Category Archives: Cyber Security

IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference hoping to see what was new and exciting in the world of IoT. After tracking this sector for a while now it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products by companies I did get a sense that security and privacy did not get the air time it deserves. I attended many of the security sessions and, while interesting, they were more focused on product plugs versus real discussions on how to design and build security into a product. It was more buy my product or platform and you will be secure. That is scary proposition especially when vendor generated standards are used as guideline for self assessment. Lets be clear folks, vendors have their best interest at heart not yours when it comes to security.

I was also troubled by vendors stating that if customers just pay more they can add  security. This is the wrong view from an executive and security perspective. The right view, in my humble opinion, should be here is what we identified as the threat profile for our products and solutions and here is how we designed security and privacy into our products and services from day one. Oh and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those in ISO/IEC SC 27 and IEC 62443 as the base line for controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be held to task on how they meet these requirements and controls. So by all means keep working on your vendor association standards but realize the actual yardstick are the ISO/IEC standards.

On the more positive side of conference, I really liked that NASA is going out its way to make software freely available to community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik HW and platform and how far it has developed in a short time. It really is making its mark as a contender in IIoT, smart cities and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit for next year’s show to see all the development and new products. It would of been good to see Apple and other product companies show where they going in these areas but I will keep my fingers crossed for next year.

Facebooktwittergoogle_plusredditpinterestlinkedin

What does the WikiLeaks announcement mean to you?

I doubt you missed it but this week but WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of following pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant president  that an intelligence organization has infiltrated and created a platform to compromised systems for spying. I for one am not surprised. Why????

1. Many companies do not have SDLCs that include security testing and those that do only do the minimums they are required for their particular industry.

2. Many do not threat model or conduct aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get go. Go to many startup incubators, they only think about security and privacy when they hit several 1000 of users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money so get the product to point where someone is going to pay big dollars for it and we can walk away.

4 .Vendors are not required to provide any assurance to their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to be compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgraded and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense to the security posture of the vendor. If they cannot answer these immediate or have to go check. Walk away! A company that has instilled a culture of security will have the answers to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data because they take that too. Harden your device as much as you can and use a IPSec VPN to project your data in transit. Finally, encrypt all your stored data. If your systems are compromise you need to have that additional level of protection.

Facebooktwittergoogle_plusredditpinterestlinkedin

Our Future Security Practitioners 

Yesterday, I had opportunity to speak to the Electronic Technologist class at a local college on cyber security. It was great to see all the cool things they were building but also have an open discussion on how they can help to build the next generation of secure IoT products and solutions. It was also refreshing to hear how many of them recognize their privacy and were concerned about the amount of data collected on them. Recently, I was told that youth don’t care about their identities and protecting it — it is all about getting free access. I was really disturbed by this especially when I am teaching my kids to more vigilant about the services they use and information they share.

I spent 2+ hours with students from CEGEP and I have to say I don’t know who was more excited about the conversation them or me. It is always great talking to next generation of tech workers but with electronics a big part of my childhood I love being around breadboards, signal and power generators and multimeters.

Thank-you Marc for making this happen. I had a great time with the students yesterday. Also a big shout out to Madame Bijou who helped me on the presentation graphics. Not bad for a 10 year old!

Facebooktwittergoogle_plusredditpinterestlinkedin

What Makes Industrial Control Systems a Target for Attack?

There is a great article from Trend Micro on why attackers target Industrial Control Systems (ICS) and how the Industrial Internet of Things (IIoT) will affect it. This is worth knowing as ICS is used to describe dissimilar types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.  ICS are used in almost every industrial sector and critical infrastructure from manufacturing, transportation, energy, and water treatment to running the power grid, regulating energy use in a building or managing the process of brewing beer.

At a presentation I gave at Cyber Security 2017: Securing the Smart City of the Future I spoke about the anatomy of an attack but didn’t get into the details as to the motivation or technicalities. ICS have been with us for more than a few years but recent modernization has created new ways for these systems to communicate with their controller. This has improved overall productivity but not security. New security issues have arisen that can be exploited by cybercriminals including:

  • Components that were not meant to be for public access are now accessible via the Internet.
  • Security and privacy features that were not considered by solution architects and engineers at design time.
  • Threat modelling not conducted either by the component manufacture or the solution provider.
  • Products that are not required to be fully tested or assessed to provide a minimum level of assurance or security.
  • Installations that were not formally evaluated for cyber risk prior to deployment.
  • An implicit trust at the systems operational level that all components are safe.

Increased aggressive targeting of these will impact many areas including smart cities, smart manufacturing, smart infrastructure projects and even our soon to be smart homes and cars unless we can get control of these issues. In many cases of these attacks data risk is the least of our worries as they could potentially result in injury or death. To deal with this comprehensively everyone in the product and service chain must play their part:

  1. Manufacturers need to ensure that their products are designed with security, privacy and safety in mind. This includes a multitude of aspects depending on the product being developed. Only through comprehensive threat modelling at design time will they fully understand how attacks can happen in the field and the necessary controls that will be required.
  1. Implementers need to conduct security testing and evaluation at all stages of the project to ensure that systems are not misconfigured or prone to attack once in the field.
  1. Customers whether they are a city manager, a building manager or an information security manager need to better understand the risks to their specific deployments including how to perform Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs).

