Subscribe to our Newsletter | To Post On IoT Central, Click here


Security (126)

Drones – A hacker’s playground

Original Post from: Vulpoid

Unmanned Aerial Vehicles (UAVs) offer new perspectives, both from a civilian and a military standpoint; yet, they present vulnerabilities having the potential to lead to disastrous consequences regarding public safety if exploited successfully, as evidenced by recent hacks. These repercussions can be prevented by implementing best practices, continuously assessing the technologies used and most importantly by remaining aware of the environment, of the weaknesses that may be exploited and of the threats that may emerge. The purpose of this article is not to provide countermeasures or solutions, but to outline flaws and vulnerabilities to better understand and address potential threats and threat actors.

timeline

Figure 1 UAVs hacks disclosure timeline

As shown by recent hacks, several professional Unmanned Aerial Vehicles (UAV) used byarmed forces, governments, police departments and the private sector are vulnerable to critical attacks which exploit both technical vulnerabilities and design flaws. This can lead to UAVs being spied on, made inoperable or controlled by the attacker unbeknownst to the UAV’s owner.

ecosystem

Figure 2 Drone’s ecosystem vulnerabilities

op_anar

Figure 3 Operation Anarchist base location

From a military intelligence perspective, it’s a godsend to gather valuable information. The GCHQ/NSA joint Operation Anarchist[1] during which Israeli drones’ scrambled video signals were intercepted and reconstructed, providing the US and UK a clear view of Israeli drones’ position, movements, payload and video footage is the perfect example. The Operation Anarchist – which started in 1998, lasted more than a decade and was disclosed only in late December 2015 – was run from the Troodos Mountains, Cyprus, from where encrypted video signals between Israeli drones and their bases were intercepted and unscrambled using open-source software tools.

The obvious drawback however for governments is that the same techniques can be used against them and become a serious threat, particularly when it comes to State security and notably for law enforcement agencies. While entry-level drones present vulnerabilities, their main purpose seems to be to reduce cost. IBM researcher Nils Rodday proved that high-end drones were also vulnerable when he studied professional quadcopters used by law enforcement agencies in the context of his Master’s Thesis[2]  in 2015. He showcased the results of the hacks during the RSA Conference 2016[3]. He also analyzed the quadcopters and discovered that the on-board chips lacked encryption implementation[4] which allowed him to hijack the drone by emulating the commands sent to the UAV through the controlling application. Furthermore, he took advantage of the weak encryption (WEP) used to cipher the link between the drone and its controller.

drone_archi

Figure 4 Drone flow architecture, by Nils Rodday, used in his work

In addition, concerns regarding homeland security have emerged, as shown by the case of the Mexican drug cartel who, in late December 2015, managed to control the US Customs and Border Patrol (CBP) drones’ movements[5]. This allowed the cartel to reroute the US CBP’s drones and to illegally cross the US-Mexican border, enabling them to smuggle drugs and people without being detected. The cartel used GPS jamming and GPS spoofing techniques which respectively disrupted the Command and Control (C&C) link, preventing the drone from receiving GPS signals, overriding legitimate ones and replacing them with fake ones, thus making it deviate from its original route.

gps_jam_spoof

Figure 5 GPS jamming / GPS spoofing

IDF

Figure 6 IDF Drones System hack

Moreover, warfare methods continually evolve and actors integrate new technologies in their arsenal, leveraging on them during actual conflict as evidenced by the recent hack of the Israeli Defense Forces’[6]  (IDF) drone surveillance system. The hack was perpetrated by a member of the Islamic State who gained access to HD footage from IDF’s drones hovering above the Gaza Strip for at least 2 years, starting in 2012 but potentially up until the arrest in February 2016. As a matter of fact, using only commonly available tools such as a satellite dish and a radio receiver[7], the hacker was able to intercept IDF’s drones’ video streams and managed to decode them, thus providing the Islamic State with a clear view of IDF’s drones video footage.

As evidenced by the aforementioned examples, attacks take place in several heterogeneous contexts and originate from actors belonging to different domains and with different levels of skill. In all the above mentioned cases, these events highlight weaknesses and vulnerabilities in the technologies used by UAVs along with flaws in the processes that were put in place by the victims regarding information handling. Military, law enforcement and governments are critical targets; however, the private sector is not spared as drones are being considered more widely by corporations for new services – Amazon Prime Air is a great example of that and may result in very annoying hacking opportunities to say the least. Consequences may be a matter of national security and public safety, therefore implementing best practices, setting up proper countermeasures – such as spread spectrum modulation in the case of signal jamming – and using state-of-the-art technologies proves itself crucial, yet being aware of the threat landscape one’s facing along with one’s own kill-chain is fundamental in order to avoid and mitigate such cases at best.

View the original post by clicking: Here

Read more…
A security-first approach to developing IoT device software is critical, a key ingredient is an end-to-end threat assessment and analysis. A threat assessment includes taking stock of the various physical connections, potential losses/impacts, threats and the the difficulty of the attack. Importantly, addressing these threats needs to be prioritized based on likelihood and potential impact.
Read more…

Credit: ShutterstockCredit: Shutterstock

By Ben Dickson. This article originally appeared here.

The huge benefit that the Internet of Things (IoT) brings to different industries and domains is driving its growth and adoption at an unrelenting pace. Soon billions of connected devices will be spread across smart homes and cities, harvesting data, sending it to huge repositories for analysis and processing, and carrying out commands sent from smart apps and machine-learning-based systems.

While larger numbers of smart devices will unlock bigger opportunities for efficiency, energy and cost saving and revenue increase, they’ll also trail along some serious challenges and difficulties, some which are notably not addressable with current technological and communication infrastructure.

What’s wrong with centralized communications?

As is, all IoT ecosystems depend on client/server communications, centralized trust brokers and protocols such as SSL/TLS or mechanisms such as the Public Key Infrastructure (PKI) to identify network nodes and control communications.

These technologies have proven their worth for communications between generic computing devices for years, and will continue to respond to the needs of small, closed IoT ecosystems, like smart homes. But with the growth of IoT, centralized networks will soon become the bottleneck and cause lags and failures in critical exchanges because of too much network traffic, to say nothing of the extra investment they’ll require in terms of hubs and communications hardware. Imagine what would happen if your smart defibrillator failed to receive a command because your dishwasher, toaster, fridge, kettle and lights are having a nice M2M chat and have clogged up the network.

Decentralizing IoT networks

A solution would be to decentralize IoT networks in order to improve speed and connectivity. In many cases, substituting over-the-internet connectivity for local communication between devices will help increase speed and efficiency. After all why should a command exchange between a smartphone and light-switch have to go through the internet?

However achieving decentralization will present its own set of challenges, namely in the realm of security. And we know that IoT security is much more than just about protecting sensitive data. How do you make ensure security in communications between devices?

Devices would have to be able to communicate in a peer-to-peer manner and ensure security and integrity without the intervention of or dependence on a centralized trust center. The proposed system would have to protect the network and ecosystem against device spoofing and man-in-the-middle (MittM) attacks and make sure each command and message that is exchanged between nodes in a network are coming from a trusted and authenticated source and received by the right recipient.

How blockchain addresses the problem

Fortunately, the decentralization problem has already been solved in another popular technology: Bitcoin. The famous cryptocurrency is powered by a less-known (but no less exciting) technology named blockchain. The blockchain is a data structure that allows the creation and maintenance of a transaction ledger which is shared among the nodes of a distributed network. Blockchain uses cryptography to allow participants to manipulate the ledger without going through a central authority.

The decentralized, secure and trustless nature of the blockchain make it an ideal technology to power communication among nodes in IoT networks. And it is already being embraced by some of the leading brands in enterprise IoT technologies. Samsung and IBM announced their blockchain-based IoT platform called ADEPT at the Consumer Electronics Show (CES) last year.

