

Security (65)

The Internet of Things is changing the world, heralded as one of the most pivotal technology trends of the modern era. We are getting ready to enter a time where everything, quite literally, is connected to the Internet.

For the industrial sector, this is a new area of exploration. Factories have smart infrastructures that use sensors to relay data about machine performance. Cities have smart grids that monitor everything from traffic to the energy used by streetlights. Hospitals can monitor the health of high-risk, at-home patients.

In other words, we are entering a hacker's dream world.

Recent attacks, like the Christmas 2015 attack on the Ukraine power grid, have shown that the Internet of Things possesses severe vulnerabilities. These weak points can be everything from back doors that allow a hacker access to a system to lack of proper use by untrained workers. If your business uses IoT devices, there’s a good chance they are not secure.

Why are so many systems left vulnerable? Weaknesses often come from the same set of five drivers:

[Figure: the five drivers of IoT security weaknesses. Source: Allerin]

Whether your company is struggling because your devices were deployed too quickly or because operational cost constraints got in the way, your team must take measures to fix security risks. Here are four security flaws:

1. Lack of Encryption

Any device that is connected to the Internet to relay data needs encryption. When communication between devices and facility machines is not encrypted, it provides a doorway for hackers to send malicious updates, steal data, and even take control of the system.

In 2014, an Israeli security firm took control of cars using a specific connected telematics device that failed to use proper encryption.

2. Failing to Install Updates

Once you have a machine-to-machine communication system working properly, it can be easy to forget to install the necessary updates to keep the network secure.

Yet, hackers are constantly updating their strategies and tactics. Failing to install updates and patches leaves your system vulnerable. 

Even if you’re worried about breaking integrations between systems, you should at the least install every security update released by the vendor. These updates are specifically designed to address vulnerabilities discovered in your devices. After all, if your vendor releases a security update, it’s because they found a problem.

You also should know that updates and patches are not always the final solution to security vulnerabilities. Unfortunately, many manufacturers are not able or willing to provide the necessary support to continue updating their devices. 

To avoid this risk, shop carefully for systems that provide updates and are backed by a trusted company.

3. Poorly Built Networks

The modern industrial network is designed to get tasks done. If the design focuses too much on completing that task, it will leave weak points in security. Things that are obvious when building IT networks are sometimes less obvious when designing industrial networks that use DNP3 and other architectures.

The solution to this risk is fairly simple. Those tasked with building industrial networks need to ensure they are partnering with IT professionals to build networks that are safer from attacks. Security features, like deep packet inspection and network segmentation, should be in place from the beginning.

4. Sensors Outside of the Company's Control

Most of the sensors and other connected pieces that make up a network are controlled by the company. But for some companies, that is not the case. For example, power companies have sensors in their customers' homes.

Sensors outside of the company's immediate control are hard to secure, which gives hackers access. Currently, cloud-based security using public key services to authenticate devices may be the best solution to this problem.

Don't Take The Risk

Industrial security breaches can cause devastating consequences. Therefore, the above risks need to be addressed.

As more industrial facilities rely on the Internet of Things, it's important for company teams to be aware of the potential vulnerabilities. Take security into full consideration.


BYOD + IOT ≠ Security.

Last year, the number of smartphones in the world hit a new record. Out of the 4.55 billion cell phone users worldwide, 1.75 billion of those were using smartphones. Users are rapidly switching to smartphones as these devices become more affordable, and as 3G and 4G networks are introduced into key markets, allowing faster than ever data transfer rates. For businesses, this increasing smartphone penetration has significant implications. As more businesses adopt BYOD (Bring your own Device), IT security professionals and CIO leaders will need to address the issues of security that are introduced as business data is taken on the road, and exposed to external networks.

How Does BYOD Impact IT Security?

Data security consultants, and anyone involved in information technology or management, will need to be clear on the risks that are introduced with BYOD.

A company that allows BYOD is able to receive great benefits from doing so. Systems that allow for users to bring their own devices mean that staff are able to use devices that are familiar to them, which can reduce training time and increase efficiency. At the same time, businesses can save significant amounts of money on IT procurement, because users are bringing their own cell phones, tablets, and even laptops, from home.

