


For IoT and M2M device security assurance, it's critical to introduce automated software development tools into the development lifecycle. Although the role of software tools in quality assurance is important, it becomes even more so when security becomes part of a new or existing product's requirements.

Automated Software Development Tools

There are three broad categories of automated software development tools that are important for improving quality and security in embedded IoT products:

  • Application lifecycle management (ALM): Although not specific to security, these tools cover requirements analysis, design, coding, testing and integration, configuration management, and many other aspects of software development. With a security-first embedded development approach, however, these tools can help automate security engineering as well. For example, requirements analysis tools (in conjunction with vulnerability management tools) can ensure that security requirements and known vulnerabilities are tracked throughout the lifecycle. Design automation tools can incorporate secure design patterns and then generate code that avoids known security flaws (e.g. avoiding buffer overflows or checking input data for errors). Configuration management tools can insist on code inspection or static analysis reports before code is checked in. Test automation tools can be used to test "abuse" cases against the system. In general, there is a role for ALM tools in secure development just as there is for the project as a whole.
  • Dynamic Application Security Testing (DAST): Dynamic testing tools all require program execution in order to generate useful results. Examples include unit testing tools, test coverage, memory analyzers, and penetration test tools. Test automation tools are important for reducing the testing load on the development team and, more importantly, detecting vulnerabilities that manual testing may miss.
  • Static Application Security Testing (SAST): Static analysis tools work by analyzing source code, bytecode (e.g. compiled Java), and binary executable code. No code is executed in static analysis; rather, the analysis is done by reasoning about the potential behavior of the code. Static analysis is relatively efficient at analyzing a codebase compared to dynamic tools. Static analysis tools also analyze code paths that are untested by other methods and can trace execution and data paths through the code. Static analysis can be incorporated early during the development phase for analyzing existing, legacy, and third-party source and binaries before incorporating them into your product. As new source is added, incremental analysis can be used in conjunction with configuration management to ensure quality and security throughout.

Figure 1: The application of various tool classes in the context of the software development lifecycle.

Although adopting any class of tools helps productivity, security, and quality, using a combination of these is recommended. No single class of tools is the silver bullet[1]. The best approach is one that automates the use of a combination of tools from all categories, and that is based on a risk-based rationale for achieving high security within budget.

The role of static analysis tools in a security-first approach

Static analysis tools provide critical support in the coding and integration phases of development. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and quality issues in software. In particular, it provides some of the following benefits:

  • Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration as discussed below. However, where it really shines is after an initial code quality and security baseline is established. As each new code block is written (file or function), it can be scanned by the static analysis tools, and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system. Detecting errors and vulnerabilities (and maintaining secure coding standards, discussed below) in the source at the source (developers themselves) yields the biggest impact from the tools.
  • Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability.  Many attacks are mounted by feeding specially-crafted data into inputs, designed to subvert the behavior of the target system. Unless data is verified to be acceptable both in length and content, it can be used to trigger error conditions or worse. Code injection and data leakage are possible outcomes of these attacks, which can have serious consequences.
  • Third-party code assessment: Most projects are not greenfield development and require the use of existing code within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech CodeSonar binary analysis can analyze binary-only libraries and provide reports similar to those from source analysis when source is not available. In addition, CodeSonar binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code.
  • Secure coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C [2] and Microsoft's Secure Coding Guidelines [3]. Coding standards are good practice because they prevent risky code from becoming future vulnerabilities. As mentioned above, integrating these checks into the build and configuration management system improves the quality and security of code in the product.
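To make the two analyses described above concrete, here is an added example that is not part of the original article and is not GrammaTech's or CodeSonar's code: a small source-to-sink taint tracker over a Python module, built on the standard `ast` module, that also enforces one coding-standard rule (a banned-call list, in the spirit of CERT's rule against `gets()`). Nothing is executed; the analyzer reasons about assignments and calls. The `TAINT_SOURCES`, `TAINT_SINKS`, `SANITIZERS` and `BANNED_CALLS` tables and the `SAMPLE_PROGRAM` are constructed for the demo and are assumptions, not any real tool's rule set.

```python
import ast

# Demo rule tables (assumptions for this example, not CodeSonar's or CERT's rules).
TAINT_SOURCES = {"input", "recv", "read", "getenv"}            # attacker-influenced data enters here
TAINT_SINKS = {"system", "popen", "eval", "exec", "execute"}   # dangerous when fed tainted data
SANITIZERS = {"shlex.quote", "int", "html.escape"}             # return values treated as clean
BANNED_CALLS = {"eval", "exec"}                                # coding-standard rule: never call these

# Constructed sample program under analysis (it is parsed, never run).
SAMPLE_PROGRAM = """import os, shlex
host = input("host: ")
os.system("ping -c 1 " + host)
safe = shlex.quote(host)
os.system("ping -c 1 " + safe)
count = int(input("count: "))
os.system("ping -c " + str(count))
eval(host)
"""


def dotted_name(expr):
    """Return 'os.system' for the callee of os.system(...), or '' for non-name callees."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = dotted_name(expr.value)
        return f"{base}.{expr.attr}" if base else expr.attr
    return ""


class TaintAnalyzer(ast.NodeVisitor):
    """Path-insensitive taint tracker: variable names carry taint from sources to sinks."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding attacker-influenced data
        self.findings = []     # (line, rule, callee)

    def is_tainted(self, expr):
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SANITIZERS:                    # sanitizer output is clean by definition
                return False
            if name.split(".")[-1] in TAINT_SOURCES:  # a source call is tainted regardless of args
                return True
            return any(self.is_tainted(a) for a in expr.args)  # other calls propagate taint
        if isinstance(expr, ast.BinOp):               # "prefix " + tainted -> tainted
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):           # f-strings propagate taint of any part
            return any(self.is_tainted(v) for v in expr.values)
        if isinstance(expr, (ast.FormattedValue, ast.Subscript, ast.Attribute)):
            return self.is_tainted(expr.value)
        return False                                  # constants and anything else are clean

    def visit_Assign(self, node):
        self.visit(node.value)                        # still check sinks nested in the RHS
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassignment with clean data untaints

    def visit_AugAssign(self, node):
        self.visit(node.value)
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        base = name.split(".")[-1]
        if base in BANNED_CALLS:                      # coding-standard rule, taint or not
            self.findings.append((node.lineno, "banned-call", name))
        args = node.args + [kw.value for kw in node.keywords]
        if base in TAINT_SINKS and any(self.is_tainted(a) for a in args):
            self.findings.append((node.lineno, "tainted-sink", name))
        self.generic_visit(node)


def analyze_source(source):
    """Parse a module and return its findings as (line, rule, callee) tuples in source order."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for line, rule, callee in analyze_source(SAMPLE_PROGRAM):
        print(f"line {line}: {rule} {callee}()")
```

Run on the sample, the analyzer reports line 3 (user input reaches `os.system`) and line 8 (a banned `eval` call that is also fed tainted data), while lines 5 and 7 pass because the data went through a sanitizer first. A production tool adds path sensitivity, interprocedural flow and a far larger rule base, but the shape of the analysis is the same.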

As part of a complete tools suite, static analysis provides key capabilities that other tools cannot. The payback for adopting static analysis is the early detection of errors and vulnerabilities that traditional testing tools may miss. This helps ensure a high level of quality and security on an on-going basis.

Conclusion

Machine to machine and IoT device manufacturers incorporating a security-first design philosophy with formal threat assessments, leveraging automated tools, produce devices better secured against the accelerating threats on the Internet. Modifying an existing, successful software development process so that it includes security at the early stages of product development is key. Smart use of automated tools to develop new code and analyze existing and third party code allows development teams to meet strict budget and schedule constraints. Static analysis of both source and binaries plays a key role in a security-first development toolset.

References

  1. No Silver Bullet – Essence and Accident in Software Engineering, Fred Brooks, 1986
  2. SEI CERT C Coding Standard,
  3. Outsource Code Development Driving Automated Test Tool Market, VDC Research, IoT & Embedded Blog, October 22, 2013


By Ben Dickson. This article originally appeared here.

A recent DDoS attack staged against a brick-and-mortar jewelry store highlights just how devastating the neglect of IoT security can become. The attack, as reported by SC Magazine, involved a flood of 35,000 HTTP requests per second carried out by an IoT botnet of more than 25,000 compromised CCTV cameras scattered across the entire globe, causing the shop’s servers to go down.

As detailed by cybersecurity firm Sucuri, the attack is unusual because it used only IoT devices and because of its uncommonly lengthy duration. After the initial wave, when the servers were brought back online, a second, bigger attack of 50,000 HTTP requests per second was conducted, which lasted for several days.

A separate report by Computer Weekly details how the LizardStresser malware is creating IoT botnets by exploiting vulnerable devices, and is mounting massive 400 gigabits-per-second DDoS attacks without using amplification techniques.

This is just a glimpse of the opportunities that the Internet of Insecure Things is providing for malicious actors who are always looking for new ways to break into networks to defraud organizations of their cash and valuable assets, or to harm opponents and competitors.

You’ve been warned about IoT botnets before

While the rise in DDoS attacks based on IoT botnets is new, it wasn’t unexpected. In fact, after 2015 became the year of proof-of-concept attacks against the Internet of Things, it had been predicted that IoT devices would become a very attractive target for bot herders in 2016.

As Dark Reading’s Ericka Chickowski said in this post, “2016 is going to be the year that attackers make a concerted effort to turn the Internet of Things (IoT) into the Botnet of Things.”

Researchers from Incapsula first warned about IoT botnets last year after detailing an attack they discovered which they tracked back to CCTV cameras at a retail store close to their office. And with insecure IoT devices becoming connected to the internet at a chaotic pace, hackers have good reason to give up general purpose computing devices, such as desktop and laptop computers, to go after the easier targets.

What makes IoT devices such easy prey for botnet malware?

There are many reasons that IoT devices – and in this case CCTVs – make very attractive targets for bot herders. As Igal Zeifman, senior digital strategist from Imperva, detailed in the Incapsula blog post, “Security cameras are among the most prevalent and least protected IoT devices. Moreover, many have high upload connections, meant to support their remote streaming functionality.”

What makes it easy to conscript CCTVs – and other IoT devices for that matter – into botnets? According to Chris Hodson, CISO for the EMEA region at cloud security company Zscaler, who spoke with SC Magazine, it’s because the security development lifecycle for IoT devices is often expedited or bypassed due to strict deadlines around time to market or the cost of the hardware.

This is a point that I’ve also raised on several occasions: one of the fundamental problems with IoT security is that the developers often come from an unconnected background, such as embedded systems, which means they have the knowhow to provide functionality but aren’t versed in the principles to write secure code for connected environments. In other cases, security is advertently neglected for the sake of meeting release deadlines or cost requirements.

Researchers at Arbor Networks summed up the prevalence of IoT botnet malware in four reasons:

  • The operating system of IoT devices is usually a stripped-down version of Linux, which means malware can be easily compiled for the target architecture.
  • IoT devices usually have full access to internet and aren’t subject to bandwidth limitations or filtering – which is very true in the case of CCTVs.
  • Minimal operating systems running on IoT devices don’t leave much room for security features such as auditing, which lets attackers compromise and exploit the devices without leaving a trace.
  • There’s a lot of hardware and software reuse in IoT development, which means a lot of security-critical components become shared between devices. (Just take a look at “House of Keys” research by SEC Consult, which shows how the reuse of HTTPS certificates and SSH keys endangers millions of devices.)

The part that concerns consumers is the carelessness in dealing with IoT device security. Since IoT devices aren’t as personal as, say, smartphones or PCs, users tend to “install and forget” IoT devices. Bad practices such as not changing passwords, or worse, leaving devices installed with factory-default passwords are epidemic in IoT ecosystems, which makes it very easy to gain administrative access to the device and install IoT botnet malware on it.

What can be done about the IoT botnets?

I just wanted to raise the challenge of IoT botnets in this post. The response will be the subject of a future article. But very briefly, a lot can be done to mitigate the threat of IoT botnets in the future. For one thing, security should become a major factor in IoT development. As Cesare Garlati, chief security strategist at prpl foundation told SC, “The very fact that patching isn’t high on the priority list for admins is testament to why security in devices like CCTV cameras needs to be ‘baked in’ at the chip or hardware layer.”

We’ve already seen the effectiveness of hardware security in the headaches that Apple gave the FBI in the San Bernardino iPhone case. Having devices that are secure at the hardware level will go a long way toward hardening our defenses against exploits, including IoT botnets.

Moreover, we should also recognize that some IoT devices can’t be secured at the device level and therefore must be secured at the network level. Deploying network security solutions, like the ones I’ve described in this TNW article can help a lot in providing security against IoT botnets for devices that are inherently insecure.
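Network-level monitoring is one of the few controls that works for devices that cannot be patched or hardened themselves. The following is an added example, not part of the original article: a small rate-based detector, in Python, that reads outbound HTTP request logs from an edge proxy and flags two shapes of the attack described above, a single device issuing far more requests per second than a camera should, and several devices on the IoT segment hitting the same external host in the same second. The log format, the 10.20.x.x camera subnet, the thresholds and the sample lines are all constructed for the demo and are assumptions, not details from the article or from any vendor.

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the article): cameras live on a dedicated
# subnet, and an edge proxy logs every outbound HTTP request one per line as
#   <ISO 8601 timestamp> <src ip> -> <dst host:port> <method> <path>
IOT_SUBNET_PREFIX = "10.20."
PER_DEVICE_RPS_LIMIT = 20   # a camera streaming video has no need for more outbound requests/second
FAN_IN_LIMIT = 3            # distinct IoT devices hitting one host in the same second

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\S+) (\w+) (\S+)$")


def build_sample_log():
    """Constructed sample: one healthy camera, one laptop, and three cameras flooding a shop site."""
    lines = [
        "2016-06-28T10:00:00Z 10.20.0.5 -> cloud.example.net:443 POST /stream",
        "2016-06-28T10:00:01Z 10.20.0.5 -> cloud.example.net:443 POST /stream",
        "2016-06-28T10:00:01Z 10.30.0.9 -> www.example.org:443 GET /index.html",
    ]
    for device in ("10.20.0.11", "10.20.0.12", "10.20.0.13"):
        for i in range(25):  # 25 requests in one second from each conscripted camera
            lines.append(f"2016-06-28T10:00:02Z {device} -> shop.example.com:80 GET /?r={i}")
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, src, dst, method, path) or None for lines that do not match."""
    match = LINE_RE.match(line)
    return match.groups() if match else None


def analyze(log_text):
    """Flag noisy IoT devices and external hosts hit by many IoT devices at once."""
    requests_per_src_second = defaultdict(int)       # (src, second) -> request count
    iot_sources_per_dst_second = defaultdict(set)    # (dst, second) -> {src}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue                                 # skip malformed lines rather than crash
        timestamp, src, dst, _method, _path = record
        if not src.startswith(IOT_SUBNET_PREFIX):
            continue                                 # only the IoT segment is subject to these rules
        second = timestamp[:19]                      # whole-second bucket from the ISO 8601 prefix
        requests_per_src_second[(src, second)] += 1
        iot_sources_per_dst_second[(dst, second)].add(src)

    noisy_devices = {}                               # src -> peak requests in one second
    for (src, _second), count in requests_per_src_second.items():
        if count > PER_DEVICE_RPS_LIMIT:
            noisy_devices[src] = max(count, noisy_devices.get(src, 0))

    flood_targets = {}                               # dst -> peak number of distinct IoT sources
    for (dst, _second), sources in iot_sources_per_dst_second.items():
        if len(sources) >= FAN_IN_LIMIT:
            flood_targets[dst] = max(len(sources), flood_targets.get(dst, 0))

    return {"noisy_devices": noisy_devices, "flood_targets": flood_targets}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for src, peak in sorted(result["noisy_devices"].items()):
        print(f"device {src} peaked at {peak} requests/second")
    for dst, fan_in in sorted(result["flood_targets"].items()):
        print(f"{fan_in} IoT devices hit {dst} in the same second")
```

The healthy camera (one request per second to its own cloud service) and the laptop on another subnet are not flagged; the three cameras each exceed the per-device ceiling and together trip the fan-in rule for the shop host. In practice a finding like this feeds an egress-filtering rule or a quarantine VLAN for the offending devices, which is the network-level response the paragraph above argues for.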

These are just two tips at fighting back against the rising tide of IoT botnets. I’m sure that a lot of you readers out there have brilliant ideas and innovations that can help deal with this situation. Since I’ll be writing about this very soon, I’m eager to know what you’re doing to deal with the IoT botnet threat. Leave a comment, or better yet contact me, to share your ideas.


Originally Posted and Written by: Michelle Canaan, John Lucker, & Bram Spector

Connectivity is changing the way people engage with their cars, homes, and bodies—and insurers are looking to keep pace. Even at an early stage, IoT technology may reshape the way insurance companies assess, price, and limit risks, with a wide range of potential implications for the industry.

Insurers’ path to growth: Embrace the future

In 1997, Progressive Insurance pioneered the use of the Internet to purchase auto insurance online, in real time.[1] In a conservative industry, Progressive’s innovative approach broke several long-established trade-offs, shaking up traditional distribution channels and empowering consumers with price transparency.

This experiment in distribution ended up transforming the industry as a whole. Online sales quickly forced insurers to evolve their customer segmentation capabilities and, eventually, to refine pricing. These modifications propelled growth by allowing insurers to serve previously uninsurable market segments. And as segmentation became table stakes for carriers, a new cottage industry of tools, such as online rate comparison capabilities, emerged to capture customer attention. Insurers fought to maintain their competitive edge through innovation, but widespread transparency in product pricing over time created greater price competition and ultimately led to product commoditization. The tools and techniques that put the insurer in the driver’s seat slowly tipped the balance of power to the customer.

This case study of insurance innovation and its unintended consequences may be a precursor to the next generation of digital connectivity in the industry. Today, the availability of unlimited new sources of data that can be exploited in real time is radically altering how consumers and businesses interact. And the suite of technologies known as the Internet of Things (IoT) is accelerating the experimentation of Progressive and other financial services companies. With the IoT’s exponential growth, the ways in which citizens engage with their cars, homes, and bodies are getting smarter each day, and they expect the businesses they patronize to keep up with this evolution. Insurance, an industry generally recognized for its conservatism, is no exception.

IoT technology may still be in its infancy, but its potential to reshape the way insurers assess, price, and limit risks is already quite promising. Nevertheless, since innovation inevitably generates unintended possibilities and consequences, insurers will need to examine strategies from all angles in the earliest planning stages.

To better understand potential IoT applications in insurance, the Deloitte Center for Financial Services (DCFS), in conjunction with Wikistrat, performed a crowdsourcing simulation to explore the technology’s implications for the future of the financial services industry. Researchers probed participants (13 doctorate holders, 24 cyber and tech experts, 20 finance experts, and 6 entrepreneurs) from 20 countries and asked them to imagine how IoT technology might be applied in a financial services context. The results (figure 1) are not an exhaustive compilation of scenarios already in play or forthcoming but, rather, an illustration of several examples of how these analysts believe the IoT may reshape the industry.[2]

Figure 1: IoT application scenarios for financial services put forward in the Wikistrat crowdsourcing simulation

CONNECTIVITY AND OPPORTUNITY

Even this small sample of possible IoT applications shows how increased connectivity can generate tremendous new opportunities for insurers, beyond personalizing premium rates. Indeed, if harnessed effectively, IoT technology could potentially boost the industry’s traditionally low organic growth rates by creating new types of coverage opportunities. It offers carriers a chance to break free from the product commoditization trend that has left many personal and commercial lines to compete primarily on price rather than coverage differentiation or customer service.

For example, an insurer might use IoT technology to directly augment profitability by transforming the income statement’s loss component. IoT-based data, carefully gathered and analyzed, might help insurers evolve from a defensive posture—spreading risk among policyholders and compensating them for losses—to an offensive posture: helping policyholders prevent losses and insurers avoid claims in the first place. And by avoiding claims, insurers could not only reap the rewards of increased profitability, but also reduce premiums and aim to improve customer retention rates. Several examples, both speculative and real-life, include:

  • Sensors embedded in commercial infrastructure can monitor safety breaches such as smoke, mold, or toxic fumes, allowing for adjustments to the environment to head off or at least mitigate a potentially hazardous event.
  • Wearable sensors could monitor employee movements in high-risk areas and transmit data to employers in real time to warn the wearer of potential danger as well as decrease fraud related to workplace accidents.
  • Smart home sensors could detect moisture in a wall from pipe leakage and alert a homeowner to the issue prior to the pipe bursting. This might save the insurer from a large claim and the homeowner from both considerable inconvenience and losing irreplaceable valuables. The same can be said for placing IoT sensors in business properties and commercial machinery, mitigating property damage and injuries to workers and customers, as well as business interruption losses.
  • Socks and shoes that can alert diabetics early on to potential foot ulcers, odd joint angles, excessive pressure, and how well blood is pumping through capillaries are now entering the market, helping to avoid costly medical and disability claims as well as potentially life-altering amputations.[3]

Beyond minimizing losses, IoT applications could also potentially help insurers resolve the dilemma with which many have long wrestled: how to improve the customer experience, and therefore loyalty and retention, while still satisfying the unrelenting market demand for lower pricing. Until now, insurers have generally struggled to cultivate strong client relationships, both personal and commercial, given the infrequency of interactions throughout the insurance life cycle from policy sale to renewal—and the fact that most of those interactions entail unpleasant circumstances: either deductible payments or, worse, claims. This dynamic is even more pronounced in the independent agency model, in which the intermediary, not the carrier, usually dominates the relationship with the client.

The emerging technology intrinsic to the IoT that can potentially monitor and measure each insured’s behavioral and property footprint across an array of activities could turn out to be an insurer’s holy grail, as IoT applications can offer tangible benefits for value-conscious consumers while allowing carriers to remain connected to their policyholders’ everyday lives. While currently, people likely want as few associations with their insurers as possible, the IoT can potentially make insurers a desirable point of contact. The IoT’s true staying power will be manifested in the technology’s ability to create value for both the insurer and the policyholder, thereby strengthening their bond. And while the frequency of engagement shifts to the carrier, the independent agency channel will still likely remain relevant through the traditional client touchpoints.

By harnessing continuously streaming “quantified self” data, using advanced sensor connectivity devices, insurers could theoretically capture a vast variety of personal data and use it to analyze a policyholder’s movement, environment, location, health, and psychological and physical state. This could provide innovative opportunities for insurers to better understand, serve, and connect with policyholders—as well as insulate companies against client attrition to lower-priced competitors. Indeed, if an insurer can demonstrate how repurposing data collected for insurance considerations might help a carrier offer valuable ancillary non-insurance services, customers may be more likely to opt in to share further data, more closely binding insurer and customer.

Leveraging IoT technologies may also have the peripheral advantage of resuscitating the industry’s brand, making insurance more enticing to the relatively small pool of skilled professionals needed to put these strategies in play. And such a shift would be welcome, considering that Deloitte’s Talent in Insurance Survey revealed that the tech-savvy Millennial generation generally considers a career in the insurance industry “boring.”[4] Such a reputational challenge clearly creates a daunting obstacle for insurance executives and HR professionals, particularly given the dearth of employees with necessary skill sets to successfully enable and systematize IoT strategies, set against a backdrop of intense competition from many other industries. Implementing cutting-edge IoT strategies could boost the “hip factor” that the industry currently lacks.

With change comes challenges

While most stakeholders might see attractive possibilities in the opportunity for behavior monitoring across the insurance ecosystem, inevitable hurdles stand in the way of wholesale adoption. How insurers surmount each potential barrier is central to successful evolution.

For instance, the industry’s historically conservative approach to innovation may impede the speed and flexibility required for carriers to implement enhanced consumer strategies based on IoT technology. Execution may require more nimble data management and data warehousing than currently in place, as engineers will need to design ways to quickly aggregate, analyze, and act upon disparate data streams. To achieve this speed, executives may need to spearhead adjustments to corporate culture grounded in more centralized location of data control. Capabilities to discern which data are truly predictive versus just noise in the system are also critical. Therefore, along with standardized formats for IoT technology,[5] insurers may see an increasing need for data scientists to mine, organize, and make sense of mountains of raw information.

Perhaps most importantly, insurers would need to overcome the privacy concerns that could hinder consumers’ willingness to make available the data on which the IoT runs. Further, increased volume, velocity, and variety of data propagate a heightened need for appropriate security oversight and controls.

For insurers, efforts to capitalize on IoT technology may also require patience and long-term investments. Indeed, while bolstering market share, such efforts could put a short-term squeeze on revenues and profitability. To convince wary customers to opt in to monitoring programs, insurers may need to offer discounted pricing, at least at the start, on top of investments to finance infrastructure and staff supporting the new strategic initiative. This has essentially been the entry strategy for auto carriers in the usage-based insurance market, with discounts provided to convince drivers to allow their performance behind the wheel to be monitored, whether by a device installed in their vehicles or an application on their mobile device.

Results from the Wikistrat crowdsourcing simulation reveal several other IoT-related challenges that respondents put forward (see figure 2).[6]

Figure 2: IoT-related challenges identified by respondents in the Wikistrat crowdsourcing simulation

Each scenario implies some measure of material impact to the insurance industry. In fact, together they suggest that the same technology that could potentially help improve loss ratios and strengthen policyholder bonds over the long haul may also make some of the most traditionally lucrative insurance lines obsolete.

For example, if embedding sensors in cars and homes to prevent hazardous incidents increasingly becomes the norm, and these sensors are perfected to the point where accidents are drastically reduced, this development may minimize or eliminate the need for personal auto and home liability coverage, given the lower frequency and severity of losses that result from such monitoring. Insurers need to stay ahead of this, perhaps even eventually shifting books of business from personal to product liability as claims evolve from human error to product failure.

Examining the IoT through an insurance lens

Analyzing the intrinsic value of adopting an IoT strategy is fundamental in the development of a business plan, as executives must carefully consider each of the various dimensions to assess the potential value and imminent challenges associated with every stage of operationalization. Using Deloitte’s Information Value Loop can help capture the stages (create, communicate, aggregate, analyze, act) through which information passes in order to create value.[7]

The value loop framework is designed to evaluate the components of IoT implementation as well as potential bottlenecks in the process, by capturing the series and sequence of activities by which organizations create value from information (figure 3).

Figure 3: Deloitte’s Information Value Loop (create, communicate, aggregate, analyze, act)

To complete the loop and create value, information passes through the value loop’s stages, each enabled by specific technologies. An act is monitored by a sensor that creates information. That information passes through a network so that it can be communicated, and standards—be they technical, legal, regulatory, or social—allow that information to be aggregated across time and space. Augmented intelligence is a generic term meant to capture all manner of analytical support, collectively used to analyze information. The loop is completed via augmented behavior technologies that either enable automated, autonomous action or shape human decisions in a manner leading to improved action.[8]

For a look at the value loop through an insurance lens, we will examine an IoT capability already at play in the industry: automobile telematics. By circumnavigating the stages of the framework, we can scrutinize the efficacy of how monitoring driving behavior is poised to eventually transform the auto insurance market with a vast infusion of value to both consumers and insurers.

Auto insurance and the value loop

Telematic sensors in the vehicle monitor an individual’s driving to create personalized data collection. The connected car, via in-vehicle telecommunication sensors, has been available in some form for over a decade.[9] The key value for insurers is that sensors can closely monitor individual driving behavior, which directly corresponds to risk, for more accuracy in underwriting and pricing.

Originally, sensor manufacturers made devices available to install on vehicles; today, some carmakers are already integrating sensors into showroom models, available to drivers—and, potentially, their insurers—via smartphone apps. The sensors collect data (figure 4) which, if properly analyzed, might more accurately predict the unique level of risk associated with a specific individual’s driving and behavior. Once the data is created, an IoT-based system could quantify and transform it into “personalized” pricing.

Figure 4: Data collected by vehicle telematics sensors (braking, acceleration, cornering, and average speed)

Sensors’ increasing availability, affordability, and ease of use break what could potentially be a bottleneck at this stage of the Information Value Loop for other IoT capabilities in their early stages.

IoT technology aggregates and communicates information to the carrier to be evaluated. To identify potential correlations and create predictive models that produce reliable underwriting and pricing decisions, auto insurers need massive volumes of statistically and actuarially credible telematics data.

In the hierarchy of auto telematics monitoring, large insurers currently lead the pack when it comes to usage-based insurance market share, given the amount of data they have already accumulated or might potentially amass through their substantial client bases. In contrast, small and midsized insurers—with less comprehensive proprietary sources—will likely need more time to collect sufficient data on their own.

To break this bottleneck, smaller players could pool their telematics data with peers either independently or through a third-party vendor to create and share the broad insights necessary to allow a more level playing field throughout the industry.

Insurers analyze data and use it to encourage drivers to act by improving driver behavior/loss costs. By analyzing the collected data, insurers can now replace or augment proxy variables (age, car type, driving violations, education, gender, and credit score) correlated with the likelihood of having a loss with those factors directly contributing to the probability of loss for an individual driver (braking, acceleration, cornering, and average speed, as figure 4 shows). This is an inherently more equitable method to structure premiums: Rather than paying for something that might be true about a risk, a customer pays for what is true based on his own driving performance.

But even armed with all the data necessary to improve underwriting for “personalized” pricing, insurers need a way to convince millions of reluctant customers to opt in. To date, insurers have used the incentive of potential premium discounts to engage consumers in auto telematics monitoring.[10] However, this model is not necessarily attractive enough to convince the majority of drivers to relinquish a measure of privacy and agree to usage-based insurance. It is also unsustainable for insurers that will eventually have to charge rates actually based on risk assessment rather than marketing initiatives.

Substantiating the point about consumer adoption is a recent survey by the Deloitte Center for Financial Services of 2,193 respondents representing a wide variety of demographic groups, aiming to understand consumer interest in mobile technology in financial services delivery, including the use of auto telematics monitoring. The survey identified three distinct groups among respondents when asked whether they would agree to allow an insurer to track their driving experience, if it meant they would be eligible for premium discounts based on their performance (figure 5).[11] While one-quarter of respondents were amenable to being monitored, just as many said they would require a substantial discount to make it worth their while (figure 5), and nearly half would not consent.

Figure 5

While the Deloitte survey was prospective (asking how many respondents would be willing to have their driving monitored telematically), actual recruits have proven difficult to bring on board. Indeed, a 2015 Lexis-Nexis study on the consumer market for telematics showed that usage-based insurance enrollment has remained at only 5 percent of households from 2014 to 2015 (figure 6).12

Figure 6

Both of these survey results suggest that premium discounts alone have not and likely will not induce many consumers to opt in to telematics monitoring going forward, and would likely be an unsustainable model for insurers to pursue. The good news: Research suggests that, while protective of their personal information, most consumers are willing to trade access to that data for valuable services from a reputable brand.13 Therefore, insurers will likely have to differentiate their telematics-based product offerings beyond any initial early-adopter premium savings by offering value-added services to encourage uptake, as well as to protect market share from other players moving into the telematics space.

In other words, insurers—by offering mutually beneficial, ongoing value-added services—can use IoT-based data to become an integral daily influence for connected policyholders. Companies can incentivize consumers to opt in by offering real-time, behavior-related services, such as individualized marketing and advertising, travel recommendations based on location, alerts about potentially hazardous road conditions or traffic, and even diagnostics and alerts about a vehicle’s potential issues (figure 7).14 More broadly, insurers could aim to serve as trusted advisers to help drivers realize the benefits of tomorrow’s connected car.15

Many IoT applications offer real value to both insurers and policyholders: Consider GPS-enabled geo-fencing, which can monitor and send alerts about driving behavior of teens or elderly parents. For example, Ford’s MyKey technology includes tools such as letting parents limit top speeds, mute the radio until seat belts are buckled, and keep the radio at a certain volume while the vehicle is moving.16 Other customers may be attracted to “green” monitoring, in which they receive feedback on how environmentally friendly their driving behavior is.

Insurers can also look to offer IoT-related services exclusive of risk transfer—for example, co-marketing location-based services with other providers, such as roadside assistance, auto repairs, and car washes may strengthen loyalty to a carrier. They can also include various nonvehicle-related service options such as alerts about nearby restaurants and shopping, perhaps in conjunction with points earned by good driving behavior in loyalty programs or through gamification, which could be redeemed at participating vendors. Indeed, consumers may be reluctant to switch carriers based solely on pricing, knowing they would be abandoning accumulated loyalty points as well as a host of personalized apps and settings.

For all types of insurance—not just auto—the objective is for insurers to identify the expectations that different types of policyholders may have, and then adapt those insights into practical applications through customized telematic monitoring to elevate the customer experience.

Telematics monitoring has demonstrated benefits even beyond better customer experience for policyholders. Insurers can use telematics tools to expose an individual’s risky driving behavior and encourage adjustments. Indeed, people being monitored by behavior sensors will likely improve their driving habits and reduce crash rates—a result to everyone’s benefit. This “nudge effect” indicates that the motivation to change driving behavior is likely linked to the actual surveillance facilitated by IoT technology.

The power of peer pressure is another galvanizing influence that can provoke beneficial consumer behavior. Take fitness wearables, which incentivize individuals to do as much or more exercise than the peers with whom they compete.17 In fact, research done in several industries points to an individual’s tendency to be influenced by peer behavior above most other factors. For example, researchers asked four separate groups of utility consumers to cut energy consumption: one for the good of the planet, a second for the well-being of future generations, a third for financial savings, and a fourth because their neighbors were doing it. The only group that elicited any drop in consumption (at 10 percent) was the fourth—the peer comparison group.18

Insurers equipped with not only specific policyholder information but aggregated data that puts a user’s experience in a community context have a real opportunity to influence customer behavior. Since people generally resist violating social norms, if a trusted adviser offers data that compares customer behavior to “the ideal driver”—or, better, to a group of friends, family, colleagues, or peers—they will, one hopes, adapt to safer habits.

Figure 7

The future ain’t what it used to be—what should insurers do?

After decades of adherence to traditional business models, the insurance industry, pushed and guided by connected technology, is taking a road less traveled. Analysts expect some 38.5 billion IoT devices to be deployed globally by 2020, nearly three times as many as today,19 and insurers will no doubt install their fair share of sensors, data banks, and apps. In an otherwise static operating environment, IoT applications present insurers with an opportunity to benefit from technology that aims to improve profits, enable growth, strengthen the consumer experience, build new market relevance, and avoid disruption from more forward-looking traditional and nontraditional competitors.

Incorporating IoT technology into insurer business models will entail transformation to elicit the benefits offered by each strategy.

  • Carriers must confront the barriers associated with conflicting standards—data must be harvested and harnessed in a way that makes the information valid and able to generate valuable insights. This could include making in-house legacy systems more modernized and flexible, building or buying new systems, or collaborating with third-party sources to develop more standardized technology for harmonious connectivity.
  • Corporate culture will need a facelift—or, likely, something more dramatic—to overcome longstanding conventions on how information is managed and consumed across the organization. In line with industry practices around broader data management initiatives,20 successfully implementing IoT technology will require supportive “tone at the top,” change management initiatives, and enterprisewide training.
  • With premium savings already proving insufficient to entice most customers to allow insurers access to their personal usage data, companies will need to strategize how to convince or incentivize customers to opt in—after all, without that data, IoT applications are of limited use. To promote IoT-aided connectivity, insurers should look to market value-added services, loyalty points, and rewards for reducing risk. Insurers need to design these services in conjunction with their insurance offerings, to ensure that both make best use of the data being collected.
  • Insurers will need to carefully consider how an interconnected world might shift products from focusing on cleaning up after disruptions to forestalling those disruptions before they happen. IoT technology will likely upend certain lines of businesses, potentially even making some obsolete. Therefore, companies must consider how to heighten flexibility in their models, systems, and culture to counterbalance changing insurance needs related to greater connectivity.
  • IoT connectivity may also potentially level the playing field among insurers. Since a number of the broad capabilities that technology is introducing do not necessarily require large data sets to participate (such as measuring whether containers in a refrigerated truck are at optimal temperatures to prevent spoilage21 or whether soil has the right mix of nutrients for a particular crop22), small to midsized players or even new entrants may be able to seize competitive advantages from currently dominant players.
  • And finally, to test the efficacy of each IoT-related strategy prior to implementation, a framework such as the Information Value Loop may become an invaluable tool, helping forge a path forward and identify potential bottlenecks or barriers that may need to be resolved to get the greatest value out of investments in connectivity.

The bottom line: IoT is here to stay, and insurers need to look beyond business as usual to remain competitive.

The IoT is here to stay, the rate of change is unlikely to slow anytime soon, and the conservative insurance industry is hardly impervious to connectivity-fueled disruption—both positive and negative. The bottom line: Insurers need to look beyond business as usual. In the long term, no company can afford to engage in premium price wars over commoditized products. A business model informed by IoT applications might emphasize differentiating offerings, strengthening customer bonds, energizing the industry brand, and curtailing risk either at or prior to its initiation.

IoT-related disruptors should also be considered through a long-term lens, and responses will likely need to be forward-looking and flexible to incorporate the increasingly connected, constantly evolving environment. With global connectivity reaching a fever pitch amid increasing rates of consumer uptake, embedding these neoteric schemes into the insurance industry’s DNA is no longer a matter of if but, rather, of when and how.

You can view the original post in its entirety Here


Originally Posted by: Shawn Wasserman

Shodan search results show that over half a million devices use the 10-year-old OpenSSH 4.3 software. This puts all these devices at risk.


One doesn’t have to look too far to realize how vulnerable the Internet of Things (IoT) can be. It just takes a quick search on IoT search engines like BullGuard and Shodan.io.

During a presentation at PTC LiveWorx 2016, Rob Black, senior director of product management at PTC, outlined how black hat hackers could get into over half a million connected devices using an old software known as OpenSSH 4.3.

OpenSSH is an implementation of the secure shell (SSH) protocol, used to give users access to networks from a remote location. It is harmless, even useful, when used by the right user in a controlled way.

Unfortunately, a popular version of the software, OpenSSH 4.3, has been out for about a decade. As a result, it has developed a laundry list of vulnerabilities that hackers can use to gain access to systems.

According to the Shodan IoT device search engine, over half a million devices on the ‘net still use this outdated software.

“Half a million devices are on the open Internet with 10-year-old software that allows you to tunnel inside to their network. Who thinks that’s good?” Black rhetorically questioned. “This is one example. One search. One software. One version of a software. There are millions of exposed resources on the Internet.”

The scary thing, Black explained, is that some search results bring up IoT devices associated with power plants and wind tunnels. According to AdaptiveMobile, a mobile network security company, up to 80 percent of connected devices on the IoT lack the security measures they need to protect us. Once a device turns up on Shodan, many of its characteristics are visible, and those characteristics help hackers get into it.

These attacks can even prove deadly depending on the IoT application. Take an integrated clinical environment (ICE) like an IoT-enabled hospital. Without proper security, many types of attacks have the potential to risk lives. According to a report published by the Industrial Internet Consortium, these attacks fall into five categories.

Five IoT hacking attacks that can risk lives. Examples from an integrated clinical environment (ICE). (Table from the Industrial Internet Consortium.)

Engineers are designing these IoT devices, sensors and edge points. To ensure that hackers are kept at bay, these engineers need to understand and learn from their software engineer and IT cousins.

“From a design point of view, engineers need to learn about hacking security. You need security at the edge point to make an intelligent analytic device,” said Michael Wendenburg, CEO at Michael Wendenburg Online Redaktion. “If you hack into that point, you hack into all this data. Engineers are not prepared for that.”

Black agreed, saying, “It’s our role as practitioners of IoT to really manage those devices that we have in a smart way.”

How Do IoT and Cloud Security Differ?

Black explained that unlike in cloud security, humans may not be in the loop when it comes to IoT security. It’s not feasible for millions of users to be there to hit “Okay” to update software in billions of devices.


An engineer might think that as long as the cloud system utilized by the IoT device is secure, then all is well. However, there are differences between an IoT system and a cloud system.

Black explained that on the cloud, users and applications are both managed. There are security tools and permissions put into place. On the operations side, servers will be secured and ports will be closed and audited. This takes a lot of testing, but it’s been done before. IoT security, on the other hand, adds complexity.

“Cloud security has been around for a long time and there are lots of good strong practices and management around cloud applications. For IoT, the key difference is we connect things,” clarified Black. “A lot of the challenge is the number of devices to manage and the differences between these devices.”

“There are a bunch of new issues out there like rogue sensors and rogue data sources,” said Andy Rhodes, division head of IoT at Dell. “If you’re orchestrating a turbine or a dam and someone hacks into that and changes the settings, then there are catastrophic issues.”

Here are some other key differences between cloud and IoT applications:

  • IoT has a stronger potential for physical damage: water mains can be shut off, power plants can be pushed into critical states and cars can be made unresponsive on the road.
  • IoT involves a diverse range of devices, operating systems and protocols, making it hard to consolidate and standardize as companies grow and products change.
  • Human interaction with all the devices is not scalable. For instance, humans may not be there to hit “Okay” for an update.

The key is to work together. Engineers and IT professionals need to demolish their silos and learn from one another to make the IoT ecosystem secure. However, just because the IT crew has the ecosystem covered on the cloud doesn’t mean the devices and sensors are secure.

“IT [Information Technology] knows how to do security and a lot of this is still traditional IT security working alongside the OT [Operations Technology] people to understand how to secure the sensors as well,” described Rhodes. “You need [security on the device] and network security on the IT side because data flows two ways so you have to secure both ends of that spectrum.”

How to Manage Your Connected Device

Black demonstrating an IoT security architecture.


With current IoT trends, if your device isn’t connected to the Internet, it soon will be. Otherwise, it will not keep up with the 30 billion other connected devices Gartner expects to see in the market by 2020.

So the question may not be whether to get into the IoT market given all the security risks. It should be a question of how to manage connected devices with all these security risks.

Black demonstrated what a simple IoT architecture might look like: devices inside a firewall, wireless devices outside the firewall, and both connecting into the IoT platform. An application then uses the data from the devices to perform a function. All of these systems, applications and development tools used to build the system must be secured.

The issue is that because all of these different systems are under the control of various organizations on the vendor, customer and public levels, it can be confusing to establish who is really responsible for all of this IoT security.

“I argue that for IoT we have a shared security responsibility,” noted Black. “This is not a one-entity responsibility. It is shared between the providers of the infrastructure, service, platform, application and the end customers.”

Importance of User Roles on IoT Security

Given all of the organizations and users that might be associated with one IoT system, defining roles for these organizations and users is of high importance.

Each user and organization will have different roles, which will define levels of control over the IoT system. For instance, you don’t want to give your customers visibility into and control over all of the IoT devices on your ecosystem. This could make the data of your other customers insecure, as competitors might gain insights due to the information on your system and the lack of roles governing the system.

However, a maintenance team that services all the devices sent to customers will need to see which devices from each customer will be up for servicing.

The key takeaway is that as your system grows on the IoT, much of this role management should be automated. Otherwise, the role management will not scale with the IoT system if a human remains in the role assignment loop.

“From a visibility and permission standpoint, what you really want are mechanisms to drive that behavior,” instructed Black. “When new devices are added, if you have a manual process, that is not going to scale when you [have] tens of thousands of devices. You are going to need a system that drives this behavior automatically. You just need to set the rules beforehand to ensure the users are put in the right groups.”
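The rule-driven role assignment Black describes is attribute-based access control: permissions are derived from attributes the device and the user already carry, so a device registered a moment ago is covered by the right people and nobody else. The Go program below is an added example, not code from the original article or from PTC. It assumes a constructed device schema (customer and region attributes), three hypothetical roles (customer, maintenance, platform-admin) and three actions; real systems would pull the same attributes from the identity provider and the device registry.

```go
package main

import "fmt"

// Device attributes as recorded at registration (constructed sample schema).
type Device struct {
	ID       string
	Customer string // tenant that bought the device
	Region   string // where it is installed
}

// Principal is a user or service account; role and scope come from the identity system.
type Principal struct {
	Name     string
	Role     string // "customer", "maintenance" or "platform-admin" (hypothetical roles)
	Customer string // scope attribute used by the customer role
	Region   string // scope attribute used by the maintenance role
}

const (
	ActView    = "view"    // see that the device exists and read its telemetry
	ActControl = "control" // change settings or send commands
	ActService = "service" // schedule and perform servicing
)

// rule is written once per role; no per-device grant is ever entered by hand.
type rule struct {
	actions map[string]bool
	inScope func(p Principal, d Device) bool
}

func set(items ...string) map[string]bool {
	m := make(map[string]bool, len(items))
	for _, it := range items {
		m[it] = true
	}
	return m
}

var rules = map[string]rule{
	// A customer sees and controls only devices bought under its own tenant.
	"customer": {set(ActView, ActControl), func(p Principal, d Device) bool { return p.Customer == d.Customer }},
	// Maintenance sees every device in its region, across customers, but may not control them.
	"maintenance": {set(ActView, ActService), func(p Principal, d Device) bool { return p.Region == d.Region }},
	// Platform admins are unrestricted; keep this role small and audited.
	"platform-admin": {set(ActView, ActControl, ActService), func(Principal, Device) bool { return true }},
}

// Allowed is the single decision point: role must permit the action and the device must be in scope.
func Allowed(p Principal, act string, d Device) bool {
	r, ok := rules[p.Role]
	if !ok {
		return false // unknown role: default deny
	}
	return r.actions[act] && r.inScope(p, d)
}

// Visible filters a fleet down to what a principal may see.
func Visible(p Principal, fleet []Device) []Device {
	var out []Device
	for _, d := range fleet {
		if Allowed(p, ActView, d) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample fleet: two tenants, two regions.
	fleet := []Device{{"pump-1", "acme", "eu"}, {"pump-2", "globex", "eu"}, {"pump-3", "acme", "us"}}
	alice := Principal{Name: "alice", Role: "customer", Customer: "acme"}
	tech := Principal{Name: "tech", Role: "maintenance", Region: "eu"}
	fmt.Println("alice sees", len(Visible(alice, fleet)), "devices")             // 2
	fmt.Println("tech sees", len(Visible(tech, fleet)), "devices")               // 2
	fmt.Println("tech may control pump-1:", Allowed(tech, ActControl, fleet[0])) // false
}
```

The point of the shape is that adding a tenant or a region adds data, not rules, and that the maintenance team's cross-customer visibility is explicitly read-only.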

Division of Systems is Key to a Secure IoT Ecosystem

The division of permissions shouldn’t just be between roles. It should also be between systems within the IoT device itself. Engineers must design some systems and subsystems to be independent and separate from all other systems. This will ensure that if a hacker compromises your device, they will not be able to take control of key systems.

After all, there is no reason for an entertainment system in a car to be linked to the steering, brakes and accelerator of a car. As the WIRED video below shows, though, this was the case with the Jeep Cherokee. As a result, hackers were able to mess with one reporter’s drive on the highway with hilarious outcomes—but the joke isn’t funny anymore if people actually get hurt.

“The way some of these systems are designed, if you have access to this you have access to multiple design elements in the car,” said Frank Antonysamy, head of engineering and manufacturing solutions at Cognizant. “The way we are dealing with this is to isolate as much as possible and then get the data.”

“When you look at it from a system design [perspective], in an automobile for example, there is still a fair amount of isolation written into the design,” said Antonysamy. “Because I have access to my control panel doesn’t mean I have access to the accelerator. That kind of design-based isolation is critical at least until we get a zero-vulnerability scenario.”

Eric van Gemeren, vice president of R&D at Flowserve, explained that the automobile industry and other IoT device creators can learn a lot from the process industry on the separation of systems within a design.

“In the process industry, it’s different from having a car that’s IoT-enabled and someone can hack into it,” said van Gemeren. “In the process industry, there are well-established IEC [International Electrotechnical Commission] and ISO [International Organization for Standardization] standards for safety and compliance. The control communication network is always separate and independent from the diagnostics and asset management network. It’s very clear that when you design that solution, there are certain features and functions that will never be available through wireless, in a discrete controlled domain, with entirely different protocols and with robust security on top of it.”

“A lot of the stuff we are talking about in the IoT space is all about gathering outbound asset information,” added van Gemeren. “You can’t send back control information or directions that can hijack the device.”

In other words, van Gemeren explained, if a safety system such as fire suppression sprinklers is installed in a process plant, it needs to be on an isolated system.

Do Your Devices Need to Talk to Other Devices?

Black explained the scenarios in which you need to use device-to-device


When people think about the IoT, many of them think of connected devices communicating with each other over the Internet.

Though there are situations when the data should be sent to the cloud, there are also situations where it is faster and more efficient for devices to talk to each other directly.

“You could go up to the cloud and negotiate up there and bring it back down but that is not using bandwidth efficiently and what happens if you lose network connectivity? Will your devices fail? Do you want them to be dependent on the network?” asked Black.

When connected devices need to talk directly, you will need a way to authenticate the devices mutually, as well as a method of authorizing them to an appropriate level of interaction.

“It doesn’t make sense for one car to have the authorization to turn on the windshield wipers for another car,” joked Black.

The Importance of Provisioning and Approval of an IoT Device

This brings us to another key step in setting up a secure IoT system: ensuring your processes can set up provisioning and approval for device-to-device communication, data ownership, de-provisioning and more.

“Any process that runs off of administration approval will fail on an IoT scale,” remarked Black. As with the creation of roles, the human needs to be out of the loop. Black added, “You can’t design a process based on admin approval—it might work for a hundred devices but it won’t work on a large-scale system.”

Unfortunately, you can’t just let all devices interconnect without a provisioning and approval process either. Take the Superfish scandal, for example. The program was intended to provide advertisers with a way to show ads based on a user’s Internet searches.

This sounds innocuous enough until you realize that, at the time, every Lenovo laptop that shipped with the program carried the same self-signed certificate and private key. This allowed man-in-the-middle attacks that could intercept the Internet communications of any Lenovo laptop with the Superfish program still installed.

“Ensuring trust when you’re bootstrapping a device is challenging; even big laptop manufacturers can make mistakes,” said Black. “We need to think through some of those processes to see how we get secrets onto a device. You need a well-defined mechanism for establishing trust on your device.”

One method Black suggested to get your devices onto your IoT system with secure provisioning and approval is to use your enterprise resource planning (ERP) system. If your ERP system were connected to the IoT system, then the provisioning and approval process will expect to see the device. Not only would this system be secure, it can also be made scalable as there will be no need to have a human in the loop.

The Importance of De-Provisioning When You Re-Sell a Connected Device

Black explained the importance of factory resets and de-provisioning when selling used devices.


There is a lot of confidential information that can be stored on a connected device. Therefore, if users aren’t careful, they could be giving a hacker everything they need to get into the system when re-selling these devices.

The average user would know enough to delete their personal and business data from the device, but there might still be information on the re-sold device that opens doors to hackers.

For instance, the device might store the digital keys used to encrypt the data you were sending to and receiving from the Internet. If you sell that equipment without changing those keys, then whoever you sold it to could decrypt all of the data you sent and received while operating the device. If that buyer had intercepted your traffic knowing that you were about to sell the equipment, they would now hold a lot of information on your personal or business operations.

As a result, engineers should design easy-to-use de-provisioning procedures for the users of their devices.
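The provisioning passage above (an ERP-fed enrollment process with no administrator in the loop, and the Superfish lesson that devices must never share a secret) and the de-provisioning point just made can be shown in one piece of code. The Go program below is an added example, not code from the article, from PTC or from any ERP vendor. Everything in it is constructed for illustration: the registry, the serial numbers, the master key, and the key-diversification scheme (a per-device key derived from the factory master key, serial number and a generation counter that is bumped whenever a unit is de-provisioned).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is the platform's enrollment service. The serials it expects come from an ERP
// export, so admission needs no administrator click: a device is enrolled if the business
// already knows the serial and the device proves it holds that serial's current key.
type Registry struct {
	master     []byte          // factory master key; stays in the provisioning service (or an HSM)
	expected   map[string]bool // serials the ERP says were built and shipped
	generation map[string]int  // incremented on every de-provisioning
	enrolled   map[string]bool
	nonces     map[string]bool // outstanding challenges, each usable once
}

func NewRegistry(master []byte, erpSerials ...string) *Registry {
	r := &Registry{master: master, expected: map[string]bool{}, generation: map[string]int{},
		enrolled: map[string]bool{}, nonces: map[string]bool{}}
	for _, s := range erpSerials {
		r.expected[s] = true
	}
	return r
}

// deviceKey diversifies the master key per serial and generation: no two devices share a
// secret (the Superfish failure), and a resold unit is re-keyed rather than reused.
func deviceKey(master []byte, serial string, gen int) []byte {
	m := hmac.New(sha256.New, master)
	fmt.Fprintf(m, "device-key/%s/%d", serial, gen)
	return m.Sum(nil)
}

// FactoryKey is the secret injected into one device at manufacture (or at refurbishment).
func (r *Registry) FactoryKey(serial string) []byte {
	return deviceKey(r.master, serial, r.generation[serial])
}

// Challenge issues a fresh single-use nonce so a captured proof cannot be replayed.
func (r *Registry) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	r.nonces[hex.EncodeToString(nonce)] = true
	return nonce
}

// Prove runs on the device: an HMAC over serial and nonce with the device's own key.
func Prove(key []byte, serial string, nonce []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(serial))
	m.Write(nonce)
	return hex.EncodeToString(m.Sum(nil))
}

// Enroll is the automated approval step: ERP manifest, uniqueness, then proof of key possession.
func (r *Registry) Enroll(serial string, nonce []byte, proof string) error {
	n := hex.EncodeToString(nonce)
	if !r.nonces[n] {
		return errors.New("unknown or reused challenge")
	}
	delete(r.nonces, n) // consumed whether or not the attempt succeeds
	if !r.expected[serial] {
		return errors.New("serial not in ERP manifest")
	}
	if r.enrolled[serial] {
		return errors.New("serial already enrolled")
	}
	want := Prove(deviceKey(r.master, serial, r.generation[serial]), serial, nonce)
	if !hmac.Equal([]byte(want), []byte(proof)) {
		return errors.New("proof does not match this serial's current key")
	}
	r.enrolled[serial] = true
	return nil
}

// Deprovision runs when a unit is returned or resold: the old key is dead from now on, and the
// device must be factory-reset (key material erased) and re-keyed before it can enroll again.
func (r *Registry) Deprovision(serial string) {
	delete(r.enrolled, serial)
	r.generation[serial]++
}

func (r *Registry) Enrolled(serial string) bool { return r.enrolled[serial] }

func main() {
	r := NewRegistry([]byte("constructed-master-key-not-for-real-use"), "SN-0001")
	key := r.FactoryKey("SN-0001")
	nonce := r.Challenge()
	fmt.Println("enroll:", r.Enroll("SN-0001", nonce, Prove(key, "SN-0001", nonce))) // <nil>
	r.Deprovision("SN-0001")
	nonce = r.Challenge()
	fmt.Println("old key after resale:", r.Enroll("SN-0001", nonce, Prove(key, "SN-0001", nonce)))
}
```

Two details carry the security weight: the ERP manifest is the only approval step, so provisioning scales without a human, and the generation counter means a device that leaves one owner's hands cannot rejoin the system on its old secret, whoever now holds it.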

Whose Data Is It Anyway? Where the Contract’s Made Up and Protection Should Matter.

Black asked the question: Whose data is it anyway?


One point of contention for the development of IoT security is the question of who owns the data.

Is it the device manufacturer, systems operator, device operator or the maintenance operator?

Will the answer be dependent on the IoT device application?

These questions need answers if robust security measures are to be put into place. Otherwise, the right information might end up in the wrong hands.

“We’ve seen a range of responses about data ownership and a lot revolves around privacy,” said Colm Pendergast, director of IoT technology at Analog Devices. “To a large extent, it will come down to negotiations between various partners in an ecosystem.”

“[Who owns the data] is a question that is always on the table,” said Chris May, account executive at ARIDEA SOLUTIONS. “It depends on the type of data being acquired. If it’s general weather data, then people are not very concerned. The weather is the weather… When you get to environmental data, it’s a completely different story. They are very protective of that data. [What] If the wrong person gets that data and they don’t understand how to interpret it? [What] if they can’t understand it’s a sensor being recalibrated and they think a watershed was contaminated? It would be massive lawsuits.”

It appears that though 54 percent of surveyed consumers might be comfortable sharing their data with companies, the reverse is not always true.

Alternatively, Black used an example of a medical device company. If the company is sold, then it makes sense for whomever buys the company to also own the data. After all, it will, in theory, be using said data to service the same clients. It isn’t in the client’s interest for the data to start at point zero.

However, does the answer of selling data ownership change with the scenario? What if, instead of a company being sold, it’s a house? Who owns all the data of the smart home—the previous tenants or the incoming tenants? It might be useful for the new tenants to know the power usage history of the house so they can budget their expenses, but do you want strangers to have data like that?

“When you think about how many different entities are involved with an IoT implementation, there are a lot of them,” said Black. “Some of them probably have rights to some of that data and some it’s probably better if they don’t have it.”

Before security walls are put up for an IoT device, these questions must be answered. Otherwise, an owner of the data might be cut off from their property. This can lead to some serious legal ramifications. On the other hand, not understanding where the line in the sand is for data can also open up security risks.

“If there is one single challenge that people are concerned about and that has slowed IoT deployments, it is the question of security and integrating security solutions all over that technology stack. It is one of the bigger challenges,” said Pendergast.

However, one solution to the IoT data question may not lie with engineers, programmers or designers. It might lie with public relations: educating the public about IoT security and about what data is and isn’t being collected.

“We deal with the medical device market and we constantly face the issue that we can’t send patient data—and we are a cloud-based platform, so that is a challenge,” said Puneet Pandit, CEO of Glassbeam. “We are not taking the patient data; we are taking the operation data. I think that is a constant question. There is a lot of education that has to be done in the industry to clarify what IoT data means at the end of the day. People have created security barriers for all the right reasons, but in the context of IoT you are taking machine and operational data and that isn’t something that is included on data privacy.”

Reducing IoT Attack Surfaces: Do You Need Access to the Open Web?

Shodan is only able to show the IoT devices that are on the open web. The number and types of devices that it can find are certainly scary.

“[Security is] still the top-two or -three concern of customers when you read surveys and speak to them,” said Rhodes. “What you’ve basically done is you’ve opened up a surface of attack either as a gateway or the things themselves.”

Does your device need to be on the open web? Do multiple surfaces of attack need to exist? The answer is no—not if engineers design the device to be the one to initiate communications.

“Different IoT solutions have the capability to perform device-initiated communication,” said Black. “That means that from a connection standpoint, if your device initiates communications, then that device is exclusively paired with one server on the cloud. That device is only going to communicate with that server.”

In other words, the device won’t be generally available on the Internet.

“It’s something to think about. Can I communicate with this device from every [access point] on the earth or is it tied to a single server? Because you are really reducing your attack surface with that kind of capability,” Black explained. “You reduce your attack surface so you are not worried about everything in the world. You are only connected to a very limited set of servers.”

If your device can connect to any endpoint on the Internet, then any hacker at any location could in theory send a command to that device. However, if the device connects only to one server via device-initiated communication, then only that server can send it commands. The assumption is that your server sits within your internal IT infrastructure and its security controls.
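Device-initiated, single-server communication as Black describes it, together with the mutual authentication needed before two parties may interact, can be built on TLS with the public key pinned on both sides: the device accepts only the platform's key, and the platform accepts only keys of enrolled devices. The Go program below is an added example, not code from the article or from PTC. The certificates are minted in memory (constructed test material standing in for a real PKI), the loopback address and the "hello" greeting are assumptions, and the device side has no listening socket at all, which is what keeps it off search engines like Shodan.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned mints an in-memory certificate (constructed test material standing in for a PKI).
func newSelfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// pinOf is the SHA-256 of the public key in a DER certificate: firmware carries the platform's pin,
// and the platform stores one pin per enrolled device.
func pinOf(der []byte) string {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "" // never equals a real pin, so a malformed certificate is rejected
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func spkiPin(c tls.Certificate) string { return pinOf(c.Certificate[0]) }

// pinVerifier admits a peer only if the key it just proved possession of matches an allowed pin.
func pinVerifier(allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return errors.New("peer sent no certificate")
		}
		for _, p := range allowed {
			if pinOf(raw[0]) == p {
				return nil
			}
		}
		return errors.New("peer key matches no pin")
	}
}

// startPlatform runs the one server a device may talk to; it demands a client certificate and
// checks it against enrolled device pins, so an unknown device is dropped during the handshake.
func startPlatform(cert tls.Certificate, devicePins ...string) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:          []tls.Certificate{cert},
		ClientAuth:            tls.RequireAnyClientCert, // presence enforced here, identity by the pin
		VerifyPeerCertificate: pinVerifier(devicePins...),
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("hello\n")) }(c) // handshake runs on Write
		}
	}()
	return ln, nil
}

// deviceDial is the device side: it never listens, it dials out, and it completes the exchange only
// if the server presents the pinned key, so a reachable but unknown endpoint is refused.
func deviceDial(addr string, deviceCert tls.Certificate, serverPin string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		Certificates:          []tls.Certificate{deviceCert},
		InsecureSkipVerify:    true, // CA-chain checking is replaced by the pin check, not dropped
		VerifyPeerCertificate: pinVerifier(serverPin),
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	platform, _ := newSelfSigned()
	device, _ := newSelfSigned()
	ln, err := startPlatform(platform, spkiPin(device))
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println(deviceDial(ln.Addr().String(), device, spkiPin(platform))) // hello <nil>
}
```

The caveat in the text still applies: because the device only ever dials out, a customer firewall that blocks the outbound connection silently takes the device offline, so the pin and the outbound path both need to be part of what is agreed with the customer.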

However, there is a downside to device-initiated connectivity. You have to rely on the device to connect to the system in order to initiate an update or collect data. In other words, you can lose the connection to the device as soon as a customer changes firewall settings or the network is interrupted.

As a result, if engineers choose device-initiated connections for an IoT system, they will need to inform the customer, who will need to check that the firewall and network connection aren’t interfering with the connection.

“We’ve seen a lot of software partners changing their architecture to support intermittent connectivity,” said Gerald Kleyn, director of engineering at Hewlett Packard Enterprise (HPE). “In some cases, if the weather gets bad and [satellite communication] goes down, then when it comes back up it starts releasing things that have been stored on the edge back up to the cloud.”
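As an added illustration (not code from the original article or from any of the companies quoted), the following Python sketch combines the two points above: a device that never listens for inbound connections but dials out to one pinned server, refuses any endpoint whose identity does not match, and buffers telemetry locally while the link is down so nothing is lost during intermittent connectivity. The server class, fingerprint and readings are constructed stand-ins for a real TLS endpoint and certificate pin.

```python
import hashlib
import json
from collections import deque

# Constructed sample server identity. In a real deployment this would be the
# SHA-256 fingerprint of the cloud server's certificate or public key,
# provisioned into the device at manufacture time, not derived from a string.
PINNED_SERVER_FINGERPRINT = hashlib.sha256(b"constructed-example-server-key").hexdigest()


class CloudServer:
    """Minimal in-memory stand-in for the single cloud endpoint (constructed)."""

    def __init__(self, public_key: bytes, reachable: bool = True):
        self.public_key = public_key
        self.reachable = reachable          # False simulates a firewall/network outage
        self.received = []                  # telemetry accepted from the device
        self.pending_commands = []          # commands waiting for the device to fetch

    def fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()


class OutboundOnlyDevice:
    """
    A device with no listening socket. It initiates every connection itself,
    accepts exactly one pinned server, pulls commands over that channel only,
    and stores telemetry locally until the link is back (store-and-forward).
    """

    def __init__(self, pinned_fingerprint: str, buffer_limit: int = 1000):
        self.pinned_fingerprint = pinned_fingerprint
        self.buffer = deque(maxlen=buffer_limit)   # bounded: oldest record dropped when full
        self.server = None
        self.dropped = 0

    def connect(self, server: CloudServer) -> bool:
        """Device-initiated connection: succeeds only if the server is reachable
        and presents the pinned identity. Any other endpoint is refused."""
        self.server = None
        if not server.reachable:
            return False
        if server.fingerprint() != self.pinned_fingerprint:
            # Wrong server: spoofed endpoint, interposed proxy or misconfiguration.
            return False
        self.server = server
        self.flush()            # release anything stored while offline
        return True

    def record(self, reading: dict) -> None:
        """Queue a telemetry record; forward it immediately if connected."""
        if len(self.buffer) == self.buffer.maxlen:
            self.dropped += 1   # account for the record the deque will evict
        self.buffer.append(json.dumps(reading, sort_keys=True))
        if self.server is not None:
            self.flush()

    def flush(self) -> int:
        """Forward buffered records to the pinned server; returns how many were sent."""
        sent = 0
        while self.server is not None and self.buffer:
            self.server.received.append(self.buffer.popleft())
            sent += 1
        return sent

    def poll_commands(self) -> list:
        """Commands are only ever pulled from the pinned server over the channel
        the device opened; there is no inbound path for anyone else to push them."""
        if self.server is None:
            return []
        cmds, self.server.pending_commands = self.server.pending_commands, []
        return cmds
```

The trade-off the text describes is visible in `connect`: when the customer's firewall blocks the outbound link, `reachable` is False, and no update or collection can happen until the device dials out again.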

What to Do When You Find a Vulnerability on Your Connected Device

The longer your device is in the real world, the more likely it is that a vulnerability will be found. As a result, engineers will need to design software update compatibility into their devices.

“You need a software distribution mechanism that will work for all of your devices that’s scalable, secure, flexible and efficient,” said Black. “It needs to be flexible because all your devices are different, so they need different processes and procedures.”

“You need to be able to say, if the install isn’t going right, that you need to hold back and notify your system. You need to be able to say, ‘do this for North America first, or Europe or everyone but that customer that doesn’t want updates,’” added Black. “Without a plan, you will be sad when the next Heartbleed comes out. You are going to have to patch. So what is the mechanism you are going to utilize?”

This all may seem very complicated, but many of these IoT security issues will be addressed when you choose the IoT platform used to run, manage and design the system. Black says that when choosing your IoT platform, keep these three main security challenges in mind:

  1. Managing the complex interactions between devices and users
  2. Delivering security updates to your devices in an easy and secure fashion
  3. Reducing the risk by keeping cyber-attackers from finding your device

You can view the original post Here

Read more…

As the silicon designs inside the connected devices of the Internet of Things transition from specifications to tapeouts, electronics companies have come to the stark realization that software security is simply not adequate. Securing silicon is now a required, not optional, part of the silicon design processes.

http://www.tortugalogic.com/blog/2016/6/28/software-security-is-necessary-but-not-sufficient

Read more…

Drones – A hacker’s playground

Original Post from: Vulpoid

Unmanned Aerial Vehicles (UAVs) offer new perspectives, both from a civilian and a military standpoint; yet, they present vulnerabilities having the potential to lead to disastrous consequences regarding public safety if exploited successfully, as evidenced by recent hacks. These repercussions can be prevented by implementing best practices, continuously assessing the technologies used and most importantly by remaining aware of the environment, of the weaknesses that may be exploited and of the threats that may emerge. The purpose of this article is not to provide countermeasures or solutions, but to outline flaws and vulnerabilities to better understand and address potential threats and threat actors.

Figure 1: UAV hacks disclosure timeline

As shown by recent hacks, several professional Unmanned Aerial Vehicles (UAVs) used by armed forces, governments, police departments and the private sector are vulnerable to critical attacks that exploit both technical vulnerabilities and design flaws. This can lead to UAVs being spied on, made inoperable or controlled by the attacker, unbeknownst to the UAV’s owner.

Figure 2: Drone ecosystem vulnerabilities

Figure 3: Operation Anarchist base location

From a military intelligence perspective, it’s a godsend to gather valuable information. The GCHQ/NSA joint Operation Anarchist[1] during which Israeli drones’ scrambled video signals were intercepted and reconstructed, providing the US and UK a clear view of Israeli drones’ position, movements, payload and video footage is the perfect example. The Operation Anarchist – which started in 1998, lasted more than a decade and was disclosed only in late December 2015 – was run from the Troodos Mountains, Cyprus, from where encrypted video signals between Israeli drones and their bases were intercepted and unscrambled using open-source software tools.

The obvious drawback for governments, however, is that the same techniques can be used against them and become a serious threat, particularly when it comes to State security and notably for law enforcement agencies. While entry-level drones present vulnerabilities, these seem to stem mainly from cost reduction. IBM researcher Nils Rodday proved that high-end drones were also vulnerable when he studied professional quadcopters used by law enforcement agencies in the context of his Master’s Thesis[2] in 2015. He showcased the results of the hacks during the RSA Conference 2016[3]. He also analyzed the quadcopters and discovered that the on-board chips lacked an encryption implementation[4], which allowed him to hijack the drone by emulating the commands sent to the UAV through the controlling application. Furthermore, he took advantage of the weak encryption (WEP) used to cipher the link between the drone and its controller.

Figure 4: Drone flow architecture, by Nils Rodday, used in his work

In addition, concerns regarding homeland security have emerged, as shown by the case of the Mexican drug cartel that, in late December 2015, managed to control the movements of US Customs and Border Patrol (CBP) drones[5]. This allowed the cartel to reroute the CBP’s drones and to illegally cross the US-Mexican border, smuggling drugs and people without being detected. The cartel used GPS jamming, which disrupted the Command and Control (C&C) link and prevented the drone from receiving GPS signals, and GPS spoofing, which overrode legitimate signals and replaced them with fake ones, thus making the drone deviate from its original route.

Figure 5: GPS jamming / GPS spoofing

Figure 6: IDF drone system hack

Moreover, warfare methods continually evolve and actors integrate new technologies into their arsenal, leveraging them during actual conflict, as evidenced by the recent hack of the Israeli Defense Forces’[6] (IDF) drone surveillance system. The hack was perpetrated by a member of the Islamic State who gained access to HD footage from IDF drones hovering above the Gaza Strip for at least two years, starting in 2012 and potentially up until his arrest in February 2016. Using only commonly available tools such as a satellite dish and a radio receiver[7], the hacker was able to intercept the IDF drones’ video streams and managed to decode them, thus providing the Islamic State with a clear view of the IDF drones’ video footage.

As evidenced by the aforementioned examples, attacks take place in several heterogeneous contexts and originate from actors belonging to different domains and with different levels of skill. All of the above cases highlight weaknesses and vulnerabilities in the technologies used by UAVs, along with flaws in the processes that the victims put in place for information handling. Military, law enforcement and governments are critical targets; however, the private sector is not spared, as drones are being considered more widely by corporations for new services – Amazon Prime Air is a great example of that and may result in very annoying hacking opportunities, to say the least. The consequences may be a matter of national security and public safety; therefore implementing best practices, setting up proper countermeasures – such as spread spectrum modulation in the case of signal jamming – and using state-of-the-art technologies proves crucial, yet being aware of the threat landscape one is facing, along with one’s own kill-chain, is fundamental in order to avoid and mitigate such cases as far as possible.

View the original post by clicking: Here

Read more…
A security-first approach to developing IoT device software is critical, and a key ingredient is an end-to-end threat assessment and analysis. A threat assessment includes taking stock of the various physical connections, potential losses/impacts, threats and the difficulty of the attack. Importantly, addressing these threats needs to be prioritized based on likelihood and potential impact.
Read more…

Credit: Shutterstock

By Ben Dickson. This article originally appeared here.

The huge benefit that the Internet of Things (IoT) brings to different industries and domains is driving its growth and adoption at an unrelenting pace. Soon billions of connected devices will be spread across smart homes and cities, harvesting data, sending it to huge repositories for analysis and processing, and carrying out commands sent from smart apps and machine-learning-based systems.

While larger numbers of smart devices will unlock bigger opportunities for efficiency, energy and cost savings and revenue increases, they’ll also bring along some serious challenges and difficulties, some of which are notably not addressable with current technological and communication infrastructure.

What’s wrong with centralized communications?

As is, all IoT ecosystems depend on client/server communications, centralized trust brokers and protocols such as SSL/TLS or mechanisms such as the Public Key Infrastructure (PKI) to identify network nodes and control communications.

These technologies have proven their worth for communications between generic computing devices for years, and will continue to respond to the needs of small, closed IoT ecosystems, like smart homes. But with the growth of IoT, centralized networks will soon become the bottleneck and cause lags and failures in critical exchanges because of too much network traffic, to say nothing of the extra investment they’ll require in terms of hubs and communications hardware. Imagine what would happen if your smart defibrillator failed to receive a command because your dishwasher, toaster, fridge, kettle and lights are having a nice M2M chat and have clogged up the network.

Decentralizing IoT networks

A solution would be to decentralize IoT networks in order to improve speed and connectivity. In many cases, replacing over-the-internet connectivity with local communication between devices will help increase speed and efficiency. After all, why should a command exchange between a smartphone and a light switch have to go through the internet?

However, achieving decentralization will present its own set of challenges, namely in the realm of security. And we know that IoT security is about much more than just protecting sensitive data. How do you ensure security in communications between devices?

Devices would have to be able to communicate in a peer-to-peer manner and ensure security and integrity without the intervention of, or dependence on, a centralized trust center. The proposed system would have to protect the network and ecosystem against device spoofing and man-in-the-middle (MitM) attacks, and make sure that each command and message exchanged between nodes in a network comes from a trusted and authenticated source and is received by the right recipient.

How blockchain addresses the problem

Fortunately, the decentralization problem has already been solved in another popular technology: Bitcoin. The famous cryptocurrency is powered by a less-known (but no less exciting) technology named blockchain. The blockchain is a data structure that allows the creation and maintenance of a transaction ledger which is shared among the nodes of a distributed network. Blockchain uses cryptography to allow participants to manipulate the ledger without going through a central authority.

The decentralized, secure and trustless nature of the blockchain makes it an ideal technology to power communication among nodes in IoT networks. And it is already being embraced by some of the leading brands in enterprise IoT technologies. Samsung and IBM announced their blockchain-based IoT platform, called ADEPT, at the Consumer Electronics Show (CES) last year.

When adapted to IoT, the blockchain will use the same mechanism used in financial Bitcoin transactions to establish an immutable record of smart devices and exchanges between them. This will enable autonomous smart devices to directly communicate and verify the validity of transactions without the need for a centralized authority. Devices become registered in blockchains once they enter IoT networks, after which they can process transactions.

There are many use cases for blockchain-based communications. A paper published by IBM and Samsung describes how blockchain can enable a washing machine to become a “semi-autonomous device capable of managing its own consumables supply, performing self-service and maintenance, and even negotiating with other peer devices both in the home and outside to optimize its environment.”

Other IoT domains can benefit from blockchain technology. For instance, an irrigation system can leverage the blockchain to control the flow of water based on direct input it receives from sensors reporting the conditions of the crops. Oil platforms can similarly use the technology to enable communications between smart devices and adjust functionality based on weather conditions.

What are the challenges?

In spite of all its benefits, the blockchain model is not without its flaws and shortcomings. The Bitcoin crew itself is suffering from inner feuds over how to deal with scalability issues pertaining to the Blockchain, which are casting a shadow over the future of the cryptocurrency.

There are also concerns about the processing power required to perform encryption for all the objects involved in a blockchain-based ecosystem. IoT ecosystems are very diverse. In contrast to generic computing networks, IoT networks are comprised of devices that have very different computing capabilities, and not all of them will be capable of running the same encryption algorithms at the desired speed.

Storage too will be a hurdle. Blockchain eliminates the need for a central server to store transactions and device IDs, but the ledger has to be stored on the nodes themselves. And the ledger will increase in size as time passes. That is beyond the capabilities of a wide range of smart devices such as sensors, which have very low storage capacity.

Other challenges are involved, including how the combination of IoT and blockchain technology will affect the marketing and sales efforts of manufacturers.

It’s still too early to say that blockchain will revolutionize and conquer the IoT industry. But it sure looks like a promising offer especially if its challenges can be met. We’ll see more of this in the coming months and years, as IoT continues to grow and become more and more ingrained in our lives.

Read more…

An Internet of Buildings (IoB) that really works and can’t be hacked?

The IoT holds great promise for nearly every aspect of society and, of course, is rife with business opportunity as well. One of the most exciting opportunities on both fronts remains the opportunity to create connected buildings.

The U.S. Department of Energy poses the challenge in this way: “Buildings will no longer be passive objects that consume resources, but rather active participants engaged in the energy system and our community.”

What exactly is meant by “connected buildings” on a practical level? Some of these characteristics include:

  • Buildings are self-aware and continuously anticipate and adapt to changes in weather, time of day, occupant needs, and socioeconomics.
  • Buildings will transact with utilities (including electricity, gas, and water), local power sources, and other buildings to provide services that will benefit building owners, utility operators, and the entire community.
  • Buildings will minimize their life-cycle cost while meeting their objective functions through optimizing energy and water use, enhancing health and the productivity of occupants, contributing to a cleaner environment, and actively supporting better living.

Smart Buildings: A brief history

When most people think of the first “smart” buildings, they don’t think of the lowly thermostat. However, that technology was really the first step toward a “self-aware” building. As you might imagine, other controls introduced during the early days of building management were of the order of the thermostat and were managed manually. In the 1980s, many of these systems became digital, and by the 1990s Building Management Systems (BMS) might have been computerized and might have yielded reports that helped facilities manage resources better; however, these systems were often fragmented.

From “Green Biz Insights” June 23, 2014

These challenges culminate today in the difficulty of creating an open protocol for many different structures under different ownership. We are now seeing important efforts to that end by governments and businesses that collaborate to forward the promise of smart buildings. These initiatives and the data they generate contribute to an interrelated web of information – a data-rich ecosystem that benefits both the structures’ occupants and the communities where they stand.

Just two short years ago, a Green Biz article proclaimed, “We are now in the era where big data technologies enable us to capture data from different sources, in diverse formats and with varying context. From being a catalyst, data is now becoming a driver of actions. Less human effort is required to manage even though the complexity around data has increased massively. We are essentially at the cusp of what we call the era of 'Internet of Buildings.' This will be the future age of Internet of Buildings, where we will see interoperability and seamless data interchange.”

So how far have we come?

The Present State of the IOB

According to an article in TechVibes, in February at IBM InterConnect 2016, Siemens Building Technologies Division and IBM’s Watson IoT Business Unit “announced cloud-based solutions that will leverage Siemens’ building expertise and IBM's Internet of Things capabilities to maximize the potential of connected buildings and the data they create, helping corporate real estate owners across multiple industries drive business results and meet energy efficiency goals.”

IBM's open standards-based Watson IoT Cloud platform can solve a lot of the open protocol issues that industry wonks were bemoaning in 2014. The move toward open standards platform integration in other cities and for other IoB initiatives will ensure that the “language” of connected buildings converges. Then, smart buildings can speak seamlessly among themselves in smart cities that protect resources and create additional opportunities for improving the lives of the people who live there. 

Keeping the IoB secure

Other solid news from the IoB front includes government and industry partnerships to control the security risks inherent with the advent of “smart cities.” Entities as diverse as the Department of Homeland Security’s Office of Cyber and Infrastructure Analysis, Stanford University’s Center for the Internet and Society, Drawbridge Technologies, IBM, and others in the public and private sectors have mustered efforts to institute changes. These ensure that “risk assessment methods and security measures (that) often don't scale well from the asset or system to the level of political jurisdictions” are adjusted to manage threats to smart buildings and, by extension, smart cities.

A recent research report identified the threat of a “shadow IoT” built right into several North American connected buildings that were managed by the same company:

“A survey of building automation system software by researchers at IBM X-Force found that the systems suffer from a range of security issues, from weak authentication and authorization controls.

“Administrative web interfaces used to provide remote access to the systems also are vulnerable to application based attacks and lack basic security controls,” said X-Force researcher Paul Ionescu.

In a “red team” exercise performed for the firm, the IBM researchers found they were able to compromise the company’s main monitoring and control server, which was used to manage several locations in North America. Ionescu told Security Ledger that the attack exploited a weakly secured DLink router that was used to link the building automation system to the Internet.”

In the same article, we learn that “the compromise of Target Stores in 2014 was linked to heating, ventilation and air conditioning (HVAC) systems running within Target’s headquarters.” This incident made the papers when consumer credit cards were compromised; however, few knew about the follow-up report blaming the BMS at headquarters. Such public relations incidents have the capacity to further alarm a public that is already leery of the “Big Brother” implications of having their house “watching them.”

As we enter the era of smart buildings and smart cities, it’s clear that IoB companies, in partnership with government, need to seek a common goal: Keep the IoB safe and keep working together to ensure that the IoB revolution lives up to its name—but does not include the infighting and disruption that has characterized non-techie revolutions across time.

Read more…

Security-First Design for IoT Devices

Machine to Machine (M2M) and Internet of Things (IoT) realities mean that more and more devices are being deployed and connected to each other. This connectivity is both the promise of IoT (data gathering, intelligent control, analytics, etc.) and its Achilles’ heel. With ubiquitous connectivity comes security threats -- the reason security has received such a high profile in recent discussions of IoT.
Read more…

Wearable technology is a type of device that is worn by a user and often includes tracking information related to their health and fitness which it can then upload to the cloud. Other wearable tech includes devices that have motion sensors and cameras to take photos and sync with your mobile devices. Wearable devices can be quite useful, but they may present a huge danger to your privacy.

So far, the market has consisted mainly of early adopter businesses assessing the technology. This large group includes Tesco, which gave armbands to workers at a distribution center in Ireland to track products, allocate jobs and measure movement within the complex, with the goal of improving efficiency and accuracy. And health insurer 'Pru Health' offers a 'Fitbug' health and fitness device to its members as part of its 'Vitality' program.

It seems inevitable that in the next few years more businesses will begin to explore the potential commercial uses of wearable devices or even begin offering them to their employees, business partners or consumers. In addition, the next few years will no doubt see many employees bringing their own wearable technology into the workplace, for many reasons, such as health benefits and improving productivity.

A key danger for the wearable device market is that a large amount of personal data could be collected from most of these devices. Health and fitness devices could capture extremely sensitive details about a user’s health and then send them automatically to the cloud for processing by the vendor, who then shares them with third parties for 'big data' profiling and targeted advertising.

The 'big data' example really highlights the lack of current regulation for wearable devices and gadgets. Although the analytics and profiling might benefit some of those involved, including in some cases the user, it will become difficult for consumers to keep track of how much of their private data is shared by corporations, and where it's stored. And while many users may be ready to trade their data and lose control over it in exchange for some perceived benefits, cloud security is another major concern: if breached, much of your personal data could be stolen or released.

Your data's security is a very important issue. Cloud security has been breached numerous times in the past, and if exploited, wearable devices can expose a large amount of very intimate and extensive personal data about a user, including their health, current location, and their behavior. This of course already happens with smartphones, tablets and laptops, but the scale and intrusiveness of data breaches involving wearable devices could be unprecedented.

In the long term, there are data protection reforms in the works, which in their current state include the very controversial 'right to be forgotten' and the right not to be 'profiled' without one's consent. If correctly implemented, these reforms could give users of wearable devices the right to have all their personal data deleted, and could require suppliers in the industry to ask for consent before sending personal data to be analyzed or used for predictions about the user's work performance, current health, location, behavior or personal preferences. Consent would need to be very specific and actively communicated to the user, so sweeping consents or burying important terms in the fine print may not be enough.

The changes are, however, still being heavily debated, with the goal of being finalized soon. In any case, they could possibly result in ongoing compliance costs for corporations in the wearable device industry.

Ultimately, as is often the case with emerging technologies, it falls to the industry to grapple with these compliance issues. Until the law catches up, device manufacturers, tech vendors and businesses that use or allow employees to use wearables need to address the legal challenges in order to exploit this new technology in a lawful way whilst realizing the potential benefits of wearable technology in business.

Originally posted on Data Science Central


Read more…

The Internet of Things is changing the world, heralded as one of the most pivotal technology trends of the modern era. We are getting ready to enter a time where everything, quite literally, is connected to the Internet.

For the industrial sector, this is a new area of exploration. Factories have smart infrastructures that use sensors to relay data about machine performance. Cities have smart grids that monitor everything from traffic to the energy used by streetlights. Hospitals can monitor the health of high-risk, at-home patients.

In other words, we are entering a hacker's dream world.

Recent attacks, like the Christmas 2015 attack on the Ukraine power grid, have shown that the Internet of Things possesses severe vulnerabilities. These weak points can be everything from back doors that allow a hacker access to a system to lack of proper use by untrained workers. If your business uses IoT devices, there’s a good chance they are not secure.

Why are so many systems left vulnerable? Weaknesses often come from the same set of five drivers:

[Figure: the five drivers of IoT security weaknesses. Source: Allerin]

Whether your company is struggling because your devices were deployed too quickly or operational cost constraints got in the way, your team must take measures to fix security risks. Here are four security flaws:

1. Lack of Encryption

Any device that is connected to the Internet to relay data needs encryption. When communication between devices and facility machines is not encrypted, it provides a doorway for hackers to send malicious updates, steal data, and even take control of the system.

In 2014, an Israeli security firm took control of cars using a specific connected telematics device that failed to use proper encryption.

2. Failing to Install Updates

Once you have a machine-to-machine communication system working properly, it can be easy to forget to install the necessary updates to keep the network secure.

Yet, hackers are constantly updating their strategies and tactics. Failing to install updates and patches leaves your system vulnerable. 

Even if you’re worried about breaking integrations between systems, you should at the least install every security update released by the vendor. These updates are specifically designed to address vulnerabilities discovered in your devices. After all, if your vendor releases a security update, it’s because they found a problem.

You also should know that updates and patches are not always the final solution to security vulnerabilities. Unfortunately, many manufacturers are not able or willing to provide the necessary support to continue updating their devices. 

To avoid this risk, shop carefully for systems that provide updates and are backed by a trusted company.

3. Poorly Built Networks

The modern industrial network is designed to get tasks done. If the design focuses too much on completing that task, it will leave weak points in security. Things that are obvious when building IT networks are sometimes less obvious when creating industrial DNP3 and other network architecture.

The solution to this risk is fairly simple. Those tasked with building industrial networks need to ensure they are partnering with IT professionals to build networks that are safer from attacks. Security features, like deep packet inspection and network segmentation, should be in place from the beginning.

4. Sensors Outside of the Company's Control

Most of the sensors and other connected pieces that make up a network are controlled by the company. But for some companies, that is not the case. For example, power companies have sensors in their customers' homes.

Sensors outside of the company's immediate control are hard to secure, which gives hackers an opening. Currently, cloud-based security using public key services to authenticate devices may be the best solution to this problem.

Don't Take The Risk

Industrial security breaches can cause devastating consequences. Therefore, the above risks need to be addressed.

As more industrial facilities rely on the Internet of Things, it's important for company teams to be aware of the potential vulnerabilities. Take security into full consideration.

Read more…

IoT, as we all know, is not without issues, though we have become reliant upon it in many ways. In 2015, there were some very viable and tangible proofs that the IoT field is fraught with real peril and that we as IoT designers, developers and companies need to be paying more attention to security. Just how many different IoT companies and arenas were breached? The answer might surprise you -- not to mention terrify you.

Most of us read about the car that was taken over and driven into a ditch. The ramifications of that were clear to all of us, but some even more frightening things have taken place this year.

Did you know that a flight was taken over-- and the man who took over the flight bragged that he had also manipulated the space station?

In the past year, the following hacks have taken place.

Medical devices -- The FDA ordered that specific drug pumps no longer be used. The software was bad enough that hackers could change the dosage being delivered to people who were using them. So we have the possibility of murder by internet?? http://www.securityweek.com/fda-issues-alert-over-vulnerabl…

The DOE -- According to a June 2015 Congressional Research Service (CRS) report, hackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014. "Records show 53 of the 159 successful intrusions were 'root compromises'." http://www.usatoday.com/…/cyber-attacks-doe-energy/71929786/

A Steel Mill -- An entire steel mill was breached, resulting in "massive destruction of equipment". http://www.wired.com/…/…/german-steel-mill-hack-destruction/

The US National Nuclear Security Administration -- The people who are responsible for managing and securing the entire nation's nuclear weapons stockpile experienced 19 successful cyber attacks during the four-year period of 2010 - 2014.

Firearms -- TrackingPoint makes a smart rifle: it digitally "tags" a target and then locks the trigger until the gun is perfectly positioned to hit it, at ranges of up to half a mile. But now a serious flaw has been found in the software, such that a hacker could make a law enforcement officer hit the hostage rather than the intended target. http://money.cnn.com/2015/07/29/technology/hack-smart-rifle/

Offshore oil rigs: Hackers have also shut down an oil rig by tilting it sideways. They hit another rig so hard with malware that it was not seaworthy for 19 days.

Government buildings: The Department of Homeland Security recently disclosed that hackers had managed to penetrate a state government facility and a manufacturing plant in New Jersey. All they did was change the temperature, but what COULD they have done? Really think about that.

Last, but not least: go ahead and buy that cool toaster and refrigerator. A funny thing happened with hundreds of kitchens in the UK. All of them were hacked, and the resultant hack wouldn't allow them to make certain kinds of food in their toaster or store it in their fridge. http://www.cbronline.com/…/iot-security-breach-forces-kitch…

IoT is a time saver and offers us incredible convenience, but as we're beginning to find out, there are some real ramifications to the use of IoT devices that we need to be aware of. More to the point, the companies and industries offering these devices need to take full responsibility for assuring the security of the devices they offer. IoT security workers and developers are more important than ever before.

For more information about IoT and security, check out our new website www.internetofthingsrecruting.com - Need to update your IoT security team? Click Here to schedule a free IoT Needs Assessment Call.

Read more…

The Internet of Things (IoT) concept promises to improve our lives by embedding billions of cheap purpose-built sensors into devices, objects and structures that surround us (appliances, homes, clothing, wearables, vehicles, buildings, healthcare tech, industrial equipment, manufacturing, etc.).

IoT Market Map -- Goldman Sachs

What this means is that billions of sensors, machines and smart devices will simultaneously collect volumes of big data, while processing real-time fast data from almost everything and... almost everyone!!!

IoT vision is not yet reality

Simply stated, the Internet of Things is all about the power of connections.

Consumers, for the moment anyway, seem satisfied to have access to gadgets, trendy devices and apps which they believe will make them more efficient (efficient doesn't necessarily mean productive), improve their lives and promote general well-being.

Corporations on the other hand, have a grand vision that convergence of cloud computing, mobility, low-cost sensors, smart devices, ubiquitous networks and fast-data will help them achieve competitive advantages, market dominance, unyielding brand power and shareholder riches.

Global enterprises (and big venture capital firms) will spend billions on the race for IoT supremacy. These titans of business are chomping at the bit to develop IoT platforms, machine learning algorithms, AI software applications & advanced predictive analytics. The end-game of these initiatives is to deploy IoT platforms on a large scale for:

  • real-time monitoring, control & tracking (retail, autonomous vehicles, digital health, industrial & manufacturing systems, etc.)
  • assessment of consumers, their emotions & buying sentiment,
  • managing smart systems and operational processes,
  • reducing operating costs & increasing efficiencies,
  • predicting outcomes, and equipment failures, and
  • monetization of consumer & commercial big data, etc.


IoT reality is still just a vision

No technology vendor (hardware or software), service provider, consulting firm or self-proclaimed expert can fulfill the IoT vision alone.

Recent history with tech hype-cycles has proven time and again that 'industry experts' are not very accurate predicting the future... in life or in business!

Having said this, it only makes sense that fulfilling the promise of IoT demands close collaboration & communication among many stake-holders.

A tech ecosystem is born

IoT & Industrial IoT comprise a rapidly developing tech ecosystem. Momentum is building quickly and will drive sustainable future demand for:

  • low-cost hardware platforms (sensors, smart devices, etc.),
  • a stable base of suppliers, developers, vendors & distribution,
  • interoperability & security (standards, encryption, API's, etc.),
  • local to global telecom & wireless services,
  • edge to cloud networks & data centers,
  • professional services firms (and self-proclaimed experts),
  • global strategic partnerships,
  • education and STEM initiatives, and
  • broad vertical market development.

I'll close with one final thought: "True IoT leaders and visionaries will first ask why, not how!"

Read more…

Guest blog by Bill Graham; follow him here. The post was originally posted here.

Every IoT and embedded device manufacturer endeavors to field secure and safe products. However, even with robust development processes, it's difficult to ensure complete security in finished products, and more so in legacy products. As the ever-expanding IoT marketplace puts a bigger emphasis on embedded device security, better techniques are required to improve it. I wrote a blog series this fall on improving IoT security with source-based static analysis and binary static analysis coupled with software hardening, but I focused primarily on the static analysis part of the equation. GrammaTech's software hardening techniques complement our static analysis know-how to greatly improve the current and future robustness of embedded software.

Binary Analysis and Static Rewriting

Analyzing application binaries allows GrammaTech's rewriting tools to discover the use of potentially problematic code patterns, libraries, or OS functions. The rewritten binaries have wrappers around such code to prevent erroneous behavior. For example, function call stack usage can be instrumented to prevent stack overflow and subsequent code injection. Another example would be preventing calls to known problematic library functions like strcpy() from causing buffer overflow errors.

Rewriting a binary executable into a robust hardened version provides quality and security assurance for any version of the application -- current and future versions are protected.

GrammaTech Software Hardening

GrammaTech's hardening tools statically rewrite binaries into more robust and secure applications.

Confinement and Diversification: Binary Rewriting Techniques

The goal of confinement is to prevent undetected vulnerabilities from causing a failure in an executing application. Techniques to detect and prevent certain specific classes of vulnerabilities already exist to some extent, but they often leave the program in a failure state, which in turn means a denial of service. Although an attack might be prevented, these consequences are unacceptable in critical systems. GrammaTech has been researching sophisticated confinement techniques that allow applications to detect the same kinds of attacks but continue operation (while still containing the vulnerability). By combining binary analysis to detect the potential vulnerability with static rewriting to confine the exploit, it's possible to greatly reduce and even eliminate the impact.

Diversification techniques alter the default code and memory layout to prevent potential exploits. By rearranging the subroutine calling sequence and the stack, heap, and global data layout, it's possible to prevent vulnerabilities from being exploited. Stack overflow errors that lead to code injection exploits, for example, can be thwarted with these techniques.
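As an added illustration of the confinement idea described above (example code written for this page, not GrammaTech's rewriter or any API of its products): a strcpy() call site is redirected to a wrapper that detects a destination overflow, truncates and records it, and lets the program keep running, beside a fail-stop check that can only refuse the operation. The firmware function, the 16-byte buffer size and the device-name inputs are constructed for the example; a real rewriter would derive the buffer size from binary analysis of the stack frame rather than from a macro.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Number of overflow attempts that were detected and contained.
 * A deployed system would also log each event for incident response. */
static unsigned long g_contained_overflows = 0;

unsigned long contained_overflow_count(void)
{
    return g_contained_overflows;
}

/* Fail-stop style check: detects the overflow but gives the caller no
 * option except to refuse the operation (or abort), i.e. the denial of
 * service the text describes. Returns 1 on success, 0 if src would not fit. */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || strlen(src) >= dst_size)
        return 0;
    strcpy(dst, src);
    return 1;
}

/* Confining wrapper: the overflow is detected, the copy is truncated so it
 * fits, the event is recorded, and the caller continues with a valid,
 * NUL-terminated string. Returns the number of bytes actually copied. */
size_t confined_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return 0;
    n = strlen(src);
    if (n >= dst_size) {
        g_contained_overflows++;
        n = dst_size - 1;        /* leave room for the terminator */
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Hypothetical function from an IoT firmware image: it copies a device name
 * into a fixed 16-byte buffer. Before hardening the body was a bare
 * strcpy(out, name); after rewriting, the call goes through the wrapper with
 * the buffer size that analysis of the frame layout would supply. */
#define DEVICE_NAME_SIZE 16

size_t copy_device_name(char *out, const char *name)
{
    /* original, unsafe call site: strcpy(out, name); */
    return confined_strcpy(out, DEVICE_NAME_SIZE, name);
}

int main(void)
{
    char buf[DEVICE_NAME_SIZE];
    /* Constructed inputs: one that fits and one that would have overflowed. */
    const char *ok_name = "sensor-01";
    const char *bad_name = "sensor-01-with-a-name-far-too-long-for-the-buffer";

    copy_device_name(buf, ok_name);
    printf("normal copy:     \"%s\" (contained so far: %lu)\n", buf,
           contained_overflow_count());

    if (!checked_strcpy(buf, sizeof buf, bad_name))
        printf("fail-stop check: refused the copy, caller must abort\n");

    copy_device_name(buf, bad_name);
    printf("confined copy:   \"%s\" (contained so far: %lu)\n", buf,
           contained_overflow_count());
    return 0;
}
```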

Protection Now and in the Future

Binary analysis and rewriting by nature doesn't require source code and is version-independent. As such, IoT device manufacturers can use GrammaTech's hardening techniques on every release of their applications, making software hardening a standard procedure in the software release process. In doing so, organizations can assure better robustness and security for even minor upgrades, without huge re-testing costs.


CONCLUSION:

Security defines the success of IoT. Good software development techniques are a good start, but adding software hardening is even better. GrammaTech's software hardening techniques provide version-independent protection from vulnerabilities and runtime errors while maintaining system functionality. In addition to the improved security and safety provided, software hardening offers compelling reductions in cost, risk, and time.

Read more…

Guest blog post by Nate Vickery


In a recent Economist Intelligence Unit survey of 476 executives from around the globe, more than a third of respondents said that their companies suffered significant data losses over the course of the last 12 months. On the other hand, more than 80% of respondents said that their protection procedures are at least “somewhat” effective. However, executives at organizations that suffered big data breaches – like the US Government – were presumably confident that their protection systems were safe too, until they discovered that they were in fact not.

The term big data came about around 2005; it refers to a wide range of information sets that are too large to be managed and processed by traditional data management tools. 2015 was a big year for big data; some of the major tools and platforms achieved mainstream adoption. Now that big data has become essential for all business enterprises, major security problems have come to the forefront. Therefore, let us look at some of the biggest data security challenges companies of all sizes are facing in 2016.

User Data Privacy

You would be surprised to learn how the data collected about each individual can be processed and analyzed to provide a surprisingly complete picture. Consequently, the establishments that own the information are legally responsible for its security. Attempts to anonymize certain data are useless in protecting people’s privacy, because there is so much data available that some of it can be used as a link for identification purposes. User information is in transit all the time, being accessed by internal users, outside contractors, and business partners sharing it for research.

Granular Access

One of the greatest challenges when implementing a big data security system is respecting privacy concerns while still permitting usage and analysis to continue. While a privacy breach has ethical and legal implications, a large amount of data is useless if it cannot be used. This is one of the reasons only 0.5% of data is being used and analyzed at the moment. Granular access control acts on every piece of data individually, ensuring a high level of both security and usability. However, some major problems with the efficient implementation of granular access control are keeping track of privacy requirements and policies in a cluster-computing setting, keeping track of user access, and the proper enforcement of security requirements.

Monitoring in Real-time

Real-time monitoring is designed to alert the company at the very first sign of an attack; however, the amount of feedback from a SIEM (security information and event management) system, whose aim is to provide the big-picture view of the data, is enormous. Companies that have the resources to closely monitor this feedback and separate the real attacks from the false ones are rare. Fortunately, there are providers that can offer an alternative through remote support software, for both small businesses and larger enterprises.

Granular Audits

As discussed in the last paragraph, the goal of monitoring in real time is to give the company a heads-up at the first sign of trouble. Since this does not always happen, because of the challenge of identifying the real risks among the huge number of false alarms, it is crucial to have regular, granular audits to recognize breaches after the fact. Audit information can help to identify exactly what happened, so that future breaches can be identified and avoided. An effective inspection depends on numerous factors: controlled and timely access to information, the integrity of the information, etc.

The majority of solutions and platforms are still struggling to handle the vast volume, variety and velocity of big data. So far, security has been a tacked-on feature of the management tools; however, it is now evident that the value of big data lies in both the company’s ability to leverage it for better products and its ability to protect it from outside attacks.


Read more…

IoT Security trends

Security threats are the biggest of the main concerns surrounding the Internet of Things. Due to its very nature, it is a target of interest for those who want to commit either industrial or national espionage. By hacking into these systems and putting them under a denial of service or other attack, an entire network of systems can be taken out. This has made cyber criminals very interested in the IoT and the possibilities that surround its misuse.

Fortunately, companies are realizing that there are many potential problems with their framework. This has started a new trend of companies reviewing these areas and coming up with effective solutions. Until that is done, those using these devices should remain wary. The IoT allows devices to exchange contextual information and to execute certain decisions based on this information. This means cars, homes, power supplies, and even water supplies using the IoT could potentially be at risk. In these cases, physical security is irrelevant, as a simple change of data could impact the control of systems and cause them to function as a dangerous item.

The idea of a security breach through the IoT isn’t merely a hypothetical possibility, either. There are already cases of hackers breaking into these systems. In a test situation, two cars were hacked, their brakes disabled and their lights turned off, all without the driver having the ability to control them. A yacht being taken off course by a hijacked GPS system is another instance.

Even in the home, people are at risk. Devices that have video cameras, children’s monitors, and similar devices that should be safe are actually giving hackers the chance to cause havoc in the home. Smart wired homes have had their temperature settings changed and their lights flickering on and off, as these hackers explore the possibilities that are out there. Even the latest digital electric power meters are allowing hackers to steal power with ease.

But these device annoyances aren’t where the heart and soul of the IoT lies. Instead, it is the possibility of what can be done with these systems. Since everything is attached through the internet, these devices have the potential to perform a third-party attack on websites. If millions of devices hit a website at the same time, they can overwhelm its bandwidth and potentially take down a competitor’s website, effectively crippling them until they find a workaround solution. Corporate espionage becomes a real concern as competitors realize they can turn simple devices against their main competition and draw in their business.

All this means that the virtual world has the ability to have an impact on the physical world. The solution right now is to boost security on our devices that use the IoT. With added security tools and advanced APIs that can detect usage beyond what the system is designed to do, there is a lower risk for the world.

With terrorism one of the main concerns in the world, and growing dangers around us, we need to be smart about how we use technology. That’s why, when we look at the IoT, we shouldn’t write these devices off as nothing more than simple tools to make our lives easier, but recognize them for the potential dangers they could also pose.

For more information about looking for IOT/Security talent, check out our website at www.internetofthingsrecruiting.com

Read more…

Top Three Skills for Data Security Pros

What do you need to succeed in data security? Compliance, governance and data security experts

If 2016 shapes up anything like the last quarter of 2015, data security in the IOT will continue to be a hot topic for all of us working to protect our work in the Cloud. In my last article, I discussed several trends that we are monitoring at SoftNet Search’s IOT practice area. This time, I will weigh in on the kinds of people who will fulfill the needs of companies who are staying ahead of data security trends.

IT Headcount Going Up

According to all the people that matter, IT will continue to hire data security and other pros in 2016. For example, Computerworld’s recent survey showed that “37% of the 182 IT professionals who responded to the survey said they plan to increase head count in the upcoming year -- that's a significant jump from last year, when only 24% said they planned to add new staff. Moreover, 24% of those polled this year listed "attracting new talent" as first among their business priorities for the next 12 months.”

So how will they find the data security specialists they need? They will focus on these top three skills:

1) Security (General) – General security projects rated number two in the “most important IT projects that survey respondents have underway.” General security specialists, including data security pros, will command higher salaries, with Robert Half Technology 2016 Salary Guide predicting a 5% to 7% rise this year, hitting a range of 100K to 200K on average.

2) Compliance – Small-to-medium sized businesses are racing to ensure that their compliance policies are up to speed, especially if they’re working in the IOT. Healthcare continues to lead the compliance market in this field, with financial services and consumer privacy goals (customer information safety) coming in a close second and third, respectively. Data security specialists and database analysts will continue to command higher salaries, and a track record of managing big data in the cloud and providing compliance leadership for functional business partners is a must. Computerworld again: “Exactly 50% of the IT professionals who participated in our Forecast 2016 survey said they plan to increase spending on security technologies in the next 12 months.” Making sure these technologies include built-in compliance gatekeeping will be top of mind for data security leaders throughout 2016.

3) Governance – Many large corporations have a lock on their governance policies because they have the headcount to ensure that Cloud and SaaS solutions across the enterprise fold into their existing governance plans. They can also pull together IT governance committees to get ahead of this issue and ensure that data security guardrails are firmly in place via smart governance plans.

Who owns your data security governance policy?

The problem is, many companies have had to institute ad hoc governance because they don’t have the time to control these policies in a centralized way. Functional, siloed IT business partners might “own” the governance policies for say, customer information, with others guarding HR or manufacturing data. Data security pros with backgrounds in IT governance can help answer IT leaders’ most pressing governance questions in an enterprise-wide manner and ensure that governance rules don’t languish in silos, making your company prone to breaches of policy. Hire someone to answer these questions:

  • How do we start instituting a cohesive governance strategy that grows with the company (and its technologies)?
  • Who should we include on our team?
  • How long will it take until the governance policy works on its own to cover all of our current and foreseeable technologies?
  • Who should manage the project and be accountable from the beginning?

If your data security pros don’t have the answers to these questions or have not worked as a team to define governance for the IOT, chances are they will need to get up to speed—and quickly.

What doesn’t work as well?

We’ve watched some companies hire a consultant to help the Corporate Governance Officers (CGOs) with the IT end of their jobs. The problem with that solution is that IOT and cloud-based data security and governance should not be placed on the table in front of a bunch of lawyers who, no matter how skilled, can’t be expected to keep up with best practices in the field. Hiring internal IT governance headcount, even if on a contract basis, works better in the long run and will cost you thousands less without costing you your peace of mind.

If you’d like to know more about the highly skilled data security specialists I’ve seen in my practice, or if your enterprise requires help with IT compliance, governance or data security in general, definitely give me a shout.

Looking to hire data security professionals? Click Here for your free Search Assessment Call

Read more…

One of the biggest barriers to IOT success is a dearth of data security talent. Find supermen and -women to get your enterprise to the next level.

This week, Batman vs. Superman opens in theatres. Batman’s got his gadgets and Superman, his alien powers. What out-of-this-world powers will you need to get your IOT data security talent on board and up to speed?

There are so many challenges to sourcing IOT talent that it seems like you need superpowers simply to suss out the best candidates. Experts agree: finding talent remains one of the biggest barriers to getting value out of the IOT, and data security experts are often the most in demand.

David Weldon’s recent article in Information Management pointed to some disturbing trends in IOT security—as in, will security issues remain the biggest hurdle IOT practitioners face in getting projects off the ground?

The study from TEK in that article boldly stated that: “While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact - just 22% of IoT initiatives have progressed to the implementation stage.”

That’s a huge gap! So what is standing in our way? Survey respondents from 200+ companies said that security and ROI are the biggest problems and that “information security experts are cited as the most difficult skill set to find.”

This same group of IOT leaders was asked where IOT initiatives would have the most impact in the next five years. We’ve used their responses to help you track the super skills you need for your data security team:

Survey respondents were very clear on where they expected IoT initiatives to impact their business on a long-term basis, factoring a five-year planning horizon. Top impacts expected were:

  • 64 percent said creating better user and customer experiences – Here we have the data security expert who is often sourced from Cloud-based technology services that are outward facing, such as sales and CRM systems. A consumer-based data security pro will often help you check off your IOT bases faster than any other.
  • 56 percent said sparking innovation - Data security experts who have done time protecting business development functions, start-ups, or tech product launches along the IOT can help you see the big picture. It doesn’t hurt to have an MBA-level degree in IT innovation (especially if they have worked as an IT innovations leader from within an executive committee in one of the industries your company serves.)
  • 52 percent said creating new and more efficient working practices and business processes – One of the key differentiators among IT talent is their ability to lead process change and gain buy-in from key players in the company. In the field of IOT data security, make sure your security pros have spent time in the functional trenches of your industry. If they don’t understand the value levers in your particular business, they won’t know to protect them.
  • 50 percent said creating new revenue streams, including new products and services – This is indeed the superpower to possess! Along with innovations experience, your data security leader should have new product experience—especially during launch, when experts agree, IOT start-up data is at the most risk. Commonly, “white hat hackers” in small- to- medium businesses fit the bill.
  • 36 percent said an increased ROI on IT infrastructure – Too often data security is cut into two functions in large IT corporations—infrastructure and external. Your data security leader must be adept at identifying security challenges in both areas, or she won’t be able to calm the fears of your key investors or decision-makers when they ask what to build and how she will make it a safe platform for their IOT springboard.
  • 35 percent said substantial cost savings and operational efficiencies – Our data security pro might seem too good to be true by now, but one thing we know he isn’t is a spendthrift. He should also be able to measure the value of what IOT data security leadership can do before any resources go into it, and clearly outline the risk of not spending enough on security to protect the whole shebang. A data security pro who is only concerned with the 1s and 0s and not with the dollars and cents will cost more than he or she is worth.

If you want to make sure your IOT initiatives get off the ground, track where they will make the most difference to your business and then find data security professionals with IT experience in those areas.

A word of caution: The popular “Security as a Service” (SECaaS) outsourcing model for security management might not work, according to another guru, Stephanie Ibo, at IM. “The irony lies within the fact that SECaaS will use the cloud as a mainstream deployment platform, when part of its own reason of existence is to enhance the protection of…the cloud!”

I would argue that “large security service providers (who) integrate their products into a corporate infrastructure on a subscription basis, making security more cost effective to large corporations” will have a difficult time reaching “the ultimate objective of security implementation – ‘Security at the Core’”, even if popular outsourced services like authentication and security event management get the enterprise a few steps closer.

I believe that having an internal IOT security head will ensure that you have all of your bases covered. Let me know what you think! Call me for a free checklist and consultation at 303-337-7871. Follow us on Twitter and LinkedIn for more IOT data security talent sourcing information.

Read more…