All posts by Cid Parato

IoT Security @ Ottawa Meetup

Wow! A very informative evening in front of a full house at the Ottawa IoT Security Meetup (standing room only, actually)! Big thanks to Pascal and Jacques!

Our very own Faud Khan delivered, according to those present, “a very informative and entertaining presentation” on IoT Security.


“Absolutely super informative presentation and a great showcase of the depth of TwelveDot’s knowledge and experience in the security field.”

The presentation explored how to make security and privacy part of the daily business ritual so as to significantly reduce the cyber exposure of products, solutions and the business itself. As such, it provided a look at:

• ISO standardization of IoT

• Security considerations for your organization

• Security considerations at design and development

• Testing and evaluation of IoT solutions

• Privacy considerations and practices

 

FYI – Elements of the presentation are:

IoT Technologies Mind Map – SWG_5_IoT_Technologies_MindMap

IoT Threats and Risks Poster – IoT Threats and Risks

Presentation Slide Deck IoT Security – IoT Meetup Ottawa Presentation Slide Deck – June 28_2016

Q&A: 

  1. When can we get access to the ISO/IEC 30141 Reference Architecture? The information will be available in Fall/Winter 2016. You can keep track of development at the ISO site.
  2. What is the scope of the IoT Reference Architecture? The scope according to ISO 30141 is “This International Standard specifies IoT Conceptual Model, Reference Model, and Reference Architecture from different architectural views, common entities, and high-level interfaces connecting the entities.”
  3. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. More details can be found here.
  4. Why do we have to pay to meet these standards? Doesn’t it harm the whole process? ISO needs a means to pay for the system even after Canada pays its membership into ISO. The base 27000 is free, but others like 27001 etc. do cost a little (about $35).
  5. Who do you call first if you get breached? Do not call your security guy! You should contact your lawyer and have your lawyer contact your security people. This ensures client confidentiality and attorney-client privilege.
  6. Have you looked at Intel IoT development kits with security infrastructure built into the target software? Intel libraries may be investigated more than open source libraries, but they are still vulnerable; always do your due diligence on any solution.
  7. For 3rd party libraries we use well known libraries and Black Duck to test etc. Beyond that, are there other practices that you recommend? Take advantage of the hashes publishers provide (one-way hashes) and ensure they are validated prior to use. Likewise, ensure you are monitoring them via CERT and other vulnerability disclosure services so that you are notified of new vulnerabilities.
  8. What is your minimum recommendation when trying to implement a security plan? Encourage threat modelling at the design stage, identify your data at risk, and have in-depth knowledge of how you are processing, storing and transporting data. Conduct a PIA using ISO 29134; you can find lots of details on this at the PCO site: Privacy Commissioner of Canada PIA.
  9. Can security be a marketable aspect of a product? Absolutely. Security is a very important part of any product and can be a huge selling point, provided it is implemented properly. With breach laws around the world changing, as an executive you need to show due diligence using the process outlined, which provides the necessary outputs.
  10. Is there any industry forum etc. assisting ISO standard development? Prior to beginning a new project, ISO implements a study period to reach out to the community and create liaison relationships. Specific to IoT, WG 10 has liaison relationships with ITU-T, IIC, IEEE and many more. This ensures these standards are not created in a bubble.
  11. What do you think about open source standards (blockchains in particular)? Blockchains can be used in applications tracking ownership or documentation of physical and digital assets. They hold lots of promise; however, many countries look to ISO to provide the necessary guidance on standards. In the case of blockchains, the current open standard is being proposed as the base standard for ISO. As this project is just starting, we are a long way from determining if it will be adopted as the benchmark.
  12. Are any big security companies involved with ISO standards? Many large security companies and non-security companies are involved with ISO standards. The list is much too long for this blog, but most large technology companies are current members of national committees.
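The checksum validation recommended in the answer to question 7 is easy to make routine in a build pipeline. The Python below is an added example written for this post, not code from the presentation or from TwelveDot; the library name, the tarball bytes and the manifests are constructed stand-ins. It parses a SHA256SUMS-style manifest of the kind publishers ship beside a release, refuses MD5 and SHA-1 digests, and compares the computed digest in constant time. One caveat a practitioner should keep in mind: the check only proves that the download matches what the publisher listed, so the manifest has to come from a channel you trust independently of the download mirror (the publisher's own TLS-protected release page, or a signed manifest). A checksum file sitting next to the artifact on the same mirror will be replaced along with the artifact.

```python
"""Verify a downloaded third-party library against a publisher's checksum manifest.

Added example for this post (not TwelveDot code). Library name, tarball bytes and
manifests are constructed stand-ins.
"""
import hashlib
import hmac
import re

# Digest lengths (hex chars) of the algorithms accepted; MD5 (32) and SHA-1 (40) are refused.
ACCEPTED_ALGORITHMS = {"sha256": 64, "sha512": 128}

# One manifest line: "<hex digest>  <filename>" or "<hex digest> *<filename>" (binary mode).
_LINE_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")


def parse_manifest(text):
    """Parse a *SUMS-style manifest into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped; any other malformed line raises ValueError,
    because a partially parsed manifest must not silently verify nothing.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[match.group("name")] = match.group("digest").lower()
    return entries


def detect_algorithm(digest_hex):
    """Infer the hash algorithm from the digest length; None if it is not an accepted one."""
    for name, length in ACCEPTED_ALGORITHMS.items():
        if len(digest_hex) == length:
            return name
    return None


def verify_artifact(filename, data, manifest_text):
    """Return (ok, reason); ok is True only when data's digest matches the manifest entry."""
    try:
        manifest = parse_manifest(manifest_text)
    except ValueError as exc:
        return False, str(exc)
    expected = manifest.get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the manifest"
    algorithm = detect_algorithm(expected)
    if algorithm is None:
        return False, f"digest of {len(expected)} hex chars is not an accepted algorithm (MD5/SHA-1 refused)"
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison so timing does not reveal how many leading characters matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algorithm} mismatch for {filename}: expected {expected[:12]}..., got {actual[:12]}..."
    return True, f"{algorithm} verified for {filename}"


# --- Constructed sample data; not a real library release ---
GOOD_LIBRARY = b"libparser-1.4.2: pretend tarball contents\n"
TAMPERED_LIBRARY = GOOD_LIBRARY.replace(b"pretend", b"backdoored")

# Stand-in for the manifest fetched from the publisher's own release page (computed here from
# the constructed bytes, which is what the publisher's release step would do on its side).
PUBLISHER_MANIFEST = (
    "# SHA256SUMS for libparser 1.4.2 (constructed)\n"
    f"{hashlib.sha256(GOOD_LIBRARY).hexdigest()}  libparser-1.4.2.tar.gz\n"
)
# A legacy MD5-only manifest (the digest is MD5 of the empty string, used only for its length).
LEGACY_MD5_MANIFEST = "d41d8cd98f00b204e9800998ecf8427e  libparser-1.4.2.tar.gz\n"

if __name__ == "__main__":
    cases = [
        ("clean download", GOOD_LIBRARY, PUBLISHER_MANIFEST),
        ("tampered download", TAMPERED_LIBRARY, PUBLISHER_MANIFEST),
        ("md5-only manifest", GOOD_LIBRARY, LEGACY_MD5_MANIFEST),
    ]
    for label, data, manifest in cases:
        ok, reason = verify_artifact("libparser-1.4.2.tar.gz", data, manifest)
        print(f"{label:18s} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

Run as a script, only the clean download passes; the tampered download fails on the digest and the MD5-only manifest is refused before any comparison is made. In a real pipeline the same `verify_artifact` call sits between the download step and the step that unpacks or installs the library, and a failure stops the build.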

We hope this information helps. If you need more guidance on securing your products and solutions please reach out to us.

 

 


Cyber Canucks EP8 – Cyber Assurance Programs

We hope you enjoy episode 8 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode include how we at TwelveDot help organizations implement a cyber assurance program. These aspects are key to getting your company or organization prepared to think security in everything it does.

  • Gap Analysis – a benchmark of current policies, partnerships and employees. As we focus on ISO and the 27K family of standards, we recommend that a gap analysis be conducted against ISO 27001. If you are in an industry such as finance or telecom, there are supplements in the 27K family that address sector-specific controls; however, the overarching approach is based on ISO 27001.
  • Assessment – an initial assessment identifies and validates risks to produce a risk assessment document and then an action plan. Get your risk management practice started with ISO 27005 and ISO 31000; these provide the necessary foundation for you to build your practice.
  • ISMS – Information Security Management System. This takes the previous two steps and formally initiates the processes and policies necessary to implement, and then continue to develop and mature, as your organization grows.
  • SDLC – the System Development Life Cycle should be formalized for any company that produces a product or service. Your ISMS implementation will create the necessary checks and balances to ensure that cyber risks and privacy elements are identified, assessed and mitigated as required, before you ever release your solution.
  • Evaluation – internal and external evaluations (certification) will be required on an ongoing basis. While many can be completed internally as part of your ISMS implementation, you will need to bring in external assessment auditors for certification of your ISMS.

Keep in mind you do not have to go the certification route to start. You can begin by starting your ISMS and getting it operational; that is the toughest part! Once started, it is just a matter of making it better as you go along. No two companies are alike, so your implementation considerations will be different. However, your goal is always the same: creating a company culture of security.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 


Cyber Canucks EP 7: Selecting Cloud Service Providers

We hope you enjoy episode 7 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

  • What is the data that you are protecting or storing in the cloud?
  • Benchmarks to compare cloud service providers
  • Policies and Procedures – implement an ISMS to ensure policies and procedures align to corporate objectives
  • Data Centre Evaluation (location, service platform, what are their rules for data)
  • Access to Data (who has access from the provider side and your side, authentication)

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 


Mobile Gaming App Security 101

Mobile gaming app hacks are on the rise and will only continue to grow unless developers become aware of the risks. Developers need to understand the long-term impact of mobile gaming app security. Having your gaming app hacked can have a large impact on revenue, branding and even the survival of your company.

The cost of securing a mobile gaming app is minimal in comparison to the potential loss. Developers who fail to understand the consequences are focused on their time to market and almost always neglect security.

Common vulnerabilities include:

  • in-app purchases being hacked (bypassed or forged)
  • reverse engineering of code
  • repackaging of the application (cloning)
  • malware
  • game assets like artwork being extracted and reused
  • piracy (at very high rates)
  • personal data theft

This all translates to lost revenue. So would it not be better to invest a few dollars now to secure your app and reap the rewards of your work for the long term, rather than generate limited revenue in the short term?
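To make the first item on that list concrete, the Python below is an added example written for this post, not code from the original article or from any app store SDK. It shows the pattern behind most in-app purchase hacks (the game server grants an item because the client says it paid, which a patched or repackaged client can say at will) beside a server-side grant that accepts only a receipt carrying a valid store signature for the claimed item and consumes each purchase token once. The signing key and the receipt layout are constructed stand-ins; real stores sign receipts with their own keys and offer server-to-server validation APIs, so in production the signature check becomes the store's verification call while the item-match and replay checks stay exactly as shown.

```python
"""In-app purchase handling: a client-trusting grant beside a server-verified grant.

Added example for this post, not code from the article or any store SDK. The store signing
key and the receipt layout are constructed stand-ins for how a store signs a purchase.
"""
import hashlib
import hmac
import json


# --- Vulnerable pattern: the game server grants whatever the client claims it bought ---
def grant_purchase_insecure(inventory, client_message):
    """Client sends {"item": ..., "paid": true}; a patched or repackaged client sends paid=true
    for free, and the server has no way to tell the difference."""
    msg = json.loads(client_message)
    if msg.get("paid"):
        inventory[msg["item"]] = inventory.get(msg["item"], 0) + 1
        return True
    return False


# --- Hardened pattern: grant only on a store-signed receipt, and each receipt only once ---
STORE_SIGNING_KEY = b"constructed-store-key-not-a-real-secret"  # assumption: stand-in key


def store_issue_receipt(purchase_token, item, key=STORE_SIGNING_KEY):
    """Simulates the store side: returns (receipt_json, signature_hex) for a completed purchase.
    Real stores use their own signature schemes and server-to-server validation APIs."""
    receipt = json.dumps({"purchase_token": purchase_token, "item": item}, sort_keys=True)
    signature = hmac.new(key, receipt.encode(), hashlib.sha256).hexdigest()
    return receipt, signature


class PurchaseServer:
    """Game backend that owns the inventory; the client never grants itself anything."""

    def __init__(self, key=STORE_SIGNING_KEY):
        self.key = key
        self.consumed_tokens = set()  # replay protection: a purchase_token grants exactly once
        self.inventory = {}

    def grant_purchase(self, receipt_json, signature_hex, claimed_item):
        """Return (granted, reason). Checks, in order: the store's signature over the receipt,
        that the receipt is for the item the client claims, and that the token is unused."""
        expected = hmac.new(self.key, receipt_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return False, "receipt signature invalid"
        receipt = json.loads(receipt_json)
        if receipt.get("item") != claimed_item:
            # A genuine receipt for a cheap item presented as proof of an expensive one.
            return False, "receipt is for a different item"
        token = receipt.get("purchase_token")
        if not token or token in self.consumed_tokens:
            return False, "purchase token missing or already consumed"
        self.consumed_tokens.add(token)
        self.inventory[claimed_item] = self.inventory.get(claimed_item, 0) + 1
        return True, "granted"


if __name__ == "__main__":
    inv = {}
    forged = '{"item": "gems_1000", "paid": true}'  # constructed: no payment ever happened
    print("insecure server:", grant_purchase_insecure(inv, forged), inv)

    server = PurchaseServer()
    receipt, sig = store_issue_receipt("tok-0001", "gems_100")
    print("valid receipt:   ", server.grant_purchase(receipt, sig, "gems_100"))
    print("replayed receipt:", server.grant_purchase(receipt, sig, "gems_100"))
    print("item swapped:    ", server.grant_purchase(receipt, sig, "gems_1000"))
    tampered = receipt.replace("gems_100", "gems_1000")
    print("edited receipt:  ", server.grant_purchase(tampered, sig, "gems_1000"))
    print("inventory:", server.inventory)
```

The point of keeping the inventory on the server is that none of the client-side attacks in the list above (patched binaries, repackaged clones, replayed network traffic) can create an entitlement the store never signed; the worst a modified client can do is present a genuine receipt, and the item-match and consumed-token checks limit that to exactly what was paid for, once.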

 


Cyber Canucks EP 6: Protecting your Kids Online

We hope you enjoy episode 6 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Evaluating apps for your kids – Discuss with your kids how they are going to use their devices and what kinds of apps they can install
– Watching what your kids are doing online – How can you track what your kids are doing? There are apps out there and parental controls
– Privacy for your kids – How much privacy do you want to give your kids?
– Cyber bullying – Discuss cyber bullying with your kids and educate them

 

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 


Cyber Canucks EP5: Considerations for IoT

We hope you enjoy episode 5 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Threat Modelling – How is your device going to be attacked?
– Code Assessment and Third Party Libraries – Risk and security aspects of application code, and checking third party libraries against known vulnerabilities
– In-field Patching and Support – often overlooked when thinking about cybersecurity
– Manufacturers and SDLC – all organizations need to consider security, implementing an SDLC and a formal evaluation process around the device
– Field Monitoring – guidelines and standards need to be addressed, but so does monitoring for suspicious activity in the field

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.


Cyber Canucks EP 4: Perceived Barriers to Security for SMBs

We hope you enjoy episode 4 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Cost of implementing security – the cost is too high, but how much does it cost after you’ve been breached?
– Lack of skilled personnel – difficulty in finding the right people
– Physical security – often overlooked when thinking about cybersecurity
– We are too small, we don’t need security – all organizations need security. Cyber criminals are now targeting smaller companies because they don’t consider security a priority
– Educate staff – all staff need to be educated about cybersecurity; breaches commonly occur from within

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.


Cyber Canucks EP 3: Providing Mobile Services to Your Employees

We hope you enjoy episode 3 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Whitelist/Blacklist of apps for company use – Which applications are users permitted to use and which ones should they avoid?
– User Policy and User Guide – Provide details to users on expected behaviour while using mobile apps, including reporting lost or stolen devices.
– App Evaluation – Evaluate each app to ensure you understand the data risk exposure.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.


Cyber Canucks EP 2: Selecting Mobile Apps for Your Company

We hope you enjoy episode 2 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Where did the app come from – apps can be downloaded from the Apple App Store, Google Play or third party web sites.
– Who developed the app – large to medium organizations tend to be safer, but do some research on the app, its history and the developer
– What personal data does the app use – does it use company data? Does it use a cloud service?
– Where is the app connecting to – most apps connect to various endpoints, but who is on the other end? Is it safe?
– Is the app patched and up to date – with respect to security fixes

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 


My personal data is where?

Piggybacking on my last post ( https://www.linkedin.com/pulse/silver-lining-app-data-cid-parato?trk=prof-post ), where we were concerned with the security of your data in the cloud... well, now you need to be even more concerned.

Your child wants to be just like mom or dad, so you buy them a toy tablet that even has an app that allows them to share their photos with their friends... they love it. Yes! So do the hackers that just found all your child’s photos and information (the names, email addresses, passwords and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids). Excuse me? Yes! That is correct.

News Story

Better yet, all of your child’s information is being stored in some far-off country that has different laws than you are accustomed to or expect. In a recent vulnerability assessment that TwelveDot completed, we found that a large, well known provider of information services hosts their data centres in Asia. Most people incorrectly assume their social networking information is stored close by, safe and secure within the confines of their country.

Parents need to be more vigilant when sharing information with others. Who are you sharing it with? What information are you sharing? I am sure that most of you have seen the family stickers or stick figure characters on the back window of minivans and other vehicles. I recently received a customized gift in the form of a coloured family sticker for my minivan. Each figure clearly demonstrates the specific trait associated with each family member. I accepted the gift but informed the person that I would not be putting it on my minivan…huh?

I see your stick figure family…I know that dad works in construction or enjoys building. I know that mom works in an office. I know that little Jimmy has dark hair and likes to play hockey and little Cindy has blond hair and likes dance and that you have a cat not a dog and that was simply because I was behind you at the stoplight.

Start thinking about how much you want to expose yourself and your family when using products that collect data. Start to question the product company and get to know what their security and privacy policies are, including where your data is physically located. You may also ask to whom they provide your data, as many cloud service providers sell data as a source of revenue.
