Subscribe to our Newsletter | To Post On IoT Central, Click here


Security (124)

Data Security Trends for 2016

Data Security Professionals: What You Need to Know NOW: Trends for 2016

There are some scary things happening in data security. Along with the rise of the Internet of Things there has been a corresponding push by hackers to wrest the cloud from us law-abiding folks.

“Gartner is predicting that 6.4 billion connected “things" will be in use globally by the end of 2016 - up 30 percent from 2015 - and that number is expected to reach 20.8 billion by the year 2020. As more Internet connected devices hit the market, so too do the vulnerabilities that come with them, as evidenced by highly-publicized incidents of 2015 where researchers exploited vulnerabilities in planes, guns, medical devices and automobiles.

As the Internet of Things market expands and innovates, researchers will continue to find and uncover exploitable vulnerabilities in these newly connected “things,” which will in turn continue to fan the flames of responsible disclosure.”- Information Management

Companies are having a difficult time finding data security pros who know how to conquer this new frontier of data security in this “every business is an IT business age.”

Information Management Magazine had some cool ideas on this front:

Consolidation of IT Security

Big companies are buying out medium companies and then these really big companies are eating all of the “little fish” in sight. Dell buys EMC. Cisco buys Lancope. They all begin to buy companies like Adallom, Aorato and Secure Islands. It’s not going to stop next year, in fact, it will accelerate.

“It’s worth noting that offering up a “one stop shop” experience is completely different than being able to integrate technologies together to offer a seamless user experience.” Will that seamless user experience include seamless security?

Responsible Disclosure

You’ve got a Certified Hacker on staff who has uncovered some issues that overlap into the public domain. How much are you legally (never mind morally) required to divulge to regulators and/or competitors? According to IM, this issue will only get thornier as 2016 progresses: 

“White hat” hackers, hired to scope out flaws in systems, are already facilitating company / researcher relationships within the technology industry via bug bounty programs. However, it seems that many segments of the manufacturing industry would rather utilize lawyers to block research altogether than address the vulnerabilities that are uncovered. Another option for security researchers to consider is self-regulation, where they accept the risks and responsibilities associated with their findings.”

Smaller Businesses Up Security Spending

Remember the famous hacks of 2015? They were publicized more than ever before.  Companies like "LastPass, Securus Technologies, VTech and TalkTalk (are being targeted by) cybercriminals because they’re seen as less secure, while oftentimes owning valuable customer data.” These cyberattacks will grow in 2016.

People in the Cloud Share Responsibility

If you deploy in the cloud you share security responsibilities. Small to medium companies are hiring internally or taking advantage of Cloud Services’ security add-ons in contracts. To get a quick primer, check out Amazon’s shared responsibility model.

The other items in Information Management’s list include improved incident response protocols including communications and crisis management to calm investors and consumers; and enhanced collaboration among our communities as “security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats.” The folks at IM “expect this to increase and become more formalized amongst organizations, industry verticals and individual practitioners over the next year.”

What trends would you like us to keep an eye on for you as a cutting-edge data security specialist or leader? Let us know! We’d love to include your favorite topics right here.Email me. Until then, stay safe!

Read more…

How Secure are Home IOT Devices, Actually?

The Internet of Things (IoT) is a phenomenon that is currently experiencing huge year on year growth. One of the fastest growing areas within the industry is in the market of home IoT devices. These are devices designed to make life easier, such as connected garage door openers, smart switches, smoke alarms, and even IP surveillance cameras. There are almost 5 billion connected devices being used today, and according to Gartner Research, that number is expected to grow by 500% in the next 5 years.All of this shows a promising industry, but unfortunately the risks are never covered as much as the growth figures. IoT devices are often designed without a necessary focus on security or user privacy, and this is something that the industry needs to address.

Security Risks for IoT in the Consumer Space

Although IoT can be found in industries as diverse as medical and even manufacturing, it is the home markets that garner the headlines and consumer mindshare. People have come to expect that their security cannot always be maintained online. But the difference with IoT is that we’re not simply talking about passwords, emails, and social media accounts. Instead, we’re talking about access to the garage door, the front door, or even knowing whether or not somebody is home.