There are even benefits to recruiting - new hires will be more comfortable with their own device and the option to bring it in, instead of having to juggle phones and computers.

Even with these key advantages, there are some problems to overcome. The biggest challenge with BYOD is security. A BYOD device would be almost worthless if it didn’t have sufficient access to a corporate network, so that a staff member can easily obtain the information and run the applications that they need to perform their jobs. This means opening up access to systems which would have previously been protected by closed networks accessed by in-house devices, with security enforced through strict and robust security policies.

Another challenge exists when employees leave a company. Because they take their devices with them, there needs to be a mechanism in place that prevents access from devices that are no longer associated with an authorized staff member. Compared to a model without BYOD, this adds another layer of security, and a number of process layers within the organizational structure of a business. Without addressing this type of situation, businesses would be putting themselves at significant risk.

Security Is Even More Important than Ever with IoT

The Internet of Things has been called the future of business, computing, and entertainment. Indeed, IoT covers all of these areas, whether you look at a smart TV, an internet capable MRI machine, or even the cloud services that deliver email, streaming video, or music, to devices that will work from anyplace where there is an internet connection.

IoT exists in complex industries, too. Consider a production line that utilizes networked sensors along the line, which then transmit data in real time between ordering systems, packing robots, and even dispatch centers, to coordinate logistics. Considering the data that is collected using IoT sensors, and the possibilities there are to interface with this data by using BYOD devices, it becomes clear that a system utilizing IoT technologies and BYOD access policies needs to be secured to the highest industry standards.

Security breaches could mean that an unauthorized party is able to gain access to production data or even sensitive manufacturing secrets, or that a previous employee is able to take data and learnings to a competitor, using their own device that was once legitimately authorized through BYOD policies.

Similar risks exist in any industry. If you are an IT data security consultant within a contact center business, you could be tasked with protecting CRM systems, billing information, payment gateways, and other critical systems. Sales reps, telephone agents, and remote staff could all be using BYOD devices to connect to a decentralized cloud solution. Ensuring that access control and other security measures are present will be a core aspect of the solutions that you design and implement. The reality is that a single violation can expose your entire network, making it critical to hire the right people and solve for these problems internally and for your clients.

Who are The Big Players in IT Security Today?

You only need to look at the world’s largest information security consultancies to see that data security is a big business.

Deloitte, currently the biggest player in IT security, made over $2 billion in revenue from security consulting in 2014. Other leading companies are seeing similar growth, with all of the top five, including IBM and KPMG, seeing revenue growth in security consulting. All of the top five exceeded 5% growth between 2013 and 2014.

This means that not only is there a clear growing need for security consulting, but also that there will be an increased demand for IT security consultants who are experienced in the latest technologies, including cloud and IoT technologies. The demand has been partially spurred on by high profile data security breaches, especially those at government level.

Businesses and Professionals Should Prepare for a Growing Market

Not only do businesses need to assess and respond to their needs regarding BYOD, IT security, and overall risk management, but they will need to begin to seek the most qualified consultants to lead their security initiatives.

Likewise, qualified candidates who are entering the job market need to seek out the most promising opportunities, such as those that exist with businesses where they will have the opportunity to demonstrate their expertise in new and emerging IT technologies.

Moving forward, the businesses and professionals who recognize the importance and opportunity within data security consultancy will be the ones who benefit the most in the next five years, when both IoT and IT Security are expected to experience drastic market growth.

How are you hiring to fill the need? Let's talk and see how your BYOD security concerns can be solved with a single hire - IOT Security Officer.


Big Growth in Data Security Provides Opportunities for Consultants

By 2016, the worldwide data security market is expected to approach almost $90 billion in total value. This means that security is big business, and it should be. Data security has become increasingly critical as businesses utilize increasingly complex technology. Likewise, businesses that are directly involved in technology, such as Internet of Things and connected devices startups, cloud service providers, and even internet service providers, all have a vested interest in maintaining the security of their data.

Three Core Influencers on the Security Market

There are three core areas of influence that are driving the key players in data security consulting. Market influencers, according to Gartner Research, include BYOD (Bring Your Own Device), big data, and the security threats themselves.

