Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Modeling for IoT Systems

Published byYohanes Susanto Modified over 6 years ago

Similar presentations

Presentation on theme: "Threat Modeling for IoT Systems"— Presentation transcript:

1 Threat Modeling for IoT Systems
Dan Cornell CTO Denim Group @danielcornell

2 Dan Cornell Founder and CTO of Denim Group
Software developer by background OWASP San Antonio co-leader 20 years experience in software architecture, development, and security

3 How we can help: Building a world where technology is trusted
Denim Group is solely focused on helping build resilient software that will withstand attacks. Since 2001, helping secure software Development background Tools + services model Mostly in here for the PDF-ing How we can help: Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform

4 This Wasn’t In My IoT Threat Model
-Anecdote about Sheridan’s neighbor’s camera system

5 Agenda IoT Overview Goals of Threat Modeling Why Threat Model IoT?
Threat Modeling Overview IoT Threat Modeling Particulars Conclusion/Questions

6 IoT Overview -Why do we care about IoT security?

7 IoT is Cool -Most of the press mentions about IoT focus on consumer IoT

8 But IoT Isn’t Just Consumer IoT
-But the bulk of the IoT market is going to be focused in other areas -Enterprises will be adopting consumer IoT but putting them into enterprise infrastructures -Industrial sites will be adopting different IoT solution for themselves

9 Definitions (That I Made Up)
Consumer IoT IoT systems sold to the general populace. Front-door cameras, exercise trackers, personal assistants, etc Enterprise IoT Enterprise organizations deploying IoT systems – largely consumer-focused – into enterprise environments Industrial IoT More specialized IoT systems sold to industrial environments. Smart lighting, hyper- connected control systems, industrial equipment enhancements, etc -Have a different definition or a better distinction? Please bring it up. It won’t hurt my feelings if I learn something during this talk.

10 So Why Are YOU Concerned About IoT Security?
Consumer: I’m using IoT devices. Is that safe? Enterprise and Industry: I’m deploying IoT devices in my environment. What are my risks? Developer: I’m building IoT systems. What should I worry about? [Don’t dwell here – more description with the next slide]

11 So Let’s Talk About (My) Bias
My view of this topic is skewed by my experience – which is acting as a consulting firm helping organizations deal with the risks associated with IoT Consumers don’t pay us because they’re too poor BUT people that sell things to consumers do occasionally pay us in order to protect their brands Enterprises pay us to help them be safer when deploying IoT into their enterprise IT infrastructures Industrial organizations pay us to help them be safer when deploying IoT into their industrial environments IoT system builders pay us to help them build safer IoT systems – when there are appropriate economic incentives to do so

12 Consumers Sophisticated consumers might informally threat model IoT systems they let into their lives But really they just kinda get what they’re going to get… Rely on brand to make trust decisions -There are some budding certifications for systems but they are surface level -Recently finished an assessment of a firm with one of those and we broke the hell out of it

13 Enterprise and Industry
This is largely a supply-chain concern Threat modeling can be used to identify potential risks during the acquisition process Assessments can be used to identify vulnerabilities during the acquisition process Note that I said “acquisition” not “deployment” or “even later” Because once you have purchased then it is your problem

14 Developers Threat model during development to avoid huge issues that are expensive to fix and embarrassing to have publicly revealed Threat model after development to target internal red team activities Use security as a differentiator for discerning customers

15 Goals of Threat Modeling

16 Why Threat Model? Avoid introducing vulnerabilities
Identify vulnerabilities in an existing system Understand the system

17 Avoid Introducing Vulnerabilities
It is cheaper to identify vulnerabilities on the whiteboard than to fix them at the keyboard Threat modeling is a great way to proactively identify potential issues and address them during the design process

18 Find Existing Vulnerabilities
Threat modeling provides a structured way to look at systems This structure can provide consistency to assessments

19 Understand the System What are the parts? How do they fit together?
”If I change this, what happens to that?” Encourages critical thinking – especially with developers

20 Why Threat Model IoT?

21 The Good Old Days -Kinda like threat modeling checkers

22 Oh Crap, Mobile! -Now we’re playing chess!

23 Argh! IoT! -Now we’re playing three dimensional chess!
-This is an oversimplified example of consumer IoT. Enterprise and Industrial IoT get way worse

24 How I Realized the World Had Changed
Mobile application assessments: Sensible template threat model, easy statistics collection Where in the system are vulnerabilities found? What technique (static/dynamic, automated/manual) was used to find them? Fun and valuable research presented at: RSA: ile_upload/mbs-f02-mobile-application-assessments-by- the-numbers-v2.pdf OWASP AppSecEU: security-assessments-by-the-numbers- owaspappseceu20151

