Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Milton Smith, Sr. Principal Security PM, Java Platform Group, September 2014.

  • Slide 3: Security and the Internet of Things: Preparing for the Internet of Stings. Milton Smith, Sr. Principal Security PM, Java Platform Group, September 2014. Twitter: @spoofzu, Blog: securitycurmudgeon.com
  • Slide 4: Who is this Guy? My background. Role: strategic security leader working to influence the Java team and internal teams, engage researchers, and handle industry outreach. Background: many years of application programming and security. Former employer: Yahoo!, where he led security for the User Data Analytics property.
  • Slide 5: Program Agenda. 1. Internet of Things background; 2. Internet of Things security threats; 3. Platform features, countermeasures, monitoring; 4. Resources.
  • Slide 6: Internet of Things Background. Background about Oracle IoT.
  • Slide 7: IoT Characteristics - Devices. Geographically dispersed; millions deployed (>10^6); diverse sophistication and capabilities; vast quantity of data.
  • Slide 8: IoT Characteristics - Infrastructure. Rapid device onboarding; shared application services; end-to-end security; performance.
  • Slide 9: IoT Characteristics - Applications. Many industry verticals; many stakeholders; deploy locally or in the cloud; integrate legacy systems.
  • Slide 10: Exploring the Internet of Things - some history and what is required. Telcos are experts and have provisioned millions of devices for many years. Massive Internet web applications (Google, Yahoo, Facebook, Twitter, etc.) have done the same for users. There is no industry-standardized device platform supporting different lines of business; current platforms are proprietary. What is required is a generalized cloud service model for devices - IoT.
  • Slide 11: Internet of Things Architecture - broad view of a big platform. Components shown: edge devices, smart devices, gateway devices, identity, application infrastructure, security, big data, relational storage, diverse applications.
  • Slide 12: Internet of Things vs. n-Tier. Similarities: network and application services infrastructure; n-tier applications serve millions of browser end-points, IoT serves millions of device end-points; security controls for data in transit and at rest. Differences: humans self-provision, devices must be provisioned; browsers are very standard, devices are very different; browsers can be upgraded and patched, devices are much harder to update.
  • Slide 13: IoT Security Threats - defending the device cloud.
  • Slide 14: IoT Threats, an overview - DDoS. Denies business operations; loss of revenue; compliance concerns.
  • Slide 15: IoT Threats, an overview - Reconnaissance. Physical network (packet captures, PCAPs); devices, cameras; servers, applications; surveillance in preparation for cross-compromise of other systems.
  • Slide 16: IoT Threats, an overview - Information Disclosure. Exfiltration of logs, application metadata, crypto keys, URL parameters, passwords.
  • Slide 17: IoT Threats, an overview - Path Traversal. Easy-to-guess URIs; brute force; application files (e.g., usr/doc/mydoc.txt) and OS files (e.g., etc/passwd).
  • Slide 18: IoT Threats, an overview - Phishing. Links in email; a common industry concern; need to defend deep links.
  • Slide 19: IoT Threats, an overview - Session Hijacking. Stealing the HTTPS session ID (e.g., JSESSIONID); cookie stealing.
  • Slide 20: IoT Threats, an overview - SSL/TLS Attacks. Renegotiation attacks; known-weak cipher suites; TLS session key disclosure; weak encryption.
  • Slide 21: IoT Threats, an overview - Device Spoofing / MITM. Rogue CA, forged keys; no transport encryption; failed or improper (de)provisioning.
  • Slide 22: IoT Threats, an overview - Inappropriate Policy. Intentional or unintentional; results in unauthorized access.
  • Slide 23: IoT Threats, an overview - Security Patching. Unpatched components increase the risk of compromise; track vulnerabilities and security alerts, because patching matters.
  • Slide 24: IoT Threats, an overview - Bad Privilege Assignments. Can occur in any component: device, application, operating system.
  • Slide 25: Platform features, countermeasures, monitoring - an overview of IoT security controls.
  • Slide 26: Defending Devices - protecting millions of devices. Isolated cryptographic processing; hardware-protected credentials and keys; strong authentication for all components.
  • Slide 27: Defending Devices (cont'd) - protecting millions of devices. Cryptographic keys and key management; platform attestation and secure boot; isolation across many layers, e.g., protocol from browser/application, application from container, container from operating system.
  • Slide 28: Defending the Datacenter - new and existing security controls. Network isolation and firewalls; log management (diagnostic/security, compliance); mitigate vulnerable apps with WAFs while they are being fixed; industry standards such as HTTPS, LDAP, and OAuth2.
  • Slide 29: Defending the Datacenter (cont'd) - new and existing security controls. Anti-virus (AV), malware detection, quarantine for untrusted uploads; system policy and configuration review; common logging framework (Windows, *NIX, JSR-47) for security/diagnostic logging, with compliance logging handled separately; exfiltration control.
  • Slide 30: Defending Application Infrastructure - shared supporting application services. Anti-password-cracking controls; multi-factor authentication; continuous automated dynamic analysis, both in-house and 3rd party.
  • Slide 31: Defending Application Infrastructure (cont'd) - shared supporting application services. Centralized logging framework (JSR-47); revocation services (to ensure trust); application domain integrity controls and policy.
  • Slide 32: Defending the Application Development Process - software defenses. Oracle software development policies and secure coding standards; standard security controls: static analysis, dynamic analysis, fuzzing, open-source tools (FindBugs); different tools for different layers: Java platform, application infrastructure, Java web applications.
  • Slide 33: Defending the Application Development Process (cont'd) - software defenses. Security challenges differ depending on the deployment model (Oracle cloud vs. private cloud). No introduction of unreviewed open source. Production servers are air-locked against unauthorized change; exceptional processes require management approval. Secure coding practices for Oracle components (certification for non-Oracle components).
  • Slide 34: Defending the Production Deployment Process - standardize and control production deployment. Approved cryptographic algorithms based upon the application's domain; approved security hardening and configuration standards for each type of component: OS, application server, database, LDAP, etc.; build servers exclusively from standardized images derived from the approved hardening standards, with no one-off builds.
  • Slide 35: Defending 3rd Party Integration - including open and commercial source. There is no assurance that 3rd parties conform to Oracle security policies or specifications. Countermeasures: increased transparency, visibility into 3rd-party code, contractual obligations; understand their development processes, require independent test certification, and move away from faith-based approaches: trust but verify.
  • Slide 36: Resources - learn more about the Internet of Things.
  • Slide 37: Links. Oracle IoT Landing Page: http://www.oracle.com/us/solutions/internetofthings/overview/index.html ; Java Platform Group, Security Landing Page: http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html
  • Slide 38: Safe Harbor Statement. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.