When adapted to IoT, the blockchain will use the same mechanism used in financial Bitcoin transactions to establish an immutable record of smart devices and exchanges between them. This will enable autonomous smart devices to directly communicate and verify the validity of transactions without the need for a centralized authority. Devices become registered in blockchains once they enter IoT networks, after which they can process transactions.

There are many use cases for blockchain-based communications. A paper published by IBM and Samsung describes how blockchain can enable a washing machine to become a “semi-autonomous device capable of managing its own consumables supply, performing self-service and maintenance, and even negotiating with other peer devices both in the home and outside to optimize its environment.”

Other IoT domains can benefit from blockchain technology. For instance, an irrigation system can leverage the blockchain to control the flow of water based on direct input it receives from sensors reporting the conditions of the crops. Oil platforms can similarly use the technology to enable communications between smart devices and adjust functionality based on weather conditions.

What are the challenges?

In spite of all its benefits, the blockchain model is not without its flaws and shortcomings. The Bitcoin crew itself is suffering from inner feuds over how to deal with scalability issues pertaining to the Blockchain, which are casting a shadow over the future of the cryptocurrency.

There are also concerns about the processing power required to perform encryption for all the objects involved in a blockchain-based ecosystem. IoT ecosystems are very diverse. In contrast to generic computing networks, IoT networks are comprised of devices that have very different computing capabilities, and not all of them will be capable to run the same encryption algorithms at the desired speed.

Storage too will be a hurdle. Blockchain eliminates the need for a central server to store transactions and device IDs, but the ledger has to be stored on the nodes themselves. And the ledger will increase in size as time passes. That is beyond the capabilities of a wide range of smart devices such as sensors, which have very low storage capacity.

Other challenges are involved, including how the combination of IoT and blockchain technology will affect the marketing and sales efforts of manufacturers.

It’s still too early to say that blockchain will revolutionize and conquer the IoT industry. But it sure looks like a promising offer especially if its challenges can be met. We’ll see more of this in the coming months and years, as IoT continues to grow and become more and more ingrained in our lives.

Read more…

An Internet of Buildings (IoB) that really works and can’t be hacked?

The IOT holds great promise for nearly every aspect of society and, of course, is rife with business opportunity, as well. One of the most exciting opportunities on both fronts remains the opportunity to create connected buildings.

The U.S. Department of Energy poses the challenge in this way: “Buildings will no longer be passive objects that consume resources, but rather active participants engaged in the energy system and our community.”

What exactly is meant by “connected buildings” on a practical level? Some of these characteristics include:

  • Buildings are self-aware and continuously anticipate and adapt to changes in weather, time of day, occupant needs, and socioeconomics.
  • Buildings will transact with utilities (including electricity, gas, and water), local power sources, and other buildings to provide services that will benefit building owners, utility operators, and the entire community.
  • Buildings will minimize their life-cycle cost while meeting their objective functions through optimizing energy and water use, enhancing health and the productivity of occupants, contributing to a cleaner environment, and actively supporting better living.

Smart Buildings: A brief history

Most people don’t think of the first “smart” buildings and think of the lowly thermostat. However, that technology was really the first step toward a “self-aware” building. As you might imagine, other controls introduced during the early days of building management were of the order of the thermostat and managed manually. In the 1980s, many of these systems became digital and by the 1990s, Building Management Systems (BMS) might have been computerized, might have yielded reports that helped facilities manage resources better—however these systems were often fragmented.

From “Green Biz Insights” June 23, 2014

These challenges culminate today in the difficulty of creating open protocol for many different structures under different ownership. We are now seeing important efforts to that end by governments and businesses that collaborate together to forward the promise of smart buildings. These initiatives and the data they generate contribute to an interrelated web of information – a data-rich ecosystem that benefits both the structures’ occupants and the communities where they stand.

Just two short years ago, a Green Biz article proclaimed, “We are now in the era where big data technologies enable us to capture data from different sources, in diverse formats and with varying context. From being a catalyst, data is now becoming a driver of actions. Less human effort is required to manage even though the complexity around data has increased massively. We are essentially at the cusp of what we call the era of 'Internet of Buildings.' This will be the future age of Internet of Buildings, where we will see interoperability and seamless data interchange.”

So how far have we come?

The Present State of the IOB

According to an article in TechVibes, In February at the IBM InterConnect 2016, Siemens Building Technologies Division and IBM’s Watson IoT Business Unit  “announced cloud-based solutions that will leverage Siemens’ building expertise and IBM's Internet of Things capabilities to maximize the potential of connected buildings and the data they create, helping corporate real estate owners across multiple industries drive business results and meet energy efficiency goals.”

IBM's open standards-based Watson IoT Cloud platform can solve a lot of the open protocol issues that industry wonks were bemoaning in 2014. The move toward open standards platform integration in other cities and for other IoB initiatives will ensure that the “language” of connected buildings converges. Then, smart buildings can speak seamlessly among themselves in smart cities that protect resources and create additional opportunities for improving the lives of the people who live there. 

Keeping the IoB secure

Other solid news from the IoB front include government and industry partnerships to control the security risks inherent with the advent of “smart cities.” Entities as diverse as the Department of Homeland Security’s Office of Cyber and Infrastructure Analysis, Stanford University’s Center for the Internet and Society, Drawbridge Technologies, IBM, and others in the public and private sectors have mustered efforts to institute changes. These ensure that “risk assessment methods and security measures (that) often don't scale well from the asset or system to the level of political jurisdictions” are adjusted to manage threats to smart buildings, and, by extension, smart cities.

A recent research report identified the threat of a “shadow” IoT” built right into several North American connected buildings that were managed by the same company:

“A survey of building automation system software by researchers at IBM X-Force found that the systems suffer from a range of security issues, from weak authentication and authorization controls.

“Administrative web interfaces used to provide remote access to the systems also are vulnerable to application based attacks and lack basic security controls,” said X-Force researcher Paul Ionescu.

In a “red team” exercise performed for the firm, the IBM researchers found they were able to compromise the company’s main monitoring and control server, which was used to manage several locations in North America. Ionescu told Security Ledger that the attack exploited a weakly secured DLink router that was used to link the building automation system to the Internet.”

In the same article, we learn that “the compromise of Target Stores in 2014 was linked to heating, ventilation and air conditioning (HVAC) systems running within Target’s headquarters.” This incident made the papers when consumer credit cards were compromised; however few knew about the follow-up report blaming the BMS at headquarters. These public relations incidents have the capacity to make a public that is already leery of the “Big Brother” implications of having their house “watching them.”

As we enter the era of smart buildings and smart cities, it’s clear that IoB companies, in partnership with government, need to seek a common goal: Keep the IoB safe and keep working together to ensure that the IoB revolution lives up to its name—but does not include the infighting and disruption that has characterized non-techie revolutions across time.

Read more…

Security-First Design for IoT Devices

Machine to Machine (M2M) and Internet of Things (IoT) realities mean that more and more devices are being deployed and connected to each other. This connectivity is both the promise of IoT (data gathering, intelligent control, analytics, etc.) and its Achilles’ heel. With ubiquitous connectivity comes security threats -- the reason security has received such a high profile in recent discussions of IoT.
Read more…

Wearable technology is a type of device that is worn by a user and often includes tracking information related to their health and fitness which it can then upload to the cloud. Other wearable tech includes devices that have motion sensors and cameras to take photos and sync with your mobile devices. Wearable devices can be quite useful, but they may present a huge danger to your privacy.

So far, the market has consisted mainly of early adopter businesses assessing the technology. This large group includes Tesco, which gave armbands to workers at a distribution center in Ireland to track products, allocate jobs and measure movement within the complex, with the goal of improving efficiency and accuracy. And health insurer 'Pru Health' offers a 'Fitbug' health and fitness device to their members as a part of it's 'Vitality' program.

It seems inevitable that in the next few years more businesses will begin to explore the potential commercial uses of wearable devices or even begin offering them to their employees, business partners or consumers. In addition, the next few years will no doubt see many employees bringing their own wearable technology into the workplace, for many reasons, such as health benefits and improving productivity.

