All posts by F Khan

About F Khan

Tech-junkie, with a special affection for security issues as they relate to telecom and enterprise, mobile, standards, social media, and gadgets.

How to secure your startup

It can be both hectic and rewarding to start a new venture. After being around startups since 2000, I know how you feel. While it can be overwhelming, you need to know how security and privacy play a part in your success.

First of all, do not ignore security, despite what many venture capital groups preach; that advice is pure BS. By designing security and privacy into your solution you will be miles ahead of your competition.

Here is how you need to approach this complex problem (which is not actually complex, but people feel better when you tell them how complex it really is).

1. Conduct a risk assessment against both your product and your company to determine what data you collect and how it is collected, processed, stored and destroyed. I recommend ISO/IEC 27005 as the framework for this. As you step through the process you will need to consider every aspect of your solution, including but not limited to hosting, OS, plugins, modules, binaries, daemons, services, programming languages, authentication, logging, encryption, databases, etc. You get the point. Focus on how each of these elements is integrated, and test each one to confirm that you did not actually introduce any vulnerabilities.

2. Threat model your solution to determine how it can be attacked... because it will be. There are several frameworks for this. Pick one, use it, and make it part of a simple but efficient SDLC.

3. Know the laws and regulations that affect your product, not just where you operate today but in every geographic region where you plan to do business. These become requirements for your product.

4. Unit test each risk you identify. For every risk in your assessment, create a unit test that validates the mitigation and confirms the risk has been reduced to an acceptable minimum, so the test suite becomes the evidence that the assessment was acted on.
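Here is what step 4 looks like in practice, as an added example that is not part of the original post: a small risk register whose entries each point at the unit tests that verify their mitigation, plus a coverage check that flags any risk nobody has written a test for. The risk IDs, threats, and the two product functions under test (a PBKDF2 password store and a log-line sanitizer) are constructed for illustration and are not from any real product.

```python
"""Risk register wired to unit tests (added example, not from the post).

Each RISK_REGISTER entry is a risk from the assessment (IDs, threats and
mitigations are constructed for illustration).  Every risk must name at
least one test; run_register() reports a risk with no test as "uncovered"
so a mitigation cannot silently go unverified.
"""
import hashlib
import hmac
import os
import re

# --- mitigations under test (hypothetical product code) ----------------------

PBKDF2_ITERATIONS = 200_000   # tune upward for production; kept modest here


def hash_password(password: str, salt: bytes = b"") -> str:
    """Mitigation for R-001: store a salted PBKDF2 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored hash."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def log_line(user: str, event: str) -> str:
    """Mitigation for R-002: strip CR/LF and other control characters so a
    user-supplied value cannot forge a second log entry."""
    return f"user={_CONTROL_CHARS.sub('?', user)!r} event={event}"


# --- tests, one or more per risk ---------------------------------------------

def test_r001_no_plaintext_credentials():
    stored = hash_password("correct horse")
    assert "correct horse" not in stored
    assert verify_password("correct horse", stored)
    assert not verify_password("wrong", stored)
    assert hash_password("correct horse") != stored   # salted: no shared hashes


def test_r002_log_injection():
    forged = "alice\nuser='admin' event=login_ok"
    line = log_line(forged, "login_failed")
    assert len(line.splitlines()) == 1                # forged entry never appears
    assert line.endswith("event=login_failed")


RISK_REGISTER = {
    "R-001": {"threat": "credential database theft",
              "tests": [test_r001_no_plaintext_credentials]},
    "R-002": {"threat": "log forgery via user input",
              "tests": [test_r002_log_injection]},
    "R-003": {"threat": "session fixation", "tests": []},   # not yet mitigated
}


def run_register(register=RISK_REGISTER) -> dict:
    """Run every risk's tests.  Returns {risk_id: "pass" | "fail" | "uncovered"}."""
    results = {}
    for risk_id, entry in register.items():
        if not entry["tests"]:
            results[risk_id] = "uncovered"
            continue
        try:
            for test in entry["tests"]:
                test()
            results[risk_id] = "pass"
        except AssertionError:
            results[risk_id] = "fail"
    return results


if __name__ == "__main__":
    for rid, status in run_register().items():
        print(rid, status)
```

Wire `run_register()` into CI and fail the build on any "fail" or "uncovered" result; the uncovered R-003 entry is deliberate, to show that the register, not the test runner, is what tells you a risk was assessed but never verified.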

Here is the secret formula for security success (Sssshhh, don't tell anyone):

TRA (Threat and Risk Assessment) + Regulatory + Threat Modeling + Testing/Verification = Security Success

Some keys to success

1. Keep it simple, but create an SDLC that drives security into your solution now. This will save you money down the road. If you have to completely redesign your software two years from now to deal with security, the costs will be prohibitive. Trust me, you will learn this the hard way.

2. Not all risks can or need to be eliminated. You need to reduce them to a level that you and the other founders are willing to accept. Keep in mind that some privacy laws and regulations cannot be ignored; those risks you must mitigate to a bare minimum.

3. Keep documentation of all your activities. You will need it when a partner or customer sends in their auditors, because they will.

4. Once your company is about 6-12 months old, consider drafting some policies and procedures so that new employees understand the security culture you are building.

Good luck, and realize that you can simplify the security process, but do it now! It will save you time and money down the road. I will also point out that 68% of SMBs that experience a data breach are out of business within two years. Hopefully that is motivation enough.


Evaluation of an IoT Solution

After attending the latest IEC SC 41 and ITU SG20 meetings in Japan and China, I am still surprised that many are unsure how to determine the risk of an IoT solution. One thing that complicates matters is the concept of a System-of-Systems (SoS) for IoT. If you break it down, most IoT solutions are an SoS. The device alone is a full-fledged system that includes hardware, software, an OS, a server and an application at a minimum. Then add the mobile application and the cloud hosting for the data and application layers.

The first place to start is quantifying the risk: if this system were compromised, what impact would that have on the organization using or deploying it? Questions to ask include:

a. Can the device or service be weaponized because of weak design or a lack of formal design review and testing?

b. Does the system, at any level, store Personally Identifiable Information (PII), which is subject to very specific regulations in many jurisdictions?

c. Does the vendor have a Secure Development Lifecycle (SDLC)?

d. Does the vendor have company policies and procedures that cover developing a secure product? This opens up many other aspects that need to be considered, including privacy by design, an audit process, a risk register, etc. Security is an ongoing process, so this should be easy to prove from the way the organization operates and deals with security.

e. Only use products that can be validated as authentic; no grey-market goods.

f. Have your solution verified by a third party that is certified to conduct formal audits of these solutions.

g. Ensure that any penetration testing that was conducted covered all components, not just the device.

As a footnote, please keep following ISO/IEC 27030 (Security and Privacy in IoT) and ISO/IEC 30149 (IoT Trustworthiness Framework), two key works that will aid industry and buyers of IoT solutions. These two projects will help drive the requirements vendors should consider, and will help in comparing solutions on the basis of their security and privacy features.


Meeting Report – ISO/IEC SC27 Gjovik, Norway

We just wrapped up another week of ISO meetings for SC 27, this time in Gjovik, Norway. A few updates to share:

  1. We are making progress on ISO/IEC 27030 Security and Privacy for IoT. We just completed our WD1 review, which focused mainly on structure but also took some privacy inputs from experts from Singapore and India. Our Japanese experts identified many new controls to be added, including a request that our control format align with ISO/IEC 27002.
  2. Our next stage is WD2, and we hope the experts continue to provide more content so that we can build out a strong version of the document for one more WD round.
    Based on suggestions from the vendors in attendance, it seems that vendors want a checklist of a few items that would indicate their device is secure. While this might help the vendor community, it is not the right approach: cyber security consists of many moving parts, including how a company operates and the product it produces, not just a device in the IoT context.
  3. On the privacy front, it seems that GDPR has had quite an impact on the vendor community. As a result, many of the bigger names have grouped together to write a proposal for a data privacy standard in which the vendor, not the user, would own the data. This would include a clause allowing the standard to supersede any local or global regulations. While just a discussion, it represents a very concerning perspective for governments fighting to protect citizen data.
  4. Finally, there seems to be a push from large cloud service providers to remove any requirements from ISO standards. This started in SC 38, which has no shoulds or shalls; it is all maybes and coulds on a good day if you're lucky. If your cloud service provider claims conformance to these standards, it is a sham. Make sure you investigate any vendor's claims and what they have really implemented in the way of security and privacy controls. As usual it is a case of buyer beware when purchasing services, even from the big guys.

It was good to see so many experts from different national bodies and liaison organizations in attendance at the IoT meetings and sessions. Standards Norway did a great job of hosting, and Gjovik and the surrounding region are really beautiful at this time of the year. I hope to get back and see more of this country and its friendly citizens.


Facebook's fall from grace... it's just the beginning

This week I finally felt jubilation over the Facebook story. Not that I want to celebrate anyone's downfall, that is not it at all, but for years I have been telling people about the dangers of using this service. Many laughed and poked fun at me and even told me I watched too many James Bond movies.

Well, I think what is really scary is that this incident only skims the surface of the true problem. What are all these social media and cloud service companies doing with our data? Even the telecom providers all collect your internet access traffic and sell it for money. Yes my friends, we are fully monitored; welcome to 1984.

I hope this serves as a wake-up call to users globally: you really need to think about what a "free" service really means. The "free" aspect is your data; companies have to make money, and you had better determine what you are giving up before you jump in. Start with their privacy policy, and then look at the data they are collecting or could possibly collect. Pictures, conversations, even your mood that day, everything is up for grabs. If this information were leaked, would it cause any damage to you or those close to you?

It is also refreshing to see so many people waking up to the fact that their privacy matters. And it does! In many ISO meetings we constantly have members saying individuals don't care about their privacy anymore. I have been arguing the opposite position. Many users just don't understand the implications of their data being captured, analyzed and sold. Now they do... or at least they are waking up to it.

Now the next issue that is bound to be exposed is Google and all the data it collects on school kids. As many school boards use Google because of operational cost, and most kids use this platform for email and all their documents, who is buying this access and usage data? These are the questions we need to be asking as parents, educators and regulators. This will be the next data breach we find ourselves involved in.


Getting Ready for an ISMS Implementation

So you have decided to take the leap and secure your organization and its data. Where do you start? I would highly recommend getting a copy of ISO/IEC 27001 to get familiar with the terminology and concepts. You can get a copy from our friends at the CSA Group. Once you have it, read it at least once to get an idea of the concepts and the process. It will be dry reading, just a heads up.

So what do you do next?

It typically starts with a gap analysis that documents your current security controls against the mandatory requirements for an ISMS. This covers your current policies and procedures: are they current, do they reflect both business operations and identified risks, do they follow best practices, etc. It is important to point out that an ISMS is more than just policies and procedures, but they do play a large part in it.

Next, a company-wide Threat and Risk Assessment (TRA) is conducted to determine the assets at risk and the controls used to protect them. A "control" in this context is a person, process or technology that mitigates a risk. The assessor evaluates the controls in place and the current risks arising from technology and processes, and even considers contracts with third parties; these findings go into a risk report that quantifies the risks and makes recommendations.

Next, we put it all together in a report and presentation that outlines the cyber risks to the business, recommendations for corrective actions, and possibly a Statement of Applicability (SoA) if your organization is going to seek certification. Realize that you can deploy an ISMS without certification; increasingly, companies are asking partners and suppliers to prove how secure they are before signing contracts, and an ISMS makes this easy. The ISMS will also improve your risk posture and level of maturity over time. Your security maturity might be low to start, but the ISMS builds the necessary plans and identifies the risks to get you there. It also generates the documentation that proves the attention given to cyber risks and counters any claim of negligence against the organization.

If you do implement an ISMS, you first need to create a risk management framework. I will provide more details on this in a second blog post; stay tuned. A risk register is created, along with a project plan for implementing the controls needed to treat your current risks and for recording those risks the organization chooses to accept, which is a valid approach as well. At this point an implementation plan is created to deploy the necessary controls, such as processes, procedures and technologies, to mitigate the risks. The resources required, both financial and staff time, will depend on the risks, the budget and corporate drivers such as compliance and regulatory requirements.

Once the controls are implemented, it is a matter of running a few cycles of the ISMS in action. This is basically Plan-Do-Check-Act applied to your security risks.

Plan (Establish the ISMS) – Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

Do (Implement and Operate the ISMS) – Implement and operate the ISMS policy, controls, processes and procedures.

Check (Monitor and Review the ISMS) – Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.

Act (Maintain and Improve the ISMS) – Take corrective and preventive actions based on the results of the internal ISMS audit and management review or other relevant information to achieve continual improvement of the ISMS.

This is typically handled by the risk framework, which ensures that all cyber risks are identified, quantified and mitigated on an ongoing basis. Once that cycle has run a few times, say over 6 to 12 months, you should be ready for an internal audit and for certification if you decide to go that route.

That's it in a nutshell, folks. Keep in mind that an ISMS can be used by companies of all sizes, not just large ones. Companies are increasingly being asked to prove their cyber security stance in order to win contracts and provide services to larger organizations and regulators. An ISMS is a great way to meet or exceed this requirement.


The Security Poverty Line

What is the security poverty line? It is the baseline below which a company has not implemented the security controls needed to mitigate its risks. Simply put, most companies do not invest enough effort in determining what their 'real' risk is and instead buy into vendor ideas and concepts.

For example, about 20 years ago many companies had significant capital budgets to purchase equipment for their businesses. Since then, many have turned to leasing to control capital expenditure. As with all business, it is about making a profit, and security has always been seen as a barrier to that bottom line.

Security is equated with a sizeable expense the organization cannot possibly take on. Better to be compromised, pay the ransom and lose customer confidence; it might be a small impact if we just spend more money on marketing to cover it up. These are the cost trade-offs being made in businesses globally. Some are waking up to it, but many are not.

I believe we have been asking the wrong questions of our companies and executives. Many executives get freaked out when the topic of cyber security is raised. They are scared of this elephant in the room and choose not to make a decision, which in itself is a decision. The question should become: what can I do to ensure the company I run remains operational and relevant after a cyber incident?

What many executives and managers fail to realize is that they are responsible for protecting their client and employee information. By failing to do so, they are putting their organization below the poverty line.

The minimum characteristics a company needs in order to stay above the poverty line:

a. Quantifying the cyber risks for the organization.
b. A policy and procedure base that reflects the quantified cyber risks.
c. A risk management process that deals with ongoing risks.
d. A review process to ensure the controls deployed are adequate to protect against the current risks as they do change over time.
e. Management's belief that security is important to the overall health of the organization.

If you look at that list, firewalls and other technologies are not on it, and for good reason. They are controls. You must first determine why the firewall is there and what it is protecting you against. Once deployed, you must make sure it is configured correctly, or it provides no protection against threats and gives a false sense of security. This happens way too often. The same can be said of many security products sold; many are misconfigured so that they do not protect against the risk they were presumed to address.

When you look at the corporate landscape, most companies live below the poverty line when it comes to cyber security. Many do not even do the bare minimum, as they believe it is too difficult and scoff at their chances of being targeted. We have already seen executives with this mindset who are now unemployed. Living below the poverty line puts your organization, your staff and your customers at significant risk, and we need to start doing something about it.

I believe the only way this will change is if our governments start to mandate security controls in all organizations regardless of size or sector. We had to change our mindset about seat belts in the 70s to protect vehicle occupants; now we have to change our mindset about cyber security, and unfortunately that is the only path forward.


Three ‘Mission Critical’ Practices for any Development Team

Your company could (and should) be coding like NASA. That’s right – space-surfing, rocket-propelling, humanity-advancing, NASA. Whether you’re developing software to go to Mars or to order pizza with your sneakers, coding should follow a standard that ensures safety and security.

Nowadays, you're likely developing a product or service that handles Personally Identifiable Information (PII) or credit card information, or that controls an IoT device. These are all sensitive, and mishandling them could harm a person or a place. There are three practices to consider to make sure they remain protected.

Keep humanity in mind.

If Michael Bay's 1998 blockbuster Armageddon gave us any indication, apocalyptic asteroids are NASA's greatest concern. That is not true: NASA spends more time protecting astronauts from its own technology than it does training boisterous oil rig workers to save the world.

Specific to coding, NASA has 10 base principles (Holzmann's "Power of Ten" rules) that should be considered for every product or service your organization is developing. These rules were established by Jet Propulsion Laboratory (JPL) lead scientist Gerard J. Holzmann and written with the C language in mind. Holzmann recommends C because of its long history and extensive tool support, although the rules can be generalized to coding in any programming language.

NASA's rules are strict and add time to development if adhered to properly. That said, NASA can't afford to botch a project, and these days neither can tech companies. It is this 'measure twice, cut once' mentality that gives Houston a sigh of relief and will spare your company future hiccups.
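To make the generalization concrete, here is an added example (not from the post, and not NASA or JPL code) that applies the language-independent rules to a Python parser for a constructed record format: a stream of records, each a 1-byte type, a 2-byte big-endian length and a payload. The hardened parser keeps rule 1 (no recursion), rule 2 (every loop has a fixed upper bound), rule 4 (short functions), rule 5 (side-effect-free assertions that lead to a recovery action) and rule 7 (check every return value and validate every parameter). A deliberately naive parser beside it recurses once per record with no bound, so an attacker who sends a long stream can exhaust the stack. The format, the limits and the naive parser are assumptions made for this illustration; the C-specific rules on the preprocessor and pointer indirection have no Python analogue and are not shown.

```python
"""Holzmann's rules applied outside C (added example, not from the post).

Record format (constructed for illustration): type (1 byte), length
(2 bytes, big-endian), payload.  MAX_RECORDS and MAX_PAYLOAD are limits
an implementer would take from the product spec, never from the input.
"""
import struct
from typing import List, Optional, Tuple

MAX_RECORDS = 64                 # rule 2: loop bound fixed by the spec
MAX_PAYLOAD = 256
HEADER = struct.Struct(">BH")    # type, length

Record = Tuple[int, bytes]


def parse_header(buf: bytes, pos: int) -> Optional[Tuple[int, int]]:
    """Return (type, length), or None on bad data; never raise on input."""
    if pos + HEADER.size > len(buf):
        return None
    rtype, length = HEADER.unpack_from(buf, pos)
    if length > MAX_PAYLOAD:     # rule 7: validate every value read
        return None
    return rtype, length


def parse_records(buf: bytes) -> Tuple[List[Record], Optional[str]]:
    """Bounded, iterative parse.  Returns (records, error); error is None on
    success, otherwise a reason plus whatever was parsed before it."""
    records: List[Record] = []
    pos = 0
    for _ in range(MAX_RECORDS):          # rules 1 and 2: no recursion, bounded
        if pos == len(buf):
            return records, None
        hdr = parse_header(buf, pos)
        if hdr is None:                   # rule 7: check the return value
            return records, f"bad header at offset {pos}"
        rtype, length = hdr
        end = pos + HEADER.size + length
        if end > len(buf):
            return records, f"truncated payload at offset {pos}"
        assert end > pos                  # rule 5: invariant, no side effects
        records.append((rtype, buf[pos + HEADER.size:end]))
        pos = end
    # Bound exhausted: recover with an error instead of looping on input size.
    return records, f"more than {MAX_RECORDS} records"


def parse_records_naive(buf: bytes, pos: int = 0) -> List[Record]:
    """What the rules forbid: recursion depth driven by untrusted input and
    no bound, so a long stream raises RecursionError (or worse in C)."""
    if pos >= len(buf):
        return []
    rtype, length = HEADER.unpack_from(buf, pos)
    end = pos + HEADER.size + length
    return [(rtype, buf[pos + HEADER.size:end])] + parse_records_naive(buf, end)


def naive_fails(buf: bytes) -> bool:
    """True if the unbounded parser dies on this input (demonstration only)."""
    try:
        parse_records_naive(buf)
        return False
    except RecursionError:
        return True


def encode(records: List[Record]) -> bytes:
    """Serialize records in the constructed format (used to build inputs)."""
    return b"".join(HEADER.pack(t, len(p)) + p for t, p in records)


if __name__ == "__main__":
    good = encode([(1, b"temp=21.5"), (2, b"hum=40")])
    print(parse_records(good))
    flood = encode([(1, b"x")] * 5000)          # attacker-sized stream
    print(parse_records(flood)[1])
    print("naive parser blew the stack:", naive_fails(flood))
```

The design point is rule 2: the loop bound is a constant from the specification, so the worst-case work the parser does is known before any input arrives, and exceeding it is reported as an error rather than trusted.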

Highlight secure design.

Secure products are created when placing importance on secure design. Secure design is one step in a larger context which includes:

  1. Threat modelling.
  2. A Software Development Lifecycle (SDLC) including:
    1. Secure design.
    2. Secure coding.
    3. Secure testing and evaluation.
  3. Third party assessment of your product or service.
  4. Creation and implementation of a vulnerability disclosure and management process.
  5. Creation and implementation of an incident management process.
  6. Creation and implementation of a data breach process.

There are organizations out there that can support your company's efforts in secure design. The International Organization for Standardization (ISO) provides world-class specifications for products, services and systems to ensure quality, safety and efficiency. With over twenty thousand international standards and related documents published, ISO spans almost every industry, including technology.

Another example is the Open Web Application Security Project (OWASP) – a not-for-profit organization dedicated to helping organizations conceive, develop, acquire, operate and maintain trusted applications.

OWASP has developed a number of tools to aid in building secure software, such as Dependency-Check and ZAP. Dependency-Check inventories a project's dependencies and flags any with known, publicly disclosed vulnerabilities; ZAP is an intercepting proxy that scans a running web application for vulnerabilities.

Keep in mind that adding security at the front end of the product life cycle saves money on the back end, when you would otherwise be calling your lawyer to deal with a lawsuit.

Teach safe ‘sets’.

Teaching an old developer new protocols is kind of like teaching an old dog new tricks – difficult. Many senior developers are set in their ways and find it hard to code with strict (but secure) guidelines. The same could be said for junior developers that graduate with great coding skills but poor security knowledge. Whether your development team is made up of seniors, juniors or both, training them to code securely is necessary to produce secure products and services.

Secure coding training is most effective when it is part of the onboarding process. Your training should establish guiding principles and follow a secure design process. Providing a baseline for your developers, and a training ground for testing it, is a surefire way to teach them how to code securely.

OWASP has another resource called WebGoat, a deliberately insecure web application maintained by OWASP to teach web application security lessons. It is through these war games and hands-on lessons that your developers will truly grasp secure coding.

Coding for the benefit of all.

When developing software for a product or service, think big and small. As you prepare your team for launch, make sure they’re equipped with the proper tools and protocols before all systems are go. Establish a proper baseline, training program and development plan before your developers start coding. Time, money and sensitive information will be saved. From here, highlight secure coding as ‘mission critical’ once a project is in flight.

This is easier said than done, as the pace at which tech companies are expected to operate continues to accelerate. Set timelines with the rationale that when your organization does something, it does it right. Inform your clients that there is more on the line than an unsuccessful project; human lives are often at stake.

Remember: whether it’s a rupture in a shuttle’s oxygen tank or a security breach in a piece of software, failure is not an option.

Written by: DarkKnight


Connecting the Dots for SMBs & Cybersecurity

Does your company's private network ever feel as slow as a VPN? Did someone (other than your IT director) reset your password? Have you been reading emails from a Nigerian prince? If you answered yes, it is possible your company has fallen victim to a cyber attack.

If you're a multinational tech giant, you're probably fine (probably). But if you're an SMB, cyber attacks can destroy priceless data and ravage your bottom line.

Let's look at some stats: it takes most businesses somewhere between 100 and 200 days to detect an attack, and to make matters worse, most SMBs find out from a third party. That means stolen data (likely gone for good) and damaged customer relationships. In addition, SMBs have only a 40 percent probability of staying in business after a security breach, odds Han Solo wouldn't even take.

These days, whether you sell Apple phones or apple pies, your company has an attack surface. An attack surface can be anything from the Internet, to technology, to an employee, and no matter how big your company is, you need to be prepared.

You have been compromised. Now what?

If your network has been attacked, react urgently but do not panic. Instead, have a plan in place. Ideally you developed your plan before the attack, but often that is not the case.

In 2016, more than 375 million new unique malware variants were discovered globally. Cyber criminals are continuously finding new ways to breach security systems, so make sure your plan is adaptable. After a cyber attack, here is the recommended plan of action:

  1. Identify the targeted systems and determine what data was compromised; hopefully you have a backup of that data to restore from. Then take a full bit-level image of each affected disk to capture all files and the current system state, and record a hash of the image so its integrity can be shown later. If possible, disconnect the system from the network but leave the power on to preserve volatile state.
  2. Use the cloned disks for forensics in a protected environment, or hand them over to your cyber security partner for analysis. Work from a verified copy and leave the original image untouched.
  3. Rebuild the operating system from scratch. At this point you have no idea whether a back door has been installed. Assume that it has.

In a cyber attack there is both a technical and a human component to the path of destruction. While you work to get the technical side under control, contact your legal team and make them aware of the situation.

Start dusting off that PR handbook.

Public relations is often neglected by SMBs. Notify your PR team as soon as possible after an attack. If you don't have one, get one; whether you hire full time or on contract is entirely up to you.

In any business, do not try to downplay the situation. Equifax learned this the hard way when it chalked up its massive breach to "Criminals exploited a U.S. website application vulnerability to gain access to certain files." In a blizzard of negative publicity the story snowballed, with the breach ultimately costing the company close to $70 million in fourth-quarter profits. Given time, the hit to its brand credibility will reveal the true losses.

Another PR mistake is deflecting liability. Many executives have taken a stroll down 'Blame Game Lane', which almost always leaves them on the wrong side of the tracks. In 2016, Wells Fargo was fined $185 million for creating two million fake customer accounts, and its CEO immediately blamed 5,300 employees. By not admitting fault, one of the largest banks in the world put its internal and external reputation in serious jeopardy.

“The greatest victory is the one that requires no battle.” – Sun Tzu, The Art of War

While larger companies typically survive, it's no wonder SMBs go out of business so fast. Cyber attacks cost time and money, both of which SMBs can't afford to lose. Many still fail to evaluate their cyber security risks; however, boardrooms are smartening up. It has even been a topic in the NAFTA discussions. Develop a security program and be proactive in testing and quantifying your risks. Businesses of all sizes should test their systems and run 'war games' to prepare for an attempted breach.

Put simply, two words can save your business from a cyber attack: be proactive. The most common means of cyber incursion is social engineering: manipulating people into unknowingly enabling an attack, for example by providing physical access or handing over system passwords. Train your employees, learn to recognize the signs of a breach, and do not open attachments or links from unknown sources.

Cybersecurity is unfamiliar territory for most companies these days, but it is territory worth exploring. As you continue to evaluate your company's security controls, just know we can help you connect the dots.

Written by: DarkKnight


NAFTA Cyber Security Framework

As part of the NAFTA discussions, it looks like the US is looking to add a cyber security component to the mix. Finally, a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that much Canadian Internet traffic is routed through the US. We have to ensure that one country is not in a position to bring about the downfall of another through weak security practices.

Given the current state of cyber security practices among most Canadian SMBs, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does this mean? From the top down, executives are responsible for implementing the security management system needed to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts of how to do this, but I would highly recommend you get a copy of ISO/IEC 27001 and 27002 and build your plan to implement an Information Security Management System (ISMS). Don't let the "information" part of the name fool you; this standard has been written to fully cover the cyber elements of any organization regardless of sector.

The best place to buy these is from our friends at CSA Group in Canada. They offer a security bundle that contains all the base standards to get you started at a very reasonable price.

When you initiate your cyber program, focus on conducting your risk assessments, building your action/mitigation plan and getting those policies and processes nailed down; most of all, education and awareness will be a key element of your success.

Keep in mind that this will not be easy, but the benefits will help you sell your solutions to the US and will help protect your digital assets. What more could you ask for?