In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.
IoT visibility & security in 2019:
1. IoT endpoint security vs network security
Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.
Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.
2. “Cryptography is typically bypassed, not penetrated” Shamir’s law
In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.
Cybersecurity is the process of protecting and defending an enterprise’s use of cyberspace by detecting, preventing and responding to any of the malicious attacks like disabling, disrupting, injecting malware, or anything thing else aimed to harm the organization.
At its center, cybersecurity defends your organization from vicious and threat attacks aimed to disrupt and steal information from your organization. Cybersecurity risks are similar to financial and reputational risks as it could directly affect the organization’s growth, driving the costs up and adversely affecting the revenue.
If you’re a part of an organization, and especially, if your workplace stocks sensitive information of individuals or clients involved, then this is an ideal time to educate yourself regarding cybersecurity and ways to safeguard your organization against cyber attacks and threats with the help of professionals who hold cybersecurity certifications.
To stay secure many businesses regularly test their systems to identify vulnerabilities. Penetration testing is one of the most common types of cyber security assessment but in recent years a growing number of businesses have also turned to ‘bug bounty’ programmes to supplement their testing programmes.
Penetration testing (often referred to as pen testing) is a well-known and established form of assessment, typically carried out by a company that specialises in ethical hacking. (Covered here in great detail by Redscan’s extensive glossary). Bug bounty programmes, however, are a more recent offering, viewed by many as a complement to penetration testing, helping to widen the scope of security testing on platforms that are already well-secured against attacks.
Many large organisations run their own on bug bounty programmes, including Google, Facebook and Microsoft (which paid out millions in bounties in 2018). Even the EU has begun funding programmes.
First announced in 2015, the United Kingdom (UK) finally published its Digital Strategy that went into effect on March 1, 2017. Per the government’s website, the goal of this document is to provide a blueprint how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good. This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.
In early February 2017, Tallinn Manual 2.0 was published by Cambridge University Press. Led by the NATO Cooperative Cyber Defence Centre of Excellence, publication of the initial Tallinn Manual occurred in 2013 and focused on the applicability of international law to conventional state-authorized and operated cyber warfare. Authored by a group of international law experts, the recent follow-up focuses on a full spectrum of international law as applicable to cyber operations conducted by and directed against nation states, ranging from peacetime legal regimes to the law of armed conflict.
in December 2016, Russian President Vladimir Putin approved a new information security doctrine, which updates the older 2000 version. The doctrine, a system of official views on the insurance of the national security of the country in the information sphere, regards the main threats to Russia’s security and national interest from foreign information making its way into the country, and sets priorities for countering them.
The new GDPR (General Data Protection Regulation- see the full document here ) issued by the EU earlier this year raises many questions among compliance and privacy officers. Who is required to comply with the GDPR and are companies really expected to revamp the entire way they handle customer privacy?