
Meeting Report – ISO/IEC SC27 Gjovik, Norway

We just wrapped up another week of ISO meetings for SC 27 this past week in Gjovik, Norway. A few updates to share:

  1. We are making progress on ISO 27030 Security and Privacy for IoT. We just completed our WD1 review, which focused mainly on structure but also had some privacy inputs from experts from Singapore and India. Our Japanese experts did identify many new controls to be added, including the request that we ensure our control format aligns to 27002.
  2. Our next stage is WD2 and we are hoping the experts continue to provide more content to build out a strong version of the document for one more WD version. Based on suggestions from the vendors in attendance, it seems that vendors want a checklist of a few items that would indicate that their device is secure. While this might help the vendor community, it is not the right approach, as cyber security consists of many moving parts that include how a company operates and the product they produce, not just a device in the IoT context.
  3. On the privacy front, it seems that GDPR caused quite the impact on the vendor community. As a result, many of the bigger names have grouped together to write a proposal for a standard for data privacy where the vendor would own the data, not the user. This will include a clause that allows this standard to supersede any local or global regulations. While just a discussion, it does represent a very concerning perspective for governments who are fighting to protect citizen data.
  4. Finally, it seems that there is a theme from large cloud service providers of wanting to remove any requirements in ISO standards. This started in SC38, which has no shoulds or shalls; it is all maybes and could-bes on a good day if you're lucky. If your cloud service provider claims conformance to these standards, it is a sham. Make sure you investigate the claims of any vendor and what they have really implemented in terms of security and privacy controls. As usual, it is a case of buyer beware when purchasing services, even from the big guys.

It was good to see so many experts from different national bodies and liaison organizations in attendance at the IoT meetings and sessions. Standards Norway did a great job of hosting, and Gjovik and the surrounding region are really beautiful at this time of the year. Hope to get back and visit more of this country and its friendly citizens.


Cyber Canucks EP8 – Cyber Assurance Programs

We hope you enjoy episode 8 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode include how we at TwelveDot look to help organizations implement a cyber assurance program. These aspects are key to getting your company and/or organization prepared to start thinking security in everything they do.

  • Gap Analysis – benchmark of current policies, partnerships, employees. We focus on ISO and the 27K family of standards, so we recommend that a gap analysis be conducted using ISO 27001. If you are in industries such as financial or telecom, there are special supplements in the 27K family that address specific controls for these sectors; however, the overarching approach is based on ISO 27001.
  • Assessment – The initial assessment identifies and validates risks to create a risk assessment document and then an action plan. Get your risk management practice jump-started and running with ISO 27005 and ISO 31000. These should provide the necessary foundation for you to build your practice.
  • ISMS – Information Security Management System. This takes the previous two steps and then formally initiates the processes and policies necessary to implement, and to continue to develop and mature, as your organization grows and develops.
  • SDLC – A System Development Life Cycle should be formalized for any company that produces a product/service. As part of your ISMS implementation, you will create the necessary checks and balances to ensure that cyber risks and privacy elements are identified, assessed, and mitigated as required. This is before you ever release your solution.
  • Evaluation – Internal and external evaluations (certification) will be required on an ongoing basis. While many can be completed internally as part of your ISMS implementation, you will need to bring in external assessment auditors for certification of your ISMS.

Keep in mind you do not have to go the certification route to start. You can begin by starting your ISMS and getting it operational. That is the toughest part! Once started, it is just a matter of making it better as you go along. No two companies are alike, so your implementation considerations will be different. However, your goal is always the same: creating a company culture of security.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Cyber Canucks EP 4: Perceived Barriers to Security for SMBs

We hope you enjoy episode 4 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Cost of implementing Security – the cost is too high, but how much does it cost after you've been breached?
– Lack of skilled Personnel – difficulty in finding the right people
– Physical Security – often overlooked when thinking about cybersecurity
– "We are too small, we don't need security" – all organizations need security. Cyber criminals are now targeting smaller companies because they don't consider security a priority
– Educate Staff – all staff need to be educated about cybersecurity; breaches commonly occur from within

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Cyber Canucks EP 3: Providing Mobile Services to Your Employees

We hope you enjoy episode 3 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Whitelist/Blacklist of Apps for company use – Which applications are users permitted to use and which ones should they avoid?
– User Policy and User Guide – Provide details to users on expected behaviour while using mobile apps, including reporting lost or stolen devices.
– App Evaluation – Evaluate each app to ensure you understand your data risk exposure.

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Our Approach to Security is All Wrong

When I look at the time, money and resources used to protect digital assets, I start to wonder, as many executives do, when we are going to see a turning point or an ROI.

