

Security (131)

IoT has opened oceans of opportunities. We can automate just about any inanimate object and make everyday life easier. However, just as we can think of an infinite number of uses for IoT, hackers are doing the same, for all the wrong reasons.

Recently, hackers have been able to hack baby monitors, cars and, scarier still, pacemakers. All this can be done remotely. Present IoT devices are not adequately equipped with security features. Hence, hackers have no problem hacking into these devices.

Although an IoT device has several components which increase its vulnerability, in this article I will cover the issue of security updates. This is because a large number of attacks occur through insecure software.

A major component of any IoT device is the software present in it. By introducing security features in the software, we can reduce a large majority of these malicious attacks.

Sophisticated security measures will take time to develop and implement, but there are some simple features we can implement immediately:

  • Ensuring periodic updates: By keeping the software updated, we can ensure that there are no vulnerabilities. Then hackers cannot use the 'back door' method to hack a device.

  • Encryption of update file: The update file itself must be encrypted to prevent harmful tampering. Then hackers will not be able to introduce viruses within the code.

  • Encryption of network: The network used to transmit the update files must be encrypted as well. This will prevent interception of the update file by unknown third parties during transmission.

  • Avoiding/encrypting sensitive data: Most often, the update file contains sensitive data such as passwords, names, etc. This type of data must be avoided wherever possible. If it is absolutely necessary to keep this type of information, then the data must be properly encrypted.

  • Verification by authorized personnel: Before a new software update is released, it must be thoroughly verified and signed by authorized personnel.

  • Securing the update server: The update server is another location that most hackers attack. The server must be secured adequately to prevent such attacks. Preferably, the data must be encrypted once it is on the server.
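The checks in this list that a device can enforce itself, shown as an added example (not code from the article): the release side binds the image's size and SHA-256 digest into a manifest, and the device authenticates the manifest, then the image, before installing. HMAC-SHA256 stands in for the release signature so the example needs only the standard library; the key, function names, sample image and the version comparison are assumptions that go beyond the article's list.

```python
import hashlib
import hmac
import json

# Constructed demo key. A production device would hold only the vendor's
# public key and verify an asymmetric signature; HMAC stands in here so the
# example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and device agree."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def release(image: bytes, version: tuple, key: bytes = DEMO_KEY) -> dict:
    """Release-side step: bind version, size and digest, then authenticate."""
    manifest = {
        "version": list(version),
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_update(package: dict, image: bytes, installed: tuple,
                  key: bytes = DEMO_KEY) -> str:
    """Device-side check. Returns "ok" or the reason the update is refused."""
    manifest = package.get("manifest")
    tag = package.get("tag")
    if not isinstance(manifest, dict) or not isinstance(tag, str):
        return "malformed package"

    # Authenticate the manifest before trusting any field inside it.
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "bad manifest tag"

    # The manifest is now trusted, so the image must match it exactly.
    if len(image) != manifest["size"]:
        return "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(), manifest["sha256"].encode()):
        return "image digest mismatch"

    # Refuse re-installs and downgrades to an older, possibly flawed release.
    if tuple(manifest["version"]) <= tuple(installed):
        return "not newer than installed version"
    return "ok"


if __name__ == "__main__":
    image = b"firmware 2.0.0 image (constructed sample bytes)"
    package = release(image, (2, 0, 0))
    installed = (1, 4, 2)

    tampered_image = bytes([image[0] ^ 0x01]) + image[1:]
    forged = {"manifest": dict(package["manifest"], version=[9, 0, 0]),
              "tag": package["tag"]}

    print("genuine update:    ", verify_update(package, image, installed))
    print("modified image:    ", verify_update(package, tampered_image, installed))
    print("modified manifest: ", verify_update(forged, image, installed))
    print("downgrade attempt: ", verify_update(package, image, (2, 1, 0)))
```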

(The term hacker as used in this article refers to "black hat hackers".)


RSA Conference 2016, the world’s leading information security conference and exposition, kicked off its annual show today at San Francisco’s Moscone Center. In its 25th year, the conference brings together the top information security professionals and business leaders to discuss emerging cybersecurity trends and formulate best strategies for tackling current and future threats.

According to Britta Glade of the RSA Conference, during the course of this year’s review process they collectively looked at the "forest" of the submissions together and found that the Internet of Things was the #1 trend that stood out.

Last year they saw a huge uptick in IoT submissions, but this year it moved front and center. She noted, “While last year’s submissions tended to be "observational," this year we seem to have moved into the "solutioning" phase of the maturity curve, evidenced by a slew of new submitting companies—organizations that directly service end consumers and haven’t traditionally participated in our call-for-speaker process.”

Building on top of IoT, conference organizers also saw increased submissions on Industrial Control Systems and the Industrial Internet of Things. In the past, the sessions focused on this just didn’t gain attention. But one year makes a difference as many of the "things" coming alive and online, such as robots, sensors, building automation, are still based on old security protocols and approaches, and breaches here have the very real potential to trigger large-scale disasters.

Late last year when I posted 50 Predictions for the Internet of Things in 2016, security dominated. With the RSA Conference starting today, here’s a recap of some of those IoT security predictions.

Nathaniel Borenstein, inventor of the MIME email protocol and chief scientist, Mimecast

“The maturation of the IoT will cause entirely new business models to emerge, just as the Internet did. We will see people turning to connected devices to sell things, including items that are currently "too small" to sell, thus creating a renewed interest in micropayments and alternate currencies. Street performers, for example, might find they are more successful if a passerby had the convenience of waving a key fob at their "donate here" sign. The IoT will complicate all aspects of security and privacy, causing even more organizations to outsource those functions to professional providers of security and privacy services.”

Mark Coderre, National Practice Director, OpenSky

“Attacks on connected cars, connected medical devices, and connected critical infrastructure have all hit the headlines in the recent past; and this is just the tip of the iceberg. The Internet of Things is proving to be a treasure trove for hackers. When developing networked devices, manufacturers are still placing more value on features than on security. "Security by design" must become an integral factor in development so that innovations win over increasingly security-conscious users. Additionally, the relevance of Cyber Threat Intelligence (CTI), as a part of a proactive information security program, will become essential for information security. In response to increasingly dynamic threat situations, it is critical for organizations to be able to identify evolving methods and emerging technology trends used by the cybercriminal, and then to continually assess their capability in this regard. Because many organizations don't have access to internal specialists, they will need to turn to external experts from the CTI sector. Effective cyber security will require knowledge and understanding of the capabilities and intent of threat actors. Who are they? What do they want? What can they do? Organizations will define threat more specifically (i.e. less reliance on vague terms like "vulnerabilities"). We will see an emphasis on threat actors with means, motive, and opportunity being tracked. Understanding motive will become crucial for prioritizing resources.”

Laurent Philonenko, CTO, Avaya

“Surge in connected devices will flood the network – the increasing volume of data and need for bandwidth for a growing number of IoT connected devices such as healthcare devices, security systems and appliances will drive traditional networks to the breaking point. Mesh topologies and Fabric-based technologies will quickly become adopted as cost-effective solutions that can accommodate the need for constant changes in network traffic.”

Lila Kee, Chief Product Officer and Vice President, Business Development, GlobalSign

“Prediction: PKI becomes ubiquitous security technology within the Internet of Things (IoT) market. It's hard to think of a consumer device that isn't connected to the Internet these days - from our baby monitors to our refrigerators to our fitness devices. With the increase of connected devices of course comes risk of exposing privacy and consumer data. But, what happens when industrial devices and critical infrastructure connect to the Internet and get hacked? The results can be catastrophic. Security and safety are real concerns for the Internet of Things (IoT) and especially in the Industrial Internet of Things (IIoT). Regarding security, the industrial world has been a bit of a laggard, but now equipment manufacturers are looking to build security in right at the design and development stages. Unless the security challenges of IIoT can be managed, the exciting progress that has been made in this area of connected devices will slow down dramatically. PKI has been identified as a key security technology in the IIoT space by the analyst community and organizations supporting the IIoT security standards. In 2016, we expect that PKI will become ubiquitous security technology within the IoT market. There will be an increased interest in PKI, how it plays in the IoT market and how it needs to advance and scale to meet the demands of billions of devices managed in the field.”

Lasse Andresen, CTO, ForgeRock

“Chip to cloud (or device to cloud) security protection will be the new normal. As business technology advances, the security data chain continues to grow, presenting an increasing number of opportunities for hackers to break in. With most data chains now spanning the full spectrum of chip, device, network and cloud (plus all stages in between), many organizations are starting to realize a piecemeal approach to protection simply isn't effective. This realization is spurring the adoption of more 'chip to cloud' security strategies, starting at the silicon level and running right through to cloud security. In this model, all objects with online capabilities are secured the moment they come online, meaning their identity is authenticated immediately. In doing so, it eliminates any window hackers have to hijack the identity of unsecured objects, thus compromising the entire data chain via a single entry point.”

Thorsten Held, Co-Founder and Managing Partner, whiteCryption Corp.

“Ransomware, a means whereby a hacker takes over a device and demands a ransom to remove the restrictions, will creep into biomedical devices in 2016. To thwart life-threatening consequences, medical device manufacturers will be looking for diverse ways to address these types of security flaws using more stringent, agile security solutions against the malware threats.”

Sam Rehman, Chief Technology Officer, Arxan Technologies

“Security regulation will make a meaningful impact for medical and other IoT devices: Regulatory requirements have generally been viewed as helping to drive organizations to meet minimum security standards. However, the overall security effectiveness or impact of regulatory requirements has been nominal. We can expect to see a much more meaningful advancement in the rigor of security requirements laid down by the regulators in 2016. This is partly due to accelerated advancements in public-private threat intel-sharing, and the regulators' acknowledgement of the need to seek out cutting-edge threat data and security best practices from the organizations that are on the front lines of defending against them. For example, in IoT, the FDA is making significant improvements in beefing up minimum security requirements for medical devices, which could otherwise pose grave safety risks to people, care providers, and medical device manufacturers that depend on their trusted operation. Since the vertical markets are so intimately interconnected, we will also see more teeth behind enforcement of security requirements.”

Marty P. Kamden, CMO, NordVPN.com

“While facing the major transformation of our daily lives because of IoT, we are not completely ready to face related security issues. Since IoT networks will significantly grow in 2016, privacy and security issues related to web-enabled devices will mirror this change. For example, in August of 2015 hackers remotely seized control of over a million Chrysler automobiles, showing ability of having the full control of the cars – activating the windshield wipers, turning the radio and air conditioning on or disengaging the car’s transmission. To start tackling increasing online security threats, there are simple security measures that every Internet user should learn about, one of them being VPN (Virtual Private Network). VPNs will be increasingly popular in 2016 as security and privacy issues online will become more prominent, encouraging people to start encrypting their devices' online data, securing transfer of sensitive data, etc. NordVPN, one of the most advanced VPN service providers on the market, 256-bit AES encryption, is available on 6 devices on one account and has zero log policy.”

Ian Worrall, CEO, Encrypted Labs, Inc.

“The Blockchain has the ability to transform business similar to the Internet. With IoT, a major issue inhibiting its growth is how to manage the vast amount of data that will be stored around it. I think the answer to this is by leveraging distributed system technologies such as permissioned-server networks (Private Blockchains) or maybe even utilizing the Bitcoin Blockchain. A key aspect of this is inter-corporate collaboration between the networks of big data companies. This is crucial because the larger a single datacenter (one company) becomes, the harder it is to manage & secure. To do so efficiently it would involve (in some cases) competitors working together. This not only facilitates the management of this data, but secures it more effectively through distributed storage encryption. The companies willing to collaborate will succeed, while those overly competitive to control the space will inevitably fail long-term and short-term are impeding industry growth.”

Trevor Daughney, EVP, INSIDE Secure

"IoT device makers are realizing that they need to secure IoT devices to protect their reputations and customers. In 2016, IoT device manufacturers will pivot from asking 'why is security needed' to asking 'how do I implement security.' They will look to control data access and protect data at-rest, in-motion and in-process using a combination of software and hardware security measures."

More thoughts on IoT security can be found in our post here.


BYOD + IOT ≠ Security.

Last year, the number of smartphones in the world hit a new record. Out of the 4.55 billion cell phone users worldwide, 1.75 billion of those were using smartphones. Users are rapidly switching to smartphones as these devices become more affordable, and as 3G and 4G networks are introduced into key markets, allowing faster than ever data transfer rates. For businesses, this increasing smartphone penetration has significant implications. As more businesses adopt BYOD (Bring your own Device), IT security professionals and CIO leaders will need to address the issues of security that are introduced as business data is taken on the road, and exposed to external networks.

How Does BYOD Impact IT Security?

Data security consultants, and anyone involved in information technology or management, will need to be clear on the risks that are introduced with BYOD.

A company that allows BYOD is able to receive great benefits from doing so. Systems that allow for users to bring their own devices mean that staff are able to use devices that are familiar to them, which can reduce training time and increase efficiency. At the same time, businesses can save significant amounts of money on IT procurement, because users are bringing their own cell phones, tablets, and even laptops, from home.

There are even benefits to recruiting - new hires will be more comfortable with their own device and the option to bring it in, instead of having to juggle phones and computers.

Even with these key advantages, there are some problems to overcome. The biggest challenge with BYOD is security. A BYOD device would be almost worthless if it didn’t have sufficient access to a corporate network, so that a staff member can easily obtain the information and run the applications that they need to perform their jobs. This means opening up access to systems which would have previously been protected by closed networks accessed by in-house devices, with security enforced through strict and robust security policies.

Another challenge exists when employees leave a company. Because they take their devices with them, there needs to be a mechanism in place that prevents access from devices that are no longer associated with an authorized staff member. Compared to a model without BYOD, this adds another layer of security, and a number of process layers within the organizational structure of a business. Without addressing this type of situation, businesses would be putting themselves at significant risk.

Security Is Even More Important than Ever with IoT

The Internet of Things has been called the future of business, computing, and entertainment. Indeed, IoT covers all of these areas, whether you look at a smart TV, an internet capable MRI machine, or even the cloud services that deliver email, streaming video, or music, to devices that will work from anyplace where there is an internet connection.

IoT exists in complex industries, too. Consider a production line that utilizes networked sensors along the line, which then transmit data in real time between ordering systems, packing robots, and even dispatch centers, to coordinate logistics. Considering the data that is collected using IoT sensors, and then the possibilities there are to interface with this data by using BYOD devices, it becomes clear that a system utilizing IoT technologies and BYOD access policies, needs to be secured to the highest industry standards.

Security breaches could mean that an unauthorized party is able to gain access to production data or even sensitive manufacturing secrets, or that a previous employee is able to take data and learnings to a competitor, using their own device that was once legitimately authorized through BYOD policies.

Similar risks exist in any industry. If you are an IT data security consultant within a contact center business, you could be tasked with protecting CRM systems, billing information, payment gateways, and other critical systems. Sales reps, telephone agents, and remote staff could all be using BYOD devices to connect to a decentralized cloud solution. Ensuring that access control and other security measures are present, will be a core aspect of the solutions that you design and implement. The reality is that a single violation can expose your entire network, making it critical to hire the right people and solve for these problems internally and for your clients.

Who are The Big Players in IT Security Today?

You only need to look at the world’s largest information security consultancies to see that data security is a big business.

Deloitte, currently the biggest player in IT security, made over $2 billion in revenue from security consulting in 2014. Other leading companies are seeing similar growth, with all of the top five, including IBM and KPMG, seeing revenue growth in security consulting. All of the top five exceeded 5% growth between 2013 and 2014.

This means that not only is there a clear growing need for security consulting, but also that there will be an increased demand for IT security consultants who are experienced in the latest technologies, including cloud and IoT technologies. The demand has been partially spurred on by high profile data security breaches, especially those at government level.

Businesses and Professionals Should Prepare for a Growing Market

Not only do businesses need to assess and respond to their needs regarding BYOD, IT security, and overall risk management, but they will need to begin to seek the most qualified consultants to lead their security initiatives.

Likewise, qualified candidates who are entering the job market need to seek out the most promising opportunities, such as those that exist with businesses where they will have the opportunity to demonstrate their expertise in new and emerging IT technologies.

Moving forward, the businesses and professionals who recognize the importance and opportunity within data security consultancy, will be the ones who benefit the most in the next five years, when both IoT and IT Security are expected to experience drastic market growth.

How are you hiring to fill the need? Let's talk and see how your BYOD security concerns can be solved with a single hire - IOT Security Officer.


Cloud computing vulnerabilities

When considering a migration to cloud computing, you have to consider the following security issues to enhance your data safety.

Session Riding

Session riding occurs when an online attacker steals an internet user’s cookie and later uses the application as the real user. Attackers might also use CSRF attacks to trick the user into sending authenticated requests to arbitrary websites to accomplish various missions.

Virtual Machine Escape

In virtualized environments, physical servers run multiple virtual machines on top of hypervisors. An attacker can remotely exploit a hypervisor through a weakness present in that particular hypervisor. Such vulnerabilities are pretty rare, but they are real. A virtual machine can also escape the virtualized sandbox and gain access to the hypervisor, and consequently to all the virtual machines running on it.

Unsafe Cryptography

Cryptographic algorithms normally rely on random number generators, which draw on unpredictable information sources to build a large entropy pool and produce truly random numbers. When a random number generator has only a limited entropy pool, its output can be brute-forced. On a client computer, the main sources of randomness are the user's mouse movements and key presses. Servers, however, normally run without user interaction, which means fewer sources of randomness are available. Virtual machines therefore have to rely on whatever sources are available to them, which can lead to easily guessable numbers that contribute little uncertainty to cryptographic algorithms.
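To make the entropy point concrete, the following added example (not from the original article) builds a 128-bit token from a generator seeded with a boot timestamp known to within one hour, so only 3,600 outputs are possible and enumeration finds the seed; `secrets` draws from the operating system's CSPRNG instead. The timestamp, window and function names are constructed for illustration.

```python
import math
import random
import secrets

TOKEN_BYTES = 16  # 128-bit token: looks strong, but only if the seed is


def weak_token(seed: int) -> str:
    """Token from a general-purpose PRNG seeded with a low-entropy value,
    such as the second at which a freshly cloned VM booted."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Token drawn from the operating system's CSPRNG."""
    return secrets.token_hex(TOKEN_BYTES)


def search_seed_window(token: str, start: int, end: int):
    """Enumerate every seed in [start, end]; return the one that reproduces
    the token, or None. Cost grows with the window size, not the token size."""
    for seed in range(start, end + 1):
        if weak_token(seed) == token:
            return seed
    return None


def effective_bits(candidates: int) -> float:
    """Entropy of a uniformly chosen seed among `candidates` possibilities."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed scenario: the VM booted at some second inside a known hour.
    window_start = 1_456_790_400          # constructed Unix timestamp
    window_end = window_start + 3_599     # one-hour window, 3,600 candidates
    boot_second = window_start + 777      # the value an auditor does not know

    token = weak_token(boot_second)
    found = search_seed_window(token, window_start, window_end)
    print("token length in bits: ", TOKEN_BYTES * 8)
    print("effective entropy:     %.1f bits" % effective_bits(3_600))
    print("seed recovered:       ", found == boot_second)

    # The same search against a CSPRNG token finds nothing: its value does
    # not depend on any small, enumerable seed.
    print("CSPRNG token matched: ",
          search_seed_window(strong_token(), window_start, window_end) is not None)
```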

CSP Lock-in

You have to choose a provider that guarantees cloud security and will let you shift easily to another provider when necessary. You do not want to choose a CSP that will force you to use its services, because sometimes you would prefer to use one CSP for one thing and another CSP for something different.

Cloud computing threats

Before you decide to shift to cloud computing, you have to take the platform’s security vulnerabilities into consideration. You also need to assess the possible threats to determine whether the cloud platform is worth the risk, given the numerous advantages it has to offer. The following are the major security threats regarding cloud security.

Ease of Use

It is a reality that cloud computing services can easily be exploited by malicious attackers, since the registration process is pretty simple. You are only required to have a valid credit card to get started on this platform. In some cases, you can even pay the cloud computing charges through PayPal, Payza, Bitcoin, Western Union or Litecoin. By using these payment methods, you can stay completely anonymous. The cloud platform can be used for various malicious purposes like malware distribution, botnet C&C servers, spamming, DDoS, hash cracking and password cracking.

Secure Data Transmission

When sending the data from clients to a cloud computing platform, the data can be transferred by using a secure, encrypted communication channel such as SSL/TLS. That prevents various attacks like the dreaded MITM. During these attacks, your online data could be stolen by an attacker intercepting your communication.

Insecure APIs

Most cloud services are exposed through their application programming interfaces (APIs). Since the APIs are easily accessible from any location on the Internet, malicious attackers can exploit them to compromise the integrity and confidentiality of the users. If an attacker obtains a token that a legitimate user uses to access the service through the API, the attacker can use the same token to interfere with that customer's data. Hence, it is imperative that all cloud services provide a safe API to prevent such attacks.

Malicious Insiders

It is possible for a staff member at a cloud service provider to have complete access to your confidential resources. Therefore, cloud service providers should set proper security measures to track their employee actions. Normally, cloud service providers never follow the best security procedures and fail to implement security policies. Hence, their employees can collect confidential information from customers without getting detected.


Originally posted on Data Science Central


With the cloud changing the way big data is modernized, service providers and security organizations have to work harder to ensure the security of Big Data for their consumers. Security breaches have increased because traditional security technologies lack the capacity required to detect and protect against such attacks. In view of this rising issue, let's look at what companies in Silicon Valley are doing to make big data more secure.


IBM and security of Big Data


IBM has launched a Security Intelligence with Big Data platform to ensure threats and risks are detected. IBM's platform can help businesses address APTs, fraud and insider threats. IBM is helping its clients to answer questions that could never have been answered before. For instance, the new Security Intelligence with Big Data platform helps clients analyze emails, transactions, social media data, documents and full packet data over years of activity. With this kind of analytic capability, organizations can find malicious activities hidden in the big masses of data.


HP's Big Data Security strategy


HP makes use of knowledge management apps and Autonomy enterprise search and integrates them with security information and event management (SIEM) to analyze the massive data. According to Varun Kohli, the director of product market and enterprise security products, it is possible to reveal rogue employees' behavior related to data leaks, and to learn in advance of plots against the organization by cyber criminals. HP believes Autonomy gives meaning to the data so that analysts are able to find out what people are saying, both negative and positive.


Platform services


The Blue Coat (bluecoat.com) security platform is positioned to secure data for its clients across five advanced solution areas: Advanced Threat Protection, Advanced Web and Cloud Security, Encrypted Traffic Management, Incident Response & Network Forensics, and Network Performance & Optimization. The platform aims to deliver cohesive visibility, protection and integration including:


- Providing a management environment to ensure operational teams can manage, enforce policies using a single platform whether in the cloud, on premise or across the platform. The plat


- Intelligence – protection of data is real-time, an effort that requires integrated intelligence to ensure an organization is able to adapt to rapid advancing threats.


Microsoft Big Data Security


To help all its clients move to the cloud and feel more secure, Microsoft launched its new security features of its well-known Azure SQL Database. New security steps include:


- Encryption – referred to as "always encrypted", it helps businesses protect sensitive data without "having to relinquish the encryption keys to Azure SQL Database". This means that data remains encrypted on disk, in memory, in transit and during processing.


- Transparent data encryption – helps businesses comply with requirements by encrypting the databases, associated backups and transaction log files without making changes in the applications.


- Azure SQL database – to support authentication.


- Threat detection – alerts the users on suspicious database activities on logical server or the database itself.


Companies may fail to keep their Big Data secure for the following reasons:


- They fail to view data security in all dimensions.


- Failure to have a cutting-edge comprehensive information security plan.


- Failure for many businesses to see data security as a business problem but instead as an "IT Problem".


- Failure to classify data and trade secrets.


The importance of securing Big Data for the business includes:


- Ensure accuracy – when data in the cloud is secure, every employee has confidence in the values and information.


- Security of confidential information – an organization has to ensure trade secrets and employee personal information are protected among other information to ensure the business does not run in to a crisis.


- Availability – when data is secure, it is accessible as long as internet connection is available. Security of Big Data means information can be accessed at any time regardless of location.


- Prevent opportunistic hacking – when Big Data is not secure, hackers may try to breach the low security level with the aim of destruction and stealing confidential information.

Originally posted on Data Science Central


2016 Trends in Big Data & Network Security

Guest blog post by Srividya Kannan Ramachandran

I attended the Carrier Network Security Strategies conference (#CNSS2015) held by Light Reading in NYC on Dec 2. I also attended the New Jersey Tech Council’s Data Summit (#NJTechCouncil) on Dec 9. The main topics of discussion in the conferences were around securing the perimeter of networks and protecting customer, carrier and network data. Here is a brief summary of what I learned in these two conferences about managing and operating networks securely and protecting data.

1. The perimeter of a network as we know it does not exist anymore.

The traditional network security paradigm of securing the perimeter of the network so as to not allow malicious users to enter the network has changed now. The explosion of the devices that connect to networks and the mobility aspect they come with makes this securing extremely challenging.

2. Sharing threat intelligence allows for collaboration in developing strategies to identify and combat threats that occur on the internet.

There are many consortiums of companies today that pledge to share threat intelligence so as to make the information world safer.  The Cybersecurity Working Group of the CTIA - The Wireless Association in the US, and the European Telecommunications Standards Institute’s Network Function ... are doing a lot of advocacy and development work in the security area.

Christer Swartz from Palo Alto Networks gave a keynote address at CNSS where he talked about a futuristic model where we have the next generation firewall and advanced endpoint protection software talking with not only each other but also with a cloud based service that hosts threat intelligence – call it the threat intelligence cloud.

Chris Richter from Level 3 Communications also delivered a keynote highlighting the benefits of collaboration amongst carriers in a landscape where cyberattacks are increasing in number. He also mentioned a Wall Street Journal news article that describes how Level 3 thwarted a serious global hacking attack.

Chris Bream from Facebook reinforced the same idea of how Openness is key to increased Security. Lack of collaboration hurts companies that try to protect themselves and protect their customers. He talked about Facebook’s Threat Exchange – an API based platform where companies can share threat data. Companies like Netflix and AT&T have been using this platform already. This type of information exchange platform really helps smaller business to thrive because it helps them gain access to knowledge that was otherwise unavailable and very hard to acquire.

3. The players that are thinking about security are:

  • Telcos & internet service providers
  • IoT device manufacturers
  • OEMs for networking gear
  • Enterprise customers
  • End-user customers

Merely having antivirus software running on equipment connected to your network isn’t going to solve security needs. The Internet of Things is going to bring 8 billion connected devices online by the end of this decade. Experts from around the industry unequivocally agree that about 70% of these IoT devices are not being secured correctly. And if the perimeter of a network is now the perimeter of the internet, then all the players listed above have to think about security.

4. Big Data: Monetize and Protect

There are primarily two things to do with big data: monetize and protect. And both are equally important. No matter what else we do with big data, security and monetization almost always are also in the mix. Even if we are talking about platforms, and algorithms that we use to analyze big data, we are still talking about security when using cloud computing applications or monetization when describing the purpose of the analysis. Even if we talk about storing the data on the cloud, we are actually talking about being able to store and retrieve that data securely, and being able to perform access control and audits on it.

In the Data Summit at NJTC, there was a panel called Monetizing While Securing Big Data and in CNSS, there was a panel called Security: The Future of Monetization Opportunities for Service Providers.

In the former panel, Paul Zikopoulos from IBM shared an interesting quote – “If you are not paying for it, you are the product being sold.” There was a discussion on the massive governance challenges around the ownership of metadata in the big data revolution. Tom Mullen from Level 3 elaborated on how, owing to, or actually despite, the inflection point in computing, the world is quickly moving from data collection to data analysis mode.

In the latter panel, the discussion pivoted around monetizing security as a service (SecAAS). The panelists helped identify that small and medium businesses will require a lot more handholding when implementing SecAAS products on their network, while large enterprises would have some form of their own security infrastructure and hence could work with a less customized version of a SecAAS product.

I hope this provides you with a summary of all the current and important topics of discussion amongst practitioners in the field.


Guest blog post by Bhavin Shah

From the moment you walk out of the front door, it gets locked behind you even if you just missed out on locking it personally. From that moment, robotic intelligence takes charge and keeps you informed about whatever is going on in your home when you are away – Is your pooch scratching at the newly bought sofa? Is your kid doing his homework or whiling away the evening with his favourite cartoon? Did you forget to switch off the TV before you left for work? Has your garden been sprinkled adequately?

Such, and a lot of other things.

Magical! Isn’t it?

The common notion about smart homes

The smart appliance market would witness a global investment of 15.2 billion USD by the end of 2015.

This figure, in itself, sums up the nature of popularity that smart homes are enjoying. Experts and analysts are of the opinion that this figure would radically grow in the next few years and the next generation would be living in a smart wireless era.

Who would not be intrigued by the idea of having everything done at the tapping of a button on one’s mobile phone?

The celebrated hits

When we talk about a smart home, the first thought that comes to our mind is ‘relief from the constant noisy thought that says – What’s happening back at home?’ The remote automation facility also serves the purpose of having your house chores done when you are not personally present to do them!

A smart home, laden with smart appliances, would typically serve three purposes for the owner:

- Keeping the owner informed about stuff when he is not home.

- Performing tasks that have been remotely ordered to be done.

- Performing tasks on the basis of voice commands when the owner is home.

Switching the washing machine on or off, switching off lights, pulling down shades during the day, switching on the dishwasher, setting the television to a ‘kids’ channel’ when your 4-year old kid is coming back home, warming up food....the list is seemingly endless!

This whole idea is fascinating, convenient and, of late, has become an affordable reality too!

But hold on.

Does this coin not have another side, or are we staying blind to the other side of the coin?

 

Are they really hits?

While with a smart home you may rest assured that your house does not need your personal presence anymore to function, at least to the extent of basic chores, it actually exposes you to another daunting question – If you are able to control your home remotely, would someone else not be able to do the same?

You would say, ‘We have automated security solutions, integrated with surveillance cameras and all! Moreover, I control my home, because I have access to control it. How can someone else?’

Ever heard about your emails and accounts being hacked? It was just you who had access to them as well, wasn’t it?

The world of hackers is eyeing an elaborately fantastic time in the near future. With smart homes being implemented in every modern city with an affluent lifestyle, the possibility of breaking into houses and manipulating owners becomes all the simpler! More frighteningly, a remote crime with no physical trace!

An example

I found an example worth sharing in an article at Forbes.

When we talk about smart homes, we conveniently forget that we are exposing our home and every deliberate detail in it to the internet. That would mean, my home along with every inanimate object and every breathing being, is subject to the knowledge of millions of people.

When I know where the safe is, and what the code to open it is, there would be thousands of hackers who are constantly prying to possess as much knowledge about it as I have!

With smart security systems in place, no one would have to take the pains to break into my house! They can just decode the lock code and enter my home without the slightest difficulty.

While the dirt of burglary would be minimised to a huge extent, thanks to the complicated and robust interconnectivity within a smart home, any equipped hacker would now be able to put every alert to silence, remotely switch off every surveillance camera, turn off lights remotely to make visibility difficult, track down my valuables and leave the house without the slightest doubt occurring to my neighbours!

Worse scenario:

Considering the fact that smart homes would witness the affluent class as their first buyer segment, security of life would be a graver problem than material security.

If I have an 8-year-old returning to an empty home at 4 in the afternoon, he is still coming back to a human-less house, susceptible to the clutches of hackers, regardless of how tight the implemented security solution is.

Any ambitious hacker could easily gather every single detail about my son’s commute to the house and from it. This leaves me ridiculously open to an easy kidnapping attempt.

Security is the foremost concern about smart homes, even amongst their creators. Although the market is flooded with robust security solutions, we must not forget that every security system has some loophole or the other.

As such, the idea of exposing one’s home to cloud servers and machines talking to each other seems to be a gamble with privacy and security.

The most applauded solutions

Just like in case of every other virtual ownership, the best hack, not to have a smart home hacked, is a unique password – as unique and as difficult as can be.

Lock your router down, use quality devices and remember to update them. Go with a cloud-service provider who swears by their cloud security facilities. ThingWorx and Freescale are awesome examples. 

Are they fool-proof?

No! Absolutely not! Yet, these small steps help you stay away from harm as far as is within your limits.

Let’s understand one thing –

The more powerful technology grows, the nastier would be the hacks to compromise it. Simultaneously, the more robust would be the security solutions in place.

It is definitely not in our power to contain hacking completely. Not using a technology, when uber is being defined by it, is also nothing less than plain folly. But staying a step ahead in safety is completely in our power.

Visit Volansys Technologies


Data Security Trends for 2016

Data Security Professionals: What You Need to Know NOW: Trends for 2016

There are some scary things happening in data security. Along with the rise of the Internet of Things there has been a corresponding push by hackers to wrest the cloud from us law-abiding folks.

“Gartner is predicting that 6.4 billion connected “things” will be in use globally by the end of 2016 - up 30 percent from 2015 - and that number is expected to reach 20.8 billion by the year 2020. As more Internet connected devices hit the market, so too do the vulnerabilities that come with them, as evidenced by highly-publicized incidents of 2015 where researchers exploited vulnerabilities in planes, guns, medical devices and automobiles.

As the Internet of Things market expands and innovates, researchers will continue to find and uncover exploitable vulnerabilities in these newly connected “things,” which will in turn continue to fan the flames of responsible disclosure.” - Information Management

Companies are having a difficult time finding data security pros who know how to conquer this new frontier of data security in this “every business is an IT business” age.

Information Management Magazine had some cool ideas on this front:

Consolidation of IT Security

Big companies are buying out medium companies and then these really big companies are eating all of the “little fish” in sight. Dell buys EMC. Cisco buys Lancope. They all begin to buy companies like Adallom, Aorato and Secure Islands. It’s not going to stop next year, in fact, it will accelerate.

“It’s worth noting that offering up a “one stop shop” experience is completely different than being able to integrate technologies together to offer a seamless user experience.” Will that seamless user experience include seamless security?

Responsible Disclosure

You’ve got a Certified Hacker on staff who has uncovered some issues that overlap into the public domain. How much are you legally (never mind morally) required to divulge to regulators and/or competitors? According to IM, this issue will only get thornier as 2016 progresses: 

“‘White hat’ hackers, hired to scope out flaws in systems, are already facilitating company / researcher relationships within the technology industry via bug bounty programs. However, it seems that many segments of the manufacturing industry would rather utilize lawyers to block research altogether than address the vulnerabilities that are uncovered. Another option for security researchers to consider is self-regulation, where they accept the risks and responsibilities associated with their findings.”

Smaller Businesses Up Security Spending

Remember the famous hacks of 2015? They were publicized more than ever before. Companies like “LastPass, Securus Technologies, VTech and TalkTalk (are being targeted by) cybercriminals because they’re seen as less secure, while oftentimes owning valuable customer data.” These cyberattacks will grow in 2016.

People in the Cloud Share Responsibility

If you deploy in the cloud you share security responsibilities. Small to medium companies are hiring internally or taking advantage of Cloud Services’ security add-ons in contracts. To get a quick primer, check out Amazon’s shared responsibility model.

The other items in Information Management’s list include improved incident response protocols including communications and crisis management to calm investors and consumers; and enhanced collaboration among our communities as “security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats.” The folks at IM “expect this to increase and become more formalized amongst organizations, industry verticals and individual practitioners over the next year.”

What trends would you like us to keep an eye on for you as a cutting-edge data security specialist or leader? Let us know! We’d love to include your favorite topics right here. Email me. Until then, stay safe!


How Secure are Home IOT Devices, Actually?

The Internet of Things (IoT) is a phenomenon that is currently experiencing huge year on year growth. One of the fastest growing areas within the industry is in the market of home IoT devices. These are devices designed to make life easier, such as connected garage door openers, smart switches, smoke alarms, and even IP surveillance cameras. There are almost 5 billion connected devices being used today, and according to Gartner Research, that number is expected to grow by 500% in the next 5 years.

All of this shows a promising industry, but unfortunately the risks are never covered as much as the growth figures. IoT devices are often designed without a necessary focus on security or user privacy, and this is something that the industry needs to address.

Security Risks for IoT in the Consumer Space

Although IoT can be found in industries as diverse as medical and even manufacturing, it is the home markets that garner the headlines and consumer mindshare. People have come to expect that their security cannot always be maintained online. But the difference with IoT is that we’re not simply talking about passwords, emails, and social media accounts. Instead, we’re talking about access to the garage door, the front door, or even knowing whether or not somebody is home.

There are plenty of examples where common IoT devices have been found to be insecure, or at least at risk of being compromised with relatively little effort.

The Fortify Security Software Unit at HP released case studies last year where they compared ten of the most popular devices used in home IoT. They found that seven out of ten devices had significant security issues. On average, the study revealed 25 security risks in each individual product. The most prevalent problem was that IoT data was unencrypted as it was transferred through wireless networks. Worryingly, six of the devices didn’t even download firmware from encrypted sources. This leaves a possible risk where malicious firmware could be directed to home devices, providing external access for malicious parties.

HP isn’t the only company to have taken an interest in IoT security. Veracode recently published a report that was based on a similar survey of consumer devices. While the HP survey focused on devices like thermostats and lawn sprinklers, the Veracode study included critical devices, such as the Chamberlain MyQ Garage door opener, and the Wink Relay wall control unit. Veracode’s study looked more at risk than actual vulnerabilities, but the results were still significant.

The Wink Relay, if compromised, could allow external audio surveillance inside a user’s home. Information could be used for blackmail, to aid identity theft, or even for industrial espionage in relation to the resident’s employer. The Chamberlain garage door opener, if compromised, could mean that a third party could tell whether a garage door was open or not, allowing opportunities for easy, unauthorized entry.

Even if these devices connect to a relatively secure cloud platform, there’s always a risk that a home network could be compromised, and the fact is, few consumers are even aware of the dangers.

As we move forward, it is clear that security needs to be a top priority within the Internet of Things marketplace. This means that stakeholders need to:

  • Understand the security risks involved with connecting home control devices to the cloud
  • Provide necessary security on their platforms
  • Educate consumers about security risks, and how they can protect themselves
  • Focus on building a talent pool of network security professionals to complement their core IoT development teams

The Internet of Things represents an exciting time in the evolution of consumer, corporate, service based, and industrial technologies. It is important that key developers and manufacturers don’t lose sight of security during times of rapid innovation. With the right talent, and the right approach, the industry can build highly secure infrastructure and devices. This will ensure trust and desirability remain high, with the potential to drive adoption and overall market growth.

 

How does your team ensure practical security with its connected products?


What's Hot in Hiring: Data Security Consulting!

Big Growth in Data Security Provides Opportunities for Consultants

By 2016, the worldwide data security market is expected to approach almost $90 billion in total value. This means that security is big business, and it should be. Data security has become increasingly critical as businesses utilize increasingly complex technology. Likewise, businesses that are directly involved in technology, such as Internet of Things and connected devices startups, cloud service providers, and even internet service providers, all have a vested interest in maintaining the security of their data.

Three Core Influencers on the Security Market

There are three core areas of influence that are driving the key players in data security consulting. Market influencers, according to Gartner Research, include BYOD (Bring Your Own Device), big data, and the security threats themselves.

BYOD is changing the way that SMBs and enterprise clients think about security. In the past, security solutions could be rolled out and controlled across a limited number of devices that were usually owned and maintained by employers. Today, it is more common for executives and staff at all levels to bring their own devices, which can then connect to company applications and networks. This creates the challenge of implementing robust security policies and technologies that can cover a range of devices and access methods.

Increased connectivity has led to increasing levels of "big data" in business. Considering all of the channels where data is collected, whether it be through software, customer interactions, or even data that comes from IoT connected devices, it is becoming critical that big data is not only collected, identified, and categorized, but that it is kept secure. Security in the future will be essential for protecting IP, trade sensitive information, and maintaining privacy.

Finally, the increasing number of security threats is reshaping the market, and will continue to do so in the future. In addition to the attacks and exploits that have been common in the past, data security consulting professionals now have new technologies where compromises must be patched and anticipated. IoT devices, SaaS solutions, and increasingly widespread cloud adoption will be major factors that shape the needs of future data security.

 

Data Security Consulting: What is Hot?

Recent graduates, professionals looking for new opportunities, and even CIOs within existing organizations can anticipate the opportunities and needs, by identifying current roles and niches in the data security consulting market.

A data security role may be completely specialized, or in some cases, generalized and more leadership based, depending on the size of an organization.

Information security can be broken down into two main areas: hardware and software. A data security consultant may be expected to have a wider understanding of their industry, but in reality they will only specialize in some key areas. This means that employers need to be specific about who they’re looking for and the technologies that they use. It also means that jobseekers need to be upfront about their expertise, or they may risk finding themselves in a position that is beyond their current skillset, which could lead to career-impacting underperformance.

As a consultant, the role is to advise, develop, and implement change. This change is usually to address a problem that already exists. In the case of data security, this could mean that a security threat has already been identified, or it could be to mitigate possible threats with new technologies.

  • Consultants need superior application and network penetration skills. This means that they should be able to break down and analyze the way that software works within any environment. This includes input and output channels. Networks need to be understood in the same way. The purpose of this knowledge is to identify where risks exist, or where existing security breaches are occurring.

  • Software algorithms are known to provide false positives, so a consultant needs to be able to identify these, and should have skill in determining viable threats. This will help the consultant to allocate resources where they are most necessary, which can benefit their employer financially.

  • Consultants should build an understanding of the technologies used by their employer. Whenever working on a contract, a consultant will deal with systems that they are unfamiliar with. Understanding the underlying technologies will be critical to implementing successful security solutions. This may require knowledge of cloud computing and infrastructure, IoT protocols and industry practices, or even specifics of networking or programming languages.

  • Successful consultants will be experts in risk management. This should not just include software and hardware, but also their employer’s strategy when it comes to risk management. Some companies are willing to accept higher levels of risk, while some have more stringent expectations. Understanding the culture of any particular company will be critical.

 

As Data Becomes More Important, Security Consulting Becomes a Necessity

It does not matter whether a business processes EPS payments, collects consumer information for a large retail operation, or even deals exclusively in cloud technology and the Internet of Things. The reality is that, as long as they are collecting and storing data, they will need dedicated security professionals.

Protecting that data for commercial and privacy reasons will best be achieved with the right candidates, who have the skills and experience to deal with security threats in the modern business landscape.

I found a great resource for planning for and making decisions about information security at the Gartner Research Security and Risk Management page.


Security challenges for IoT

Guest blog post by vozag
 

The emergence of IoT presents security challenges greater than any that industrial systems have seen.

The Open Web Application Security Project (OWASP) is a reputed international organization which focuses on improving the security of software. It sponsors the hugely popular Top Ten project, which publishes the top ten security risks for web applications all over the world.

 

The “OWASP Internet of Things (IoT) Top 10” project defines the top ten security surface areas presented by IoT systems. The project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.

 

Last year HP, which started this project, used it as a baseline to evaluate the top ten IoT devices that were widely used, and released a report. The study concluded that, on average, each device studied had 25 vulnerabilities listed as part of the project.

 

The top 10 vulnerabilities and the impact of each vulnerability, in the order listed in the project, are given below:

 

Insecure Web Interface

Insecure web interfaces can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete device takeover.

 

Insufficient Authentication/Authorization

Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.

 

Insecure Network Services

Insecure network services can result in data loss or corruption, denial of service or facilitation of attacks on other devices.

 

Lack of Transport Encryption

Lack of transport encryption can result in data loss and depending on the data exposed, could lead to complete compromise of the device or user accounts.

 

Privacy Concerns

Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.

 

Insecure Cloud Interface

An insecure cloud interface could lead to compromise of user data and control over the device.

 

Insecure Mobile Interface

An insecure mobile interface could lead to compromise of user data and control over the device.

 

Insufficient Security Configurability

Insufficient security configurability could lead to compromise of the device whether intentional or accidental and/or data loss.

 

Insecure Software/Firmware

Insecure software/firmware could lead to compromise of user data, control over the device and attacks against other devices.

 

Poor Physical Security

Insufficient physical security could lead to compromise of the device itself and any data stored on that device.