BYOD is changing the way that SMBs and enterprise clients think about security. In the past, security solutions could be rolled out and controlled across a limited number of devices that were usually owned and maintained by employers. Today, it is more common for executives and staff at all levels to bring their own devices, which can then connect to company applications and networks. This creates the challenge of implementing robust security policies and technologies that can cover a range of devices and access methods.

Increased connectivity has led to increasing levels of "big data" in business. Considering all of the channels where data is collected, whether it be through software, customer interactions, or even data that comes from IoT connected devices, it is becoming critical that big data is not only collected, identified, and categorized, but that it is kept secure. Security in the future will be essential for protecting IP, trade sensitive information, and maintaining privacy.

Finally, the increasing number of security threats is reshaping the market, and will continue to do so in the future. In addition to the attacks and exploits that have been common in the past, data security consulting professionals now have new technologies where compromises must be patched and anticipated. IoT devices, SaaS solutions, and increasingly widespread cloud adoption will be major factors that shape the needs of future data security.

 

Data Security Consulting: What is Hot?

Recent graduates, professionals looking for new opportunities, and even CIOs within existing organizations can anticipate the opportunities and needs, by identifying current roles and niches in the data security consulting market.

A data security role may be completely specialized, or in some cases, generalized and more leadership based, depending on the size of an organization.

Information security can be broken down into two main areas. These areas are hardware, and software. A data security consultant may be expected to have a wider understanding of their industry, but in reality they will only specialize in some key areas. This means that employers need to be specific about who they’re looking for and the technologies that they use. It also means that jobseekers need to be upfront about their expertise, or they may risk finding themselves in a position that is beyond their current skillset, which could lead to career impacting underperformance.

As a consultant, the role is to advise, develop, and implement change. This change is usually to address a problem that already exists. In the case of data security, this could mean that a security threat has already been identified, or it could be to mitigate possible threats with new technologies.

  • Consultants need superior application and network penetration skills. This means that they should be able to break down and analyze the way that software works within any environment. This includes input and output channels. Networks need to be understood in the same way. The purpose of this knowledge is to identify where risks exist, or where existing security breaches are occurring.

  • Software algorithms are known to provide false positives, so a consultant needs to be able to identify these, and should have skill in determining viable threats. This will help the consultant to allocate resources where they are most necessary, which can benefit their employer financially.

  • Consultants should build an understanding of the technologies used by their employer. Whenever working on a contract, a consultant will deal with systems that they are unfamiliar with. Understanding the underlying technologies will be critical to implementing successful security solutions. This may require knowledge of cloud computing and infrastructure, IoT protocols and industry practices, or even specifics of networking or programming languages.

  • Successful consultants will be experts in risk management. This should not just include software and hardware, but also their employer’s strategy when it comes to risk management. Some companies are willing to accept higher levels of risk, while some have more stringent expectations. Understanding the culture of any particular company will be critical.

 

As Data Becomes More Important, Security Consulting Becomes a Necessity

It does not matter whether a business processes EPS payments, collects consumer information for a large retail operation, or even deals exclusively in cloud technology and the Internet of Things. The reality is that, as long as they are collecting and storing data, they will need dedicated security professionals.

Protecting that data for commercial and privacy reasons will best be achieved with the right candidates, who have the skills and experience to deal with security threats in the modern business landscape.

I found a great resource for planning for and making decisions about information security at the Gartner Research Security and Risk Management page.


Big Data, IOT and Security - OH MY!

[Figure: Topsy chart of the three topics over the last 30 days]

While we aren’t exactly “following the yellow brick road” these days, you may be feeling a bit like Dorothy from the “Wizard of Oz” when it comes to these topics. No my friend, you aren’t in Kansas anymore! As seen above from Topsy, these three subjects are extremely popular these days and for the last 30 days seem to follow a similar pattern (coincidence?).

 

The Internet of Things is not just a buzzword and is no longer a dream, with sensors abounding. The world is on its way to becoming totally connected, although it will take time to work out a few kinks here and there (with a great foundation, you create a great product; this foundation is what will take the most time). Your appliances will talk to you in your “smart house” and your “self-driving car” will take you to your super tech office where you will work with ease thanks to all the wonders of technology. But let’s step back to reality and think: how is all this going to come about, what will we do with all the data collected, and how will we protect it?