While the problem is complex, I believe the lowest common denominator is software, and more specifically the lack of time we spend testing and analyzing it prior to shipment. With many companies in a race to get to market, security and privacy are always the last things considered. Many believe they get in the way of productivity. If you want to see a disaster happening, look at all the IoT solutions built with little consideration for security and privacy. Then consider all the data breaches that have happened recently. Many of these data breaches were the result of someone taking advantage of bad code to get access using an insider.

As we continue to develop substandard code, we then spend billions on security technologies in an attempt to protect it. It seems crazy when you think about it this way. You cannot protect flawed software; it is near impossible, because without user training and detection systems there is no one to deal with signs that a system has been compromised.

I also look at how, over 20+ years, the expectations of software developers have changed considerably. When I first started my career I did LOTS of programming. We did not have the Internet to provide us code samples; we had to learn the language and its nuances. We also had constraints on HW given the cost of memory and systems back in the day. You had to write good clean code.

Today, when many developers hit a snag they will search Google and perform a CTRL-C + CTRL-V... problem fixed. In the old days we used to have structured walk-throughs and spend more time in design to figure out the code logic. Today, programmers will use 3rd party libraries and SDKs without any consideration of the security implications. Specifically: where did it come from and who has touched it?

So how do we fix this mess? With small steps, and by changing our mindset on how we consider software in our society. Namely, we have to do the following:

  1. Make security part of our companies and organizations. Using an ISMS provides the basis for this regardless of the widget you build. Every company is different and will have to tailor its ISMS to its specific risk profile.
  2. Once done, you need to determine how you build your widget. This requires the use of an SDLC to identify the threats to the widget and how you plan to dispose of all the data that this widget might collect over its usable life. These need to be fully understood prior to ever writing a line of code, and document, document and document. These become auditable elements later in the life of the widget. They also serve as education material for new team members as the team grows and changes.
  3. As the first versions of the widget are created, they need to be evaluated to ensure the identified threats are sufficiently addressed. Spending this time now will save you costs down the road… me.
  4. Prior to production release, ensure the widget gets a final assessment to ensure all risks are known, including residual risk(s).
  5. When the widgets are in the field they need to be monitored for signs that they have been targeted for compromise. The process for this would have been created under your ISMS and will drive how your organization handles these reports.
  6. If issues are reported, it is important to evaluate them and, if deemed relevant, address them where possible. If you designed your widget correctly it will have a method to perform in-field updating. This includes notifying users of the update.
  7. At this point, you just need to repeat this process for every revision of the widget. As the company changes you will have to ensure the ISMS is updated to deal with the growing nature of your business operations.

Only by addressing the current approach to software development can we reduce the current risk landscape for all businesses, consumers and governments that use this vulnerable software. Vulns that are found and not disclosed are the nuggets the digital underground uses to prosper. Fixing software will help reduce the targets, so that your widget is not targeted but your competitor's is. Let a secure, cost-effective widget be your competitive advantage.


IoT613 – Talking all things IoT

Last week we attended the IoT613 conference in Ottawa, ON, Canada with our partner and good friends over at bv02. We set up a demo of a solution that we jointly built last year on the use of iBeacons to engage customers. The interest in IoT and security was really great, and it was refreshing to see how many people are thinking about security in this space.

The next generation of companies have to think security and privacy from day one: using techniques such as threat modelling and TRAs to understand the risks, then evaluating the features that can be added on day one versus those that can wait for future revisions. You can always quantify these risks and make better decisions that balance both usability and security.

Here are some quick points to get you started:

  1. Before you complete your initial product design, determine all the cyber and physical aspects that could be used to compromise all elements of your solution. This includes the people and suppliers who will come into contact with your product prior to service delivery. This is known as a TRA or Technical Risk Assessment; these need to get into the bits and bytes of the solution, not just an overview.
  2. Ensure you have a System Development Lifecycle (SDLC) that includes security. Reference ISO 27034 Application Security as your guide… yes, it works with Agile. Get your developers trained and set up to run a formal development and secure testing process. If necessary, use a 3rd party to test the final revision.
  3. Test for a specific level of assurance you can provide users and customers. Your testers need to be trained on how to locate security bugs in your software as well as on dealing with those that are reported to your organization.
  4. Evaluate all 3rd party libraries for vulnerabilities.
  5. Make security part of your company culture.

This is just the start of setting up a stringent cyber security program. However, it will make huge strides in getting you on the road to a Secure By Design model. Thanks to everyone who dropped by to say "Hi" and learn about our services and solutions. See you next year.

Our New VPN Provider: iVPN

We recently changed our VPN provider from HideMyAss to iVPN. Why? More privacy! It seems HMA was not good at keeping its promise to protect the identity of its users; when this was discovered, and given it was renewal time, it was time for a change.