A key danger for the wearable device market is that a large amount of personal data could be collected from most of these devices. Health and fitness devices could capture extremely sensitive details about a user’s health, and then send it automatically to the cloud for processing by the vendor, who then share it with third parties for 'big data' profiling and targeted advertising.

The 'big data' example really highlights the lack of current regulation for wearable devices and gadgets. Although the analytics and profiling might benefit some of those involved, including in some cases the user, it will become difficult for consumers to keep track of how much of their private data is shared by corporations, and where it's stored. And while many users may be ready to trade their data and lose control over it in exchange for some perceived benefits. Cloud Security is another major concern, and if breached, much of your personal data could be stolen or released.

Your data's security is a very important issue. Cloud Security has been breached numerous times in the past, and If exploited, wearable devices can expose a large amount of very intimate and extensive personal data about a user, including their health, current location, and their behavior. This of course already happens with smartphones, tablets and laptops, but the scale and intrusiveness of data breaches involving wearable devices could be unprecedented.

In the long term, there are data protection reforms in the works, which in their current state include the very controversial 'right to be forgotten' and the right not to be 'profiled' without their consent. If correctly implemented, these reforms could, give users of wearable devices the right to have all their personal data deleted, and could require suppliers in the industry to ask for consent before sending their personal data to be analyzed or for predictions about their work performance, current health, location, behavior or personal preferences. Consent would need to be very specific and actively communicated to the user, so sweeping consents or burying important terms in the fine print may not be enough.

The changes are, however, still being heavily debated, with the goal of being finalized soon. In any case, they could possibly result in ongoing compliance costs for corporations in the wearable device industry.

Ultimately, as is often the case with emerging technologies, it falls to the industry to grapple with these compliance issues. Until the law catches up, device manufacturers, tech vendors and businesses that use or allow employees to use wearables need to address the legal challenges in order to exploit this new technology in a lawful way whilst realizing the potential benefits of wearable technology in business.

Originally posted on Data Science Central

Follow us @IoTCtrl | Join our Community

Read more…

The Internet of Things is changing the world, heralded as one of the most pivotal technology trends of the modern era. We are getting ready to enter a time where everything, quite literally, is connected to the Internet.

For the industrial sector, this is a new area of exploration. Factories have smart infrastructures that use sensors to relay data about machine performance. Cities have smart grids that monitor everything from traffic to the energy used by streetlights. Hospitals can monitor the health of high-risk, at-home patients.

In other words, we are entering a hacker's dream world.

Recent attacks, like the Christmas 2015 attack on the Ukraine power grid, have shown that the Internet of Things possesses severe vulnerabilities. These weak points can be everything from back doors that allow a hacker access to a system to lack of proper use by untrained workers. If your business uses IoT devices, there’s a good chance they are not secure.

Why are so many systems left vulnerable? Weaknesses often come from the same set of five drivers:

 

Source: Allerin

Whether your company is struggling because your devices were deployed too quickly or operational costs constraints got in the way, your team must take measures to fix security risks. Here are four security flaws:

1. Lack of Encryption

Any device that is connected to the Internet to relay data needs encryption. When communication between devices and facility machines are now encrypted, it provides a doorway for hackers to send malicious updates, steal data, and even take control of the system. 

In 2014, an Israeli security firm took control of cars using a specific connected telematics device that failed to use proper encryption.

2. Failing to Install Updates

Once you have a machine-to-machine communication​ system working properly, it can be easy to forget to install the necessary updates to keep the network secure. 

Yet, hackers are constantly updating their strategies and tactics. Failing to install updates and patches leaves your system vulnerable. 

Even if you’re worried about breaking integrations between systems, you should at the least install every security update released by the vendor. These updates are specifically designed to address vulnerabilities discovered in your devices. After all, if your vendor releases a security update, it’s because they found a problem.

You also should know that updates and patches are not always the final solution to security vulnerabilities. Unfortunately, many manufacturers are not able or willing to provide the necessary support to continue updating their devices. 

To avoid this risk, shop carefully for systems that provide updates and are backed by a trusted company.

3. Poorly Built Networks

The modern industrial network is designed to get tasks done. If the design focuses too much on completing that task, it will leave weak points in security. Things that are obvious when building IT networks are sometimes less obvious when creating industrial DNP3 and other network architecture.

The solution to this risk is fairly simple. Those tasked with building industrial networks need to ensure they are partnering with IT professionals to build networks that are safer from attacks. Security features, like deep packet inspection and network segmentation, should be in place from the beginning.

4. Sensors Outside of the Company's Control

Most of the sensors and other connected pieces that make up a network are controlled by the company. But for some companies, that is not the case. For example, power companies have sensors in their customer's homes. 

Sensors outside of the company's immediate control are hard to secure, which gives hackers access. Currently, cloud-based security using public key services to authenticate devices may be the best solution to this problem.

Don't Take The Risk

Industrial security breaches can cause devastating consequences.​ Therefore, the above risks need to be addressed.

As more industrial facilities rely on the Internet of Things, it's important for company teams to be aware of the potential vulnerabilities. Take security into full consideration.

Read more…

IoT, as we all know, is not without issues--though we have become reliant upon it in many ways.. In 2015, there were some very viable and tangible proofs that the IoT field is fraught with real peril and that we as IoT designers, developers and companies need to be paying more attention to security. Just how many different IoT companies and arenas were breached? The answer might surprise you-- not to mention terrify you.

Most of us read about the car that was taken over and driven into a ditch. The ramifications of that were clear to all of us, but some even more frightening things have taken place this year..

Did you know that a flight was taken over-- and the man who took over the flight bragged that he had also manipulated the space station?

 In the past year, the following hacks have taken place.

Medical devices--The FDA ordered that specific drug pumps be no longer used. The software was bad enough that hackers could change the dosage being delivered to people who were using them.So we have the possibility of murder by internet??http://www.securityweek.com/fda-issues-alert-over-vulnerabl…

The DOE--According to a June 2015 Congressional Research Service (CRS) report, hackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014. "Records show 53 of the 159 successful intrusions were "root compromises " "http://www.usatoday.com/…/cyber-attacks-doe-energy/71929786/

A Steel Mill --An entire steel mill was breached resulting in "massive destruction of equipment" http://www.wired.com/…/…/german-steel-mill-hack-destruction/

The US National Nuclear Security Administration--The people who are responsible for managing and securing the entire nation's nuclear weapons stockpile, experienced 19 successful cyber attacks during the four-year period of 2010 - 2014


Firearms--TrackingPoint makes a smart rifle--what it does is to digitally "tag" a target, and then locks the trigger until the gun is perfectly positioned to hit it --and it can hit up to half a mile away but... now there has been a serious flaw found in the software so that a hacker could make a law enforcement hit the hostage rather than the intended target.http://money.cnn.com/2015/07/29/technology/hack-smart-rifle/

Offshore Oil Rigs --Hackers have also shut down an oil rig by tilting it sideways..They hit another rig so hard with malware it was not seaworthy for 19 days..

Government Buildings Department of Homeland Security recently disclosed that hackers had managed to penetrate a state government facility and a manufacturing plant in New Jersey--now all they did was change the temperature, but what COULD they have done.. really think about that.

Last.. but not least.. go ahead and buy that cool toaster and refrigerator..... a funny thing happened with hundreds of kitchens in the UK. All of tehm were hacked and the resultant hack wouldn't allow them to make certan kinds of food in their toaster or store it in their fridge.http://www.cbronline.com/…/iot-security-breach-forces-kitch…

IOT is a time saver and offers us incredible convenience, but as we're beginning to find out, there are some real ramifications to the use of IoT devices that we need to be aware of. More to the point, companies and industries who are offering these devices need to take full responsibility to assure the security of the devices they are offering. IoT security workers and developers are more important than ever before..

For more information about IOT and Security check out our new websitewww.internetofthingsrecruting.com  - Need to update you IOT Security Team - Click Here to schedule a free IOT Needs Assessment Call. 

