Security and Privacy Policy for IoT: Workshop Review
- Last updated: November 27, 2016
To keep a pulse on the fast-changing IoT industry, we often attend workshops. This past month we attended one in Ottawa.
Details:
Who – Faud Khan, CEO of TwelveDot Security (twelvedot.com)
What – ‘Security and Privacy for IoT: A Standards-Based Approach’, a presentation for the IoT Ottawa Meetup
Why – To make security and privacy part of your daily ritual, with the aim of significantly reducing the cyber exposure of your products and solutions
You can view the presentation here:
It was a very good presentation at the IoT meetup last night. The speaker was Faud Khan of TwelveDot Security (twelvedot.com). In addition to running TwelveDot, an Ottawa-based technology and security consulting practice, Faud sits on the ISO standards committee for IoT applications (ISO 27000).
Faud is a great speaker and shared a good mix of information, standards discussion and horror stories (e.g., a cheap tablet with counterfeit chips that called home once or twice a day with all of the user’s information, or the Polycom phone in the main boardroom of a Government of Canada (GoC) department that, in addition to reaching the people on the other end of the line, streamed every conversation in the room back to Taiwan(?), etc.).
Some gems (in no particular order):
- 78 minutes – the average time required to break into a system or device
- 177 days – the average time to detect a breach
- Don’t trust any third-party software, especially if it comes from GitHub or similar; have it checked for back doors
- Implement (and follow) an information security management system (ISMS) and a systems development life cycle (SDLC); if nothing else, it demonstrates that you did your due diligence when a breach occurs (when, not if)
- If you have a breach, call your lawyer first, then have them call the experts
- Add threat modelling to the design process, including a privacy impact assessment (PIA, ISO 29134) and a threat and risk assessment (TRA, ISO 27005/8)
- Know the vulnerability landscape for the software, firmware and processors in your product
- Ensure devices and gateways have a method for in-field firmware updates, so that the vulnerabilities you find in those components can actually be patched
- Do not charge your devices through *any* public charging station; assume it is compromised. If you must, use a power-only USB cable rather than a sync (data) cable
- Know your supply chain and be on the lookout for forged or compromised chips
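An in-field update channel is itself an attack surface: a device that accepts any image it is handed has simply given the attacker a remote code loader. The example below is added here to show the two checks a device-side updater should perform before applying an image; it is not code from the talk, from TwelveDot or from Design 1st. The image layout (a `FW01` magic, a 32-bit version, a 32-bit payload length, the payload, then a 64-byte Ed25519 signature over everything before it), the function names and the fixed key seed are all assumptions made up for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used only for this example:
//   magic "FW01" (4) | version (4, big-endian) | payloadLen (4, big-endian) | payload | signature (64)
// The Ed25519 signature covers magic|version|payloadLen|payload, so the
// version field cannot be rewritten by an attacker without breaking it.
const (
	magic     = "FW01"
	headerLen = 4 + 4 + 4
)

var (
	ErrTruncated = errors.New("image truncated or length field inconsistent")
	ErrBadMagic  = errors.New("unrecognised image format")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version is not newer than installed firmware")
)

// DemoKeyPair derives a vendor signing key from a constant seed so the example
// is deterministic. A real vendor key is generated once, kept offline, and only
// its public half is burned into the device.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("example-seed-not-for-production!") // 32 bytes, constructed for the demo
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildImage is the vendor-side packaging step. It runs on the build server,
// never on the device, because it needs the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, headerLen+len(payload)+ed25519.SignatureSize)
	img = append(img, magic...)
	var u [4]byte
	binary.BigEndian.PutUint32(u[:], version)
	img = append(img, u[:]...)
	binary.BigEndian.PutUint32(u[:], uint32(len(payload)))
	img = append(img, u[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side check. It only returns the payload if the
// signature verifies under the pinned vendor public key AND the version is
// strictly newer than the installed one (anti-rollback). Nothing in the header
// is trusted until the signature check has passed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:4]) != magic {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// Compare as uint64 so a huge length field cannot overflow the check.
	if uint64(payloadLen) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return 0, nil, ErrTruncated
	}
	signed := img[:headerLen+int(payloadLen)]
	sig := img[headerLen+int(payloadLen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	if version <= installed {
		// A validly signed but older image is still rejected: otherwise an
		// attacker can reinstall a release with a known vulnerability.
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv := DemoKeyPair()
	installed := uint32(1)
	img := BuildImage(priv, 2, []byte("firmware v2 (constructed payload)"))

	v, _, err := VerifyImage(pub, installed, img)
	fmt.Println("genuine v2:", v, err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xff // flip one payload byte
	_, _, err = VerifyImage(pub, installed, tampered)
	fmt.Println("tampered:", err)

	_, _, err = VerifyImage(pub, 2, img) // replay of the current version
	fmt.Println("replayed:", err)
}
```

The order matters: length sanity checks guard the slicing, the signature check comes before any field is acted on, and the rollback check comes after the signature check so the version number being compared is one the vendor actually signed. Storing `installed` in a monotonic counter that the application cannot lower is what makes the rollback check hold up in practice.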