Why iVPN?

1. No logging of access

2. Multi-hop technology to stump trackers and monitors

3. Setup instructions for iOS devices that provide better protection against MITM attacks; they also support Windoze and Android

4. Ability to use three devices concurrently on the service

5. Good range of sites around the globe when I travel

6. Oh did I mention no logging 😉

7. They are big supporters of the Electronic Frontier Foundation (EFF); this is a great cause for privacy and the openness of the Internet as it was intended to be

The speed and performance of the service is good, and I have no complaints about the service one month in. I use it every day for all my devices, and each one is pointed to a different access point. I love the randomness this gives me, not to mention the lack of tracking. For those of you new to VPNs, the guides are easy to follow and they also provide tech support if you need it.

If you're a regular on public WiFi, you need to be on a VPN service just to prevent the high potential for a MITM attack handing someone your login creds for your email and social media accounts. The cost and peace of mind are well worth it.

Signing up is as easy as clicking on this link – Get iVPN


Minimizing Your Digital Footprint

So I am not a hermit or loner, but I do like to keep my digital footprint small. I don't feel a need to be "Liked" nor to be "Followed". However, I do like to share my security knowledge and expertise with companies, and I am always torn between posting something on social media versus not.

I do fundamentally believe that we have a right to privacy on the web so long as your intent is not to harm another human being. If you use it as a means for entertainment, education or just communications with family and friends, then you have the right to do so. I don't like all the cataloguing of my web traffic, and governments who insist our country will be safer by collecting all our web traffic — this is just irresponsible leadership.

So how does one balance sharing with knowing when to say enough is enough? Let's put it this way: if you crossed a street and did not realize you walked against traffic and were almost run over twice, then maybe it is time to give social media a break. There is not a single "Like" that is worth your life.

Keys to balance:

1. Your friends will be your friends even if you're not online all day and night. Reducing time on your devices will give you a chance to experience "real" life.

2. Your personal posting(s) can and will be used against you. This includes finding a new job and possibly losing your current one. Once posted, it is not your content anymore; it belongs to the site owners. Read the fine print.

3. If you're mad about something, it might be best to stay away from your devices for a few hours. Having a rant online is not a good outlet. See bullet 2.

4. You never know who is watching you. Strangers lurk in every corner of the web.

5. Use technology that allows you to auto post material around the clock. It frees up your time to spend with friends and colleagues.

6. What is the message you want to send to the world? Think about this for a while as it should help you gauge what you post or consider posting.

7. Reducing your time with devices gives your body a break from low-level radiation. Remember grade 9 physics and waves? What do you think you're exposing yourself to all day?

As always, I recommend staying secure while connected to the Internet. Using a VPN just makes sense today, especially if you're a hard-core coffee shop hopper. And make sure your HD is encrypted in the event your laptop is lost or stolen.


bv02 + TwelveDot Labs = Evolutions

Last fall we started a project with our partner bv02 and The Canadian Museum of Nature to explore using iBeacons in a museum environment. This pilot project, called "Evolutions", was located in the Mammal Gallery and was launched Dec. 23. TwelveDot worked with the design team at bv02 to create a mobile application that would demonstrate the value that iBeacons can bring to a museum environment.

"Evolutions" tracked users' journeys through an exhibit by interacting with the iBeacons to take blobs and evolve them into creatures. Users had to discover the full exhibit or risk their creature dying. At the end of the game, users were rewarded with fully developed creatures if they found all the iBeacons.

The pilot spanned a three-week period and demonstrated that users were willing to download the app and use it immediately. Users were able to find the beacons easily and had fun interacting with their creatures too.

If you are planning an iBeacon deployment of your own, here are some tips to make it a smooth project:

1. Set the scope early and understand what data is "required" and "needed" to be collected on users.
2. Design an app that users can identify with and that leverages your organization's brand. Find a digital creative agency that can create a UX and graphics that give the app personality! This is key to the overall success of your iBeacon-based app.
3. Do a physical site visit as soon as possible and determine possible locations for beacons. Consider possible EMI that might be caused by other electrical devices, including WiFi APs. If you have a complicated setup, you may need to conduct a spectrum analysis on your site. This can be costly but might not be required.
4. Initial testing should include tuning beacon signal strength and verifying that the analytics engine is properly collecting data.
5. Collect application data to get a sense of how users are using the app.

As a final point, respect your users' privacy and only collect data that is required to monitor your app. Once collected, it is best to just keep the trend data and securely delete the rest. Always make users aware of your data collection practices and privacy policy.

More details on this project are located on the bv02 site.

For this project we chose Estimote iBeacons.