
all right morning my name is Vickram uh it's my third time here at BSides proud to be back and thanks to Jeff and Jonathan I think they're in here I can't see them but thanks to the two of them uh having me back here again anyhow uh today I'm going to be talking about securing The Internet of Things this word or term really got a lot of Buzz behind it sort of 2015 was kind of The Big Year a lot of investment funding went into it a lot of companies got started doing this stuff um but it's kind of like the early days of the internet we don't really have a clue what we're really doing uh we're hoping
things work out and you know we get enough funding and so on to continue doing those cool kind of things um I'm one of the few people fortunate enough to be in a lab environment that I can play with a lot of stuff and I don't have to worry too much about consequences as long as I get to write some papers and so on um those are hard to get too but anyway so what are we going to cover today um not too much but we're going to start by defining what IoT is a lot of people have a lot of different definitions I'm going to use a standard one of my own in this talk after that to talk about a few
Industries and areas where IoT is very prevalent it's growing very very very fast I mean that's why you know all the buzz behind it um but it's penetrating a lot of different Industries so we want to take a look at what those are afterwards to talk very briefly about some startups that are building IoT stuff then the current state of security in IoT which I will say right now is very bad but we'll get more into how bad exactly in a bit uh and finally I'll talk about my contributions to the area where I come in and why I'm giving this talk and so on all right um IoT recently has been feeling like kind of a a nervous system to the to
hardware and software it's kind of like the old Hardware abstraction layer if you know from old kernel days that used to be in it's still in in some places got taken out in some other distros but it gives life to a lot of things that before were separate and just on their own with that the big deal with IoT is is communication uh particularly communication between devices and sensors this has been a very very very big deal and the reason is quite simple too many different devices do not connect to each other uh they just you know if you've used a printer you know what I'm talking about I mean just you know things just don't work out and
another thing has been that um a lot of uh big consulting firms uh Gartner being one of them they sent out a report that around 20 million devices will be up in the cloud very shortly um at these are 20 million that are going to be top performing so you're talking about 4G LTE and maybe 5G and so on um you know these devices are online and pretty much everything that's coming out now I mean even cars have LTE come on now but anyway have having those facilities and capabilities also makes you vulnerable You're Going to see a lot of this theme repeat having more features is good but you do not need an FTP server on a
printer that's just come on uh that's it's fine to have but it's harder to secure you have to always a lot of people in this room are security researchers you always have to move under the assumption that people will not configure devices the right way they're supposed to be people want to use things out of the box they want to get the easiest way to get something in and it work now that's fine for most things but if you have an FTP server running that has one two three four as password and you know you could have some very serious trouble incidentally uh one of the vulnerabilities that Stuxnet a huge you know corporate Espionage
malware it took advantage of one of the printer vulnerabilities um and you know it's The Oatmeal if you read they have a comic that's you know printers are from hell it's it's it's pretty funny if you've read it but it's you know exactly what I'm talking about anyway back to IoT stuff um in the the holy grail and the main goal is that we're trying to establish a network it could be a private could be a public network but it is a network of connected devices these the the core requirement and probably the only requirement that we can satisfy at the moment is that these devices have got to talk to each other and we'll
we'll see shortly how they do uh devices now now a lot of different devices you know are are are converging in a sense that you can have you look at mobile phones this is a very good example Samsung has their own stuff you know TouchWiz and so on but it can still load the same sort of apps that my Nexus would load or you know the Sony Xperia phones or any of them would load the the infrastructure being different but the software that runs out on top of it being about the same that's kind of what IoT is going for but at a much deeper level much deeper as an system level um devices need to be you know
talk like like I've been saying they need to talk to each other but more so they need to be able to share data that is a very very difficult challenge to solve me you look at right here you know on the left side Economist and talking about you know language of Internet of things right side that's Vice and the bottom one um from another blog but you know all of them pointing out the same things uh people saying that you know can the internet really be unified that way if you worked with firmwares and devices at you know very sort of system level you'll see how difficult it is for them to really talk any even share data
