Have you ever thought about the perils of smart home devices? In this presentation we discuss the Internet of Things (IoT) and the concept of Bring Your Own Device (BYOD), and the security challenges and risks they pose to companies, their systems, and ultimately to the mainframe.
1. Delivering the best in z services, software, hardware and training.
Hack All The Way Through from Fridge To Mainframe
World Leading z Security Specialists
2. AGENDA
• Introduction and Objectives
• IoT
• BYOD
• Exposing the mainframe
• What to do
• Summary and Conclusions
3. Who am I? A quick introduction…
RUI MIGUEL FEIO
• Senior Technical Lead at RSM Partners
• Based in the UK but travels all over the world
• 20 years’ experience working with mainframes
• Started with IBM as an MVS Sys Programmer
• Specialist in mainframe security
5. IoT – What is it?
• IoT stands for Internet of Things
• Term used to describe physical objects that can communicate with each other and complete tasks without any human involvement having to take place.
• Examples:
– Vehicles, appliances, buildings, …
– Any item embedded with electronics, software, sensors, and network connectivity
6. IoT – Some numbers
• A study conducted by Gartner says:
– More than 4.9 billion IoT connected devices in 2015
– 6.4 billion IoT connected devices in 2016
– More than 20 billion IoT connected devices in 2020
• A Cisco report predicts there will be 50 billion IoT connected devices in 2020!
8. IoT – The problem
• Trendy, fashionable devices are produced to appeal to tech-savvy consumers
• But the manufacturers of IoT devices tend not to have security in mind
• Some devices, like routers, have their firmware customised by the Internet Service Provider (ISP):
– Don’t allow firmware updates directly from the manufacturer
– Don’t provide customised updated versions of the firmware
14. IoT and Cyber Crime
• HP study reveals 70% of IoT devices are vulnerable to attacks
• Cyber criminals are working on new techniques for getting through the security of established organisations, focusing on IoT:
– Home appliances
– Office equipment
– Smart devices
• IoT devices are easier to hack as they don’t have robust security measures
15. IoT – How to hack?
• There are several resources available on the internet and the dark web:
– Web sites
– Blogs
– Forums
– Software tools
– Scripts
– Vulnerabilities
– Specialised search engines
16. Shodan – The IoT Search Engine
https://www.shodan.io/
21. IoT – The Risk
• Your home network can be compromised by one of your own IoT devices
• How secure are your IoT devices?
• How frequently do you update the firmware and software of the devices?
• Are the IoT devices still supported by the manufacturer?
• You connect from home to your company’s network
• What will happen if your home network is compromised?
• How long will it take for a hacker to exploit this security flaw?
24. BYOD – What is it?
• BYOD stands for Bring Your Own Device
• It’s becoming the standard which allows employees to use their own personal devices to access the company’s network remotely, either from their home location or from the workplace
• Seen by companies as a way to reduce costs
25. BYOD – Some numbers
• 59% of companies allow employees to use their own devices at work, and another 13% plan to in the near future (study from Tech Pro Research)
• 87% of companies allow employees to use personal devices to access business apps (study from Syntonic)
• A company can save an average of $350 per year for each employee using their own devices (study from Cisco)
26. BYOD – The problem
• There are a large number of security risks:
– As the device is owned by the employee, it is also used for their own personal use
– The organisation has limited control over the BYOD devices and how they are used
– If the BYOD device becomes infected or compromised, the attacker could use this as a platform to attack the company’s network
27. BYOD – The problem
• There are a large number of security risks:
– Employees failing to complete security updates
– Employees using unsecured Wi-Fi connections
– Employee turnover
– Employees losing their devices
30. BYOD and Cyber Crime
• In the UK, in a document entitled “10 Steps to Cyber Security”, GCHQ has advised businesses to consider banning bring your own device (BYOD) because staff represent the “weakest link in the security chain”
• Approximately 22% of the total number of mobile devices produced will be lost or stolen during their lifetime, and over 50% of these will never be recovered
• According to Kaspersky, 98% of identified mobile malware targets the Android platform, and the number of variants of malware for Android grew 163% in a single year
31. BYOD – The Risk
• A 2016 Ponemon Institute study reports:
– Negligent employees are seen as the greatest source of endpoint risk
• Increased number of BYOD devices connected to the network (including mobile devices)
• Use of commercial cloud applications in the workplace
• Security management control tasks become less efficient and more difficult to implement, ‘creating holes’ that can be exploited by hackers
34. IoT & BYOD vs The Mainframe
• Remember: the mainframe is just another platform residing in the company’s network
• If the network is compromised the mainframe can be directly or indirectly affected
• Using BYOD creates challenges for the company’s security team that can be difficult to tackle
• You may think that your home network is secure; you update your laptop with the latest security patches, antivirus and firewall definitions, but… have you ever considered the IoT devices?
36. What can be done?
• Manufacturers of IoT devices need to start focusing more on security
• Governments must take the lead in IoT security
• Companies and individuals need to be more security conscious and consider the implications of BYOD and IoT
• Reducing costs in the short term can lead to great financial losses in the medium and long term for everyone
37. What can be done?
• Strong security policies and rules need to be in place to ensure that any BYOD device is security compliant
• Employees need to be educated about the risks and challenges of both IoT and BYOD
• Managers and directors also need to be educated!! Saving money now can be a very costly thing in the future
• Have you ever imagined how a company’s image would be affected if its IT security had been breached using a…
38.
39. What if…
• A hacker compromises your IoT device…
• Your Fridge!!
• They have access to your WiFi network
• They are scanning your network and see your work laptop connected
• They manage to compromise your laptop
• You VPN into your corporate network
• They port scan and find telnet listening on port 23 for a DNS entry called zOSProd
• And they just happen to know what z/OS is, or they google zOSProd or zOS TELNET
• Start reading and enjoy!!!
• I don’t believe in scaring people, but this could happen!
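The scenario on this slide ends with a port scan and a cleartext telnet service on a host whose name gives away that it is a mainframe. As an added example, not part of the original deck or RSM Partners’ material, the following Python script shows the kind of detection a security team can run over connection logs from the VPN concentrator or firewall: it flags cleartext telnet (port 23) sessions to hosts tagged as mainframe LPARs, and it flags one source touching many distinct ports on one host within a short window, which is what the port-scan step looks like in flow data. The log format, the list of mainframe host names (only zOSProd is from the slide), the thresholds and the sample records are all constructed for this example.

```python
"""Flag cleartext telnet to mainframe hosts and port-scan behaviour in flow logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the deck). One record per line:
# "timestamp src_ip dst_host dst_port proto". 10.8.0.0/24 plays the VPN client pool.
SAMPLE_FLOWS = """\
2016-05-10T09:00:01 10.8.0.23 fileshare 445 tcp
2016-05-10T09:00:02 10.8.0.23 zOSProd 21 tcp
2016-05-10T09:00:02 10.8.0.23 zOSProd 22 tcp
2016-05-10T09:00:03 10.8.0.23 zOSProd 23 tcp
2016-05-10T09:00:03 10.8.0.23 zOSProd 80 tcp
2016-05-10T09:00:04 10.8.0.23 zOSProd 443 tcp
2016-05-10T09:00:04 10.8.0.23 zOSProd 992 tcp
2016-05-10T09:00:05 10.8.0.23 zOSProd 1414 tcp
2016-05-10T09:00:06 10.8.0.23 zOSProd 3270 tcp
2016-05-10T09:00:07 10.8.0.23 zOSProd 4443 tcp
2016-05-10T09:00:08 10.8.0.23 zOSProd 8080 tcp
2016-05-10T09:00:09 10.8.0.23 zOSProd 8443 tcp
2016-05-10T09:05:00 10.8.0.23 zOSProd 23 tcp
2016-05-10T09:06:00 10.1.4.7 zOSProd 992 tcp
"""

MAINFRAME_HOSTS = {"zOSProd"}   # hosts the security team tags as mainframe LPARs
CLEARTEXT_PORTS = {23}          # plain telnet / TN3270 without TLS (TLS variant is 992)
SCAN_PORT_THRESHOLD = 10        # this many distinct ports from one source to one host ...
SCAN_WINDOW_SECONDS = 60        # ... inside this window counts as a probable port scan


def parse_flows(text):
    """Parse the whitespace-separated sample format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "proto": proto})
    return flows


def find_cleartext_mainframe_sessions(flows):
    """Return sorted unique (src, dst, port) for cleartext sessions to a mainframe host."""
    return sorted({(f["src"], f["dst"], f["port"]) for f in flows
                   if f["dst"] in MAINFRAME_HOSTS and f["port"] in CLEARTEXT_PORTS})


def find_port_scans(flows):
    """Return (src, dst, distinct_ports) for each source/host pair where the source
    touched SCAN_PORT_THRESHOLD or more distinct ports within SCAN_WINDOW_SECONDS."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):          # time order for the window
        by_pair[(f["src"], f["dst"])].append((f["ts"], f["port"]))
    scans = []
    for (src, dst), events in by_pair.items():
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside the window
            while (events[end][0] - events[start][0]).total_seconds() > SCAN_WINDOW_SECONDS:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                scans.append((src, dst, len(ports)))   # report the pair once
                break
    return scans


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_cleartext_mainframe_sessions(flows):
        print("cleartext telnet to mainframe:", hit)
    for hit in find_port_scans(flows):
        print("probable port scan:", hit)
```

On the constructed data the script reports one cleartext telnet pairing (10.8.0.23 to zOSProd on port 23, the two sessions collapsed into one finding) and one probable scan from the same VPN client. The two rules complement each other: the scan rule catches the reconnaissance regardless of what is found, and the cleartext rule flags every plain telnet session to the mainframe whether or not a scan preceded it, which also serves as a running check that only TLS-protected TN3270 is in use.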
40. Being more specific
• Evaluate device usage scenarios and investigate leading practices to mitigate each risk scenario
• Invest in a mobile device management (MDM) solution to enforce policies and monitor usage and access
• Enforce industry standard security policies as a minimum
• Set a security baseline
• Differentiate trusted and untrusted device access
• Introduce more stringent authentication and access controls for critical business apps
• Add mobile device risk to the organisation’s awareness program
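The controls on this slide (a security baseline, trusted versus untrusted device access, and stronger authentication for critical business apps) amount to a policy decision that an MDM or access gateway evaluates on every request. The Python below is an added example of such a decision, not the deck’s or RSM Partners’ code; the baseline values, the device records, the application names and the rule that critical apps need a compliant device plus MFA are constructed for illustration and would be tuned to the organisation’s own policy.

```python
"""Evaluate BYOD devices against a security baseline and decide app access."""
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline values, constructed for this example.
MAX_PATCH_AGE_DAYS = 30
MIN_OS_VERSION = {"ios": (12, 0), "android": (8, 0), "windows": (10, 0)}
CRITICAL_APPS = {"mainframe-3270", "payroll"}   # constructed names
GENERAL_APPS = {"email", "intranet-wiki"}       # constructed names


@dataclass
class Device:
    """Attributes an MDM agent would report about an enrolled (or unenrolled) device."""
    device_id: str
    platform: str
    os_version: tuple
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    last_patch: date
    rooted: bool = False


def baseline_failures(device, today):
    """Return the list of baseline rules the device fails; an empty list means compliant."""
    failures = []
    if device.rooted:
        failures.append("rooted/jailbroken")
    if not device.mdm_enrolled:
        failures.append("not enrolled in MDM")
    if not device.disk_encrypted:
        failures.append("storage not encrypted")
    if not device.screen_lock:
        failures.append("no screen lock")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        failures.append(f"unsupported platform {device.platform}")
    elif device.os_version < minimum:
        failures.append(f"OS {device.os_version} below minimum {minimum}")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append("security updates overdue")
    return failures


def classify(device, today):
    """Trusted devices meet every baseline rule; anything else is untrusted."""
    return "trusted" if not baseline_failures(device, today) else "untrusted"


def authorize(device, app, mfa_passed, today):
    """Decide whether `device` may open `app`. Returns (allowed, reason)."""
    if app not in CRITICAL_APPS | GENERAL_APPS:
        return False, f"unknown app {app}"
    failures = baseline_failures(device, today)
    if device.rooted:
        return False, "rooted/jailbroken devices are blocked from everything"
    if app in CRITICAL_APPS:
        # stricter controls for critical apps: compliant device AND MFA
        if failures:
            return False, "critical app requires a trusted device: " + "; ".join(failures)
        if not mfa_passed:
            return False, "critical app requires MFA"
        return True, "trusted device with MFA"
    # general apps: trusted devices pass; untrusted ones are admitted only with MFA
    if not failures:
        return True, "trusted device"
    if mfa_passed:
        return True, "untrusted device admitted to general app with MFA only"
    return False, "untrusted device without MFA: " + "; ".join(failures)


# Constructed sample inventory and evaluation date.
TODAY = date(2016, 6, 1)
SAMPLE_DEVICES = [
    Device("phone-01", "ios", (13, 1), True, True, True, date(2016, 5, 20)),
    Device("phone-02", "android", (7, 1), True, True, True, date(2016, 3, 1)),
    Device("phone-03", "ios", (13, 0), True, True, True, date(2016, 5, 25), rooted=True),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, classify(d, TODAY), baseline_failures(d, TODAY))
        for app in ("email", "mainframe-3270"):
            print("  ", app, authorize(d, app, mfa_passed=True, today=TODAY))
```

The point of returning the list of failed rules rather than a bare yes/no is that the same evaluation drives both the access decision and the remediation message shown to the employee (update the OS, enrol in MDM), which is where the awareness programme on the slide and the technical control meet.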
45.
UK:
RSM House
Isidore Rd
Bromsgrove Enterprise Park
Bromsgrove
B60 3FQ
UK
T: +44 (0)1527 837767
E: info@rsmpartners.com
www.rsmpartners.com
US:
Suite 1600
222 So. 9th Street
Minneapolis MN 55402
US
T: +1 (612) 547-0089
E: info@rsmpartners.com
www.rsmpartners.com
Rui Miguel Feio
ruif@rsmpartners.com