25 How I Realized the World Had Changed (Cont’d)
IoT application assessments Created initial sensible threat model based on a consumer example Start looking at statistics collection “Oh, crap. That doesn’t work for this enterprise case. Let’s revise.” “Oh, crap. That works even worse for this industrial case. Let’s revise again.” “Sensible” threat model template no longer looks sensible Here is a starting point:

26 So Where Does That Leave Us?
IoT environments are complicated Potentially significantly more so that what most are used to Threat modeling is more valuable – and more necessary – than ever

27 Threat Modeling Overview

28 High Level Threat Modeling Concepts
Decide on scope 1 Build your dataflow diagrams 2 Enumerate threats 3 Decide on mitigations 4

29 Creating Data Flow Diagrams (DFDs)
Decompose the system into a series of processes and data flows Explicitly identify trust boundaries

30 Example Data Flow Diagram

31 Identifying Threats from the Data Flow
STRIDE is expansion of the common CIA threat types Confidentiality Integrity Availability STRIDE Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation of Privilege

32 Mapping Threats to Data Flow Asset Types
Threat Type External Interactor Process Data Flow Data Store S – Spoofing Yes T – Tampering R – Repudiation I – Information Disclosure D – Denial of Service E – Elevation of Privilege

33 So What Does That Leave Us?
Take all the assets Associate threat types with each asset Voila! List of things we need to worry about So What Does That Leave Us?

34 Countermeasures Do nothing Remove the feature Turn off the feature
Warn the user Counter the threat with Operations Accountability Separation of Duties Counter the threat with Technology Change in Design Change in Implementation There is no “catch all” countermeasure

35 IoT Threat Modeling Particulars

36 Example Consumer IoT Threat Model

37 Use Cases to Watch Initial provisioning and deployment
Configuration updates Integration into enterprise AuthX infrastructure Software updates

38 Using Threat Models to Scope Assessments
IoT systems have many different parts and kinds of parts Web applications, web services, custom hardware, esoteric protocols Creating a test plan can be challenging - you will never have the resources to be exhaustive Threat modeling can help drive decisions about trade- offs “Should I fuzz-test the device Zigby stack or run SAST on the web services“

39 Safety Concerns Confidentiality, Integrity, and Availability
Everywhere else: Confidentiality breaches of regulated information IoT (especially industrial): Integrity or availability breaches impacting the kinetic environment

40 What Could Possibly Go Wrong?
-Mangler: Industrial laundry equipment gets possessed by black magic -Maximum Overdrive: Radiation from rogue comet causes vehicles to start acting on their own -I’ll tell you a really scary story – What if we took stuff like this … and connected it to the INTERNET

41 Medical Device Risks doctors-disabled-wireless-in-dick-cheneys- pacemaker-to-thwart-hacking/ 11/Radcliffe/BH_US_11_Radcliffe_Hacking_M edical_Devices_WP.pdf -scariest-hacks-from-black-hat-defcon/

42 Safety Concerns with IoT
Materials from Joshua Corman and We Are the Cavalry internet-things -At what point is it irresponsible to NOT have a Threat Model for an IoT system?

43 Closing Thoughts IoT systems are varied and complicated
And will increasingly have safety implications Threat modeling is a valuable technique for Avoiding introducing vulnerabilities Structuring assessments to find vulnerabilities If you are building or considering deploying significant IoT systems – save yourself a lot of headaches and use threat modeling

44 Questions Dan denimgroup.com threadfix.it

Download ppt "Threat Modeling for IoT Systems"

Similar presentations

Frank Stajano Presented by Patrick Davis 1.  Ubiquitous Computing ◦ Exact concept inception date is unknown ◦ Basically background computing in life.

Frank Stajano Presented by Patrick Davis 1.  Ubiquitous Computing ◦ Exact concept inception date is unknown ◦ Basically background computing in life.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
*** Remember – this material is based on 7 Habits.

*** Remember – this material is based on 7 Habits.
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Cyber Security: Now and.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Cyber Security: Now and.
Information Systems in Organizations 3.1.1 Running the Business: Enterprise Systems (ERP)

Information Systems in Organizations Running the Business: Enterprise Systems (ERP)
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Computer Security! Emma Campbell, 8K VirusesHackingBackups.

Computer Security! Emma Campbell, 8K VirusesHackingBackups.
Cloud Computing Project By:Jessica, Fadiah, and Bill.

Cloud Computing Project By:Jessica, Fadiah, and Bill.
Practical Threat Modeling for Software Architects & System Developers

Practical Threat Modeling for Software Architects & System Developers
ATD-NYC eLearning SIG Homework for Meeting 11/18/2015 No-Budget Gamification Copyright 2015 by Sellon Solutions LLC.

ATD-NYC eLearning SIG Homework for Meeting 11/18/2015 No-Budget Gamification Copyright 2015 by Sellon Solutions LLC.
The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.

The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.
Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,
Chapter 1: Security Governance Through Principles and Policies

Chapter 1: Security Governance Through Principles and Policies

Similar presentations

Ads by Google