um message passing protocols MPI and OpenMP and so on those are what some of the common sophistications we use you know in a lab setting so if you're developing a server cluster Farm or something you know the way you would talk from between them is message passing but that doesn't translate very well to sort of system level stuff I've I've tried to work on some of this so you know taking known principles in message passing and converting them over to sort of system level Internet of Things devices one simple solution to this stuff happens to be that you could use all the devices on some sort of the same backbone if you will the same
protocols that's probably not going to happen um very low chance of it device manufacturers are very very bad at talking to each other about this perfect example I was a I've been in the Linux Community for a while I was a developer and uh you know just getting drivers to work Graphics drivers to work alone was a major pain leave alone getting other new system level devices it's very hard to get them happening but there's progress um one of the ones you know when Google does something they generally do it right at least as we're hoping for uh one of the recent ones that came up during the last I/O was uh this combination of something
called Brillo and Weave I'm not sure if you guys can see the pictures very well but basically is it the idea is that these devices are going to run Android but not the stock Androids on your phone but they're going to run a sort of a strip down version minimalistic version of Android which will power all five or six of these devices that you want to put in the in the cloud and because they're on the same infrastructure you can hope that getting them to talk to each other getting them to share data take input converted into output that's a lot easier to do given that they're on the same infrastructure uh Nest is a company
that you know is now under Google they uh recently released something called Nest Weave that's their own implementation and basically it is one of the first home home automation sort of ideas that use a common infrastructure you could imagine one day you have the same device that you know the same stuff that's powering your phone maybe even your car and your home you know sort of the same seamless interface from one to another and they can all communicate very well Weave is only a small piece of the puzzle because Weave only let you talk to things that's not the all the way there the complete solution is Brillo you guys might recall this slide from
the Android or from Google I/O um when they did it I just you know took it right from there but it shows something very nicely at the bottom level is Hardware Hardware could be different but as long as it can be made to run Linux you're making some progress on top of it which is the kernel um on top of the the kernel basically manages the Hardware to software interactions on top of the kernel is HAL the hardware abstraction layer this is where some really neat stuff happens because if you can take Hardware that's similar enough for example USB you know they're Universal because most of them can operate on similar principles if you can take
Hardware that's similar enough and Abstract s sort of the the core object I'm talking about object orientation if you can do that then you reach a very it's very easy to reach a consensus on devices being able to interact consensus is something I'll get into in a little bit and why it's important but it is important that we can authenticate devices properly it's probably one of the biggest security flaws in IoT and we'll see you shortly now what is happening on the other end in terms of Hardware um you can see here it's very easy on top of HAL we can build everything uh most common Linux distributions either use HAL or something something else that's similar
to HAL to build a lot of connectivity and Hardware Services uh we use them you know if you have a Linux distribution on your on your computer um what is being done on the last the blackbox which is Hardware itself uh Linux Foundation announced a initiative called project Yocto it's a common operating system for embedded devices um a lot of embedded devices are running it currently a lot of them use it huge industry Partners I mean Intel you know a lot of the big ones are are in it contributing code to it again the hope is still the same that because we're using the same backbone we can get these devices to work and talk to each other
well enough go over really quick what it looks like that looks like a nightmare but it's actually a lot easier than that uh I'm not going to go over the whole picture but the the point basically is you have you know in Debian or or in in any package management system you have something like apt-get you know you just type that and type A package and it installs it now think of the similar similar principle but applied to hardware and software drivers you just have one script a 10-line script that runs and each of those 10 lines it installs the exact sort of the same operating system including drivers on all five or six of your devices that's
kind of the idea behind project Yocto um you can see on the right side the same package feeds basically the same repositories are powering um all these different flavors of Yocto that are available and in the end they all get compiled into the images that run on devices if you've tried never tried Yocto in uh in your you know small virtual machine or something I highly recommend giving it a try it is amazing um the fact just the simple amazing fact that there is something out there that can support eight or nine different devices if you have a Raspberry Pi that's a very good uh tutorial there are several good tutorials on running uh Yocto on it
basically it gives you a very nice system level access to the Raspberry Pi and let you do crazy things you can do whatever you want with it the but the going back to the something I said earlier the very simple fact that this can happen that alone is amazing because it historically it's been incredibly hard to get device manufacturers to agree on building something like this to begin with all right so been talking about IoT sort of from the system level approach I want to talk from the other angle the other angle being from the user end IoT has been around in way too many places now but what are some of the prominent applications I want to talk in this