Read more…

The Internet of Things (IoT) concept promises to improve our lives by embedding billions of cheap purpose-built sensors into devices, objects and structures that surround us (appliances, homes, clothing, wearables, vehicles, buildings, healthcare tech, industrial equipment, manufacturing, etc.).

IoT Market Map -- Goldman Sachs

What this means is that billions of sensors, machines and smart devices will simultaneously collect volumes of big data, while processing real-time fast data from almost everything and... almost everyone!!!

IoT vision is not net reality

Simply stated, the Internet of Things is all about the power of connections.

Consumers, for the moment anyway, seem satisfied to have access to gadgets, trendy devices and apps which they believe will make them more efficient (efficient doesn't necessarily mean productive), improve their lives and promote general well-being.

Corporations on the other hand, have a grand vision that convergence of cloud computing, mobility, low-cost sensors, smart devices, ubiquitous networks and fast-data will help them achieve competitive advantages, market dominance, unyielding brand power and shareholder riches.

Global Enterprises (and big venture capital firms) will spend billions on the race for IoT supremacy. These titans of business are chomping at the bit to develop IoT platforms, machine learning algorithms, AI software applications & advanced predictive analytics. The end-game of these initiatives is to deploy IoT platforms on a large scale for;

  • real-time monitoring, control & tracking (retail, autonomous vehicles, digital health, industrial & manufacturing systems, etc.)
  • assessment of consumers, their emotions & buying sentiment,
  • managing smart systems and operational processes,
  • reducing operating costs & increasing efficiencies,
  • predicting outcomes, and equipment failures, and
  • monetization of consumer & commercial big data, etc.

 

IoT reality is still just a vision

No technology vendor (hardware or software), service provider, consulting firm or self-proclaimed expert can fulfill the IoT vision alone.

Recent history with tech hype-cycles has proven time and again that 'industry experts' are not very accurate predicting the future... in life or in business!

Having said this, it only makes sense that fulfilling the promise of IoT demands close collaboration & communication among many stake-holders.

A tech ecosystem is born

IoT & Industrial IoT comprise a rapidly developing tech ecosystem. Momentum is building quickly and will drive sustainable future demand for;

  • low-cost hardware platforms (sensors, smart devices, etc.),
  • a stable base of suppliers, developers, vendors & distribution,
  • interoperability & security (standards, encryption, API's, etc.),
  • local to global telecom & wireless services,
  • edge to cloud networks & data centers,
  • professional services firms (and self-proclaimed experts),
  • global strategic partnerships,
  • education and STEM initiatives, and
  • broad vertical market development.

I'll close with one final thought; "True IoT leaders and visionaries will first ask why, not how..!"

Read more…

Guest blog by Bill Graham, follow him here. The post was originally posted here

Every IoT and embedded device manufacturer endeavors to field secure and safe products. However, even with the robust development processes, it's difficult to ensure complete security in finished products more so in legacy products. As the ever-expanding IoT marketplace puts a bigger emphasis on embedded device security, better techniques are required to improve security. I wrote a blog series this fall on improving IoT security with source-based static analysis and binary static analysis coupled with software hardening, but I focused primarily on the static analysis part of the equation. GrammaTech's software hardening techniques complement our static analysis know-how to greatly improve the current and future robustness of embedded software. 

Binary Analysis and Static Rewriting

Analyzing application binaries allows GrammaTech's rewriting tools to discover the use of potentially problematic code patterns, libraries, or OS functions. The rewritten binaries have wrappers around such code to prevent erroneous behavior. For example, function call stack usage can be instrumented to prevent stack overflow and subsequent code injection. Another example would be preventing calls to known problematic library functions like strcpy() from causing buffer overflow errors.

Rewriting a binary executable into a robust hardened version provides quality and security assurance for any version of the application -- current and future versions are protected.

GrammaTech Software Hardening

GrammaTech's hardening tools static rewrite binaries into more robust and secure applications.

Confinement and Diversification: Binary Rewriting Techniques

The goal of confinement is to prevent undetected vulnerabilities from causing a failure in an executing application. Techniques to detect and prevent certain specific classes of vulnerabilities already exist to some extent, but often lead to a program failure state -- which, in turn, leads to a denial of service. Although an attack might be prevented, these consequences are unacceptable in critical systems. GrammaTech has been researching sophisticated confinement techniques that allow applications to detect the same kinds of attacks, but continue operation (while still containing the vulnerability). Combining binary analysis to detect the potential vulnerability with static rewriting to confine the exploit, it's possible to greatly reduce and even eliminate the impact.

Diversification techniques are used to alter the default code and memory layout to prevent potential exploits. By rearranging the subroutine calling sequence, stack, heap, and global data layout, it's possible to prevent vulnerabilities from being exploited. Stack overflow errors that lead to code injection exploits, for example, can be thwarted with these techniques. 

Protection Now and in the Future

Binary analysis and rewriting by nature doesn't require source and is version-independent. As such, IoT device manufacturers can use GrammaTech's hardening techniques on every release of their applications, making software hardening a standard procedure in the software release process. In doing so, organizations can assure better robustness and security for even minor upgrades, without huge re-testing costs. 


CONCLUSION:

Security defines the success of IoT. Good software development techniques are a good start, but adding software hardening is even better. GrammaTech's software hardening techniques provide version-independent protection from vulnerabilities and runtime errors while maintaining system functionality. In addition to the improved security and safety provided, software hardening offers compelling reductions in cost, risk, and time savings. 

Read more…

Guest blog post by Nate Vickery


In a recent Economist Intelligence Unit survey of 476 executives from around the globe, more than a third of respondents said that their companies suffered significant data losses over the course of last 12 months. On the other hand, more than 80% of respondents said that their protection procedures are at least “somewhat” effective. However, executives at organizations that suffered big data breaches – like the US Government – were presumably confident that their protection systems are safe too, until they discovered that they were in fact not.

The term big data came around 2005; the phrase refers to a wide range of information sets that are too large to be managed and processed by traditional data management tools. 2015 was a big year for big data; some of the major tools and platforms achieved mainstream adaptation. Now that big data has become essential for all business enterprises, major security problems have come to the forefront.  Therefore, let us look at some of the biggest data security challenges companies of all sizes are facing in 2016.

User Data Privacy

You would be surprised to know how the amount of data collected about each person in particular can be processed and analyzed to provide a surprisingly complete picture. Consequently, establishments that own the information are legally responsible for the security of their data. Attempts to make anonymous certain data are useless in protecting people’s privacy, because there is so much data available, that you can use some of it as a link for identification purposes. User information is in transit all the time, being accessed by the inside users, outside contractors, and business partners sharing it for research.

Granular Access 

One of the greatest challenges when implementing a big data security system is respecting privacy concerns while still permitting the usage and analysis to continue. While a privacy breach has ethical and legal implications, a large amount of data is useless without being able to use it. This is one of the reasons only 0.5% of data is being used and analyzed at the moment. Granular access control acts on every piece of data individually, ensuring a high level of both security and usability. However, some major problems with efficient implementation of granular access control are keeping track of privacy requirements and policies in a cluster-computing setting; keeping track of user access and the proper employment of security requirements.

Monitoring in Real-time

Real-time monitoring is designed to alert the company at the very first sign of an attack; however, the amount of feedback from SIEM (security information and event management) system, whose aim is to provide the big-picture feedback of the data, is enormous. Companies that have the resources to closely monitor this feedback and separate the real attacks from the false ones are rare. Fortunately, there are providers that can offer an alternative through a remote support software, for both small businesses and larger enterprises.

Granular Audits

As we discussed in the last paragraph, the goal of monitoring in real-time is to give the company the heads-up at the first sign of trouble. Since this does not always happen because of the challenges of identifying the real risks among the huge number of false alarms, it is crucial to have regular, granular audits to recognize breaches after the fact. Audit information can help to identify exactly what happened, so that future breaches can be identified and avoided. An effective inspection depends on numerous factors – controlled and timely access to information, the integrity of the information, etc.