 

First things first: all the sensors have to be put in place, and many questions have to be addressed. Does a door lock by one vendor communicate with a light switch by another vendor, do you want the thermostat to be part of the conversation, and will anyone else be able to see my info or get into my home? (Source: http://www.computerworld.com/article/2488872/emerging-technology/explained--the-abcs-of-the-internet-of-things.html)

How will all the needed sensors be installed and will there be any “human” interaction? It will take years to put in place all the needed sensors but there are some that are already engaging in the IOT here in the US. Hotels (as an example but not the only one investing in IOT) are using sensors connected to products that are available for sale in each room, which is great, but I recently had an experience with how “people” are the vital part of “IOT”. I went to check out of a popular hotel in Vegas, when I was asked if I drank one of the coffees in the room. I replied, “no, why” and was told that the sensor showed that I had either drunk or moved the coffee. The hotel clerk verified that I had “moved” and not “drank” the coffee, but without her, I would have been billed and had to refute the charge. Refuting charges is not exactly good for business, and customer service having to handle “I didn’t purchase this” disputes 24/7 wouldn’t exactly make anyone’s day, so thank goodness for human interactions right there on the spot.

 

“The Internet of Things” is not just a US effort. Asia, in my opinion, is far ahead of the US, as far as the internet of things is concerned. If you are waiting in a Korean subway station, commuters can browse and scan the QR codes of products which will later be delivered to their homes. (Source: Tesco) Transport for London’s central control centers use the aggregated sensor data to deploy maintenance teams, track equipment problems, and monitor goings-on in the massive, sprawling transportation system. Telent’s Steve Pears said in a promotional video for the project that "We wanted to help rail systems like the London Underground modernize the systems that monitor its critical assets—everything from escalators to lifts to HVAC control systems to CCTV and communication networks." The new smart system creates a computerized and centralized replacement for a public transportation system that used notebooks and pens in many cases. http://www.fastcolabs.com/3030367/the-london-underground-has-its-own-internet-of-things

 

But isn't the Internet of Things too expensive to implement? Many IoT devices rely on multiple sensors to monitor the environment around them. The cost of these sensors declined 50% in the past decade, according to Goldman Sachs. We expect prices to continue dropping at a steady rate, leading to an even more cost-effective sensor. http://www.businessinsider.com/four-elements-driving-iot-2014-10

 

 

The Internet of Things is not just about the gathering of data but also about the analysis and use of data. So all this data generated by the Internet of Things, when used correctly, will help us in our everyday life as consumers and help companies keep us safer by predicting and thus avoiding issues that could harm or delay, not to mention the costs that could be reduced from patterns in data for transportation, healthcare, banking; the possibilities are endless.

 

Let’s talk about security and data breaches – Now you may be thinking I’m in analytics or data science why should I be concerned with security? Let’s take a look at several breaches that have made the headlines lately.

 

Target recently suffered a massive security breach thanks to attackers infiltrating a third party (http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data), and so did Home Depot (http://www.usatoday.com/story/money/business/2014/11/06/home-depot-hackers-stolen-data/18613167/). PC World said, “Data breach trends for 2015: Credit cards, healthcare records will be vulnerable” (http://www.pcworld.com/article/2853450/data-breach-trends-for-2015-credit-cards-healthcare-records-will-be-vulnerable.html).

 

 

Sony was hit by hackers on Nov. 24, resulting in a company-wide computer shutdown and the leak of corporate information, including the multimillion-dollar pre-bonus salaries of executives and the Social Security numbers of rank-and-file employees. A group calling itself the Guardians of Peace has taken credit for the attacks. http://www.nytimes.com/2014/12/04/business/sony-pictures-and-fbi-investigating-attack-by-hackers.html?_r=0

 


http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf

 

So how do we protect ourselves in a world of BIG DATA and the IOT?
Why should I, as a data scientist or analyst, be worried about security? That’s not really part of my job, is it? Well, if you are a consultant or own your own business, it is! Say you download secure data from your clients and then YOU get hacked: guess who is liable if sensitive information is leaked or gets into the wrong hands? What if you develop a platform where the client’s customers can log in and check their accounts, and credit card info and purchase histories are stored on this system? If stolen, it can set you up for a lawsuit. If you are a corporation, you are protected to some extent, but what if you operate as a sole proprietor? You could lose your home, company and reputation. Still think security when dealing with big data isn’t important?