section about some of the common ones that are around here's a brief summary of the applications that we see most commonly around manufacturing um they're mostly focusing on supply side uh one of the big trouble that a lot of manufacturing um sort of at least the supply side chain people have had um part of the reason a lot of them turned to Yammer and so on was keeping track of inventory stuff coming in they can't keep track of it in time and what's needed what's in transit and so on they're really trying to get big on IoT and RFID chips and so on to make sure that the M the supply side and Manufacturing process goes as
smoothly as possible they don't waste a lot of money on it um Healthcare big one something that that I you know also had spent a little bit of time on uh electronical records electronic health records uh any of you have Fitbit um any of those devices you know are yeah thank you yeah those devices you know are in a they're constructed in a similar sense a Fitbit alone is not IoT it's a component of it because that Fitbit connecting to your laptop connecting to your phone going to the cloud one day you can imagine that there will be more sensitive Fitbits made that can track heart rate more reliably you could have that data being piped directly to your
physician or as some sort of a monitoring server which will notify your physician in case your heart rate goes too high up that's the hope at least um retail mostly these guys are sort of the the front end of the supply side you know they're they're mostly using it for tracking and so on as well similar ideas but here something very interesting that comes in retail and I'll talk about it later on in more detail um iBeacons if you guys have played with them uh there are some very cool principles you can apply from very using iBeacons as in information sort of almost advertising tools you walk around in a store your phone gets a notification you pull it
out check what's going on like oh wow so that's what's going on here you know they could tell you about a sale that's not there only if you have your phone you could do it you could make a lot of augmented reality games and so on even from that uh that's part of the thing that they're going for at least um security Biometrics is becoming a huge deal in IoT so using your fingerprint to unlock device and not only do that but also authenticate it to the rest of the network so in in Enterprise in an Enterprise environment you're talking about something that could connect right away and open you up to you know it
could also authenticate your email and so on and so forth all four or five different things through your fingerprinting finally Transportation this is a big one because it's becoming very very practical um Google's doing self-driving cars Apple is participating in it they're putting a lot of money in it and we don't know what's going to come out yet um Uber and Lyft are trying excuse me they're trying to build automated cars that you know self-driving cars um GM just partnered with Lyft and they're rolling out their first sort of batch of these in 2018 I I believe uh that's going to be exciting because you can imagine uh you know not only self-driving
cars are going to be amazing but the fact that you could also have the same sort of ride sharing and all those features built into the device that would probably be a pretty exciting thing to do um let's go into a few of these areas in in sort of more detail and see how they work out um I briefly talked about this whole idea earlier of healthcare being a um being of importance especially because a lot of money is going into the area you know there are three sort of these components in a triangle the the payers which are people who actually you know are paying for the money for the treatments the providers that your
insurance plans so on and the patients who actually you know getting the treatment very often these three are not in sync to give you an idea of how bad it is $3 trillion are spent each year in healthcare and about a trillion of it is completely wasted uh so there's a lot of incentive here to save any money from that trillion uh by incorporating new technologies experimental Technologies like IoT uh sensors are becoming very very a big deal uh like I said Fitbit being an example uh Pebble they released the Health um you know step tracking and health API Apple watch has a couple of Fitness initiatives too sensors are becoming important because these devices
do one thing very very well which is track what they're given to do and if you can get them to talk in a smart way you might have something very interesting going on where you can sort of automate your own life or your own health in that manner so you can imagine sensors providing data that can be accessed easily or you know through like a REST API or something and then an application building on top of it where you can do more fun things with it uh that's kind of where Healthcare is going at least it seems to be that way um we talked about iBeacons uh talked about them earlier the main idea here again
being that you can use them in a lot of ways that you couldn't otherwise for example proximity marketing I saw an application of this happen um it's very very cool it's in the lab so it wasn't actually in the environment outside uh what was interesting was you could see you walked around with it and if you were in close enough to it you could see an ad or something or a sale or something like that of the item being on on the shelf and it was it was it was amazing was all I needed to do was walk past it and I got a notification on my phone that's pretty amazing instead of having to look around to each of the you