Always remember that security is more than a technology you can just implement. Attempting to protect bad coding and engineering practices with a badly configured firewall will just end up in an attack succeeding.

Lastly, the authors of the article reference the NIST Security Guide for ICS, I would recommend that you also look at IEC 62443. Why? It was written so that an ICS company (vendor, implementer or purchaser) could be evaluated and tested against stringent controls for risk. This wide series of standards covers the breath of deployment and in-field issues that need to be considered and assessed against. It forces all parties involved to get their act together and ensure they have important aspects such as integrating activities across the Software Development Life Cycle (to help discover and reduce vulnerabilities early and build security in) and operational security policies and procedures. You might be surprised how many don’t.

Facebooktwittergoogle_plusredditpinterestlinkedin

RIoT Control – A Book Review

riot-control

Coming soon to a bookstore (or Kindle) near you is… a first of a kind book on how to approach security for the Internet of Things (IoT). This book is an assessment of how to control and manage Risk and the Internet of Things – RIoT Control. It is targeted at executives, engineers and architects either responsible for considering or implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, businesses line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some of sectors is not going to be easy to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to be able to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to be able to compromise networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The list of the chapters contained in the book are:

Chapter 1 – Introduction to IoT

Chapter 2 – Anatomy of IoT

Chapter 3 – Requirements and Risk Management

Chapter 4 – Business and Organizational Requirements

Chapter 5 – Operational and Process Requirements Framework

Chapter 6 – Safety Requirements in the IoT

Chapter 7 – Confidentiality and Integrity

Chapter 8 – Availability and Reliability Requirements

Chapter 9 – Identity and Access Control Requirements

Chapter 10 – Usage Context and Environmental Requirements

Chapter 11-  Interoperability, Flexibility and Industrial Design Requirements

Chapter 12 – Threats and Impacts to the IoT

Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In this book Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers are provided a higher level of assurance to products and services they are selecting for IoT.

If  you want to buy this  book, for your convenience, here is the link to RIoT Control on Amazon.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Canucks EP8 – Cyber Assurance Programs

We hope you enjoy episode 8 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode include how we TwelveDot look to help organizations implement a cyber assurance program. These aspects are key to getting your company and/or organization prepared to start thinking security in everything they do.

  • GAP Analysis– benchmark of current policies, partnerships, employees. As we focus on ISO and the 27K family of standards. We recommended that an Gap Analysis be conducted using ISO 270001. If you in industries such financial or telecom there are special supplements in 27K family that addressed specific controls for these sectors however the over arching approach is based on ISO 27001.
  • Assessment – Initial assessment identifies/validates to create risk assessment document and then action plan. Get your risk management practice jump started and running with ISO 27005 and ISO 31000. These should provide the necessary foundation for you to build your practice.
  • ISMS – Information Security Management System. This takes the previous two steps and then formally initiates the process and policies necessary to implement and continue to develop and mature as your organization grows and develops.
  • SDLC – System Development Life Cycle use be formalized for any company that produces a product/service. As part of your ISMS implementation will create the necessary checks and balances to ensure that cyber risks and privacy elements are identified, assessed, and mitigated as required. This is before you ever release your solution.
  • Evaluation – Internal and External Evaluations ( certification ) will be required on a on going basis. While many can be completed internally as part of your ISMS implementation you will need to bring in external assessment auditors for certification of your ISMS.

Keep in mind you do not have to go the certification route to start. You can begin by starting your ISMS and getting it operational. That is the toughest part! Once started, it is just a matter of making it better as you go along. No two companies are alike so your implementation considerations will be different. However, your goal is always the same creating a company culture of security.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Canucks EP 7: Selecting Cloud Service Providers

We hope you enjoy episode 7 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

  • What is the data that you are protecting or storing in the cloud?
  • Benchmarks to compare cloud service providers
  • Policies and Procedures – Implement an ISMS to ensure policies and procedures align to corporate objectives
  • Data Centre Evaluation ( location, service platform, what are their rules for data )
  • Access to Data ( who has access from provider side and your side, authentication )

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

Mobile Gaming App Security 101

Mobile Game App SecurityMobile gaming app hacks are on the rise and will only continue to grow unless developers become enlightened. Developers need to understand long term impact of mobile gaming app security. Having your gaming app hacked can have a large impact on revenue, branding and even the survival of your company.

The cost of securing a mobile gaming app is minimal in comparison the potential loss. Developers fail to understand the consequences are always focused on their time to market, 99% of the time neglecting security.

Common vulnerabilities include:

  • in-app purchases being hacked
  • reverse engineering of code
  • repackaging of application ( cloning )
  • malware
  • game assets like artwork being reverse engineered
  • piracy ( very high rates )
  • personal data theft

This all translates to lost revenue. So would it not be better to invest a few dollars now and look to securing your app and the reap the rewards of your work for the long term or generate limited revenue short term?

 

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Canucks EP 6: Protecting your Kids Online

We hope you enjoy episode 6 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Evaluating Apps for your Kids – Discuss with your kids how they are going to use their devices and what kinds of apps they can install
– Watching what your kids are doing online –   How can you track what your kids are doing…there are apps out there and parental controls
–  Privacy for your kids –  How much privacy do you want to give your kids
–  Cyber Bullying – Discuss Cyber Bullying with your kids and educate them

 

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

 

Facebooktwittergoogle_plusredditpinterestlinkedin