Category Archives: Awareness

NAFTA Cyber Security Framework

As part of the NAFTA discussions it looks like the US is looking to add a cyber security component in the mix. Finally a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that all Canadian Internet traffic is routed to the US. We have to ensure that one country is not in a position to bring the downfall of another due to weak security practices.

Given the current state of cyber security practices in Canada by most SMB’s this will serve as a good wake up call to get your security house in order if you want to sell to the US. Based on the current wording companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does these mean? From the top down, executives are responsible enough to have implemented the necessary security management system to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts to how to do this but would “highly” recommend you get a copy of ISO/IEC 27001/27002 and build your plan to implement a Information Security Management System (ISMS). Don’t let the information part of the name fool you, this standard has been written to fully consider the cyber elements of any organization regardless of sector.

The best place to buy this is from our friends at CSA Group in Canada. They actually offer a Security bundle that contains all the base standards to get you started at a very reason price.

When you initiate your cyber program focus on conducting your risk assessments, your action/mitigation plan and getting those policies and processes nailed down, and most of all education and awareness will be a key element of your success.

Keep in mind that this will not be easy but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?

Facebooktwittergoogle_plusredditpinterestlinkedin

What does the WikiLeaks announcement mean to you?

I doubt you missed it but this week but WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of following pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant president  that an intelligence organization has infiltrated and created a platform to compromised systems for spying. I for one am not surprised. Why????

1. Many companies do not have SDLCs that include security testing and those that do only do the minimums they are required for their particular industry.

2. Many do not threat model or conduct aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get go. Go to many startup incubators, they only think about security and privacy when they hit several 1000 of users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money so get the product to point where someone is going to pay big dollars for it and we can walk away.

4 .Vendors are not required to provide any assurance to their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to be compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgraded and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense to the security posture of the vendor. If they cannot answer these immediate or have to go check. Walk away! A company that has instilled a culture of security will have the answers to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data because they take that too. Harden your device as much as you can and use a IPSec VPN to project your data in transit. Finally, encrypt all your stored data. If your systems are compromise you need to have that additional level of protection.

Facebooktwittergoogle_plusredditpinterestlinkedin

The Smart City Under Attack – CBoC Presentation

I recently got an opportunity to speak at the Conference Board of Canada’s Securing the Smart City of the Future. It was great to be able to speak to those dealing with the daunting challenge of managing the issues related to security, privacy and safety risks while still providing smart city services.

It is clear that the potential benefits of fully-connected smart cities fed by sensors and data are significant especially when seen in the advance of the Internet of Things (IoT). These benefits could tackle some of the greatest problems with urbanization such as traffic congestion, inefficient use of energy, and pollution. As great as these potential benefits are so are the risks and unanswered questions that the integration of new technology brings. Countries looking to implement smart city initiatives need to have a national policy that mandates aspects of security, privacy and safety. This policy should include the following as a minimum:

  • Requirements for an Information Security Management System (ISMS).
  • City breach plans for emergency services, vendors, citizens, etc.
  • Security tested components and solutions that are validated prior to release.
  • “Assurance” from solution providers and vendors for their products/services.
  • Buyers requesting that products and solutions be evaluated.
  • Demand Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs) for all solutions prior to deployment by City Managers.
  • Respect for the privacy of citizens.

The security breaches in the recent past and the ongoing increase in cyber attacks and crime have made one thing very clear: In building the smart cities of tomorrow we need to be smart! Bearing this in mind, what is the biggest barrier to smart city entry?

The biggest barrier seems to be security and privacy of the sensors and data – the very things that make a city smart. The concern seems to be around data breach and how to minimize the exposure of the sensors in-field. However, in the past year or so there seems to have been a shift in the mind set of what is more important: a $5 sensor or the data we collect on people and objects. Clearly the data protection is more important. An example would be smart city projects in Canada that want to provide more real-time information to citizens about services and conditions. It requires them to track citizens to offer this service which means that there are substantial privacy concerns. The client can share lots of data but if it becomes compromised the city collecting it is liable under new legislation in Canada. Cities are taking the time to understand the risks and prepare for the eventuality of data breach and invasion of privacy.

You can see presentation that I gave below. As always if you have any questions about the presentation, please do not hesitate to contact us for clarification.

 

CB0C A Smart City Under Attack – TwelveDot

Facebooktwittergoogle_plusredditpinterestlinkedin

RIoT Control – A Book Review

riot-control

Coming soon to a bookstore (or Kindle) near you is… a first of a kind book on how to approach security for the Internet of Things (IoT). This book is an assessment of how to control and manage Risk and the Internet of Things – RIoT Control. It is targeted at executives, engineers and architects either responsible for considering or implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, businesses line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some of sectors is not going to be easy to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to be able to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to be able to compromise networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The list of the chapters contained in the book are:

Chapter 1 – Introduction to IoT

Chapter 2 – Anatomy of IoT

Chapter 3 – Requirements and Risk Management

Chapter 4 – Business and Organizational Requirements

Chapter 5 – Operational and Process Requirements Framework

Chapter 6 – Safety Requirements in the IoT

Chapter 7 – Confidentiality and Integrity

Chapter 8 – Availability and Reliability Requirements

Chapter 9 – Identity and Access Control Requirements

Chapter 10 – Usage Context and Environmental Requirements

Chapter 11-  Interoperability, Flexibility and Industrial Design Requirements

Chapter 12 – Threats and Impacts to the IoT

Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In this book Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers are provided a higher level of assurance to products and services they are selecting for IoT.

If  you want to buy this  book, for your convenience, here is the link to RIoT Control on Amazon.

 

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Canucks EP 4: Perceived Barriers to Security for SMBs

We hope you enjoy episode 4 in our series of podcasts on cybersecurity

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Cost of implementing Security – the cost is too high but how much does it cost after you’ve been breached
Lack of skilled Personnel – difficulty in finding the right people
– Physical Security –  often overlooked when thinking about cybersecurity
– We are too small we don’t need security – all organizations need security. Cyber criminals are now targeting smaller companies because they don’t consider security a priority
– Educate Staff –  All staff need to be educated about cybersecurity, breaches commonly occur from within

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.

Facebooktwittergoogle_plusredditpinterestlinkedin