The majority of solutions and platforms are still struggling to handle the vast volume, variety and velocity of big data. So far, security has been a tack-on feature to the managing tools; however, it is now evident that the value of big data lies in both the company’s ability to leverage it for better products and its ability to protect it from outside attacks. 

Follow us @IoTCtrl | Join our Community

Read more…

IoT Security trends

Security threats are the biggest concern among the main concerns on the Internet of Things. Due to its very nature, it is a target of interest for those who want to commit either industrial or national espionage. By hacking into these systems and putting them under a denial of service, or other attacks, an entire network of systems can be taken out. This has caused cyber criminals to become very interested in the IoT and the possibilities that surround its misuse.

Fortunately, companies are realizing that there are many potential problems with their framework. This has caused a new trend of companies reviewing these areas and coming up with an effective solution. Until that is done, those using these devices should remain wary. The IoT allows devices to exchange contextual information and to execute certain decisions based on this information. This means cars, homes, power supplies, and even water supplies using the IoT could potentially be at risk. In these cases, physical security is irrelevant, as a simple change of data could impact the control of systems and cause them to function as a dangerous item.

The idea of a security breach through the IoT isn’t something that is a possibility that could happen either. There are already cases of hackers breaking into the systems. Two cars were hacked, their brakes were disabled, and the lights turned off. All without the driver having the ability to control them in a test situation. Another instance of a yacht being taken off course by a hijacked GPS system is another.

Even in the home, people are at risk. Devices that have video cameras, children’s monitors, and similar devices that should be safe are actually giving hackers the chance to cause havoc in the home. Smart wired homes are having their temperature settings and lights flickering on and off, as these hackers explore the possibilities that are out there. Even the latest electric power meters that are digital are allowing hackers to steal power with ease.

But these device annoyances aren’t where the heart and soul of the IoT lies. Instead, it is the possibility of what can be done with these systems. Since everything is attached through the internet, these devices have the potential to perform a third party attack on websites. If millions of devices hit a website at the same time, it can overwhelm the bandwidth and potentially take down a competitor’s website, effectively crippling them until they find a workaround solution. Corporate espionage becomes a real concern as competition realizes they can turn simple devices against their main competition and draw in their business.

All this means that the virtual world has the ability to have an impact on the physical world. The solution right now is to boost security on our devices that use the IoT. With added security tools and advanced API that can detect usage that goes beyond what the system is designed to do, there is a lower risk for the world.

With terrorism one of the main concerns in the world, and growing dangers around us, we need to be smart how we use technology. That’s why when we look at the IoT that we don’t write these devices off as being nothing more than simple tools to make our lives easier, but recognize them for the potential dangers they could also possess.

For more information about looking for IOT/Security Talent check our our website atwww.internetofthingsrecruiting.com 

Read more…

Top Three Skills for Data Security Pros

What you need to succeed in data security? Compliance, Governance and Data Security Experts

If 2016 shapes up anything like the last quarter of 2015, data security in the IOT will continue to be a hot topic for all of us working to protect our work in the Cloud. In mylast article, I discussed several trends that we are monitoring at SoftNet Search’s IOT practice area. This time, I will weigh in on the kinds of people who will fulfill the needs of companies who are staying ahead of data security trends.

IT Headcount Going Up

According to all the people that matter, IT will continue to hire data security and other pros in 2016. For example, Computerworld’s recent survey showed that “37% of the 182 IT professionals who responded to the survey said they plan to increase head count in the upcoming year -- that's a significant jump from last year, when only 24% said they planned to add new staff. Moreover, 24% of those polled this year listed "attracting new talent" as first among their business priorities for the next 12 months.”

So how will they find the data security specialists they need? They will focus on these top three skills:

1) Security (General) – General security projects rated number two in the “most important IT projects that survey respondents have underway.” General security specialists, including data security pros, will command higher salaries, with Robert Half Technology 2016 Salary Guide predicting a 5% to 7% rise this year, hitting a range of 100K to 200K on average.

2) Compliance- Small-to-medium sized businesses are racing to ensure that their compliance policies are up to speed, especially if they’re working in the IOT. Healthcare continues to head up the compliance market in this field, with financial services and consumer privacy goals (customer information safety) coming in a close second and third, respectively. Data security specialists and database analysts will continue to command higher salaries—and a track record of managing big data in the cloud – and providing compliance leadership for functional business partners—is a must.  Computerworld again: “Exactly 50% of the IT professionals who participated in our Forecast 2016 survey said they plan to increase spending on security technologies in the next 12 months.” Making sure these technologies include built-in compliance gate keeping will be top of mind for data security leaders all throughout 2016.

3) Governance- Many large corporations have a lock on their governance policies because they have the headcount to ensure that Cloud and SaaS solutions across the enterprise fold into their existing governance plans. They can also pull together IT governance committees to get ahead of this issue and ensure that data security guardrails are firmly in place via smart governance plans.

Who owns your data security governance policy?

The problem is, many companies have had to institute ad hoc governance because they don’t have the time to control these policies in a centralized way. Functional, siloed IT business partners might “own” the governance policies for say, customer information, with others guarding HR or manufacturing data. Data security pros with backgrounds in IT governance can help answer IT leaders’ most pressing governance questions in an enterprise-wide manner and ensure that governance rules don’t languish in silos, making your company prone to breaches of policy. Hire someone to answer these questions:

  • How to start instituting a cohesive governance strategy that grows with the company (and its technologies)?
  • Who should we include on our team
  • How long it will take until the governance policy works on its own to cover all of our technologies and foreseeable ones?
  • Who should manage the project and become accountable from the beginning?

 

If your data security pros don’t have the answers to these questions or have not worked as a team to define governance for the IOT, chances are they will need to get up to speed—and quickly.

 

What doesn’t work as well?

We’ve watched some companies hire a consultant to help the Corporate Governance Officers (CGOs) with the IT end of their jobs. The problem with that solution is that IOT and cloud-based data security and governance should not be placed on the table in front of a bunch of lawyers that, no matter how skilled, can’t be expected to keep up with best practices in the field. Hiring internal IT governance headcount, if even on a contract basis, works better in the long run and will cost you thousands less without costing you your peace of mind.

 If you’d like to know more about the highly-skilled data security specialists I’ve seen in my practice; or if your enterprise requires help with IT compliance, governance or data security in general, definitely give me  a shout.

Looking to hire Data Security Professionals -  Click Here for your free Search Assessment Call  

Read more…

One of the biggest barriers to IOT success is a dearth of data security talent. Find supermen and –women to get your enterprise to the next level

This week, Batman vs. Superman opens in theatres. Batman’s got his gadgets and Superman, his alien powers. What out-of-this-world powers will you need to get your IOT data security talent on board-- up to speed?

There are so many challenges to sourcing IOT talent, it seems like you need superpowers to simply suss out the best candidates. Experts agree --finding talent remains one of the biggest barriers to getting value out of the IOT—and data security experts are often the most in demand.

David Weldon’s recent article in Information Management pointed to some disturbing trends in IOT security—as in, will security issues remain the biggest hurdle IOT practitioners face in getting projects off the ground?

The study from TEK in that article boldly stated that: “While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact - just 22% of IoT initiatives have progressed to the implementation stage.”

That’s a huge gap! So what is standing in our way? Survey respondents from 200+ companies said that security and ROI are the biggest problems and that “information security experts are cited as the most difficult skill set to find.”

