Internet of Things: Challenges of securing IP-enabled devices


Photo: Sharat Sinha

A few years ago, the idea of having home and office appliances connected to a network may have seemed like something straight out of science fiction. Today, however, as technology continues to develop and evolve, this is fast becoming a reality that is increasing in complexity and sophistication.

Commonly referred to as the ‘Internet of Things’ (IoT), this connectedness is seeing a surge in growth, as everyday appliances are being IP-enabled and connected to the network. Clearly, it is a trend which seems set to continue.

Last month’s Internet of Things (IoT) Asia Exhibition and Conference, held in Singapore, reflected the direction local enterprises are moving towards to enhance their competitive advantage, with devices in the IoT used to better address their consumer and/or enterprise needs. But the benefits of IoT, while often cited as significant, have been countered with talks of increased security risks, which could be substantial, particularly in areas such as critical infrastructure, where they become targets for nation states and criminal organisations intent on accessing confidential data and information.

What are the vulnerabilities posed by IoT?
Analyst group Gartner projected that by 2020, the number of IP-enabled devices, not including PCs, tablets and smartphones, will hit 26 billion units globally, while IDC’s assessment pegged that number at 212 billion units. These numbers are significant, as each device represents another potential entry-point for hackers to launch targeted attacks on enterprises. With more devices communicating and sharing potentially confidential and sensitive data, coupled with the emergence of unprotected networks, the conclusion is obvious: there will be far more vulnerability points for security breaches.

Secondly, vendors with little or no security expertise are likely to overlook the security aspect of their low-cost IP-enabled devices that can be hooked up to the IoT. Thus, it may not be surprising to find basic security features absent in these devices. Moreover, there are no security standards to conform to in the majority of these devices—each differing in purpose and construction, utilising different operating systems and plugging into different parts of a network or system. As a result, protecting these devices and the communication between them has become a big challenge.

The third major risk is the devices’ connection to cloud-based applications and services. New data is constantly being uploaded, processed and deposited in the cloud, bringing the issue on data sovereignty into question. Moreover, data collection is often vague, with little clarity on access control and management, resulting in further complexities to segment and secure these massive volumes of data.

How to secure the Internet of Things
Fortunately, securing the multitude of potential attack points exists. This involves leveraging the same strategy as other IP-based communications.

Firstly, it is important to identify and understand which devices are part of the IoT network. Crucial knowledge about the nature of IoT devices is one of the stronger approaches in making decisions to protect the device and manage its data, similar to the security functions currently in existence for mobile endpoints. If a device is infected with malware, for example, it can be blocked from accessing the IoT network.

As IP-enabled devices differ in functionality, the most logical solution is to secure these devices at a network level rather than the endpoint level, thereby overcoming the limitations present in endpoint security functions. Depending on the support of inspection of IoT communications protocol, IoT can also leverage on existing network security solutions like firewall and IPS. In addition, by using the Zero Trust principles of least privilege access with granular segmentation, enterprises can secure IoT data and application access.

While the IoT may offer potential for improving the way that enterprises and government currently operate, it is fundamental to overcome the biggest challenge faced: the regulation surrounding IoT data collection system and the way these records will be used, shared and secured. To achieve this, it is imperative for enterprises, governments and standard organisations to collaborate and leverage expertise to overcome IoT’s complex, multi-faceted security vulnerabilities.

Sharat Sinha is Vice President, Asia Pacific, Palo Alto Networks

[Source: MIS Asia]

ISACA Names Matthew S. Loeb as CEO

Rolling Meadows, IL, USA (5 June 2014)—ISACA, a global professional association serving 115,000 information systems assurance, security, governance and risk professionals, has selected Matthew S. Loeb, CAE, as its new chief executive officer. With a strong background in enterprise strategy, corporate development, global business operations and governance, Loeb brings his extensive experience in leading innovation and strategic growth to ISACA.

“The ISACA Board of Directors welcomes Matt, and we look forward to working closely with him and building on our 45-year history helping our members and their enterprises drive value through information and information systems,” said Tony Hayes, 2013-2014 international president of ISACA and chair of the CEO search panel. “Matt is the right person to lead ISACA and is an ideal match for the execution of ISACA’s Strategy 2022, a long-term plan to expand the association’s reach into critical areas impacting business and technology, including cybersecurity and privacy. His experience in digital publishing, certification, global expansion and new programs in emerging technologies is key as we continue to enhance our resources for enterprises and members.”