know through the shelves or through flyers or anything you just get the notification automatically which I think is actually a pretty cool thing context is also a big deal so based on what you've been shopping it could recommend more things this kind of like an Amazon you know you you might also like thing where you can buy more things right off of based on your recommendation and that gives a lot of power to the stores or you know people who are putting the items up because they simply need to program the iBeacon to take some information and provide it to your phone that that whole process is very simple and straightforward the cloud then actually does the processing
of making recommendations and so on but again seamless and very very easy because you don't even have to take your phone after that this has been one of the largest sort of um drivers of IoT which is home automation you guys you all know of Nest and and the uh you know automatic control light bulbs and more importantly Belkin which you know you can the coolest thing about them is they don't aim to change what's already in place they only aim to change how it's accessed now now what I mean by that is you can imagine your your your coffee maker doesn't have internet Wi-Fi on it it shouldn't um now now if you can't you can either just
build a new coffee maker that has Wi-Fi or you could build something that has Wi-Fi but it turns the coffee maker on and off the reality here is that is that instead of building instead of phasing out old devices and making smart devices all over again you could just control access to power that's why one of the one of the things that you know that Belkin's done really big on on you can control the access to power and that matters a whole lot more the next thing and this is actually getting maybe perhaps more serious uh the reason here being that there is a lot of government money going going in here and and this is infrastructure uh
anybody here taking the public bus I took the public bus for four or five years it's terrible right yeah thank you for agreeing um a lot of the problem just comes out from uh not only miscommunication but also not knowing where the bus is not knowing what anything is happening the whole idea of smart infrastructure is to keep the people using it and the people providing it on the same page the whole idea here is if you can make that communication faster and seamless people will be more happy people want to use your service more uh I think a pretty reasonable assumption is if I know when my bus is coming I don't have to wait
outside for 2 hours I'll be pretty happy right that that's how used to happen um not only is this kind of stuff becoming more prevalent in Japan it's kind of been kind of the commonality from what I heard I've never actually been there I'd like to go but um one of the coolest things they've done is build these IoT sensors that work along with Raspberry Pis and they just leave them in sort of a plot of land somewhere and these things can tweet if there's an earthquake happening so they can sense uh seismic motion and they can tweet if an earthquake is forming or even close to getting to dangerous levels and you can see the public Twitter feed anywhere
at any time I think that's a pretty neat application nobody's you know thought of kind of that kind of stuff people have also done some neat stuff where um you have a sensor that's connected to a plant it's actually in the soil and then it sends you a message saying I need water because the the plant you know the soil is dried out and stuff that kind of stuff is pretty neat and that's also where hobbyists sort of come in you have to realize everybody who's interested in IoT has to come in from an angle so a lot of people come in from the healthcare angle people like me who are academics government is coming in
from the infrastructure angle hobbyists are coming in from iBeacons are building these sort of DIY home you know home devices which all of them are very neat and this is one of the best things that's happening they're teaching people how to code a lot of people who know how to program well enough don't understand the basics of networking not at a deep level but these things are sort of forcing them to learn because if they're not then there could be other trouble now a lot of the things I talked about so far were small Players let's talk about big efforts and particularly I'm going to focus on Watson Oracle and Microsoft and what they've done because
what they're doing is probably going to change the game forever who saw Watson at the Jeopardy game and so on everybody right probably yeah it was a huge deal um Watson also is building cognitive Services there was a a a recent Trend by them what they call cognitive Services uh platform which is is the idea that you can offer machine learning or deep learning tasks as a service you can drag and drop them attach them in sort of a flowchart and all you need to do is provide data and Watson will give you the output there's what I listed up here are just some of the services available but you can imagine just dragging and dropping four or five of
them to build a pretty convincing Network um pretty convincing at least task Runner um they're they're building up this new entire infrastructure actually with 38 new services specifically for sensors uh they're going to work very well with some of the Intel supported devices actually uh it's going to come out I think mid 2016 unless it already has I'm not too sure at the moment but basically the idea there being that Watson is going to be able to power a whole new world of devices and because the reason Watson matters so much is because they have the technical sort of not only the resources but the expertise to do it they have enough servers they have enough all of