This same group of IOT leaders was asked where IOT initiatives would have the most impact in the next five years. We’ve used their responses to help you track the super skills you need for your data security team:

Survey respondents were very clear on where they expected IoT initiatives to impact their business on a long-term basis, factoring a five-year planning horizon. Top impacts expected were:

  • 64 percent said creating better user and customer experiences – Here we have the data security expert who is often sourced from Cloud-based technology services that are outward facing, such as sales and CRM systems. A consumer-based data security pro will often help you check off your IOT bases faster than any other.
  • 56 percent said sparking innovation - Data security experts who have done time protecting business development functions, start-ups, or tech product launches along the IOT can help you see the big picture. It doesn’t hurt to have an MBA-level degree in IT innovation (especially if they have worked as an IT innovations leader from within an executive committee in one of the industries your company serves.)
  • 52 percent said creating new and more efficient working practices and business processes – One of the key differentiators among IT talent is their ability to lead process change and gain buy-in from key players in the company. In the field of IOT data security, make sure your security pros have spent time in the functional trenches of your industry. If they don’t understand the value levers in your particular business, they won’t know to protect them.
  • 50 percent said creating new revenue streams, including new products and services – This is indeed the superpower to possess! Along with innovations experience, your data security leader should have new product experience—especially during launch, when experts agree, IOT start-up data is at the most risk. Commonly, “white hat hackers” in small- to- medium businesses fit the bill.
  • 36 percent said an increased ROI on IT infrastructure – Too often data security is cut into two functions in large IT corporations—infrastructure and external. Your data security leader must be adept at identifying security challenges in both areas, or she won’t be able to calm the fears of your key investors or decision-makers when they ask what to build and how she will make it a safe platform for their IOT springboard.
  • 35 percent said substantial cost savings and operational efficiencies—Our data security pro might seem too good to be true by now, but one thing we know he isn’tis a spendthrift. He should also be able to measure the value of what IOT data security leadership can do before any resources go into it—and clearly outline the risk of not spending enough on security to protect the whole shebang. A data security pro who is only concerned with the 1s and Os and not with the dollars and cents will cost more than he or she is worth.

If you want to make sure your IOT initiatives get off the ground, track where they will make the most difference to your business and then find data security professionals with IT experience in those areas.

A word of caution: The popular “Security as a Service” (SECaaS) outsourcing model for security management might not work, according to another guru, Stephanie Ibo, at IM. “The irony lies within the fact that SECaaS will use the cloud as a mainstream deployment platform, when part of its own reason of existence is to enhance the protection of…the cloud!”

I would argue that “large security service providers (who) integrate their products into a corporate infrastructure on a subscription basis, making security more cost effective to large corporations” will have a difficult time reaching “the ultimate objective of security implementation – “Security at the Core” – even if popular ousourced services like authentication and security event management get the enterprise a few steps closer.

I believe that having an internal IOT security head will ensure that you have all of your bases covered. Let me know what you think! Call me for a free checklist and consultation at 303-337-7871. Follow us on Twitter and LinkedIn for more IOT data security talent sourcing information.

Read more…

IoT has opened oceans of opportunities. We can automate just about any inanimate object and make everyday life easier. However, just as we can think of an infinite number of uses for IoT, hackers are doing the same, for all the wrong reasons.

Recently, hackers have been able to hack baby monitors, cars and scarier still, pace makers. All this can be done remotely. Present IoT devices are not adequately equipped with security features. Hence, hackers have no problem hacking into these devices.

Although an IoT device has several components which increase it's vulnerability, in this article I will cover the issue of security updates. This is because a large number of attacks occur through insecure software.

A major component of any IoT device is the software present in it. By introducing security features in the software, we can reduce a large majority of these malicious attacks.

Sophisticated security measures will take time to be developed and implemented but, there are some simple features we can implement immediately:

  • Ensuring periodic updates: By keeping the software updated, we can ensure that there are no vulnerabilities. Then hackers can not use the 'back door' method to hack a device.

  • Encryption of update file. The update file itself must be encrypted to prevent harmful tampering. Then hackers will not be able to introduce viruses within the code.

  • Encryption of network: The network which is used to transmit the update files must be encrypted as well. This will prevent interception of the update file, by unknown third parties, during transmission.

  • Avoiding/encrypting sensitive data: Most often the data that is present in the update file contains sensitive data such as passwords,names etc. This type of data must be avoided wherever possible. If it is absolutely necessary to keep this type of information, then the data must be properly encrypted.
  • Verification by authorized personnel: Before releasing new software updates. It must be thoroughly verified and signed by an authorized personnel.

  • Securing the update server: The update server is another location that most hackers attack. The server must be secured adequately to prevent such attacks. Preferably, the data must be encrypted once in the server.

(The term hacker as used in this article refers to "black hat hackers".)

Read more…

25361054695_9d93fa1e43_h.jpg

RSA Conference 2016, the world’s leading information security conferences and expositions, kicked off its annual show today at San Francisco’s Moscone Center. In its 25th year, the conference brings together the top information security professionals and business leaders to discuss emerging cybersecurity trends and formulate best strategies for tackling current and future threats.

According to Britta Glade of the RSA Conference, during the course of this year’s review process they collectively looked at the "forest" of the submissions together and found that the Internet of Things was the #1 trend that stood out.

Last year they saw a huge uptick in IoT submissions, but this year it moved front and center.  She noted “While last year’s submissions tended to be "observational," this year we seem to have moved into the "solutioning" phase of the maturity curve, evidenced by a slew of new submitting companies—organizations that directly service end consumers and haven’t traditionally participated in our call-for-speaker process.”

Building on top of IoT, conference organizers also saw increased submissions on Industrial Control Systems and the Industrial Internet of Things. In the past, the sessions focused on this just didn’t gain attention. But one year makes a difference as many of the "things" coming alive and online, such as robots, sensors, building automation, are still based on old security protocols and approaches, and breaches here have the very real potential to trigger large-scale disasters.

Late last year when I posted 50 Predictions for the Internet of Things in 2016, security dominated. With the RSA Conference starting today, here’s a recap of some of those IoT security predictions.

Nathaniel Borenstein, inventor of the MIME email protocol and chief scientist Mimecast

“The maturation of the IoT will cause entirely new business models to emerge, just as the Internet did. We will see people turning to connected devices to sell things, including items that are currently "too small" to sell, thus creating a renewed interest in micropayments and alternate currencies. Street performers, for example, might find they are more successful if a passerby had the convenience of waving a key fob at their "donate here" sign. The IoT will complicate all aspects of security and privacy, causing even more organizations to outsource those functions to professional providers of security and privacy services.”

Mark Coderre, National Practice Director, OpenSky

“Attacks on connected cars, connected medical devices, and connected critical infrastructure have all hit the headlines in the recent past; and this is just the tip of the iceberg. The Internet of Things is proving to be a treasure trove for hackers. When developing networked devices, manufacturers are still placing more value on features than on security. "Security by design" must become an integral factor in development so that innovations win over increasingly security-conscious users. Additionally, the relevance of Cyber Threat Intelligence (CTI), as a part of a proactive information security program, will become essential for information security. In response to increasingly dynamic threat situations, it is critical for organizations to be able to identify evolving methods and emerging technology trends used by the cybercriminal, and then to continually assess their capability in this regard. Because many organizations don´t have access to internal specialists, they will need to turn to external experts from the CTI sector. Effective cyber security will require knowledge and understanding of the capabilities and intent of threat actors. Who are they? What do they want? What can they do? Organizations will define threat more specifically (i.e. less reliance on vague terms like "vulnerabilities"). We will see an emphasis on threat actors with means, motive, and opportunity being tracked. Understanding motive will become crucial for prioritizing resources.

Laurent Philonenko, CTO, Avaya

“Surge in connected devices will flood the network – the increasing volume of data and need for bandwidth for a growing number of IoT connected devices such as healthcare devices, security systems and appliances will drive traditional networks to the breaking point. Mesh topologies and Fabric-based technologies will quickly become adopted as cost-effective solutions that can accommodate the need for constant changes in network traffic.”

