Internet of Things: Challenges of securing IP-enabled devices



A few years ago, the idea of having home and office appliances connected to a network may have seemed like something straight out of science fiction. Today, however, as technology continues to develop and evolve, this is fast becoming a reality that is increasing in complexity and sophistication.

Commonly referred to as the ‘Internet of Things’ (IoT), this connectedness is seeing a surge in growth, as everyday appliances are being IP-enabled and connected to the network. Clearly, it is a trend which seems set to continue.

Last month’s Internet of Things (IoT) Asia Exhibition and Conference, held in Singapore, reflected the direction local enterprises are moving towards to enhance their competitive advantage, with devices in the IoT used to better address their consumer and/or enterprise needs. But the benefits of IoT, while often cited as significant, have been countered with talks of increased security risks, which could be substantial, particularly in areas such as critical infrastructure, where they become targets for nation states and criminal organisations intent on accessing confidential data and information.

What are the vulnerabilities posed by IoT?
Analyst group Gartner projected that by 2020, the number of IP-enabled devices, not including PCs, tablets and smartphones, will hit 26 billion units globally, while IDC’s assessment pegged that number at 212 billion units. These numbers are significant, as each device represents another potential entry-point for hackers to launch targeted attacks on enterprises. With more devices communicating and sharing potentially confidential and sensitive data, coupled with the emergence of unprotected networks, the conclusion is obvious: there will be far more vulnerability points for security breaches.

Secondly, vendors with little or no security expertise are likely to overlook the security aspect of their low-cost IP-enabled devices that can be hooked up to the IoT. Thus, it may not be surprising to find basic security features absent in these devices. Moreover, there are no security standards to conform to in the majority of these devices—each differing in purpose and construction, utilising different operating systems and plugging into different parts of a network or system. As a result, protecting these devices and the communication between them has become a big challenge.

The third major risk is the devices’ connection to cloud-based applications and services. New data is constantly being uploaded, processed and deposited in the cloud, raising the issue of data sovereignty. Moreover, data collection is often vague, with little clarity on access control and management, which makes it more complex to segment and secure these massive volumes of data.

How to secure the Internet of Things
Fortunately, ways to secure the multitude of potential attack points exist. They involve leveraging the same strategy used for other IP-based communications.

Firstly, it is important to identify and understand which devices are part of the IoT network. Knowing the nature of each IoT device is one of the stronger bases for deciding how to protect the device and manage its data, similar to the security functions that already exist for mobile endpoints. If a device is infected with malware, for example, it can be blocked from accessing the IoT network.

As IP-enabled devices differ in functionality, the most logical solution is to secure these devices at the network level rather than the endpoint level, thereby overcoming the limitations present in endpoint security functions. Depending on whether inspection of the IoT communications protocols is supported, IoT can also leverage existing network security solutions such as firewalls and IPS. In addition, by using the Zero Trust principles of least privilege access with granular segmentation, enterprises can secure IoT data and application access.
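
The approach in the two paragraphs above, as an added example that is not from the article or any vendor product: a default-deny check applied at the network level, where a flow is allowed only if the source device is in the inventory, is not flagged as infected, and the destination matches the allow-list for its device class. The addresses, device classes and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: device IP -> (device class, flagged as infected?)
INVENTORY = {
    "10.20.1.11": ("ip-camera", False),
    "10.20.1.12": ("ip-camera", True),        # flagged by malware detection
    "10.20.2.21": ("hvac-controller", False),
}

# Least-privilege allow-list per device class: (destination, protocol, port).
# Anything not listed here is denied.
POLICY = {
    "ip-camera": [(ip_network("10.50.0.10/32"), "tcp", 554)],         # recorder only
    "hvac-controller": [(ip_network("10.50.0.20/32"), "tcp", 8883)],  # broker only
}


def decide(src, dst, proto, port):
    """Return (verdict, reason) for one flow leaving an IoT segment."""
    entry = INVENTORY.get(src)
    if entry is None:
        return ("deny", "unknown device")      # not identified, so not trusted
    dev_class, infected = entry
    if infected:
        return ("deny", "quarantined")         # infected devices are blocked
    for net, allowed_proto, allowed_port in POLICY.get(dev_class, []):
        if ip_address(dst) in net and proto == allowed_proto and port == allowed_port:
            return ("allow", dev_class)
    return ("deny", "outside least-privilege policy")


# Constructed flow records: (source, destination, protocol, port)
FLOWS = [
    ("10.20.1.11", "10.50.0.10", "tcp", 554),    # camera -> its recorder
    ("10.20.1.12", "10.50.0.10", "tcp", 554),    # infected camera
    ("10.20.1.11", "10.50.0.20", "tcp", 8883),   # camera -> HVAC broker (lateral)
    ("10.20.9.99", "10.50.0.10", "tcp", 554),    # device not in inventory
    ("10.20.2.21", "203.0.113.5", "tcp", 443),   # HVAC -> external address
]


def evaluate(flows):
    """Apply the policy to each flow and return the list of decisions."""
    return [decide(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, evaluate(FLOWS)):
        print(flow, "->", verdict)
```
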

While the IoT may offer potential for improving the way that enterprises and governments currently operate, it is fundamental to overcome the biggest challenge faced: the regulation surrounding IoT data collection systems and the way these records will be used, shared and secured. To achieve this, it is imperative for enterprises, governments and standards organisations to collaborate and leverage expertise to overcome IoT’s complex, multi-faceted security vulnerabilities.

Sharat Sinha is Vice President, Asia Pacific, Palo Alto Networks

[Source: MIS Asia]

ISACA Names Matthew S. Loeb as CEO

Rolling Meadows, IL, USA (5 June 2014)—ISACA, a global professional association serving 115,000 information systems assurance, security, governance and risk professionals, has selected Matthew S. Loeb, CAE, as its new chief executive officer. With a strong background in enterprise strategy, corporate development, global business operations and governance, Loeb brings his extensive experience in leading innovation and strategic growth to ISACA.

“The ISACA Board of Directors welcomes Matt, and we look forward to working closely with him and building on our 45-year history helping our members and their enterprises drive value through information and information systems,” said Tony Hayes, 2013-2014 international president of ISACA and chair of the CEO search panel. “Matt is the right person to lead ISACA and is an ideal match for the execution of ISACA’s Strategy 2022, a long-term plan to expand the association’s reach into critical areas impacting business and technology, including cybersecurity and privacy. His experience in digital publishing, certification, global expansion and new programs in emerging technologies is key as we continue to enhance our resources for enterprises and members.”

He will assume his role as ISACA CEO on 1 September 2014. Loeb will come to ISACA after having completed a 20-year career as staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and as the executive director of the IEEE Foundation.

“As enterprises continue to invest in information systems to build personal relationships with their customers and gain business efficiencies, challenges of compliance, risk, big data, privacy and cybersecurity are increasing complexity for ISACA members in their work to ensure trust and value from these systems,” said Loeb. “While ISACA already delivers resources to help, we have the opportunity to do even more, including increasing appreciation for the role our professionals play in advancing economic prosperity and keeping the digital world safe. I am privileged to have the opportunity to partner with ISACA’s board and employees to grow the organization’s influence and impact globally.”

Established in 1969, ISACA serves members in more than 180 countries and offers four globally recognized certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). ISACA developed the COBIT framework, which helps companies govern and manage their information and technology, and recently launched the Cybersecurity Nexus program to help enterprises develop their cybersecurity work force and address the global skills shortage.

Loeb takes over the position from Acting CEO Ron Hale, Ph.D., CISM, who has filled the role since Susan M. Caldwell retired in September 2013 after 21 years as CEO of ISACA.

Additional information about ISACA is available at www.isaca.org.

 

About ISACA

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

Follow ISACA on Twitter:  https://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial

Like ISACA on Facebook: www.facebook.com/ISACAHQ

 

Contact:

Kristen Kessinger, +1.847.660.5512, news@isaca.org

Joanne Duffer, +1.847.660.5564, news@isaca.org

[Source: ISACA]
