OWASP Top 10 Part 2


Time
8 hours 10 minutes
Difficulty
Advanced
CEU/CPE
8
Video Transcription
00:00
Hi, I'm Matthew Clark and this is lesson 1.6, OWASP IoT Top 10, Part 2.
00:07
In this lesson, we're going to discuss the remaining five of the OWASP IoT Top 10.
00:14
This includes insufficient privacy protection, insecure data transfer and storage, lack of device management, insecure default settings
00:24
and lack of physical hardening.
00:26
So let's get started.
00:29
Number six is insufficient privacy protection.
00:32
There's a lot of momentum going on now in the legal realm to address privacy.
00:38
Two recent laws have been GDPR and the California Consumer Privacy Act, or CCPA.
00:45
Data classification is a consideration when it comes to privacy.
00:50
Data classification is the process to identify any classified data.
00:54
To quote version four of the OWASP Application Security Verification Standard:
01:00
The most important asset is the data processed, stored or transmitted by an application.
01:07
Always perform a privacy impact assessment to classify the data protection needs of any stored data correctly.
01:15
This is mainly a design issue.
01:18
One of the questions that you should ask yourself when you're planning the design is: do you need this data?
01:23
Do I need to gather this type of sensitive data? And if the answer is yes, then the next question should be: well, how do we protect it?
01:32
Do we use encryption at rest? Encryption in transit? And the answer is, that is generally yes.
01:38
And another good question is, are you anonymizing the information properly?
01:44
Well, this top 10 entry also includes permission. For example, are you setting proper access and need-to-know controls around the stored data?
01:53
And do you have permission to perform an action on private information?
01:57
We're gonna talk more about this in module seven.
02:00
According to an IBM study
02:02
from 2017,
02:05
90% of all data that has ever been created has been created in the last two years.
02:10
And in 2017, we generated 2.5 quintillion bytes of data daily.
02:19
Number seven, insecure data transfer and storage.
02:23
Well, this includes the obvious security considerations regarding encryption at rest and encryption in transit.
02:30
But it also includes the security practices regarding the encryption process itself, such as choosing a weak algorithm or a weak key length. And occasionally an OEM will try to create their own algorithm
02:45
instead of using an established one, which is never really a good idea.
02:49
And sometimes there's a temptation to obscure data instead of secure it, in other words, to hide it instead of protect it. And one thing is guaranteed: whatever you hide, someone's gonna find.
03:01
Another issue is sometimes not using a secure protocol, such as TLS, or failing to plan for proper hardware within the ecosystem in order to support encryption. This would include installing an HSM
03:17
or TPM, or TEE at the device level.
03:23
Also, access control is another consideration, whether it's planning for proper role-based access or discretionary or mandatory,
03:30
or it could be failing to properly use the principle of least privilege for resources and systems within the IoT ecosystem,
03:38
and as we discussed in lesson 1.2,
03:42
98% of all IoT traffic is unencrypted, which exposes personal information, confidential information and basically all the traffic that flows within your ecosystem.
03:54
Number eight is a lack of device management.
03:59
Well, device management includes activities such as asset management, update management, monitoring of devices, incident management when something goes wrong, as well as secure decommissioning.
04:10
You can't manage what you can't see. In 2017, a Ponemon Institute study found that less than 20% of risk professionals can identify a majority of their organization's IoT devices, and I can guarantee you that number hasn't gotten much better since 2017.
04:30
And that same study found that 56%
04:32
were not keeping an inventory of IoT devices,
04:36
while 64% were not keeping an inventory of the applications.
04:41
Trying to simply manage a single IoT device might not be that hard.
04:46
If you don't have the people and process and technology for management of large numbers, you're not going to know where your devices are. And you're not going to know if the devices have been patched or updated.
04:59
And consumers just simply don't have the visibility into these IoT devices,
05:03
and OEMs have a lack of ongoing support and defined device life cycles that really prevent this issue from getting better. According to a Gartner report, by 2023 the average CIO will be responsible for more than three times the endpoints
05:21
they managed in 2018.
05:26
Number nine is insecure default settings.
05:29
This top 10 entry really concerns itself with default security configurations.
05:34
I'd like to start with this concept of low friction versus security,
05:39
and you can think of low friction kind of like a marketing term. It's this idea that products should be as easy to use as possible or, in other words, that the steps required to go from unpacking the device to using it should be as minimal as possible.
05:54
I purchased a new Wyze camera the other day. It was my second one. I already had the app installed, the account was created, and everything like that.
06:03
I was amazed that in like four super simple steps, the camera was attached to my network.
06:11
It was associated with my Wyze account, and I was taking video of my worthless, lazy cat sleeping on my couch.
06:18
This drive for low friction or ease of use can inadvertently cause an OEM to choose insecure default settings.
06:28
And now laws are changing to address this. For example, the new California IoT law requires IoT device manufacturers to set unique pre-programmed passwords or require users to be able to change their passwords before first use.
06:46
So OEMs should ensure default credentials are secure, and generally they could do this by not allowing weak passwords or blank passwords or those types of choices.
06:58
Likewise, OEMs should take action to ensure that secure account management practices
07:02
are used, for example, guest accounts are disabled, or verify that the default account doesn't have root access to the device.
07:13
Another one not on this list but also very important and worth mentioning is insecure protocols. In order to increase usability, the OEM may be tempted to allow the use of an insecure protocol within the device. So, for example, you may choose Telnet or HTTP.
07:31
Factory resets in some cases can actually make the device less secure
07:38
by erasing previous security choices made by the end user.
07:42
So after a device reset, setup should walk an end user through how to secure the device again.
07:48
Now, if a factory reset will erase a previous security update, then the device should warn that secure operation may be compromised unless the device is updated again.
08:01
And a good statistic that kind of draws all this together is that in 75% of cases routers act as a gateway for IoT devices because the routers' default passwords aren't changed.
08:18
Which takes us to number 10.
08:20
Lack of physical hardening.
08:22
We know that security starts at the physical layer,
08:24
and the purpose of a physical attack may not be the damage of the device; it may be for information gathering. And in a future lesson, we're gonna go through different ways that attacks are performed, different tools that are used, and different techniques that could be used to thwart attacks.
08:41
But for this purpose, generally, you know, the first thing you wanna do is protect against attack. And if you can't protect, you want to detect an attack. So tamper resistance and tamper detection are two areas that should be considered when building the overall physical security of an IoT device.
09:01
So in tamper resistance, you may be looking at doing things like disabling or removing debug ports, or using an epoxy resin on the chips so that any tampering actually destroys the chip itself. And in tamper detection, you may be looking at secure boot or measured boot in order to validate firmware, that no, um,
09:20
you know, unauthorized changes have been made.
09:24
Of course, a risk assessment should be conducted to determine the product's potential vulnerabilities, the threats, and the impact. And that really informs what actions need to be taken at the physical layer.
09:39
So there you go, the OWASP IoT Top 10.
09:43
In this lesson, we discussed items six through 10 and here's all 10 for your review.
09:50
I'll see you next time.
This course will focus on the fundamentals of how to set up a functioning IoT product security program from the perspective of a company that designs, manufactures, and sells IoT and IIoT devices for consumer or industrial use.