Embedding security into the architecture and design of major IoT projects is the best way to catch problems earlier, avoid costly patchwork, lower the risk of data breaches, and meet compliance needs. However, research shows that most of the time security is either completely forgotten or is just an afterthought. The same is true for IoT, where the race to be first in the market is on, and taking care of the security and privacy of critical assets is not given due importance in design and implementation.
IoT is not only about connecting machines; the technology can do countless other amazing things. Recently I had the privilege of working with a few non-profit organizations promoting education. The solution involved Raspberry Pi, which is used in many IoT applications, to make a big difference in education.
Millions of families across the globe are forced into perpetual poverty due to lack of access to quality education.
Either schools are not available in many parts of the world, or, if schools exist, qualified teachers are hard to find. While many non-profit organizations are creating video lessons, in rural areas of many countries the Internet is not available to enable access to these video lessons. A major question is how to make this content available to students in these schools, and this is where Raspberry Pi comes into the picture.
Our solution involves partnering with non-profit organizations creating video lessons and using Raspberry Pi to make these lessons available to schools. Raspberry Pi has proved to be a promising platform because of a few key features:
- With a Micro SD card, it is possible to load video lessons locally on the device, eliminating the need for Internet web servers.
- An HDMI port is available to connect Raspberry Pi to a TV set in the classroom.
- Raspberry Pi has a complete operating system which enables adding features like running local Web Server and Web Browser.
- Cost is one of the major factors. Raspberry Pi is available at a very low cost.
- There are no moving parts in Raspberry Pi, so the system can work for a long time with little to no support.
- While the main use case is to connect Raspberry Pi to a TV monitor in the classroom, WiFi is enabled so that other computers or handheld devices can also be used to view these lectures.
The hope is that this solution will bring much-needed help to schools in villages and other remote areas, addressing the lack of teachers and quality lessons. This is especially important for science subjects, where teachers are hard to find and retain. The overall cost of the solution is low, as it needs only a small TV and a Raspberry Pi device. The next frontier is to add the option of solar panels to reach places where continuous electricity is not available. Raspberry Pi is a small device, but it is expected to make a big difference in the lives of students in these neglected schools.
Phishing is becoming a major threat vector and the preferred method for attackers to break into victim networks. The Verizon Data Breach Investigations Report shows that more than two-thirds of attacks in the espionage category used phishing as an attack vector.
Typical phishing attacks start well before people start receiving phishing emails.
Attackers use social media web sites to research potential targets and to craft “real-looking” emails. Once phishing emails are sent, it is almost certain that someone will click on a link or download and open a file. However, the good news is that a phishing attack does not succeed just because someone clicked on a link. There are a number of additional steps before data exfiltration where information security teams can interrupt the attack and break the chain of events to avoid a data breach.
Following are the typical steps of a phishing attack, which happen in sequence (I call this the “phishing attack chain”):
- Attackers research public sources of information, craft phishing emails, and send them to potential victims.
- When someone clicks on a link or downloads a file, attackers exploit an existing vulnerability to install malware or create a backdoor.
- Attackers use the malware or backdoor to download additional malware components.
- The malware is used to scan the victim’s network, gather interesting information, and collect data.
- Data is exfiltrated as the last step of the attack.
Information security professionals can use the following security controls to break the phishing attack chain and avoid data loss:
- Create a social media policy and educate employees about phishing attacks. This will not stop phishing attacks but can make the attackers’ task more difficult.
- Use spam filters. However, spam filters are limited in the face of sophisticated and targeted phishing attacks.
- Sandboxing technologies, when used effectively for email, can be very helpful in identifying and blocking phishing emails by testing links and attachments for malware.
- If the email software provides an option for rewriting the subject line or adding a footer to each email, use this feature for all email coming in from the Internet. Add specific words to the subject line or a footer at the bottom of emails to warn recipients that the email is coming from outside the company. This will help them be a little more cautious when clicking on links.
- Apply patches on end-user devices so that a click does not result in exploiting old and known vulnerabilities.
- Restrict outbound traffic on firewalls, which will help deny malware unrestricted outbound access. Monitor for dropped outbound packets on firewalls to detect potential malware infections and as an early warning mechanism.
These are just a few quick and simple controls, but a comprehensive strategy is required to guard against phishing email attacks. A comprehensive approach will include many additional steps. For example, network segmentation, restricting email access on laptops/desktops that are used for controlled parts of the network, denying email and web access from servers, and other measures can be very helpful. Some businesses also use products and services for education and awareness, which can be an effective tool. A cost-benefit analysis of all controls will help decide which ones have the best potential for mitigating the risk associated with phishing attacks.
Data Breach Digest is the latest report from the Verizon RISK team. This is the same Verizon team that publishes the Verizon Data Breach Investigations Report, more commonly known as the DBIR. The main idea behind the Data Breach Digest is to share knowledge about specific data breaches with the security community. This is a report that tells the story behind selected data breaches: what happened, who did it, how it was discovered, the response, and recommendations so that you can avoid being in the same situation. It is a must-read for every information security professional.
How is the Data Breach Digest different from the Verizon Data Breach Investigations Report (DBIR)? The DBIR is more about finding trends in the large amount of data that Verizon collects from many partners across the globe. The Data Breach Digest, on the other hand, takes readers closer to individual breaches. There are only 18 data breaches in the Data Breach Digest. However, each of these 18 data breaches is discussed in detail.
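To show what the last control looks like in practice, here is an added example (not code from the original post) that scans firewall log lines for dropped outbound packets and flags internal hosts that repeatedly hit the deny rule, which is the early warning the post describes. The iptables-style log format, the OUTBOUND_DROP prefix, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in iptables LOG-target style; "OUTBOUND_DROP" is an
# assumed log prefix for the firewall's deny-outbound rule. 10.0.1.23 keeps
# trying several external hosts; 10.0.1.50 is one blocked SSH attempt.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=49201 DPT=443
Mar  1 10:00:03 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=49202 DPT=443
Mar  1 10:00:07 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.9 PROTO=TCP SPT=49203 DPT=443
Mar  1 10:00:12 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.77 PROTO=TCP SPT=49204 DPT=8080
Mar  1 10:00:15 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=192.0.2.44 PROTO=UDP SPT=53011 DPT=53
Mar  1 10:00:20 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.5 PROTO=TCP SPT=49205 DPT=443
Mar  1 10:01:02 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.50 DST=203.0.113.80 PROTO=TCP SPT=51000 DPT=22
Mar  1 10:01:05 fw kernel: OUTBOUND_DROP IN=eth1 OUT=eth0 SRC=10.0.1.50 DST=203.0.113.80 PROTO=TCP SPT=51001 DPT=22
Mar  1 10:01:09 fw kernel: OUTBOUND_ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.50 DST=203.0.113.80 PROTO=TCP SPT=51002 DPT=443
"""

LINE_RE = re.compile(
    r"OUTBOUND_DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text):
    """Yield (src, dst, proto, dport) for every dropped outbound packet."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def suspicious_hosts(log_text, min_drops=5, min_distinct_dst=3):
    """Return {src: summary} for internal hosts worth a closer look.

    One dropped packet is noise (a typo, a misconfigured client). A host that
    repeatedly tries many external destinations the policy does not allow
    looks like malware reaching for its download or command servers.
    The thresholds are assumptions; tune them to your own baseline.
    """
    drops, dsts, ports = Counter(), defaultdict(set), defaultdict(Counter)
    for src, dst, proto, dport in parse_drops(log_text):
        drops[src] += 1
        dsts[src].add(dst)
        ports[src][(proto, dport)] += 1
    flagged = {}
    for src, n in drops.items():
        if n >= min_drops and len(dsts[src]) >= min_distinct_dst:
            flagged[src] = {
                "drops": n,
                "distinct_dst": len(dsts[src]),
                "top_port": ports[src].most_common(1)[0][0],
            }
    return flagged


if __name__ == "__main__":
    for src, info in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{src}: {info['drops']} dropped outbound packets to "
              f"{info['distinct_dst']} destinations, mostly {info['top_port']}")
```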
Data Breach Patterns are Very Common
As noted in the report, contrary to what people think, breaches are not usually unique and follow very common patterns. Twelve of the eighteen data breaches included in the digest cover about 60% of all data breach cases recorded in the DBIR.
The six other data breaches cover the most “lethal” data breaches, which were either difficult to detect/stop or had a huge impact on business.
Just to give you an idea of what you will find in the report, the first data breach in the list involves a targeted social engineering attack. It describes how an employment offer to a chief design engineer through a social media site resulted in the loss of intellectual property, including the design of innovative construction equipment. While reading the story behind the data breach, you will realize how attackers trap people through social engineering, and that incident response is more than just tools and technologies: investigators need to have general investigative skills as well.
If you have incident response responsibilities or want to manage an information security program effectively, this report is for you. You will learn the techniques attackers are using and how to defend against similar attacks.
If there is one thing a reader can take away from the Data Breach Digest, it would be the Attack-Defend Cards included in the report. Each of the eighteen data breaches in this report comes with a one-page summary called an Attack-Defend Card. This page summarizes the breach scenario (including frequency and sophistication level), who the attackers are and what their techniques are, useful data about the incident, and how to defend against it.
A Tool for Security Awareness
The Data Breach Digest is a great tool for security awareness programs. Readers can use the Attack-Defend Cards very effectively to raise awareness across IT and non-IT communities.
Want to know about the dangers of USB devices? There is a card for that! Partner misuse? There is a card for that! SQL injection? There is a card for that. You get the idea!
Relevance to Industry Sectors
Just like the DBIR, this report also sheds light on particular scenarios that a specific industry must pay attention to. Manufacturing, transportation, utilities and professional services folks: pay special attention to cyber espionage. Accommodation, entertainment, retailers and hotels? POS intrusion is your biggest area of worry. Mining? Keep an eye on insiders. In short, you will find the relevance of the specific data breaches covered in this report to your industry.
This report is a good read for the weekend or if you are on a long flight to a regional office on the other side of the continent. Enjoy and share with others!
The Data Breach Digest can be downloaded from the Verizon web site: http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/
Manufacturers have been building products (or things) for a very long time. A major shift in the competitive landscape is about making these products or things “smart”. Now, people not only need a light bulb, they want a “smart” light bulb. Now a blood pressure meter has to be able to save historical data, provide trend analysis, and make it available to doctors for better care of patients. The same is true for any other product we can think of. A new IoT industry is emerging rapidly, with smart, connected products that can do much more than the traditional capabilities of these products.
Any manufacturer who does not seriously pursue a “smart products” strategy will definitely be left behind and go out of business. The writing is on the wall, although some people may not see it.
The question for manufacturers is how they should pursue a smart products strategy and get into the Internet of Things, or IoT, universe.
If we look at the evolution of smart things, it can be described in a simple diagram. Most manufacturers are creating “things” at the very left-hand side. The target is to move to the right, with smart connected things that can integrate into consumer and business applications. The big question for manufacturers is how to get there.
- Step One – The first step in the IoT strategy for manufacturers is to identify what intelligence they can build into their products. At a minimum, the products should be able to collect data. Ideally, any product should be able to take some action based upon the collected data, receive instructions through standard protocols, and take some action based upon received instructions. Manufacturers need to think about “use cases” for their products. A smart light bulb can change the color of its light, its intensity, and other characteristics based upon its surroundings, can conserve energy, and so on. Here, imagination is the only limit. A manufacturer must believe that each product can do more than what it is doing today.
- Step Two – The second step in the strategy is to build the capability for smart products to communicate with the external world and with each other. A manufacturer can get help from open source protocols, Internet and wireless service providers, and software components built by different vendors. Partnerships with external companies can play a key role in expediting the connectedness of smart things. Cellular wireless networks may be the best choice for mobile products or remote areas. On the other hand, traditional networks may work well for stationary products. In some cases manufacturers may have to build “gateways” to talk to smart products, and external vendors can help achieve this goal very quickly.
- Step Three – Any IoT strategy needs to bring value to manufacturers in terms of money and to consumers in terms of better functionality and convenience. Integration of the newly smart products with business or consumer applications is a must to achieve value. Typical consumer applications are focused on mobile phones, whereas business application integration may include customer relationship management systems, ERP, data analytics and so on. While thinking about integration, manufacturers must adopt standardized APIs and other interfaces so that any application vendor can consume data, make decisions and communicate back to the smart things/products.
Connected smart products are not only a business imperative but can also generate new revenue streams for manufacturers in the form of ongoing service contracts. By adopting this approach and logically dividing the IoT journey into different parts, manufacturers can use a divide-and-conquer approach to get to market quickly.
IoT is all about connecting devices and machines to the Internet so that they can talk to each other, collect and share data, analyze the data, and bring business value out of data analytics. A fair argument is that we have been using sensors and devices to collect and analyze data for a very long time (at least 2-3 decades), for example in industrial control systems and SCADA networks. So why is there so much hype about the Internet of Things when the concept is not entirely new?
This is true! Sensors, networking, data collection, and data analysis have been going on for quite some time. However, what is really new and exciting now is the following:
- Cost of Building Sensors and Devices – In the past, sensors were very costly and we could use them for limited purposes only, due to the lack of a good business case. Now the cost of sensors has gone down drastically and it is very easy to build devices to collect data.
- Availability of Wireless and Mobile Technologies like LTE – In the past it was very difficult and costly to connect remote sensors and devices. The networks to connect devices were either not available or had very low bandwidth and high latency. With the availability of new technologies, this situation has changed drastically, and networks are available everywhere at a very low cost.
- Two-Way Communication to Make Decisions and Take Actions – In the past, typical data collection was one way and in many cases not real time. It was difficult to have two-way communication to take actions on data. With the availability of new networks and powerful devices, real-time two-way communication has become a reality, and it is making the use of IoT more interesting.
- User Interface and Mobile Apps – Many of the IoT technologies of today rely on apps built for mobile devices that provide an easy user interface. That was not the case just a few years back.
- Availability of Low-Cost, High-Bandwidth Networks to Transmit Data – For massive data collection, the overall cost of the network to transmit data to data processing centers has gone down. While we talked about wireless networks earlier, this is more about data transmission in bulk.
- Cloud-Based Processing and Storage for Data Analytics – Cloud computing now provides on-demand machines for processing and storing data, which makes scalability achievable. Building infrastructure was an issue in the past.
- Common Business Applications and Use Cases – Many new use cases for IoT technologies have emerged, from home technologies to smart cities and smart grids, to healthcare and so on.
- Open Source APIs, Tools, and Protocol Standardization – Open source technologies and the standardization of protocols are also playing a role in the wider adoption of IoT. Now people can build devices and applications that work across a wider range of vendors.
These are just some of the reasons why IoT is gaining popularity and wider adoption, although the concept is not entirely new. Adoption of IPv6 addressing, especially in wireless networks, is also lifting the limitation on the number of machines that can be connected to the Internet.
However, before jumping on the IoT bandwagon, it is important that companies work on building their own IoT frameworks that encompass device management, end-to-end data paths, security, encryption, storage, analytics, and use cases.
Building an IoT framework is key to making IoT initiatives successful and achieving business value.
How does the brain work? Can we learn after childhood? What is our mental capacity? What are the myths and what is reality? This article from McKinsey & Company sheds some light on these questions.
“Misconceptions about the brain are embedded in corporate training programs and could be sabotaging their effectiveness. Companies should reevaluate them in light of the latest scientific insights.”
When it comes to the training and development of the workforce, organizations have been relying on various companies, life coaches, executive consultants, and training gurus. Given the knowledge economy we live in, exploring new ideas about learning, training and development is imperative for the growth of a business. This article is great for answering some of the common questions and misconceptions.
Software Defined Networking, or SDN, brings a paradigm shift and new promises about how networks are designed and operated. The biggest change is separating the control plane from the data forwarding plane, which in the current network paradigm are tied together on the same box. This will not only allow ease of management from a centralized location but will also make plumbing in new protocols easy.
While SDN is focused on networking, it also brings added advantages for information security, some of which are listed below.
- For SDN networks, security can be baked into the network forwarding plane, whereas it is an add-on feature in traditional networking.
- Security policy is managed by a centralized controller.
- Network Function Virtualization (NFV) provides a huge advantage:
  - Enables virtualization of security functions (e.g. firewalls, IPS, anti-malware, etc.)
- SFC, or Service Function Chaining:
  - Enables security functions (firewall, IPS, web filtering, anti-malware, etc.) to be placed in-line in the data path
  - Easy to plug in new functions or remove functions that are not needed
- Granular controls (applying policies on each virtual interface instead of on network segments):
  - Simple quarantine of individual workloads in case of security incidents
  - Security policy follows workloads when they migrate in cloud environments
- Speed, agility, and cost benefits:
  - Achieving and demonstrating compliance is relatively easy
- Enables inspecting all network traffic, compared to traditional network security technologies where high-volume inspection of inside traffic is difficult.
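As an added illustration of three items in the list above (policy applied per virtual interface, quarantine of a single workload, and policy that follows a workload when it migrates), here is a toy controller model in Python. It is not code from the original post or from any SDN product; the Controller class, the (vif, match, action) rule format, and the host and workload names are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    host: str                    # hypervisor the workload currently runs on
    vif: str                     # virtual interface: the enforcement point
    allow: list = field(default_factory=list)   # allowed (proto, dst_port)
    quarantined: bool = False


class Controller:
    """Central policy store. Policy is keyed by workload identity, not by host
    or segment, which is what lets it follow the workload when it moves."""

    def __init__(self):
        self.workloads = {}

    def register(self, workload):
        self.workloads[workload.name] = workload

    def migrate(self, name, new_host, new_vif):
        # Moving a workload only changes where its rules are rendered.
        w = self.workloads[name]
        w.host, w.vif = new_host, new_vif

    def quarantine(self, name):
        # Isolate one workload without touching its neighbours on the segment.
        self.workloads[name].quarantined = True

    def rules_for_host(self, host):
        """Ordered (vif, match, action) rules pushed to one host's forwarding plane."""
        rules = []
        for w in self.workloads.values():
            if w.host != host:
                continue
            if not w.quarantined:
                for proto, port in w.allow:
                    rules.append((w.vif, f"{proto}/{port}", "forward"))
            rules.append((w.vif, "any", "drop"))    # default deny per interface
        return rules

    def decide(self, host, vif, proto, port):
        # First-match evaluation, as the switch would do with the pushed rules.
        for rule_vif, match, action in self.rules_for_host(host):
            if rule_vif == vif and match in (f"{proto}/{port}", "any"):
                return action
        return "drop"    # no rule for this interface on this host


def demo():
    """Walk through the three scenarios; returns the decisions made at each step."""
    c = Controller()
    c.register(Workload("web", "h1", "tap-web", [("tcp", 443)]))
    c.register(Workload("db", "h1", "tap-db", [("tcp", 5432)]))
    before = c.decide("h1", "tap-db", "tcp", 5432)        # forward
    c.quarantine("db")                                    # only db is cut off
    after_q = (c.decide("h1", "tap-db", "tcp", 5432),     # drop
               c.decide("h1", "tap-web", "tcp", 443))     # forward, unaffected
    c.migrate("web", "h2", "tap-web-2")                   # policy moves with it
    after_m = (c.decide("h2", "tap-web-2", "tcp", 443),   # forward on new host
               c.decide("h1", "tap-web", "tcp", 443))     # drop: nothing left on h1
    return before, after_q, after_m
```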
Note: There is an updated CISO Mind Map for 2016 on this URL
As the InfoSec landscape changes constantly, so do the responsibilities of a CISO. Virtual security appliances are becoming more common in cloud environments. Similarly, IoT and Software Defined Networking (SDN) are picking up steam and can’t be ignored by a CISO.
As many of you know, I have been publishing the CISO Mind Map for a number of years. The last update was made in December 2014. I have added/updated some items based upon the latest industry trends and changes in the technology landscape, although a major part of the Mind Map is the same.
Permission to Use – As always, permission for non-commercial use of this Mind Map is granted as long as proper citations and references are provided. Any trademarks or service marks used in the Mind Map are the property of their respective owners.
PDF Download – A PDF download of the Mind Map is available at this link.
The Verizon 2015 DBIR was just released today and, as someone said, it is “the best” DBIR ever. The report provides a number of important findings and new data analysis, especially around the cost of data breaches. The report contains analysis of 2122 confirmed data breaches and 79790 security incidents. It is available for download from http://www.verizonenterprise.com/DBIR/
So what is new? Here is a summary:
- There were 70 partners contributing to this data set. Compared to last year, when 50 partners contributed to the 2014 DBIR, this is a 40% increase.
- As in the 2014 DBIR, a vast majority of security incidents (96%) still fall into nine major categories.
- There is a significant hype about mobile threats. However, the data shows that mobile threats are not playing a significant role in real data breaches yet.
- Verizon created a new model for estimating the cost of data breaches, which comes out to 58 cents per stolen record.
- Verizon analyzes the top three threats for different industry segments.
- The “detection deficit” is still playing a huge role in data breaches. This means the attackers are getting smarter, but defenders are not making much progress.
- Phishing is playing a big role. People open about 23% of phishing emails and about half of them open attachments.
This year’s DBIR is better than ever, with more contributors to the data set and new recommendations from Verizon to detect breaches early, minimize the damage, and respond better to security incidents. This is a “must read” for information security professionals.