Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Security and the Internet of Things: Preparing for the Internet of Stings
Milton Smith, Sr. Principal Security PM, Java Platform Group
September 2014
Twitter: @spoofzu | Blog: securitycurmudgeon.com
Slide 4
Who is this Guy? My background
- Role: strategic security leader working to influence the Java team and internal teams, engage researchers, industry outreach
- Background: many years of application programming and security
- Former employer: Yahoo! Led security for the User Data Analytics property
Slide 5
Program Agenda
- Internet of Things Background
- Internet of Things Security Threats
- Platform Features, Countermeasures, Monitoring
- Resources
Slide 6
Internet of Things Background
About Oracle IoT
Slide 7
IoT Characteristics - Devices
- Geographically dispersed
- Millions deployed (>10^6)
- Diverse sophistication and capabilities
- Vast quantity of data
Slide 8
IoT Characteristics - Infrastructure
- Rapid device onboarding
- Shared application services
- End-to-end security
- Performance
Slide 9
IoT Characteristics - Applications
- Many industry verticals
- Many stakeholders
- Deploy locally or in the cloud
- Integrate legacy systems
Slide 10
Exploring the Internet of Things: some history and what's required
- Telcos are experts and have provisioned millions of devices for many years
- Massive Internet web applications like Google, Yahoo, Facebook, Twitter, etc.
- No industry-standardized device platforms supporting different lines of business; current platforms are proprietary
- Generalized cloud service model for devices: IoT
Slide 11
Internet of Things Architecture: broad view of a big platform
[Architecture diagram; components shown: Edge Devices, Smart Devices, Gateway Devices, Identity, Security, Application Infrastructure, Big Data, Relational, Diverse Applications]
Slide 12
Internet of Things vs. n-Tier
Similarities
- Network and application services infrastructure
- Applications = millions of browser end-points; IoT = millions of device end-points
- Security controls (transport/rest)
Differences
- Humans = self-provisioning; devices = must be provisioned
- Browsers are very standard; devices are very different
- Browsers can be upgraded/patched; devices are more difficult
Slide 13
IoT Security Threats
Defending the device cloud
Slide 14
IoT Threats (an overview) - DDoS
- Deny business operations
- Loss of revenue
- Compliance concerns
Slide 15
IoT Threats (an overview) - Reconnaissance
- Physical network, PCAPs
- Devices, cameras
- Servers, applications
- Surveillance for cross-compromise
Slide 16
IoT Threats (an overview) - Info Disclosure
- Exfiltrate logs, app metadata, crypto keys, URL parameters
- Passwords
Slide 17
IoT Threats (an overview) - Path Traversal
- Easy-to-guess URIs
- Brute force
- Apps: usr/doc/mydoc.txt
- OS: etc/passwd
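As an added defender-side example (not from the deck), the canonical-path check that closes the traversal cases on this slide, in Python. DOC_ROOT and the sample request paths are constructed for illustration; the web app that would call resolve_document is hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Constructed example root for a hypothetical device-management web app.
DOC_ROOT = "/srv/iot-app/docs"


def resolve_document(doc_root: str, requested: str):
    """Map a requested URI path to a file under doc_root.

    Returns the canonical absolute path, or None when the request must be
    rejected: '..' segments that climb out of the root (plain or percent-
    encoded), NUL bytes, backslashes, and the root directory itself.
    A leading '/' is stripped, so /etc/passwd can only ever name a file
    that lives inside the root.
    """
    decoded = unquote(requested)          # decode exactly once, here
    if "\x00" in decoded or "\\" in decoded:
        return None                       # neither belongs in a URI path
    relative = decoded.lstrip("/")        # always treat the request as relative
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # normpath has collapsed '..'; the request is safe only if the result still
    # lies strictly inside the root directory.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def looks_like_traversal(requested: str) -> bool:
    """Cheap signal for access-log review: any '..' path segment after decoding."""
    return ".." in unquote(requested).replace("\\", "/").split("/")


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest traversal attempts.
    for req in ("usr/doc/mydoc.txt", "../../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{req:28} -> {resolve_document(DOC_ROOT, req)}"
              f"  traversal={looks_like_traversal(req)}")
```

A doubly encoded request (%252e%252e) decodes once to the literal directory name "%2e%2e", which stays inside the root; that holds only if no later layer decodes the path a second time.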
Slide 18
IoT Threats (an overview) - Phishing
- Links in email
- Common industry concern
- Need to defend deep links
Slide 19
IoT Threats (an overview) - Session Hijacking
- Steal HTTPS session id (e.g., JSESSIONID)
- Cookie stealing
Slide 20
IoT Threats (an overview) - SSL/TLS Attacks
- Renegotiation
- Known-weak cipher suites
- TLS session key disclosure
- Weak encryption
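As an added example (not from the deck), a Python ssl server context that closes off the items on this slide where the library allows, plus an audit function that reports what a given context still permits. The cipher string, the WEAK_MARKERS list and the pass criteria are my choices for illustration, not an Oracle recommendation.

```python
import ssl

# Substrings marking cipher suites that should not be offered: RC4, (3)DES,
# MD5 MACs, NULL encryption/authentication, export grades, anonymous DH/ECDH.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side TLS context with the slide's attack classes closed off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / 1.1
    # ECDHE-only suites: a leaked server private key does not expose past
    # session keys (forward secrecy), which addresses "session key disclosure".
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server picks, not client
    ctx.options |= ssl.OP_NO_COMPRESSION             # no compression side channel
    # Client-initiated renegotiation: the flag exists on OpenSSL >= 1.1.0h builds,
    # so fall back to 0 (no-op) where the Python build does not expose it.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report what a context still permits; empty weak list and all-True flags pass."""
    offered = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_suites": [n for n in offered if any(m in n for m in WEAK_MARKERS)],
        # TLS 1.3 suites (names starting with TLS_) are always forward secret.
        "all_forward_secret": all("ECDHE" in n or n.startswith("TLS_") for n in offered),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "renegotiation_disabled": bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0)),
    }


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
```

Running audit_context on a bare ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) shows which of these settings a default context leaves open on your build.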
Slide 21
IoT Threats (an overview) - Device Spoof/MITM
- Rogue CA, forged keys
- No transport encryption
- Failed/improper (de)provisioning
Slide 22
IoT Threats (an overview) - Inappropriate Policy
- Intentional or unintentional
- Unauthorized access
Slide 23
IoT Threats (an overview) - Security Patching
- Increases risk of compromise
- Vulnerabilities and security alerts; patching is important
Slide 24
IoT Threats (an overview) - Bad Privilege Assignments
- Any component: device, application, operating system
Slide 25
Platform features, countermeasures, monitoring
An overview of IoT security controls
Slide 26
Defending Devices: protecting millions of devices
- Isolated cryptographic processing
- Hardware-protected credentials and keys
- Strong authentication for all components
Slide 27
Defending Devices (cont'd): protecting millions of devices
- Cryptographic keys and key management
- Platform attestation and secure boot
- Isolation across many layers: protocol from browser/application, application from container, container from operating system
Slide 28
Defending Datacenter: new and existing security controls
- Network isolation, firewalls
- Log management (diagnostic/security, compliance)
- Mitigate vulnerable apps while they are being fixed: WAFs
- Industry standards like HTTPS, LDAP, and OAuth2
Slide 29
Defending Datacenter (cont'd): new and existing security controls
- Anti-virus (AV), malware detection, quarantine for untrusted uploads
- System policy and configuration review
- Common logging framework (Win, *NIX, JSR-47): security/diagnostic; compliance handled separately
- Exfiltration control
Slide 30
Defending Application Infrastructure: shared supporting application services
- Anti-password-cracking controls
- Multi-factor authentication
- Continuous automated dynamic analysis, both in-house and 3rd party
Slide 32
Defending Application Development Process: software defenses
- Oracle software development policies and secure coding standards
- Standard security controls: static analysis, dynamic analysis, fuzzing, open source (FindBugs)
- Different tools for different layers: Java platform, application infrastructure, Java web applications
Slide 33
Defending Application Development Process (cont'd): software defenses
- Security challenges differ depending on deployment model (Oracle cloud vs. private cloud)
- No introduction of unreviewed open source
- Production servers air-locked against unauthorized change; exceptional processes with management approval
- Secure coding practices for Oracle components (certification for non-Oracle components)
Slide 34
Defending Production Deployment Process: standardize and control production deployment
- Approved cryptographic algorithms based upon the domain of the application
- Approved security hardening and configuration standards for each type of component: OS, application server, database, LDAP, etc.
- Build servers exclusively from standardized images derived from approved hardening standards; no one-off builds
Slide 35
Defending 3rd Party Integration: including open and commercial source
- No assurance 3rd parties conform to Oracle security policies or specifications
- Increased transparency, 3rd-party code view, contractual obligations
- Understand development processes, independent test certification, move away from faith-based approaches: trust but verify
Slide 36
Resources
Learn more about the Internet of Things
Slide 37
Links
- Oracle IoT Landing Page: http://www.oracle.com/us/solutions/internetofthings/overview/index.html
- Java Platform Group, Security Landing Page: http://www.oracle.com/technetwork/java/javase/overview/security-2043272.html
Slide 38
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Confidential - Internal/Restricted/Highly Restricted