There are plenty of examples where common IoT devices have been found to be unsecure, or at least at risk of being compromised with relatively little effort.

The Fortify Security Software Unit at HP released case studies last year where they compared ten of the most popular devices used in home IoT. They found that seven out of ten devices had significant security issues. An average revealed 25 security risks in each individual product. The most prevalent problem was that IoT data was unencrypted as it was transferred through wireless networks. Worryingly, six of the devices didn’t even download firmware from encrypted sources. This leaves a possible risk where malicious firmware could be directed to home devices, providing external access for malicious parties.

HP isn’t the only company to have taken an interest in IoT security. Veracode recently published a report that was based on a similar survey of consumer devices. While the HP survey focused on devices like thermostats and lawn sprinklers, the Veracode study included critical devices, such as the Chamberlain MyQ Garage door opener, and the Wink Relay wall control unit. Veracode’s study looked more at risk than actual vulnerabilities, but the results were still significant.

The Wink Relay, if compromised, could allow external audio surveillance inside a user’s home. Information could be used for blackmail, to aid identity theft, or even for industrial espionage in relation to the resident’s employer. The Chamberlain garage door opener, if compromised, could mean that a third party could tell whether a garage door was open or not, allowing opportunities for easy, unauthorized entry.

Even if these devices connect to a relatively secure cloud platform, there’s always a risk that a home network could be compromised, and the fact is, few consumers are even aware of the dangers.

As we move forward, it is clear that security needs to be a top priority within the Internet of Things marketplace. Which means that stakeholders need to:

  • Understand the security risks involved with connecting home control devices to the cloud
  • Provide necessary security on their platforms
  • Educate consumers about security risks, and how they can protect themselves
  • Focus on building a talent pool of network security professionals to complement their core IoT development teams

Internet of Things represents an exciting time in the evolution of consumer, corporate, service based, and industrial technologies. It is important that key developers and manufacturers don’t lose sight of security during times of rapid innovation. With the right talent, and the right approach, the industry can build highly secure infrastructure and devices. This will ensure trust and desirability remains high, with the potential to drive adoption and overall market growth.

 

How does your team ensure practical security with its connected products?

Read more…

What's Hot in Hiring: Data Security Consulting!

Big Growth in Data Security Provides Opportunities for Consultants

By 2016, the worldwide data security market is expected to approach almost $90 billion in total value. This means that security is big business, and it should be. Data security has become increasingly critical as businesses utilize increasingly complex technology. Likewise, businesses that are directly involved in technology, such as Internet of Things and connected devices startups, cloud service providers, and even internet service providers, all have a vested interest in maintaining the security of their data.

Three Core Influencers on the Security Market

There are three core areas of influence that are driving the key players in data security consulting. Market influencers, according to Gartner Research, include BYOD (Bring Your Own Device), big data, and the security threats themselves.

BYOD is changing the way that SMBs and enterprise clients think about security. In the past, security solutions could be rolled out and controlled across a limited number of devices that were usually owned and maintained by employers. Today, it is more common for executives and staff at all levels to bring their own devices, which can then connect to company applications and networks. This creates the challenge of implementing robust security policies and technologies that can cover a range of devices and access methods.

Increased connectivity has led to increasing levels of "big data" in business. Considering all of the channels where data is collected, whether it be through software, customer interactions, or even data that comes from IoT connected devices, it is becoming critical that big data is not only collected, identified, and categorized, but that it is kept secure. Security in the future will be essential for protecting IP, trade sensitive information, and maintaining privacy.

Finally, the increasing number of security threats that are present, are reshaping the market, and will continue to do so in the future. In addition to the attacks and exploits that have been common in the past, data security consulting professionals now have new technologies where compromises must be patched and anticipated. IoT devices, SaaS solutions, and an increasingly widespread cloud adoption will be major factors that shape the needs of future data security.

 

Data Security Consulting: What is Hot?

Recent graduates, professionals looking for new opportunities, and even CIOs within existing organizations can anticipate the opportunities and needs, by identifying current roles and niches in the data security consulting market.