Lila Kee, Chief Product Officer and Vice President, Business Development, GlobalSign

“Prediction: PKI becomes ubiquitous security technology within the Internet of Things (IoT) market. It's hard to think of a consumer device that isn't connected to the Internet these days - from our baby monitors to our refrigerators to our fitness devices. With the increase of connected devices of course comes risk of exposing privacy and consumer data. But, what happens when industrial devices and critical infrastructure connect to the Internet and get hacked? The results can be catastrophic. Security and safety are real concerns for the Internet of Things (IoT) and especially in the Industrial Internet of Things (IIoT). Regarding security, the industrial world has been a bit of a laggard, but now equipment manufacturers are looking to build security in right at the design and development stages. Unless the security challenges of IIoT can be managed, the exciting progress that has been made in this area of connected devices will slow down dramatically. PKI has been identified as a key security technology in the IIoT space by the analyst community and organizations supporting the IIoT security standards. In 2016, we expect that PKI will become ubiquitous security technology within the IoT market. There will be an increased interest in PKI, how it plays in the IoT market and how it needs to advance and scale to meet the demands of billions of devices managed in the field.”

Lasse Andresen, CTO, ForgeRock

“Chip to cloud (or device to cloud) security protection will be the new normal As business technology advances, the security data chain continues to grow, presenting an increasing number of opportunities for hackers to break in. With most data chains now spanning the full spectrum of chip, device, network and cloud (plus all stages in between), many organizations are starting to realize a piecemeal approach to protection simply isn't effective. This realization is spurring the adoption of more 'chip to cloud' security strategies, starting at the silicon level and running right through to cloud security. In this model, all objects with online capabilities are secured the moment they come online, meaning their identity is authenticated immediately. In doing so, it eliminates any window hackers have to hijack the identity of unsecured objects, thus compromising the entire data chain via a single entry point.”

Thorsten Held, Co-Founder and Managing Partner, whiteCryption Corp.

“Ransomware, a means whereby a hacker takes over a device and demands a ransom to remove the restrictions, will creep into biomedical devices in 2016. To thwart life-threatening consequences, medical device manufacturers will be looking for diverse ways to address these types of security flaws using more stringent, agile security solutions against the malware threats.”

Sam Rehman, Chief Technology Officer, Arxan Technologies

“Security regulation will make a meaningful impact for medical and other IoT devices: Regulatory requirements have generally been viewed as helping to drive organizations to meet minimum security standards. However, the overall security effectiveness or impact of regulatory requirements has been nominal. We can expect to see a much more meaningful advancement in the rigor of security requirements laid down by the regulators in 2016. This is partly due to accelerated advancements in public-private threat intel-sharing, and the regulators' acknowledgement of the need to seek out cutting-edge threat data and security best practices from the organizations that are on the front lines of defending against them. For example, in IoT, the FDA is making significant improvements in beefing up minimum security requirements for medical devices, which could otherwise pose grave safety risks to people, care providers, and medical device manufacturers that depend on their trusted operation. Since the vertical markets are so intimately interconnected, we will also see more teeth behind enforcement of security requirements.

Marty P. Kamden, CMO, NordVPN.com

“While facing the major transformation of our daily lives because of IoT, we are not completely ready to face related security issues. Since IoT networks will significantly grow in 2016, privacy and security issues related to web-enabled devices will mirror this change. For example, in August of 2015 hackers remotely seized control of over a million Chrysler automobiles, showing ability of having the full control of the cars – activating the windshield wipers, turning the radio and air conditioning on or disengaging the car’s transmission. To start tackling increasing online security threats, there are simple security measures that every Internet user should learn about, one of them being VPN (Virtual Private Network). VPNs will be increasingly popular in 2016 as security and privacy issues online will become more prominent, encouraging people to start encrypting their devices' online data, securing transfer of sensitive data, etc. NordVPN, one of the most advanced VPN service providers on the market, 256-bit AES encryption, is available on 6 devices on one account and has zero log policy.”

Ian Worrall, CEO, Encrypted Labs, Inc.

"The Blockchain has the ability to transform business similar to the Internet. With IoT, a major issue inhibiting its growth is how to manage the vast amount of data that will be stored around it. I think the answer to this is by leveraging distributed system technologies such as permissioned-server networks (Private Blockchains) or maybe even utilizing the Bitcoin Blockchain. A key aspect of this is inter-corporate collaboration between the networks of big data companies. This is crucial because the larger a single datacenter (one company) becomes, the harder it is to manage & secure. To do so efficiently it would involve (in some cases) competitors working together. This not only facilitates the management of this data, but secures it more effectively through distributed storage encryption. The companies willing to collaborate will succeed, while those overly competitive to control the space will inevitably fail long-term and short-term are impeding industry growth.”

Trevor Daughney, EVP, INSIDE Secure

"IoT device makers are realizing that they need to secure IoT devices to protect their reputations and customers. In 2016, IoT device manufacturers will pivot from asking 'why is security needed' to asking 'how do I implement security.' They will look to control data access and protect data at-rest, in-motion and in-process using a combination of software and hardware security measures."

More thoughts on IoT security can be found in our post here.

Read more…

BYOD + IOT ≠ Security.

Last year, the number of smartphones in the world hit a new record. Out of the 4.55 billion cell phone users worldwide, 1.75 billion of those were using smartphones. Users are rapidly switching to smartphones as these devices become more affordable, and as 3G and 4G networks are introduced into key markets, allowing faster than ever data transfer rates. For businesses, this increasing smartphone penetration has significant implications. As more businesses adopt BYOD (Bring your own Device), IT security professionals and CIO leaders will need to address the issues of security that are introduced as business data is taken on the road, and exposed to external networks.

How Does BYOD Impact IT Security?

Data security consultants, and anyone involved in information technology or management, will need to be clear on the risks that are introduced with BYOD.

A company that allows BYOD is able to receive great benefits from doing so. Systems that allow for users to bring their own devices mean that staff are able to use devices that are familiar to them, which can reduce training time and increase efficiency. At the same time, businesses can save significant amounts of money on IT procurement, because users are bringing their own cell phones, tablets, and even laptops, from home.

There are even benefits to recruiting - new hires will be more comfortable with their own device and the option to bring it in, instead of having to juggle phones and computers.

Even with these key advantages, there are some problem to overcome. The biggest challenge with BYOD is security. A BYOD device would be almost worthless if it didn’t have sufficient access to a corporate network, so that a staff member can easily obtain the information and run the applications that they need to perform their jobs. This means opening up access to systems which would have previously been protected by closed networks accessed by in-house devices, with security enforced through strict and robust security policies.

Another challenge exists when employees leave a company. Because they take their devices with them, there needs to be a mechanism in place that prevents access from devices that are no longer associated with an authorized staff member. Compared to a model without BYOD, this adds another layer of security, and a number of process layers within the organizational structure of a business. Without addressing this type of situation, businesses would be putting themselves at significant risk.

Security Is Even More Important than Ever with IoT

The Internet of Things has been called the future of business, computing, and entertainment. Indeed, IoT covers all of these areas, whether you look at a smart TV, an internet capable MRI machine, or even the cloud services that deliver email, streaming video, or music, to devices that will work from anyplace where there is an internet connection.

IoT exists in complex industries, too. Consider a production line that utilizes networked sensors along the line, which then transmit data in real time between ordering systems, packing robots, and even dispatch centers, to coordinate logistics. Considering the data that is collected using IoT sensors, and then the possibilities there are to interface with this data by using BYOD devices, it becomes clear that a system utilizing IoT technologies and BYOD access policies, needs to be secured to the highest industry standards.

Security breaches could mean that an unauthorized party is able to gain access to production data or even sensitive manufacturing secrets, or that a previous employee is able to take data and learnings to a competitor, using their own device that was once legitimately authorized through BYOD policies.

Similar risks exist in any industry. If you are an IT data security consultant within a contact center business, you could be tasked with protecting CRM systems, billing information, payment gateways, and other critical systems. Sales reps, telephone agents, and remote staff could all be using BYOD devices to connect to a decentralized cloud solution. Ensuring that access control and other security measures are present, will be a core aspect of the solutions that you design and implement. The reality is that a single violation can expose your entire network, making it critical to hire the right people and solve for these problems internally and for your clients.

Who are The Big Players in IT Security Today?

