
AAN & X:ED - Cloud and IoT Security

8th Mar 2016


The first AAN & X:ED events of the year were a huge success and for the first time ever, we live streamed the event from Sydney! It is now up on YouTube so please click below if you were unable to attend.

To stay updated and attend future events, please join our meetup group.

Thank you to our fantastic presenters in both Sydney and Melbourne:

Adam Sellers, Lead Solution Engineer, ANZ Platform Specialist, Salesforce.com

Lee Hickin, Commercial Lead for Internet of Things, Microsoft Australia

click here to download Lee’s slide deck

Dave Glover, Senior Technical Evangelist IOT Solutions, Microsoft Australia

Steven Brealey, Lead Digital Transformation Consultant | Internet of Things, Cisco

click here to download Steven’s slide deck

We were delighted to welcome on our panel:

Daniel Iversen, Head of Solution Architecture, Dropbox

Craig Hall, Managed Defense Analyst, FireEye

Clarence Cheah, Sales Consulting Director | Digital & Identity, Oracle Australia

We also asked both Craig Hall and Steven Brealey some questions…

Interview with Craig Hall

Describe who you are and what’s brought you to where you are now?

Defense Analyst with a focus on APT and targeted attacks. Finding 0-days and stopping state-sponsored attackers is my thing. 
Professional history working in managed security solutions for defense industrial base and fortune 500 companies. 

Should everything have an IP address? 

Should it? No. Will it? Yes probably. 

Security has never really hampered innovation. Developers will continue to make cool things and connect them to the internet regardless of the security implications.

Has there been any observed usage of IoT devices as part of an APT campaign or targeted attack?

Yes. Many APT groups will use IoT infrastructure as it is often overlooked by infosec teams. Off the top of my head I can name two groups that have been observed using network printers for data exfiltration and there is a surge of point-of-sale malware at the moment. 

Is the security industry doing enough to keep pace with IoT development?

No, we’re not doing enough and what we are doing isn’t being done fast enough. 

The catalyst for most organizations is ‘wait until we have been compromised and then do something’ which is too little too late.

Does anyone remember the learning curve of BYOD, and if so why are people making the same mistakes?

BYOD was a change led by innovators, not infosec teams. Security got messy for a lot of people when they tried to catch up. 

The notion of having data travel from any number of internet enabled devices into the cloud, can be quite scary. This is particularly relevant with the ongoing discussions regarding data privacy. 

A favorite quote of mine is ‘There is no cloud: only someone else's computer.’

How can the source of the data maintain control over it?

If you don’t own the infrastructure that it sits on, and the code that it runs on, you never really control it. 

Even still, trust but verify. Practice defense in depth etc. Good security should be practiced everywhere. 

How can regional regulatory requirements be satisfied?

Regulatory requirements seldom form part of actual security. And any security management that thinks they are secure because they are compliant is going to get compromised very quickly. 

Regulation moves at a glacial pace. Hackers move like lightning. 

How can control over this data be seamless?

Is there ever really full control? 

The approach should be making CIA (Confidentiality, Integrity, Availability) seamless. Each of those three things needs to be handled in a separate manner and they all have to start from the platform up. Get your developers thinking about security from the first line of code. 

If you get security involved late in the development lifecycle, you’re going to have a bad time.

If cost is a driver, how can we manage the registration and control the access of thousands or even millions of users of our Cloud?

Security controls are cheaper than Incident Response. 

How do you protect virtual machines?

Same way you protect physical machines. All the same controls should be in place. 

Can we provide protection against network threats and vulnerabilities in the Cloud?

Same way you protect physical network threats and vulnerabilities. All the same controls should be in place. 

How does the provider ensure software security, and which software remains the customer’s responsibility?

Legal teams will always, eventually, work out who is responsible for what. 

The idea is for infosec teams to figure it out before it comes to this.

How do you manage the battle between locking everything down securely and allowing the business to work effectively? 

If a security team locks everything down so hard that the business cannot run, they have failed. 

How does migrating to the cloud change my risks?

How long is a piece of string? 

Your risk profile will change when you move to the cloud. But it will change over time anyway. Keep reminding yourself that security is an ongoing process and you’ll be fine no matter the platform.

What are the most important aspects of a cloud security policy?

The breach is inevitable, so prepare defense in depth. 

Does cloud encryption singlehandedly protect data?

Nothing singlehandedly protects data. For additional emphasis – NOTHING SINGLEHANDEDLY PROTECTS DATA.

What is more secure: a public cloud or a private cloud?

Some public clouds are better than some private clouds. But a well managed private cloud is the less insecure choice. 

If my data is in the cloud, my security is in the cloud, and my backup is in the cloud, what do I control?

‘Cloud’ doesn’t equal a lack of control. You will always control, or not control, whatever your architecture lets you control. 

It’s not the cloud’s fault if you are ignorant of what you got yourself into.

Describe the best (or worst) IoT or cloud breach/hack and what were the takeaways from that event?

The Stuxnet attack on Iranian nuclear infrastructure in 2010.

Officially unknown, but suspected as a joint American-Israeli attack against SCADA systems associated with uranium enrichment.
The attack utilized a number of sophisticated mechanisms to bypass what was (and for the most part still is) best practice security. 
The takeaway should be ‘the breach is inevitable’ and you should have plans in place for what to do when you are breached. 

Interview with Steven Brealey

Should everything have an IP address?

Generally speaking yes, however there are exceptions! For example, where Cisco’s Fog computing is used, as a technology that supports the idea that all the ‘things’ don’t need to have the same kind of connection as the infrastructure and devices that are currently used to communicate online.

Does anyone remember the learning curve of BYOD, and if so why are people making the same mistakes?

The notion of having data travel from any number of internet enabled devices into the cloud, can be quite scary. This is particularly relevant with the ongoing discussions regarding data privacy. 

Yes, it potentially is scary, however if the correct security approach is used to build the IoT solution using a Defence in Depth approach then data collected can be safeguarded.

How can the source of the data maintain control over it?

With any data gathering exercise, while the source of information needs to be managed (secured etc.), it is where the data is stored, how it is converted to information and how it gets used that is where the focus needs to be in terms of control.

Can we provide protection against network threats and vulnerabilities in the Cloud?

As a customer of a public cloud service, you should be carrying out disaster planning as you would for any other part of your business.

You need to ensure that all issues and risks are assessed and mitigated.

How do you manage the battle between locking everything down securely and allowing the business to work effectively? 

Taking a Defense in Depth approach will ensure that a risk based approach is used and users and ICT managers are aware of the risks and the mitigation needed to guard against attacks.

If my data is in the cloud, my security is in the cloud, and my backup is in the cloud, what do I control?

If you have everything located in the cloud, your risk assessment would have said it is ok for this to occur. Are your backups located in the same area as the production Cloud, for example? If so, maybe consider locating these in a different location (different provider). At the end of the day, you are in control; you need to manage your risk assessment and make changes as risks are identified.

Describe the best (or worst) IoT or cloud breach/hack and what were the takeaways from that event?

There are many documented cases of IoT breaches. In terms of the worst, it will depend on the case of the worst (i.e., costs incurred, injuries caused, company impact, etc.). The presentation has two cases included and these have the worst in their situation.