that what what is needed to power a very very good private Network and obviously they're going to charge you a fortune for it but that aside the fact that they can do it very convincingly that matters because they're going to push it forward the fact that they have the enough resources to make all those things happen is going to ultimately push IoT further down because dragging and dropping you don't need a lot of time to put together sort of a first prototype on the Enterprise side is Oracle again don't worry I'm not going to go through the whole chart but what matters is is is again something convincing that they've done which is actually the very bottom um Java Powers
a lot of devices uh even some embedded devices and so on some of that's being phased out but in any case it Powers enough devices Oracle what they're now trying to do is is push out separate set of APIs that can allow things that are powered on by their own devices to collect all that data pull it back process it in the cloud and then finally let it do whatever you want to do in your organization what's important is this whole you know this whole theme might become more Universal now you know been through might talk about halfway The Gather stream manage and action people need to collect more and more data to get actionable insights is
you know the big word for it basically meaning making a decision based on the on the data that's available Oracle especially powered you know if you use PeopleSoft um you know ucfs stuff they a lot of it's powered by Oracle a lot of that information could be pulled in and processed in the proper way to give more actionable insights into the people using it that's kind of what Oracle is banking all this on and finally last Microsoft they had the coolest looking graphic no I'm kidding um Microsoft's main appeal has been with Azure platform that they're using to power Internet of Things the best thing about Azure is the visibility you get in terms
of not only metrics but the data itself uh Azure's been exceptionally well in providing a lot of new ways or angles to look at the same data that you gathered uh that's really I think what's been powering them that's the big difference between Microsoft and the other competitors so far uh when you use their devices unfortunately their the limitation on their devices is they don't have a huge amount of different devices that are powered by the Windows platform uh Windows phone is doing so so it's not doing great um besides that the server and the desktop environment are about it a lot of people are switching away from you know hosting Microsoft servers or even embedded devices away to
other things so they don't have a lot of Leverage in the area but what they do have is an amazing platform for visualization and data analytics that's why a lot of people are using them finally get to sort of the meat of the talk which is the uh the secur- the current state of security now there are issues with it both good and bad but you got to realize this is very early days I mean think of all the progress that's been made in Internet of Things right now and we're still at day Zero we haven't even started yet there's a lot of room for improvement and that being said let's tear down IoT and see what's going
on right now people have no idea how to secure their devices uh at the moment there aren't any standard protocols simply because people don't know how many new devices people are going to come up with more importantly this is kind of the second fact is kind of the sad thing which is people think that we can compress years and years of security very fast and very very rapidly just because some security policies worked in one environment they think it will also translate very easily to it I will personally say that it's been very hard to translate even small policies over and finally no one solution is going to be able to secure it uh this is something a lot of experts
in the area agreed you cannot just go find one solution that will secure all 500 devices connected to your private Network just not going to happen you're going to need device level security as opposed to Cloud level security and we'll get to that let's talk real quickly about what are some of the challenges we're facing number one probably the biggest one too much data being collected now it makes sense this is the whole purpose of IoT you're supposed to collect more data but the problem is it's becoming too much to where we don't even know what the streams of data inputting are if you don't know what where the stream is you can't secure it
as well or as easily another thing because we don't know all the use cases people can make whatever they want to make with IoT stuff they can use the hardware the software come up with new software there's no sort of centralized repository where they all can be managed for example like RubyGems or something you know the centralized Place everybody knows that's where to go look for them here completely out in the wild it's hard to secure something where you don't even know the parameters or what goes around it lastly um the more devices you connect the problem is the more security flaws you're opening up every device if it has one flaw and you connected 500
devices you're probably going to have 500 flaws given they're all different that's probably not going to happen but nonetheless the point is if you connect a lot of different devices all with on their own sort of infrastructure that are different from others you're also going to have trouble managing each of those security flaws which becomes exponentially difficult to manage very very hard to do if you have Hardware or firmware issues or security issues that go that far deep um God help you at that point I mean it's very hard to manage software level issues leave alone something as problematic as a firmware security issue um the other problem is a lot of people aren't understanding how