A data security role may be completely specialized, or in some cases, generalized and more leadership based, depending on the size of an organization.

Information security can be broken down into two main areas. These areas are hardware, and software. A data security consultant may be expected to have a wider understanding of their industry, but in reality they will only specialize in some key areas. This means that employers need to be specific about who they’re looking for and the technologies that they use. It also means that jobseekers need to be upfront about their expertise, or they may risk finding themselves in a position that is beyond their current skillset, which could lead to career impacting underperformance.

As a consultant, the role is to advise, develop, and implement change. This change is usually to address a problem that already exists. In the case of data security, this could mean that a security threat has already been identified, or it could be to mitigate possible threats with new technologies.

  • Consultants need superior application and network penetration skills. This means that they should be able to break down, and analyze the way that software works within any environment. This includes input and output channels. Networks need to be understood in the same way. The purpose of this knowledge, is to identify where risks exist, or where existing security breaches are occurring.

  • Software algorithms are known to provide false positives, so a consultant needs to be able to identify these, and should have skill in determining viable threats. This will help the consultant to allocate resources where they are most necessary, which can benefit their employer, financially.

  • Consultants should build an understanding of the technologies used by their employer. Whenever working on a contract, a consultant will deal with systems that they are unfamiliar with. Understanding the underlying technologies will be critical to implementing successful security solutions. This may require knowledge of cloud computing and infrastructure, IoT protocols and industry practices, or even specifics of networking or programming languages.

  • Successful consultants will be experts in risk management. This should not just include software and hardware, but also their employer’s strategy when it comes to risk management. Some companies are willing to accept higher levels of risk, while some have more stringent expectations. Understanding the culture of any particular company will be critical.

 

As Data Becomes More Important, Security Consulting Becomes a Necessity

It does not matter whether a business processes EPS payments, collects consumer information for a large retail operation, or even deals exclusively in cloud technology and the Internet of Things. The reality is that, as long as they are collecting and storing data, they will need dedicated security professionals.

Protecting that data for commercial and privacy reasons, will best be achieved with the right candidates, who have the skills and experience to deal with security threats in the modern business landscape.

I found a great resource for planning for and making decisions about information security at the Gartner Research Security and Risk Management page.

Read more…

Security challenges for IoT

Guest blog post by vozag
 

Emergence of IoT presents security challenges more challenging than any industrial systems have seen.

Open Web Application Security Project (OWASP) is a reputed international organization which focuses on improving the security of the software. It sponsors the hugely  popular Top ten project which publishes the top ten security risks for web applications all over the world.

 

The “OWASP Internet of Things (IoT) Top 10” project defines the top ten security surface areas presented by IoT systems. The project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.

 

Last year HP which started this project used it as a baseline to evaluate top ten IoT devices which are were widely used and released a report. The study concluded that on an average each device studied had 25 vulnerabilities listed as a part of project.

 

The top 10 vulnerabilities impact of each vulnerability and the link in the order listed in project are given below:

 

Insecure Web Interface

Insecure web interfaces can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete device takeover.

 

Insufficient Authentication/Authorization

Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.

 

Insecure Network Services

Insecure network services can result in data loss or corruption, denial of service or facilitation of attacks on other devices.

 

Lack of Transport Encryption

Lack of transport encryption can result in data loss and depending on the data exposed, could lead to complete compromise of the device or user accounts.

 

Privacy concerns

Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.

 

Insecure Cloud Interface

An insecure cloud interface could lead to compromise of user data and control over the device.

 

Insecure Mobile Interface

An insecure mobile interface could lead to compromise of user data and control over the device.

 

Insufficient Security Configurability

Insufficient security configurability could lead to compromise of the device whether intentional or accidental and/or data loss.

 

Insecure_Software/Firmware

Insecure software/firmware could lead to compromise of user data, control over the device and attacks against other devices.

 

Poor Physical Security

Insufficient physical security could lead to compromise of the device itself and any data stored on that device.


Read more…
RSS
Email me when there are new items in this category –