50 milliards de failles connect es en 2020
play

50 Milliards de failles connectes en 2020 Benot Rousseaux Bruxelles - PowerPoint PPT Presentation

50 Milliards de failles connectes en 2020 Benot Rousseaux Bruxelles 12 juin 2018 Pure Player in Cyber Security Services 200+ Experts in France. Subsidiaries in Belgium and Luxembourg 2 domains of expertise : Information Systems and


  1. 50 Milliards de failles connectées en 2020 Benoît Rousseaux – Bruxelles – 12 juin 2018

  2. Pure Player in Cyber Security Services 200+ Experts in France. Subsidiaries in Belgium and Luxembourg 2 domains of expertise : Information Systems and IOT 6 service lines : Audit (intrusion tests, code review, … ), Consulting (governance, risk management, GDPR), Training, CERT, Onsite Security (SOC, SIEM), Project based security (IAM,SSO, … ) Innovation : CERT, Technology watch, R&D, Publications Certified consultants (PASSI, ISO, CISSP, ITIL, … ) P Security label for the Internet of Things , … Digital Security

  3. IoT : What is it ?

  4. IOT : Definition A connected object with the following seven attributes :  Sensor  Connected to Internet  Processor  Energy efficiency  Optimized cost  Reliability  Security Digital Security

  5. IoT: A major evolution Use of Connected Objects Source : kaizen-factory.com In 2 years, the new connected objects will be half of Internet devices Digital Security

  6. All sectors are concerned Source : iot-analytics.com Gartner:  « By end of 2018, over 20 percent of entreprises will have digital security services devoted to protecting business initiatives using the IoT » Digital Security

  7. A complex architecture Source : Mark Horowitz - Stanford Engineering - Securing the Internet of Things Data to be protected in a distributed architecture, using a dozen of different programming languages Digital Security

  8. IoT : what about security?

  9. Digital Security

  10. Top 10 of IoT flaws according 1 Insecure Web Interface 2 Insufficient Authentication/Authorization 3 Insecure Network Services 4 Lack of Transport Encryption 5 Privacy Concerns 6 Insecure Cloud Interface 7 Insecure Mobile Interface 8 Insufficient Security Configurability 9 Insecure Software/Firmware 10 Poor Physical Security Digital Security

  11. The point of view of authorities Source : FBI, I-091015-PSA The FBI mentions […] personal data theft, but also the sending of malware, e-mail spamming as well as a risk for physical security. Digital Security

  12. IoT Standards and safety guides Several initiatives :  Sectorial guidance on IoT security by the ENISA  U.S. Dept of Homeland Security Strategic Principles for securing IoT  NIST Special Publication 800-160  Projet OWASP for the IoT  NESCOR Standard  UL 2900 Standard IoT security is on the way, but connected solutions are already largely widespread Digital Security

  13. How the IoT got hacked

  14. How the IoT got hacked Shodan.io, the IoT search engine Source : Shodan.io Shodan crawls the Internet and records technical banners of accessible services A malicious use is to identify vulnerable targets to known flaws IoT devices expose themselves on Internet Digital Security

  15. How the IoT got hacked Spying thinks to the Internet of things Source : Presse Hack of « smarts TV » used for the « Digital Signage » Hijacking of services robots (cameras, micros) Interception of conversations at reception areas, meeting rooms, etc. Facilitation of spying Digital Security

  16. How the IoT got hacked Resonance of the IoT on the company information system An « APT » through hacking of the distributor’s subcontracter responsible for the remote monitoring of the connected heating and air conditioning systems. A financial and privacy prejudice never reached:  $ 40 millions of stolen credit card numbers and $ 110 millions of stolen contact details … affecting 1 out of 3 American  Total estimated cost: $ 14 billions Information System Hacking Digital Security

  17. How the IoT got hacked Hack of the Information System through a smart light bulb Source : www.contexis.com Analysis of the light bulb firmware reveals vulnerabilities in every devices Possibility to hack the WiFi network in case of physical access to the radio frequency waves (30 meters) Information System Hacking Digital Security

  18. How the IoT got hacked Hackers remotely took control of a connected car Takeover through Internet of the car embedded systems 1,5 millions cars have been called back in USA during Summer 2015 Available update by USB key! Endangering of human life Digital Security

  19. How the IoT got hacked Attacks on smart meters Source : Black Hat Euope 2014, www.youtube.com Study on smart meters security  Measuring of consumption  Adaptation of electricity production Hypothetical attack scenari include the electric sabotage and subsequent blackout of a whole population Endangering of human life Digital Security

  20. How the IoT got hacked Hijack of medical devices The common point between a pacemaker and a insuline pump? They have both been hacked  Pacemaker : possibility to turn off the device or send a electric discharge of 830 volts  Insuline pump: Takeover via WiFi, possibility to convert the device in a lethal weapon! Endangering of human life Digital Security

  21. IoT security: what solutions?

  22. Our IoT CERT and its activites Our CERT CERT UBIK: the very first CERT in Europe dedicated to IoT security 50 experts Security watch, incident response, security audits, reverse engineering, … We have our own dedicated lab Digital Security

  23. Our IoT CERT and its activites Digital Security portfolio Security level evaluation of the IoT chain  Integrating security into projects  Software and hardware reverse engineering  Code review  Penetration tests Equipment and appropriate skills for the IoT security specificities Digital Security

  24. Security label for IoT solutions IoT Qualified Security Label IQS enables future buyers, companies or individuals to identify the security level of a connected solution according to a reliable, neutral and independent indicator. Digital Security

  25. Benoit.Rousseaux@digital.security Digital Security

Recommend


More recommend