to define access level um if you have predefined predefined environments that can control how the access works that's one thing but if you're at a stage where you don't have any idea how the access level is going to be managed for users connecting to it you can't control that um I actually worked on access level controller wrote a grant to Google which unfortunately didn't get funded but I worked on it anyway later on uh the uh the part of the grant was dealing with authentication especially user level authentication and how you're going to manage and I'll talk about some of that work later on and lastly maintenance of the devices that are connected a lot of
people don't like to update their computers leave alone update firmwares or things on their router leave you know and then you go on to sensors and so on nobody's going to update them now the issue is how do you still manage to keep those devices free from vulnerabilities if you cannot manage even the most basic update procedures they're going to be very hard we I'll show you what happens when people don't manage them uh this one thing that came out very recently was huge which is this search engine called Shodan which actually gives you access to uh it's for free you might even look it up you can get access access to cameras that are out there and
view all the unprotected streams like you're doing a Google search this was huge and it made people not only think about how bad the security is even made some people close down um their their private clouds entirely I mean it was so bad that you know you could see the you know some of them were actually incriminating and so on but anyway that aside uh the the real the real story here is that uh some of these devices you know the people again the users cannot be held completely accountable a shopkeeper is not going to spend 10 hours making sure the camera and the way the camera connects to recording device and so on are secured with AES and a 13
character passphrase just not going to happen we need to find better mechanisms on our own because if people aren't going to do it and this stuff keeps happening some of this could spill over into very serious matters as it happened in some Healthcare in some hospitals and we'll talk about that in a little bit HP released a report um under their Fortify on Demand initiative on the internet of things and this is what the report said about 25 vulnerabilities per device and they only examined I think 15 or 20 of those devices uh some of the common points I I talk about here the one I want to focus on particularly is uh lack of tr- you know transport
encryption basically what that means is two devices that are talking to each other aren't even on a secure um secure layer like SSL or h gdps or anything they're talking completely in open Point anybody could intercept um again if you think about deeply about who really should fix this not the developers or the consumers the developers cannot secure everything mistakes happen people don't you know if you think about budget and project allocations not everybody's going to allocate every security feature in every project what we need is something fundamentally different and more importantly something ingrained that can come from bottom up is div design devices oh and obviously software protection nobody updates their stuff my laptop is not updated by the way no I'm
just kidding I updated yesterday before the talk uh this was another big thing actually that came out recently uh with with with Nissan uh their Nissan Leaf um this guy anybody follow try hunt on the blog okay you guys probably already seen this then uh yeah the a lot of the stuff what happened was basically you know they were talking about vehicle control and they had a application you know mobile application to do it a lot of the data about the vehicle uh the point of the app was you get a lot of good data on on how your car works it runs and so on and even other features about it I'm not going to go too deep into it the
problem if it came out to be everything about the car was accessible through rest apis even use a secret key nothing it was very straightforward accessible uh and the the column on the right shows you know some just some of them turns out you could use some of these variables or some of the results that came out here plug them in back into the rest apis and get even deeper access uh the the name of the person you could turn the car on and off remotely um they pulled off the app I think right away after this came out uh which is very good on them because they you know quickly saved the world but you know
damage already been done this is just one example of something a massive scale that happens if you don't have not only the right policies but even uh the sort of of the designed mindset on how to control iot and again you cannot blame them for it uh this is all far too new for everybody including security people like me and Troy hun who poned it finally get to where I come into this talk and what my contribution was I wanted to save the world you know protect all these devices but that didn't happen soon enough um I tried to take a different angle to it which was as I mentioned earlier try to translate security policy and and so on that have
already been in place for years in big tools and big you know companies and bring them down to sort of these normal Play devices first thing I worked on um which happened to actually give some positive results was um make every connection count for money so microtransactions by implementing smart contracts and microtransactions what you really allow to do is two devices cannot talk to each other unless they either pay up in terms of resources or actual money Bitcoin anything like that the point of it being you could connect two devices very securely this way because a third device trying to access it wouldn't one either have the payment setup system set up if it does it