Organizations need to get better at protecting themselves and discovering that they’ve been breached, plus we, the consultants, need to do a better job of protecting our own data, and that means you can’t use “password” as a password! Let’s not make it easy for the hackers, and let’s be sure that when we collect sensitive data (and yes, even the data collected from cool technology toys connected to the internet) we are security minded, meaning check your statements, logs and security messages - verify everything! When building your database, use all the security features available (masking, obfuscation, encryption) so that if someone does gain access, what they steal is NOT usable!

 

Be safe and enjoy what tech has to offer with peace of mind and at all cost, protect your DATA.

 

I’ll leave you with a few things to think about:


“Asset management critical to IT security”
"A significant number of the breaches are often caused by vendors but it's only been recently that retailers have started to focus on that," said Holcomb. "It's a fairly new concept for retailers to look outside their walls." (Source:  http://www.fierceretail.com/)

 

“Data Scientist: Owning Up to the Title”
Enter the Data Scientist; a new kind of scientist charged with understanding these new complex systems being generated at scale and translating that understanding into usable tools. Virtually every domain, from particle physics to medicine, now looks at modeling complex data to make our discoveries and produce new value in that field. From traditional sciences to business enterprise, we are realizing that moving from the "oil" to the "car", will require real science to understand these phenomena and solve today's biggest challenges. (Source:  http://www.datasciencecentral.com/profiles/blogs/data-scientist-owning-up-to-the-title)

 

 

Forget about data (for a bit) what’s your strategic vision to address your market?

Where are the opportunities given global trends and drivers? Where can you carve out new directions based on data assets? What is your secret sauce? What do you personally do on an everyday basis to support that vision? What are your activities? What decisions do you make as a part of those activities? Finally what data do you use to support these decisions?

http://www.datasciencecentral.com/profiles/blogs/top-down-or-bottom-up-5-tips-to-make-the-most-of-your-data-assets



Originally posted on Data Science Central 


Security challenges for IoT

 

Guest blog post by vozag
 

The emergence of IoT presents security challenges greater than any that industrial systems have seen.

 

The Open Web Application Security Project (OWASP) is a reputable international organization that focuses on improving the security of software. It sponsors the hugely popular Top Ten project, which publishes the top ten security risks for web applications all over the world.

 

The “OWASP Internet of Things (IoT) Top 10” project defines the top ten security surface areas presented by IoT systems. The project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.

 

Last year HP, which started this project, used it as a baseline to evaluate the top ten widely used IoT devices and released a report. The study concluded that, on average, each device studied had 25 vulnerabilities listed as part of the project.

 

The top 10 vulnerabilities, with the impact of each and a link, are given below in the order listed in the project:

 

Insecure Web Interface

Insecure web interfaces can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete device takeover.

 

Insufficient Authentication/Authorization

Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.

 

Insecure Network Services

Insecure network services can result in data loss or corruption, denial of service or facilitation of attacks on other devices.

 

Lack of Transport Encryption

Lack of transport encryption can result in data loss and depending on the data exposed, could lead to complete compromise of the device or user accounts.

 

Privacy Concerns

Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.

 

Insecure Cloud Interface

An insecure cloud interface could lead to compromise of user data and control over the device.

 

Insecure Mobile Interface

An insecure mobile interface could lead to compromise of user data and control over the device.

 

Insufficient Security Configurability

Insufficient security configurability could lead to compromise of the device whether intentional or accidental and/or data loss.

 

Insecure Software/Firmware

Insecure software/firmware could lead to compromise of user data, control over the device and attacks against other devices.

 

Poor Physical Security

Insufficient physical security could lead to compromise of the device itself and any data stored on that device.

 
