Time: 23 hours 21 minutes
Difficulty: Intermediate
CEU/CPE: 23

Video Transcription

00:01
Hi. Welcome back to the course. In the last video, we went over some IoT basic information. So we talked about what IoT is. We also talked about the IoT architecture, some of the communication models, and then also some of the challenges of IoT.
00:15
In this video, we're going to go over the OWASP Top 10 for IoT vulnerabilities, and we're also going to discuss countermeasures for each one.
00:23
So here's our list of the OWASP Top 10 IoT vulnerabilities. This is a 2014 list, and probably in the next year or two they'll be coming out with the next version of it.
00:31
But for now, number one is insecure web interface; number two, insufficient authentication or insufficient authorization; number three, insecure network services; four, lack of transport encryption; five, privacy concerns.
00:44
Six, insecure cloud interface; insecure mobile interface is seven; and then eight is insufficient security configurability; nine, insecure software/firmware; and then number 10 is poor physical security.
00:57
So let's talk about the countermeasures for each one.
01:00
So for insecure web interface, this is a lot of common sense stuff. You're going to notice several of these have similar countermeasures. So here we want to make sure we change any default passwords and usernames, and generally that's during the initial setup. We don't want to wait too long before doing that.
01:15
We also want to make sure that our password recovery methods are pretty robust. So we don't want a criminal hacker getting in just because we're not doing, you know, a lot of checks and balances.
01:25
We just want to make sure that the web interface is not susceptible to things like cross-site scripting or cross-site request forgery.
01:32
We also want to make sure that no credentials are exposed while we're sending network traffic, and that includes internal and external network traffic.
01:38
We don't want to allow any weak passwords at all. And then also, we want to make sure we have some kind of account lockout feature after a certain number of failed login attempts.
01:49
For number two, the insufficient authentication and insufficient authorization: make sure passwords are strong. We also want to make sure we have granular access control. So what that means is basically that I don't want to just say, okay, you work as a network admin, and I just give you all this stuff. I want to be able to truncate that down to say, okay, you only need these two servers,
02:07
and you only need access to these 25 workstations
02:10
because those are the people and the information you're working with.
02:14
We also want to be able to put two-factor authentication standards in there. And then again, make sure we have pretty robust password recovery mechanisms.
02:24
So for insecure network services, we basically just want to open only the necessary ports. So again, as I mentioned, a lot of this stuff is common sense or straightforward stuff. If you've got some general knowledge of security and, you know, from what you've learned throughout this course, you kind of see, like, okay, yeah, we want to make sure these things are in place.
02:42
We also want to make sure that our services are not vulnerable to things like buffer overflows and also denial of service attacks or distributed denial of service attacks as well.
02:53
Lack of transport encryption. So we want to make sure that data is encrypted with protocols like TLS. I know EC-Council does mention SSL in their material, but realistically, in real life we want to use TLS,
03:07
at least at this stage until something else comes out.
03:09
And then we want to avoid any proprietary type of encryption protocols; just make sure we use accepted encryption standards.
03:17
Privacy concerns. So we want to just make sure that only data critical to the functionality of our IoT devices is collected. We don't want them collecting any other type of personal information.
03:27
We want to protect that data with encryption and then also make sure that only authorized individuals or organizations have access to our personal information.
03:36
The insecure cloud interface. So you see here again, we've got default usernames and passwords. These need to be changed.
03:43
We need to have an account lockout feature, and then also make sure, as we did with our web interface, that it's not susceptible to cross-site scripting or cross-site request forgery.
03:53
Also make sure that credentials aren't being exposed over the Internet. So you might have seen, I think in the past six months, there have been several articles in the media, at least here in the United States, regarding insecure AWS buckets and different credentials. And even some companies had login credentials on *** Club. So,
04:13
just keep that in mind that you don't want to expose that in any capacity anywhere on the Internet.
04:17
And then, of course, put in two-factor or multi-factor authentication.
04:21
So for insecure mobile interfaces, we want to make sure that we again change default usernames and passwords, have strong password reset mechanisms in place and account lockouts, make sure that our credentials are not being exposed over wireless networks, and then, of course, two-factor authentication.
04:36
Insufficient security configurability. We want to ensure the ability to keep our admin users separate from our regular users. So we want to separate those,
04:44
encrypt the data at rest or in transit, and then, of course, strong password policies and also logging security events.
04:54
So for number nine, insecure software/firmware, we want to make sure that our device has the ability to actually get updates, right? And then we also want to ensure that the update file is encrypted, that it comes from the legitimate source, and also that it doesn't contain any type of sensitive data.
05:09
We have to ensure the signature and verify the actual update file. Make sure again it's from the correct source, and then make sure that the update server is actually secured.
05:18
And finally, poor physical security. You may have stumbled on that one, but we want to ensure that the data storage medium cannot be easily removed. So we don't want someone walking out with a server, right? Or we don't want someone walking out with our, you know, refrigerator, washer, dryer, thermostat or, you know, smartphone.
05:38
So just make sure that it's secure in some capacity.
05:41
Storing the data, make sure it's encrypted at rest. Eliminating the use of USB ports, basically disabling them,
05:47
ensuring the device cannot be disassembled easily. So we don't want somebody to just come in, take off the lid, grab it and walk out. We want to make sure it's complicated for them to try to take it apart,
05:58
and then ensure the product can limit administrative capabilities, so limit the admin capabilities on that particular device.
06:06
So in this video, we just talked about the OWASP Top 10 IoT vulnerabilities and also countering those as well.
06:15
In the next video, we're going to talk about the IoT attack surface and also talk a little bit about IoT hacking tools.


Instructed By

Ken Underhill
Master Instructor at Cybrary