He will assume his role as ISACA CEO on 1 September 2014. Loeb will come to ISACA after having completed a 20-year career as staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and as the executive director of the IEEE Foundation.

“As enterprises continue to invest in information systems to build personal relationships with their customers and gain business efficiencies, challenges of compliance, risk, big data, privacy and cybersecurity are increasing complexity for ISACA members in their work to ensure trust and value from these systems.” said Loeb. “While ISACA already delivers resources to help, we have the opportunity to do even more, including increasing appreciation for the role our professionals play in advancing economic prosperity and keeping the digital world safe. I am privileged to have the opportunity to partner with ISACA’s board and employees to grow the organization’s influence and impact globally.”

Established in 1969, ISACA serves members in more than 180 countries and offers four globally recognized certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). ISACA developed the COBIT framework, which helps companies govern and manage their information and technology, and recently launched the Cybersecurity Nexus program to help enterprises develop their cybersecurity work force and address the global skills shortage.

Loeb takes over the position from Acting CEO Ron Hale, Ph.D., CISM, who has filled the role since Susan M. Caldwell retired in September 2013 after 21 years as CEO of ISACA.

Additional information about ISACA is available at www.isaca.org.

 

About ISACA

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

Follow ISACA on Twitter:  https://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial

Like ISACA on Facebook: www.facebook.com/ISACAHQ

 

Contact:

Kristen Kessinger, +1.847.660.5512, news@isaca.org

Joanne Duffer, +1.847.660.5564, news@isaca.org

[Source: ISACA]

Four Things You Didn’t Know About Cloud Security

As more organizations move their data to cloud-based platforms, best practices for protecting sensitive assets continuously evolve. One of the biggest stumbling blocks IT professionals face with cloud security is purely conceptual—fail to understand the cloud and you will fail to understand the threats your assets face.

Let’s explore four ideas about the cloud that have clear security implications, both good and bad…

Emulate the biggest cloud user
The single biggest user of cloud storage—and thus the biggest stakeholder in keeping it secure—is the US federal government. More than 50% of government organizations now store their data and applications on a cloud-based platform and almost US $2 billion is spent each year keeping these cloud services functional and secure.

So what does this mean for you? It means that, of all places, the US government may be one of the most worthwhile organizations to emulate when it comes to best practices for data security in the cloud. In fact, the White House’s cloud-computing strategyprovides an excellent template for safely migrating sensitive data.

20% of data center devices are obsolete
Growing demand for cloud services has led to a virtual epidemic of providers upgrading their infrastructure in a haphazard, inefficient manner. In fact, data from the Uptime Institute indicates that one-fifth of all cloud servers are “obsolete, outdated or unused.”This widespread inefficiency represents a serious hidden security risk—many cloud users have had their sensitive data unknowingly exposed through systems that are improperly monitored, security resources that are stretched too thin, or improper offloading of old drives, servers and other hardware.

In this case, being vigilant about whom you work with is the best way to stay safe. Compliance with SSAE 16 or ISO 27001 usually indicates that a data center is prepared to meet the challenges associated with growth.

Data encryption does not equal privacy
Data encryption is a major selling point of many cloud services, and most of us have been brought up to believe that encrypted data is inherently safe. That changes in the cloud, however. If your encryption keys are being held by your provider, are your assets really secure? Whether it is a malicious insider or a government operative working under the auspices of the US PATRIOT Act, encryption keys are surprisingly accessible by third parties.

Instead, practice two-factor encryption of sensitive data—encrypt it before sending it to the cloud to make sure it cannot be accessed by an outsider.

The biggest threats may be from within
According to research conducted in February 2012 by IBM and the Ponemon Institute, the single biggest threat to sensitive data is user error. More than viruses, data breaches or insecure application programming interfaces, your own employees pose the biggest threat to the security of your cloud-stored data. Simple mistakes like improper password storage or forgetting to log off a shared workstation jeopardize countless assets every day.

