
RIoT Control – A Book Review


Coming soon to a bookstore (or Kindle) near you is… a first-of-its-kind book on how to approach security for the Internet of Things (IoT). This book is an assessment of how to control and manage Risk and the Internet of Things – RIoT Control. It is targeted at executives, engineers and architects who are responsible either for considering or for implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, business line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some sectors is not going to be easy, to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to be able to compromise the networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The chapters contained in the book are:

Chapter 1 – Introduction to IoT

Chapter 2 – Anatomy of IoT

Chapter 3 – Requirements and Risk Management

Chapter 4 – Business and Organizational Requirements

Chapter 5 – Operational and Process Requirements Framework

Chapter 6 – Safety Requirements in the IoT

Chapter 7 – Confidentiality and Integrity

Chapter 8 – Availability and Reliability Requirements

Chapter 9 – Identity and Access Control Requirements

Chapter 10 – Usage Context and Environmental Requirements

Chapter 11 – Interoperability, Flexibility and Industrial Design Requirements

Chapter 12 – Threats and Impacts to the IoT

Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In it Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers get a higher level of assurance about the products and services they are selecting for IoT.

If you want to buy this book, for your convenience, here is the link to RIoT Control on Amazon.



What’s in your tickle trunk?

As we are a small growing cyber security company servicing customers globally, we have learned a thing or two about working virtually and the tools that make this easier and safer. Here are some of the software tools we use.

  1. Basecamp. For managing projects; keeps us all on the same page. Using a browser or your mobile device lets you stay connected to project development even when on the road. No, we do not keep any customer data on this site. If we need to provide secure content we use S/MIME or encrypt files and post them in secure containers.
  2. Kaspersky AV and Anti-Malware. Just get it and use it on your laptop and mobile device, even on a Mac; we have seen some “interesting” things.
  3. iVPN. We don’t trust hotel and public WiFi and neither should you. Get a VPN service for these occasions. It will save your A$$.
  4. Protect your files and folders with OpenPGP encryption. Install it to protect those critical project and personal files, including emails. We would also recommend this if you are using cloud storage providers such as Dropbox. Don’t trust others with your data.
  5. Alfred, the ultimate app launcher. We started using this after it was mentioned at the local CocoaHeads meeting… how did we live without it?
  6. Reflector. This app lets you share what is on your mobile with either your customers or other members of your development team. A great utility when you are giving remote demos during a webinar.

Hope you find them helpful.



VENUS CyberSecurity New Ventures Weekend

This past weekend I was fortunate enough to attend a new Canadian cyber security initiative in Ottawa at Carleton U. It was the first event of its kind, held by the recently launched VENUS Cybersecurity program to make Canada a rising star in cyber security technologies. I did not sign up to pitch a product or solution but to join a team and see if I could provide some help with a proposed project.

Friday night was more of a meet and greet — I met lots of new people and learned about all the grassroots cyber security development and startup activity going on in the nation’s capital. There were 4 projects presented, covering several different technology areas. I wanted to help out on all the projects, but after meeting with each of the pitch candidates one in particular took my attention. It dealt with something I have spent much of my life focused on: DPI and network analytics.

I spent most of Friday night after leaving the session learning about the market and who the players are, customer pain points, and projects in this technology stream. My experience as a PLM and technology evaluator gives me the necessary background to quickly decipher the real technologies and capabilities in products. I was eager to join my chosen team Saturday morning with the goal of making the idea more focused and targeted. It was a long day, but I learned not only about the technology but also about the aspects that need to be considered when looking to drive a startup. The knowledge provided by the experts was worth its weight in gold this weekend.

I am writing this as we have finished our pitch presentation and are getting ready to pitch to the judges. I am excited about what we have developed but want to get some real feedback. I will post an update on how it turns out tomorrow.

For now, if you are thinking of launching a startup, take advantage of a startup weekend in your city. If nothing else you will make contacts, get ideas to launch your idea, and possibly find a co-founder for your idea, which I am told is a key to success.

UPDATE: My co-founder Michael and I ended up winning the competition. It was good to get the validation that our concept had merit and that all the hard work we did over the weekend was worth the effort. Now we need to start work on creating a prototype and begin some network trials. Exciting times ahead for sure. I would like to thank Michael for the opportunity to work with him, and I look forward to collaborating on this solution. Also a special shout out to Tony Bailetti, who runs the TIM Program at Carleton U, and Marco Janeczek of VENUS New Ventures; I really love your energy and commitment to helping startups. You really need to be commended for the support provided to the community. Thanks for the great weekend!


What Apple does not state in their iOS Security White Paper

First of all, I do like the fact that Apple has gone out of their way to build this and make it available to the public. However, I do have some points that I would like to see more details on, to make sure that Joe Public understands what these statements “mean”.

Let’s start in order, shall we:

1. While the App Sandbox is great in concept, we have already seen prototype attacks that use what are known as protocol handlers. These are built into web-based apps to allow them to communicate with a server, for example. However, they can be used as a method to collect and inject information in the data stream. I saw some PoC code in Switzerland about two years ago. If the application does not contain validation code, there exists the possibility that a rogue user could gain access to the so-called secured Sandbox.

2. Encryption – well, no news here, because with key escrow someone, or a 3-letter agency, with the master key can decrypt all the data protected with encryption. Look up RSA and $10 million and you can probably figure out the rest. Not saying that Apple took money for this, but US companies were/are under LOTS of pressure to provide agencies of interest access to national security data.

3. FIPS 140-2 is not a guarantee that the crypto implementation is not vulnerable to attack, as the recent SSL issue can attest. It does show that Apple followed a documented process for the design and testing of crypto libraries, nothing else. So don’t read too much into this, and remember that vulnerability testing is not performed for this certification.

4. Supported crypto libraries – see bullet 2.

5. Siri – What is done with all this voice data? Your voice samples are stored and archived, and now someone has a biometric sample of you. Again, see bullet 2.
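Point 1 above comes down to input validation: anything arriving through a custom URL scheme (a protocol handler) is untrusted data and should be checked against an allowlist before the app acts on it. The following Python is an added example for illustration, not code from the original post or from Apple; the scheme name `myapp`, the actions `open-doc` and `share` and their parameter rules are constructed assumptions, and the same allowlist approach applies to whatever scheme and actions an app actually registers.

```python
"""Validate a custom URL scheme payload before acting on it (added example).

The scheme `myapp`, the action names and the parameter rules below are
constructed assumptions for illustration, not a real app's registration.
"""
import re
from urllib.parse import parse_qs, urlsplit

SCHEME = "myapp"     # assumed custom scheme registered by the app
MAX_URL_LEN = 512    # refuse oversized payloads before parsing anything

# Allowlist: each action names the parameters it accepts and a pattern each
# value must fully match. Any action or parameter not listed here is refused,
# so unexpected data never reaches the app's own logic.
ACTIONS = {
    "open-doc": {"id": re.compile(r"[0-9a-f]{8,32}")},
    "share": {"to": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")},
}


class RejectedURL(ValueError):
    """Raised with a reason whenever the payload fails a check."""


def validate_deep_link(url: str) -> dict:
    """Return {'action': ..., 'params': {...}} for an acceptable URL, else raise."""
    if len(url) > MAX_URL_LEN:
        raise RejectedURL("payload too long")
    parts = urlsplit(url)
    if parts.scheme != SCHEME:
        raise RejectedURL(f"unexpected scheme {parts.scheme!r}")
    # For myapp://open-doc?id=..., urlsplit puts the action in netloc.
    action = parts.netloc
    if action not in ACTIONS:
        raise RejectedURL(f"unknown action {action!r}")
    if parts.path not in ("", "/") or parts.fragment:
        raise RejectedURL("unexpected path or fragment")
    rules = ACTIONS[action]
    params = parse_qs(parts.query, keep_blank_values=True)
    unknown = sorted(set(params) - set(rules))
    if unknown:
        raise RejectedURL(f"unexpected parameter(s) {unknown}")
    cleaned = {}
    for name, pattern in rules.items():
        values = params.get(name, [])
        if len(values) != 1:
            raise RejectedURL(f"parameter {name!r} must appear exactly once")
        if not pattern.fullmatch(values[0]):
            raise RejectedURL(f"parameter {name!r} has an invalid value")
        cleaned[name] = values[0]
    return {"action": action, "params": cleaned}


def is_accepted(url: str) -> bool:
    """Convenience wrapper: True if the URL passes every check."""
    try:
        validate_deep_link(url)
    except RejectedURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample payloads: one legitimate, the rest malformed.
    samples = [
        "myapp://open-doc?id=deadbeef1234",
        "myapp://open-doc?id=../not-a-doc-id",
        "myapp://open-doc?id=deadbeef1234&debug=1",
        "myapp://share?to=a@example.com&to=b@example.com",
        "myapp://wipe-device",
        "https://open-doc?id=deadbeef1234",
    ]
    for s in samples:
        try:
            print("accepted", validate_deep_link(s))
        except RejectedURL as exc:
            print("rejected", s, "->", exc)
```

The design choice worth copying is that the validator never tries to detect "bad" input; it only admits input it positively recognises (known scheme, known action, each expected parameter exactly once, each value matching a tight pattern) and refuses everything else with a reason that can be logged. In an actual iOS app the same checks would sit in the URL-open handler and be written against Foundation's `URLComponents` rather than Python's `urlsplit`.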

So while I believe this WP is a great step forward, it also leaves many questions unanswered, and these are the questions that businesses and individuals should be asking Apple: what the heck?

You can find the document here.


Mobile Security For the Small Co

Over the past few years we have helped companies to deploy mobile and BYOD implementations. While some of these companies have lots of resources ($$$) for these projects, we have come to realize that smaller companies might not have the necessary financial resources to hire additional resources, so we hope this approach will help.

Let’s start with a diagram. It is a top-down model that shows how to look at this problem.

Mobile Security Approach

Data – What company data will be stored on this device, or even accessible from the device? In the worst case, if your competitor had this data what would that mean to you? This could include project plans or even an RFP bid. Stop and think about this and ask your staff what they store on their devices and the apps they use. You might be surprised. I know I have been…. I thought I had seen everything in this business.

Threats – This one is more complicated, but it is based on your data and your business. Simply stated: who can access this data, from where, and how? Do a search on mobile risk to get more technical details, realizing you might have to call a security consultant to help. However, this should help reduce your cost and focus on what aspects of a consultant’s time you really need.

Mobile Device – We like all devices, so we are not going to tell you which one to use. Use the one that best fits your organization’s needs.

MDM – Mobile Device Management has matured significantly as a technology over the past 3 years and will for the next 3. Make sure you select one that supports not only the mobile platforms you will support today but also ones you may consider in the future. Next, make sure that it reduces or eliminates the threats identified in step 2. This is typically accomplished by a policy that can be pushed to a mobile device.

Policy Violation Monitoring – This one is tough and can take a while to implement, but it is a must to identify when your staff might have a compromised device or a possible data breach has occurred. You need to be able to identify these events and react accordingly.
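The MDM and monitoring steps above reduce to two things: a policy the device must satisfy, and a recurring check that flags devices that do not. The following Python is an added example of such a check, not code from the original post or from any MDM product; the policy values, the posture record fields, and the device, user and app identifiers are constructed assumptions, and a real deployment would feed it the compliance export its MDM actually produces.

```python
"""Flag devices whose posture violates a mobile security policy (added example).

The policy, the posture record layout and every identifier below are
constructed assumptions, not a real MDM's data or API.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    min_os: dict                      # platform -> lowest acceptable (major, minor)
    require_passcode: bool = True
    require_encryption: bool = True
    allow_jailbroken: bool = False
    max_checkin_days: int = 7         # silence longer than this is itself suspicious
    blocked_apps: frozenset = frozenset()


# Assumed policy for the example.
POLICY = Policy(
    min_os={"ios": (12, 0), "android": (9, 0)},
    blocked_apps=frozenset({"com.example.unapproved-sync"}),  # constructed bundle id
)

# Constructed posture records, in the shape an MDM compliance export might use.
DEVICES = [
    {"id": "dev-001", "user": "alice", "platform": "ios", "os": "13.3",
     "passcode": True, "encrypted": True, "jailbroken": False,
     "last_checkin": "2020-02-20", "apps": ["com.example.mail"]},
    {"id": "dev-002", "user": "bob", "platform": "android", "os": "8.1",
     "passcode": False, "encrypted": True, "jailbroken": False,
     "last_checkin": "2020-02-18", "apps": ["com.example.unapproved-sync"]},
    {"id": "dev-003", "user": "carol", "platform": "ios", "os": "13.3",
     "passcode": True, "encrypted": True, "jailbroken": True,
     "last_checkin": "2020-01-05", "apps": []},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_version(text: str) -> tuple:
    """'13.3' -> (13, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: dict, policy: Policy, today: date) -> list:
    """Return a list of (severity, reason) findings; empty means compliant."""
    findings = []
    minimum = policy.min_os.get(device["platform"])
    if minimum is None:
        findings.append(("critical", f"unsupported platform {device['platform']}"))
    elif parse_version(device["os"]) < minimum:
        findings.append(("high", f"OS {device['os']} below minimum"))
    if policy.require_passcode and not device["passcode"]:
        findings.append(("high", "no passcode set"))
    if policy.require_encryption and not device["encrypted"]:
        findings.append(("high", "storage not encrypted"))
    if not policy.allow_jailbroken and device["jailbroken"]:
        findings.append(("critical", "jailbroken/rooted device"))
    silence = today - date.fromisoformat(device["last_checkin"])
    if silence > timedelta(days=policy.max_checkin_days):
        findings.append(("medium", f"no check-in for {silence.days} days"))
    for app in device["apps"]:
        if app in policy.blocked_apps:
            findings.append(("high", f"blocked app installed: {app}"))
    return findings


def worst_severity(findings: list):
    """Highest severity among the findings, or None when there are none."""
    if not findings:
        return None
    return min((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


def compliance_report(devices: list, policy: Policy, today: date) -> dict:
    """Map device id -> findings, so monitoring can alert on anything non-empty."""
    return {d["id"]: evaluate(d, policy, today) for d in devices}


def report_for(today_iso: str) -> dict:
    """Run the sample devices against the sample policy as of the given date."""
    return compliance_report(DEVICES, POLICY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for dev_id, findings in report_for("2020-02-21").items():
        print(dev_id, worst_severity(findings) or "compliant")
        for sev, reason in findings:
            print("   ", sev, reason)
```

Run as written, the constructed data gives one compliant device, one with three high findings (old OS, no passcode, a blocked app) and one critical (jailbroken, and silent for 47 days). The point of returning findings rather than a pass/fail flag is that the monitoring step in the model needs the reason in order to react: a stale check-in warrants a call to the user, a jailbroken device warrants pulling its access to company data.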

Some points to consider:

1. Mobile Apps are not designed to be secure – don’t expect that developers have considered security controls when designing their solution. Many are former web developers who are bringing lots of bad coding habits to mobile.

2. Cloud services and providers are not secure and could have been compromised previously. Unless they deal with financial information they are under no obligation to release this information nor to advise you of the breach. Read the user agreement and security details if they are provided. If the details are thin, so are the security controls deployed.

3. Talk to other small companies in your space to see what they are doing to protect mobile devices and their company data.

4. Finally, if the idea of deploying security for mobile is a bit too much, reach out to a local security consultant who has worked in this field. They should be able to provide the necessary support and guidance for your deployment.

For your homework assignment please read Defending Data in iOS to get a better understanding of the data risks of mobile and of some of the technical terminology used in this space. While it is iOS-centric it does contain many considerations for mobile deployment. Don’t let it instill fear; let it educate you on what is required to secure your data in mobile.


Year 4 and counting…..

I can’t believe we are into our 4th year of business, and it is going to be a very exciting one, on top of our growing client list and the formalizing of our business practices. Last year at this time we were a team of two. Now we are seven.

We also launched TwelveDot Labs last year and will be releasing our first product later this year. While we did lots of R&D last year and got our product prototype completed, it has been a challenge to get our board designed and to do an initial board run. It is all the little stuff you don’t think about that can really hurt you.

While we have had the many challenges of a start-up and a young staff, I am very proud of all we have accomplished with our team. Our staff are always rising to the challenge and taking on more every day. It has been a pleasure working with our team, and we have been fortunate to develop a team that enjoys working together.

I look forward to having time this year to provide more updates to our progress and several product and service announcements that we have scheduled. It will be an exciting year for both of our companies and I hope you follow us as we grow even more.

Stay tuned for more………..