iCloud and Messages (they hate this more)
  - Disable Safari / YouTube / remove “problem” apps
  - Install a “kid safe” browser
  - Configure Google parental controls
• Hacking iOS opens additional opportunities / risks
So What Does That Leave Us?
• What do all these devices have in common?
  - The home network and Internet Gateway…
• Conventional Router Controls
  - Basics
    Encrypt wireless traffic (devices may limit strength)
    MAC address restrictions
    Guest network (if available)
  - Good ingress screening
  - May have limited egress screening
    Limit sites and times for some / all users
    Generally these are hard to manage
Advanced Strategies For More Security
Adult, Visitor, and Kid Zones are my minimums
• Segment your LAN into security zones
  - Move “high risk / value” devices to their own zone
  - Allows you to apply different access policies
• Some security zones to consider…
  - Adult Household Member Zone
  - Hardwired Zone / Finance Zone
    Consider moving Finance into a VM
  - Adult Guest Zone
  - Kid Zone (Household Member and Guests)
  - Entertainment Device Zone (May be Kid Zone)
How To Implement Security Zones
Shared network devices like printers are issues…
• One Router to rule them all…
  - There are MANY possible variants of this
• Use the existing router as a master device
  - Leave the DNS the same or use unfiltered OpenDNS
  - With a dual wireless router this can be Adult + Visitor
• Add a new wireless router per zone
  - Connect Wireless APs via wire to the master device
  - If this is to be a filtered network (Kids), then reconfigure the DNS to use filtered OpenDNS
Advanced Internet Controls At The Network Layer
• Advanced Internet Access Control is a difficult problem
  - Devices have very limited controls
  - Wireless routers are marginally better
  - Is there another way to provide this filtering?
• OpenDNS to the rescue (almost)
  - If you control DNS, you control the Internet*
  - OpenDNS is a free (and paid) service that provides a filtered / controlled Internet experience via DNS
    Free has a bunch of stock settings
    Paid has the ability to customize these + add custom site rules
OpenDNS - Living With An Imperfect Solution (1)
Controlling devices off your network is very hard…
• OpenDNS does not protect mobile devices when they leave your network (tablets, phones, laptops, etc.)
  - Sorry, but I do not think there is a good solution for this
  - Auditing the device is probably the best workaround
• OpenDNS (paid) can only be used on one “Zone” unless you have more than one public IP
  - It keys off the source IP to decide how things resolve
  - You can use OpenDNS (free) on other zones…
  - This may affect how you implement your zoning strategy
OpenDNS - Living With An Imperfect Solution (2)
It’s not a perfect solution, but it works for me…
• OpenDNS does not stop direct access via an IP
  - Kids that understand what an IP is can be a problem
  - Kids that know what a hosts file is can still resolve names without your DNS
• OpenDNS works great for devices using DHCP…
  - But if the device lets you change the DNS settings, OpenDNS can be bypassed at the host
• If your kids are more computer and network savvy than you, this will not work for long…
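As an added example (not from the talk), a small Python audit that ties the zoning slides to the OpenDNS weakness above: given connection records exported from the master router, it flags any host in the kid or entertainment zone whose DNS traffic goes to a resolver other than the filtered OpenDNS servers, which is what a changed-DNS-settings bypass looks like from the network. The zone subnets, the log format and the sample records are constructed for this example; the OpenDNS resolver addresses are OpenDNS's published ones.

```python
import ipaddress
from collections import defaultdict

# Zone subnets are constructed for this example; substitute your router's real ranges.
ZONES = {
    "adult": ipaddress.ip_network("192.168.10.0/24"),
    "kid": ipaddress.ip_network("192.168.20.0/24"),
    "entertainment": ipaddress.ip_network("192.168.30.0/24"),
}
# Expected resolvers per zone: OpenDNS FamilyShield (filtered) for kid-facing zones and
# OpenDNS Home (unfiltered) for adults; published OpenDNS addresses, verify before use.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}
APPROVED_DNS = {"kid": FAMILYSHIELD, "entertainment": FAMILYSHIELD,
                "adult": {"208.67.222.222", "208.67.220.220"}}

def parse_line(line):
    """Parse a constructed 'proto src:sport -> dst:dport' connection record."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "dst": dst_ip, "dport": int(dport)}

def zone_of(ip):
    # Return the zone whose subnet contains ip, or None if the address is unzoned.
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def find_dns_bypass(lines):
    """Map zone -> {client -> resolvers} for port-53 flows to servers the zone shouldn't use."""
    findings = defaultdict(lambda: defaultdict(set))
    for rec in map(parse_line, lines):
        zone = zone_of(rec["src"])
        if rec["dport"] != 53 or zone is None:
            continue
        if rec["dst"] not in APPROVED_DNS[zone]:
            findings[zone][rec["src"]].add(rec["dst"])
    return {zone: dict(hosts) for zone, hosts in findings.items()}

# Constructed sample records; 203.0.113.0/24 is a documentation range, not a real site.
SAMPLE_LOG = [
    "udp 192.168.20.15:51234 -> 208.67.222.123:53",  # kid zone via FamilyShield: fine
    "udp 192.168.20.15:51235 -> 8.8.8.8:53",         # kid zone, DNS changed on the host
    "tcp 192.168.20.22:40001 -> 1.1.1.1:53",         # kid zone, another public resolver
    "udp 192.168.10.5:53001 -> 208.67.222.222:53",   # adult zone via OpenDNS Home: fine
    "tcp 192.168.20.15:40002 -> 203.0.113.10:443",   # not DNS, ignored here
]

if __name__ == "__main__":
    for zone, hosts in find_dns_bypass(SAMPLE_LOG).items():
        for host, resolvers in sorted(hosts.items()):
            print(f"[{zone}] {host} used unapproved DNS servers: {sorted(resolvers)}")
```

The audit cannot see direct-IP or hosts-file access, since neither produces a DNS flow; the changed-DNS gap itself is closed more reliably by having the master router allow outbound port 53 from the kid zone only to the approved resolvers.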
Presenter Bio
Monty D. McDougal is a Raytheon Intelligence, Information and Services (IIS) Cyber Engineering Fellow. He has worked for Raytheon for the last 16+ years performing tasks ranging from programming to system administration and has an extensive web development / programming background spanning 18+ years. His work has included development/integration / architecture / accreditation work on numerous security projects for multiple government programs, internal and external security / wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and several advanced anti-malware IRADs / products / patents.
Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on the SANS Advisory Board. Monty has previously held the GCIH, GCFA, GREM, GCUX, and GCWN certifications. Monty is also the author of the Windows Forensic Toolchest (WFT).
E-mail: [email protected]
Abstract
Kid Proofing the Internet of Things
This presentation is intended to address the unique challenges parents face in securing their home networks both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.
- Why we want to lock down our networks
- The usual tools we would attempt to do it with (PC Solutions)
- What about all those other devices on your network… the real issue
- Device lockdowns
- Wireless Router / security zoning
- OpenDNS and why it may be your best friend in this fight
- Living with an imperfect solution…