For many organizations, the best investment that can be made in cloud-data security is training. Team members who have to access important data need to know proper safety techniques and these techniques should be implemented and enforced on a day-to-day basis.

Rich Murphy
Director of Technical Account Management—BlackStratus

[Source: ISACA]

IT’s Hottest Jobs: Information Security Architect

[Randy Gross]

Job title or job role:

Information Security Architect

Key responsibilities for this individual:

Information security architects plan and carry out security measures to protect an organization’s computer networks and systems. Their responsibilities are continually expanding as the number of cyberattacks increases

The information security architect is responsible for analyzing information security systems and applications, and recommending and developing security measures to protect information against unauthorized data modification or loss. Access control, intrusion detection, virus protection, certification, audit, incident response, security engineering, development and implementation of security policies and procedures are some of the areas that this individual is engaged in on a regular basis. Typical job responsibilities can include:

  • Designing security models; reviewing and approving security configurations and installation of firewall, VPN, routers, IDS scanning technologies and servers.
  • Overseeing security awareness programs; educating staff on information security policies, procedures and practices.
  • Monitoring industry security updates, technologies and best practices to improve security management.
  • Participating in the development of hardware/software/network security procedures and guidelines that support information security policies.

Top industries or markets needing this position:

Demand for information security architects is high. As cyberattacks grow in frequency and sophistication, many organizations find themselves falling behind in their ability to detect these attacks. Security architects are needed to develop innovative solutions to prevent hackers from stealing critical information or creating havoc on computer networks.

The federal government is expected to greatly increase its use of information security architects to protect the nation’s critical IT systems. In addition, as the healthcare industry expands its use of electronic medical records, ensuring patients’ privacy and protecting personal data are becoming more important. More information security architects will likely be needed to develop the safeguards that will satisfy patients’ concerns. Financial services companies also have a growing need for information security architects.

Preferred job roles or work background desired in this job role:

Candidates for the position of an information security architect should have at least eight to 10 years of experience in the IT field, with a broad range of exposure to all aspects of business planning, systems analysis and application development. Additionally, three to five years of experience specifically devoted to information security is advisable.

A bachelor’s degree (or advanced degree) in information technology, information security, computer science, mathematics or a related field is also the norm for this job.

Many employers will also require or prefer that candidates have advanced security-related industry certifications. Examples include CompTIA Security+, CompTIA Advanced Security Practitioner, Certified Information Systems Security Professional (CISSP), Certified Network Security Professional (CNSP) and Certified Hacking Forensics Investigator (CHFI).

Technology, business and soft skills needed for success in this role

Technology skills for an information security architect should include:

  • Knowledge of risk assessment procedures, policy formation, role-based authorization methodologies, authentication technologies and security attack pathologies
  • Technical proficiency in security-related hardware and software, forensics and other security systems and tools.
  • Technical proficiency in broader areas of IT, including networking, servers, desktops and mobile devices.

Desirable business and soft skills should include:

  • Oral and written communication skills with the ability to present and discuss technical information in a way that’s understandable for non-technical audiences.
  • The ability to lead both technical teams and project teams that cross multiple business functions.
  • Problem solving and analytical ability.
  • Strategic thinking and relationship management.

Top challenges of acquiring this talent:

Like many higher-level IT jobs, the role of information security architect is one that currently has more demand than supply. The Bureau of Labor Statistics reports that the employment outlook for security architects is expected to grow about 20 percent through the year 2018 as the need for information security and workers with security skills increases.

Best sources for recruiting individuals into this role:

Because the security architect is responsible for maintaining the security of a company’s computer system, they must think like a hacker would, anticipating the moves and tactics that hackers might use to try and gain unauthorized access to a computer system or network. Some IT experts feel that the best security architects are former hackers, making them very adept at understanding how the hackers will operate.

Best sources for developing internal staff into this role:

Many security architects begin their careers in entry-level positions as IT support specialists. This job provides the training necessary to become familiar with network systems, security and problem solving.

A lower level IT staff member often will demonstrate the aptitude and attitude to be trained and certificated for security-specific jobs. Someone in an entry-level position may operate software to monitor and analyze information, while a more senior-level position could be engaged in investigative work to determine whether a security breach has occurred.

