risk factory: let's get physical

"Let's Get Physical": Cyber Security in an IP-Enabled World

Upload: risk-factory

Post on 21-Jun-2015


DESCRIPTION

Security issues associated with the Internet of Things (IoT)

TRANSCRIPT

Page 1: Risk Factory: Let's Get Physical

"Let's Get Physical": Cyber Security in an IP-Enabled World

Page 2

A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.

www.riskfactory.com

Page 3

• Viruses

• Road Apples

• Crackers

• Script Kiddies

• Worms

• Phishing

• Adware

• Pharming

• Zombies

• Malware

• Screen Grabbers

• Root Kits

• Backdoors

• Data Mining

• Denial of Service Attacks

• Spyware

• Encryption Cracking

• Port Scanning

• Fingerprinting

• Social Engineering

• Botnets

• Crawlers

• Cookies

• Ear Wigging

• Eavesdropping

• Mockingbirds

• Script Scrapers

• Smurfing

• Stealth Bombs

• Spoofers

• Steganography

• Stripping

• Suppression

• Google Hacking

• Spim

• Data Slurping

• War Driving

• X-Site Scripting

• SQL Injection

• Man-in-the-Middle Attacks

Page 4

Always do whatever's next…

• Wireless

• Bluetooth

• Cloud

Page 5

Our Internet Is Based On…

• 60’s concepts, requirements & funding

• 70’s computing environments

• 80’s operating systems, applications, networks, and programming languages

• 90’s security technology

• 2000’s operational and business practices

Page 6

The End is Nigh

In the next 2 years the present IP address space (IPv4) will reach its capacity.

Page 7

Birth Follows Every Death

It will be replaced by IPv6, which has enough addresses for each of the 6.8 billion human beings on the planet to have about 5×10^28 of them.

Page 8

In Other Words...

Every human being on the planet could have their own personal network the size of today's internet.

Page 9

Why?

• The Internet is preparing to leave its virtual world and enter our physical world.

• IPv6 provides an infrastructure for assigning IP addresses to physical "things".

• The networking of the virtual world to the physical world.

• The networking of "things".

• Evolution: from a network of interconnected computers to a network of interconnected objects…

Page 10

The "average" person owns somewhere between 1000 and 5000 things (possessions).

Page 11

Imagine

• What if you could put them all on your own network?

• Have a complete inventory of everything you own and know where it is, in real time?

• What if you could connect this network of your things to other networks and interact?

• Life on this planet would be significantly and profoundly changed.

• We'd never run out of anything.

• No more theft as we know it: we'd know exactly where things are at any given moment, anywhere on the planet.

Page 12

Wake Up

• It's already here.

• Internet of Things (IoT).

• Concept founded by the Auto-ID Centre at MIT back in 1999.

• Phase 1 underway: bottom up, level-specific functionality.

• Internet Protocol for Smart Objects (IPSO) Alliance founded 2008.

Page 13

IoT Characteristics

Pervasive: present throughout

Ubiquitous: everywhere at the same time

Evolving: constantly changing

Global: everywhere on this planet

Page 14

Beyond Accidental

"Anytime, anywhere, by anyone and everything"

Page 15

A Day in the Life…

Page 16

First Things First

• Everything on the electrical grid first

• Balance of power (grids)

– Plant to substations

– Substations to lines

– Lines to transformers

– Transformers to homes

Page 17

Second Things Second

• Any "thing" with a power source to any "thing" with a power source, and vice versa…

– Refrigerator to a television

– Toaster to smoke detector

– Fire alarms to ovens

– Smoke detectors to gas supplier

Page 18

And Last But Not Least

• Any "person" to any "thing" or any person?

– You to your house

– You to your appliances

– You to your car

– You to your….

Page 19

Communication is Key

• Need mobile "smart" communication devices to connect:

– Things to things

– People to things

• IP Smart Objects (IPSO)

• RFID chip the leader

Page 20

IoT Language

Hello: My UID is 1234567fa and my challenge is X4665

Bonjour: My UID is af7654321 and the answer to your challenge is Ab455839
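The two-line exchange on this slide is a challenge-response handshake: each "thing" names itself and proves it holds a shared secret by answering the other side's fresh challenge. The deck does not say how the answer is computed, so the example below is an added illustration rather than the deck's own protocol: it assumes a pre-shared symmetric key and HMAC-SHA256 (cheap enough for a device that is "not a crypto-engine"), reuses the two UIDs from the slide as sample identities, and binds each answer to both UIDs plus the challenge so a reply captured from one pairing is useless against another.

```python
import hashlib
import hmac
import os

# Constructed sample key shared by both devices; a real deployment would
# provision one per device pair and tie its validity to the device lifetime.
SHARED_KEY = b"example-shared-key-not-for-production"

def mac(key, responder_uid, challenger_uid, challenge):
    # The answer covers both identities and the challenge, so it only
    # verifies for this responder, this challenger and this session.
    msg = f"{responder_uid}|{challenger_uid}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Device:
    def __init__(self, uid, key):
        self.uid, self.key, self.seen = uid, key, set()

    def challenge(self):
        # Fresh 64-bit random nonce per session; never reused by this device.
        return os.urandom(8).hex()

    def respond(self, peer_uid, challenge):
        # A challenge this device has already answered is treated as a replay.
        if challenge in self.seen:
            return None
        self.seen.add(challenge)
        return mac(self.key, self.uid, peer_uid, challenge)

    def verify(self, peer_uid, challenge, answer):
        if answer is None:
            return False
        expected = mac(self.key, peer_uid, self.uid, challenge)
        return hmac.compare_digest(expected, answer)

def mutual_auth(a, b):
    # Hello: A states its UID and issues a challenge.
    hello = {"uid": a.uid, "challenge": a.challenge()}
    # Bonjour: B states its UID, answers A's challenge and issues its own.
    bonjour = {"uid": b.uid,
               "answer": b.respond(hello["uid"], hello["challenge"]),
               "challenge": b.challenge()}
    if not a.verify(bonjour["uid"], hello["challenge"], bonjour["answer"]):
        return False
    # Third message (not on the slide): A answers B's challenge so that
    # B also knows A is genuine, giving mutual rather than one-way auth.
    final = {"uid": a.uid,
             "answer": a.respond(bonjour["uid"], bonjour["challenge"])}
    return b.verify(final["uid"], bonjour["challenge"], final["answer"])
```

Run `mutual_auth(Device("1234567fa", SHARED_KEY), Device("af7654321", SHARED_KEY))` to see the handshake succeed; give one side a different key and it fails.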

Page 21

Communication

Page 22

Framework

Netless is an anamorphic structure of nodes that is capable of holding some amount of digital data. Each node is a small, low-power wireless digital transponder. There is no permanent network connection. Every time any node appears in the vicinity of any other node, they establish a wireless link and swap the data that was stored internally.

Keywords: permission-less, parasitic network, off-line data-sharing, city-net, WAN, othernet, decentralized, node-network, sneakernet, sensor-network, grassroots-network, wireless.

Page 23

Looks Like

Page 24

Soylent Green is People!

Newly developed "RFID powder", as invisible as a speck of dust: 0.05 mm × 0.05 mm × 0.005 mm.

Chips are packed with 128 bits of static memory, enough to store a unique 38-digit ID number; 2.45 GHz, 1 mW.

Can be embedded directly into pieces of paper.

Current favored application: anti-counterfeiting.

Page 25

Already There

• Retail stores using RFID for stock control

• Vehicles paying by RFID on motorways

• Cows, Dogs, Cats, Sheep implanted with RFID chips

• Consumer products from cars and mobiles to children’s tennis shoes now equipped with GPS RFID chips

Page 26

Security Requirements

Can our current C.I.A. (confidentiality, integrity, availability) definition fit the IoT?

Pervasive: present throughout?

Ubiquitous: everywhere simultaneously?

Emerging: constantly evolving?

Global: everywhere on this planet?

Page 27

Application Challenges

Page 28

IP Challenges

• Packet spoofing

• Network traffic analysis

• Device analysis

• Device spoofing

• Encryption

• Key distribution

• Privacy protection

• Identity protection

• Identity and identifier management

Page 29

IPSO Challenges

• Devices are not reachable

– Most of the time a device is not connected

• Devices can be lost and stolen

– Makes security difficult when the device is not connected

• Devices are not crypto-engines

– Strong security difficult without processing power

• Devices have finite life

– Credentials need to be tied to lifetime

• Devices are transportable

– Will cross borders

• Devices need to be recognised by many readers

– What data is released to what reader?

Page 30

Privacy Challenges

• What things you own

• Where you bought them

• The price you paid for them

• Where they are located

• What you use them for

• How often you use them

• What they connect to

• Who they connect to

Page 31

Page 32

Fraud Challenges

• "Thing" Theft

• Counterfeit

• Piracy

Page 33

Professional Challenges

• See the bigger picture, now

• Anticipate the potential problems

• Security professionals are always "catching up" to technology

• Step up. Consider the implications of the next world of networked things

• Prepare for it, now

• Lead, don't follow.

Page 34

26 Dover Street, London W1S 4LY, United Kingdom

+44 (0)20 3586 1025

+44 (0)20 7763 7101 (fax)