You only need to look at the world’s largest information security consultancies to see that data security is a big business.

Deloitte, currently the biggest player in IT security, made over $2 billion in revenue from security consulting in 2014. Other leading companies are seeing similar growth, with all of the top five, including IBM and KPMG, seeing revenue growth in security consulting. All of the top five exceeded 5% growth between 2013 and 2014.

This means that not only is there a clear growing need for security consulting, but also that there will be an increased demand for IT security consultants who are experienced in the latest technologies, including cloud and IoT technologies. The demand has been partially spurred on by high profile data security breaches, especially those at government level.

Businesses and Professionals Should Prepare for a Growing Market

Not only do businesses need to assess and respond to their needs regarding BYOD, IT security, and overall risk management, but they will need to begin to seek the most qualified consultants to lead their security initiatives.

Likewise, qualified candidates who are entering the job market need to seek out the most promising opportunities. Such as those that exist with businesses where they will have the opportunity to demonstrate their expertise in new and emerging IT technologies.

Moving forward, the businesses and professionals who recognize the importance and opportunity within data security consultancy, will be the ones who benefit the most in the next five years, when both IoT and IT Security are expected to experience drastic market growth.

How are you hiring to fill the need? Let's talk and see how your BYOD security concerns can be solved with a single hire - IOT Security Officer.

Read more…

Cloud computing vulnerabilities

When contemplating to migrate to cloud computing, you have to consider the following security issues for you to enhance your data safety.

Session Riding

Session riding occurs when an online attacker steals an internet user’s cookie to use the application later as the real user. The attackers might also use the CSRF attacks for them to trick the user to send authentic requests to random websites to accomplish various missions.

Virtual Machine Escape

Within virtualized settings, the physical servers operate multiple virtual apparatuses on top of the hypervisors. An online attacker can remotely exploit a hypervisor by using a weakness present in that particular hypervisor. However, such vulnerabilities are pretty rare, but they are real. Also, a virtual machine can avoid the virtualized sandbox setting to gain access to the hypervisor. Consequently, all the virtual machines ultimately run on the virtual machine.

Unsafe Cryptography

Cryptography algorithms normally use random number generators. They use unpredictable information sources to produce actual random numbers that are needed to get a large entropy pool. When the random number generators provide only a limited entropy pool, the numbers can be forced. In a client’s computer, the major source of randomization is user mouse operations and the key presses. Servers however normally operate without user interaction. That consequently means that there will be a lower number of sources for randomization. Hence, the virtual machines usually rely on the sources that are available to them. That could lead to easily guessable numbers that do not give much uncertainty in cryptographic algorithms.

CSP Lock-in

You have to choose a provider that has guarantee cloud security will enable you to shift easily to another provider when necessary. You do not want to choose a CSP that will force you to use its services. That is because sometimes you would prefer to use a CSP in one thing and another CSP for something different.

Cloud computing threats

Before you decide to shift to the cloud computing, you have to put into consideration the platform’s security vulnerabilities. You also need to assess the possible threats to determine whether the cloud platform is worth the risk due to the numerous advantages it has to offer. The following are the major security threats experienced regarding cloud security.

Ease of Use

It is a reality that cloud computing services can easily be exploited by malicious attackers since its registration process is pretty simple. You are only required to have valid credit card to get started on this platform. In some cases, you can even pay for the cloud computing charges by through PayPal, Payza, Bitcoin, Western Union or Litecoin. By using the payment methods, you can stay completely anonymous. The cloud platform can be used maliciously for various ill purposes like malware distribution, botnet C&C servers, spamming, DDoS, hash cracking and password cracking.

Secure Data Transmission

When sending the data from clients to a cloud computing platform, the data can be transferred by using a secure, encrypted communication channel such as SSL/TLS. That prevents various attacks like the dreaded MITM. During these attacks, your online data could be stolen by an attacker intercepting your communication.

Insecure APIs

Most cloud services are exposed by their application programming interfaces. Since the APIs are easily accessible from any location on the Internet, malicious attackers can exploit them to compromise the integrity and confidentiality of the internet users. An attacker has access to a token used by a legit user to access the service through cloud computing. The API can apply the same token to interfere with the customer data. Hence, it is imperative that all cloud services provide a safe API to prevent such attacks.

Malicious Insiders

It is possible for a staff member at a cloud service provider to have complete access to your confidential resources. Therefore, cloud service providers should set proper security measures to track their employee actions. Normally, cloud service providers never follow the best security procedures and fail to implement security policies. Hence, their employees can collect confidential information from customers without getting detected.


Originally posted on Data Science Central

Read more…

With the cloud changing the way modernizations of big data is done, service providers and security organizations have to work harder to ensure security of Big Data to their consumers. The reason for increased security breaches is because the traditional security technologies have no capacity required to detect and protect against such attacks. In view of this rising issue, let's look at what companies in Silicon Valley are doing to make big data more secure.


IBM and security of Big Data


IBM has launched a security intelligence with Big Data platform to ensure threats and risk are detected. IBM's platform can help business address the ATPs, fraud and insider threats. IBM is helping its clients to answer questions that could never have been answered before. For instance, the new security intelligence with Big Data platform helps clients analyze emails, transactions, social media data, documents and full packet data over years of activity. With these kind of analytic capabilities, organizations can find malicious activities hidden in the big masses of data.


HP's Big Data Security strategy


HP makes use of Knowledge management apps and Autonomy enterprise search and integrate them with Security-event and information management (SIEM) to analyze the massive data. According to Varun Kohli, the director of product market and enterprise security products, it is possible to reveal rogue employee's behavior related to the data leaks of information, and learn in advance plots against the organization by cyber criminals. HP believes autonomy gives meaning to the data to ensure analyst are able to find out what people are saying, both negative and positive.


Platform services


The Blue Coat (bluecoat.com) security platform is uniquely positioned to ensure secure data for its clients on five advanced solutions areas. They include Advanced Threat Protection, Advanced web and cloud security, Encrypted Traffic management, Incidence Response & Network Forensics and Network Performance & Optimization. The platform aims to deliver cohesive visibility, protection and integration including:


- Providing a management environment to ensure operational teams can manage, enforce policies using a single platform whether in the cloud, on premise or across the platform. The plat


- Intelligence – protection of data is real-time, an effort that requires integrated intelligence to ensure an organization is able to adapt to rapid advancing threats.


Microsoft Big Data Security


To help all its clients move to the cloud and feel more secure, Microsoft launched its new security features of its well-known Azure SQL Database. New security steps include:


- Encryption – referred as "always encrypted", it helps businesses protect sensitive data without "having to relinquish the encryption keys to Azure SQL Database". This means that data remains encrypted on disks, in memory, on transit and during processing.


- Transparent data encryption – helps business comply with requirements using associated backups, encrypting the databases, transaction log files without making changes in the applications.


- Azure SQL database – to support authentication.


- Threat detection – alerts the users on suspicious database activities on logical server or the database itself.


The reasons why companies may not have their Big Data secure is because:


- They fail to view data security in all dimensions.


- Failure to have a cutting-edge comprehensive information security plan.


- Failure for many businesses to see data security as a business problem but instead as an "IT Problem".


- Failure to classify data and trade secrets.


The importance of securing Big Data for the business includes:


- Ensure accuracy – when data in the cloud is secure, every employee has confidence in the values and information.


- Security of confidential information – an organization has to ensure trade secrets and employee personal information are protected among other information to ensure the business does not run in to a crisis.


- Availability – when data is secure, it is accessible as long as internet connection is available. Security of Big Data means information can be accessed at any time regardless of location.


- Prevent opportunistic hacking – when Big Data is not secure, hackers may try to breach the low security level with the aim of destruction and stealing confidential information.

Originally posted on Data Science Central

Follow us @IoTCtrl | Join our Community

Read more…
RSS
Email me when there are new items in this category –

IoT Open Discussion Forums

Upcoming IoT Events

More IoT News

IoT Career Opportunities