wouldn't be able to that easily get into your payment stuff if if you can get if a external device or external hacker can get that easily into your payment system you have other problems than iot but that aside adding payments makes it very unlikely for people to sort of want to hijack and connect the same issue why you know email spam that was one of the things about it about eliminating spam was if you had to pay a fee for every email one of the exciting applications in Bitcoin particularly has been if you attach a small microtransaction to every email you sent you will eliminate spam because for spammers who send 10 million emails a day that transaction would add
up to far too much real money they just wouldn't do it the cost benefit you know the cost of sending it weighs far outweighs the benefit they'll get because nobody clicks on those links from you know Nigerian princes these days the the smart contracts are are nice because they're autonomous and self-executing but what that comes down to is you could have two devices completely without a person monitoring them connect to each other manage each other and even check up on what the status is that could become powerful because if you have something like a JSON leak like with the car stuff we had earlier if was a sense of monitoring the the outflow of that
information they could have detected there was it was information coming out that somebody was accessing even if you can't stop it knowing that it happens that's that alone is a big deal and this was the second idea I worked on which was detecting uh there can be a whole magnitude of threats that come in either from inside or outside for iot instead of looking and preventing threats from the outside what is probably more reliable to do arguably so what's more reliable is to monitor once your device has been compromised how it homes back that's the whole idea behind extrusion detection how is it that your devices are connecting from your software your system outside to the
command and control servers if you can instead of monitoring for every threat that's outside a better policy is to monitor your own devices and every threat that penetrates through the idea here being if you can control how your devices interact from inside out you might be able to eliminate completely how that that con that that connection works so the point of it being if you could manage how exactly your devices are transmitting data outside you could probably completely stop it um one of the things that Verisign found uh in in the later half of 2015 was that DDoS activity had been some of some of the highest that ever had been in a very very long time they do a four or five
year study I found it was way way way higher than it ever ever been before and one of the ways that you could really bring down a lot of it was if you could control your own devices well enough if you had policies in place instead of protecting from DoS from the outside for DoS you can't really protect too much what you can do is mitigate some of the damage from the inside out so that you can isolate the system and make sure that your excuse me that your devices are protected well enough and finally the the thing I was talking about earlier which is device and role management this is something that's actually very very simple a lot of
security tools implemented like SELinux and so on but a lot of the tools aren't actually doing or or applicable to system level security the point of it being if you can manage an authenticator device if you know exactly what's connecting to your network you might be able to stop some devices from connecting to it um this could also mean malicious sensors you can imagine it's not too far-fetched to think somebody would design a sensor with with some software on it that's supposed to instead of sending in data actually just taking data or worse off is providing wrong data that happened as I mentioned earlier in the case of Stuxnet where the data being provided from the
nuclear centrifuges was all completely wrong um so the engineers thought the centrifuges were totally fine when in reality they were breaking down uh so that you know there you have a risk of very serious espionage I'm giving a very extreme example you're not going to find iot beacons in in a nuclear reactor okay but the point of it being that you know if you have a better idea of who's connecting to your devices you could probably do a very good job at maintaining them system policies are effective but to a certain end what really matters is device-based role security you people not everybody should have access to everything in an enterprise environment you should limit
the access and not only limit the access but more importantly make it so that their roles define how exactly they can connect and authenticate to to more services if if you can have a very clear idea of that happening I think it'd really be making you know strides towards securing these new Internet devices and with that I hoped I saved the world not really uh the you know it's it's it's funny you know you're in security often you're fighting a losing battle uh you make things you you hope they work and often they don't uh you know and then because the attacker attackers come up with more sophisticated or something you missed entirely you know sometimes
you work on on the thing hoping that it would work out very fast and and safely it just completely blows out of the window but yeah thank you so much for coming by and that was [Applause] all if anyone like to ask any questions please either come up or just say it from there I'd be happy to answer thank you