Look for employees who demonstrate good organizational and problem-solving skills. They also need strong problem-solving and analytical skills

Time needed to train and “on-board” an individual into this role:

This is not an entry-level position. Many people venture into the occupation only after working in other IT roles such as computer technician.

Because of the critical nature of the information security architect, several years of experience in advanced security tasks is highly recommended. This experience may be gained by prepping an internal candidate for a senior security position; or recruiting an experienced security architect from another organization.

Candidates for the position of an information security architect should have at least eight to 10 years of experience in the IT field, with a broad range of exposure to all aspects of business planning, systems analysis and application development. Additionally, three to five years of experience specifically devoted to information security is advisable.

Competitive salary and benefits required to hire this individual:

The average pay for an information security architect is $106,974 per year, according to PayScale, a provider of data and insights around salary and career topics. Total pay for this position (salary and benefits) ranges from $82,714 to $157,556. Factors such as geographic location, known technologies, certifications and practical field experience can affect the salary level.

Best ways to measure success of the individual in this role:

The Information Security and Control Association has developed high-level guidance for information security governance and evaluation of security performance. They propose six areas that organizations should focus on when measuring the performance of security personnel and programs:

  1. The strategic alignment of information security in support of business objectives.
  2. Executing appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.
  3. Integration of all relevant assurance functions to maximize the effectiveness and efficiency of security activities.
  4. Optimizing security investments in support of business objectives to achieve the best return on security investments.
  5. Using information security knowledge and infrastructure efficiently and effectively.
  6. Monitoring and reporting on information security processes to ensure that objectives are achieved.

About the author: Randy Gross is the Chief Information Officer for CompTIA, the ICT Industry Trade Association.

The Latest Kuluoz Spam Campaign Kicks Off

At 06:47 PST on May 20 Palo Alto Networks WildFire detected the start of the latest Kuluoz spam campaign. The total number of e-mails detected quickly rose to over 30,000 per hour around noon PST and had not begun to slow down as of 1:30PM PST.

 

Kuluoz is a descendant of the Asprox malware and spreads by sending copies of itself as an e-mail attachment. As the malware infects more systems, the systems begin sending more e-mails which leads to more infections. Kuluoz makes money for its owner by installing other malware, such as crimeware or fake antivirus programs.

Kuluoz e-mails often trick the reader into thinking they are delivery notifications (such as UPS or Fedex), or notices from airlines or payment processors. In this case the e-mails claim to contain a document about a court case.

Subject: Hearing of your case in Court
From: Notice of Appearance

Pretrial Notice,
Please, download the copy of the court notice attached herewith to read the details.
Note: The case may be heard by the judge in your absence if you do not come.

Truly yours,
Clerk to the Court.
Olivia Smith

Each e-mail carries one of the following attachments:

  • Court_Notice_May-20_Date_IN-FN_2014.exe
  • Court_Notice_May-20_Date_EN-RM_2014.exe
  • DC_Court_Notice_ER_NSER[4 Random Numbers].zip

These attachments are different versions of the malware that has been packed to evade antivirus engines. Twelve of the 53 scanners on virustotal.com now detect the first variant of the malware, but only three detect the latest version.

To determine where the highest number of infected nodes are, we mapped the sending IP address for each of the attach e-mails to their rough geographic location. While there are infected systems around the world, the largest concentration is in North America, particularly the United Stats and Canada.


Geographic Distribution of Koluoz Spam Nodes in North America

Thus far we’ve detected the following command and control servers in use.

  • 192.69.192. 178:443
  • 59.106.185. 11:443
  • 173.203.113. 94:443
  • 69.60.8. 88:8080
  • 205.186.156. 218:8080

The network traffic generated by each Trojan uses the HTTP protocol, and despite its use of port 443, is not encrypted with SSL.

As with most fast-spreading malware, antivirus engines will typically begin detecting the files a day or two after the spread has begun. While we haven’t seen any indication that the spam volume has begun to slow down, we do expect the campaign to wind down in the next 24 hours, but a new campaign will probably be close behind. WildFire users can rest assured that they’ll be protected from whatever Kuluoz has in-store next.

[Source: Palo Alto Networks]

English
Exit mobile version