In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.
IoT visibility & security in 2019:
1. IoT endpoint security vs network security
Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.
Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.
2. “Cryptography is typically bypassed, not penetrated” Shamir’s law
In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.
Cybersecurity is the process of protecting and defending an enterprise’s use of cyberspace by detecting, preventing and responding to any of the malicious attacks like disabling, disrupting, injecting malware, or anything thing else aimed to harm the organization.
At its center, cybersecurity defends your organization from vicious and threat attacks aimed to disrupt and steal information from your organization. Cybersecurity risks are similar to financial and reputational risks as it could directly affect the organization’s growth, driving the costs up and adversely affecting the revenue.
If you’re a part of an organization, and especially, if your workplace stocks sensitive information of individuals or clients involved, then this is an ideal time to educate yourself regarding cybersecurity and ways to safeguard your organization against cyber attacks and threats with the help of professionals who hold cybersecurity certifications.
According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC marks NATO’s understanding of the importance that cyberspace plays in conflict, particularly in times of political tensions that has resulted in cyber malfeasance that has targeted elections and critical infrastructure. The establishment of the COC is a natural evolution in how to address cyber attacks in a more timely manner by integrating cyber actions with more conventional military capabilities. In early 2014, after notable cyber incidents were a part of international incidents that occurred in Estonia in 2007 and Georgia in 2008, the Alliance updated its cyber defense policy to classify digital attacks as the equivalent of kinetic attacks under its collective security arrangement under Article 5 of the treaty.
In those particular instances, Russia was suspected in orchestrating or at least tacitly supporting the cyber attacks that afflicted both states. Since then, Russia’s alleged cyber activities have only become more brazen in their scale and aggressiveness. From suspected involvement in launching cyber attacks against Ukrainian critical infrastructure to launching a variety of cyber operations to meddle in the elections of foreign governments, Russia has taken advantage of the uncertainty of cyberspace where there is little consensus on key issues such as Internet governance, cyber norms of state behavior, or the criteria by which cyber attacks escalate to a point of war.
The White House has recently published its new National Cyber Strategy, rescinding an Obama-era memorandum Presidential Policy Directive-20 (PPD-20) that laid forth the process by which the United States would undertake cyber attacks against cyber foes, to include foreign state actors. The Strategy consists of four primary pillars designed to guide how the United States will undergo defensive, and perhaps more importantly, offensive actions in order to preserve its interests in cyberspace. Per the Strategy, the four pillars are:
A recent article revealed that the United States government has gotten better at providing unclassified cyber threat information to the private sector. Law enforcement and intelligence organizations have greatly cut down the time it takes to provide unclassified versions of cyber threat indicators (a term that can reference that can refer to a variety of technical data that includes but is not limited to IP addresses, malware, e-mail addresses, etc.) to the Department of Homeland Security (DHS) to disseminate promptly to the private sector. The process had traditionally been slow as it involves an originating agency to determine if the indicator has been properly vetted without exposing sources and methods, per the article.
Speed of delivering pertinent threat information is certainly an improvement in a domain where attacks occur in seconds. A November 2017 report from the DHS Office of the Inspector General provided a report on actions taken during 2016 in fulfillment of direction mandated by the Cybersecurity Information Sharing Act of 2015 with regards to the sharing of threat indicators. Per the report, despite successfully classifying indicators and defensive measures, it still faced challenges effectively sharing such information across the public and private sectors. The report advocated enhanced outreach and a cross-domain information processing solution.
Nowadays the cyber security is essential for individuals, companies, economies, governments and nations as a whole. The reality is that all of them are trying to stay on track against the latest cyberattacks, but there are some countries committing most to cybersecurity.
One of the best ways to determine where most of the cyber attack really come from in real time is by using the map created by Norse.
Another great alternative if you want to find out which are the countries best prepared against cyberattacks is to use the Global Cybersecurity Index (GCI) created by the International Telecommunication Union (ITU). As described by them it is “…a survey that measures the commitment of Member States to cybersecurity in order to raise awareness.” The GCI covers the five pillars of the ITU Global Cybersecurity Agenda (GCA): legal, technical, organizational, capacity building and cooperation.
In June 2018, Vietnam’s National Assembly passed a new cyber security law that has generated much concern for its stringent restrictions on popular social media organizations. Per the law that will go into effect January 1, 2019, tech companies would be compelled to store data about Vietnamese users on servers in-country, a move designed to improve the security of Vietnamese nationals. Vietnam has been historically weak when in it comes to cyber security, and has been ranked among the bottom regionally. According to a 2017 report by the United Nations’ International Telecommunications Union Global Cyber Security Index (GCI), Vietnam ranked 101 out of 165 countries in terms of being vulnerable to cyber attacks. The GCI is a survey that measures the commitment of member states to cybersecurity to classify and project development process at the regional and global levels.
There are several critics of the new cyber security law. Such a move – as has been expressed with regards to China’s new cyber laws – can potentially impact economic development and deter foreign investment. Perhaps more alarming, dissenters and even some Vietnamese lawmakers signed petitions and conducted peaceful demonstrations to denounce the new law. At the crux of this protest is the potential for the government to use this law in order to stifle human rights and privacy concerns such as online freedoms of speech and expression. According to the law, Vietnam’s authorities will have the discretion to determine when expression might be identified as “illegal” and restricted. It bans Internet users in Vietnam from organizing to conduct activities for “anti-state purposes” or to be allowed to distort the nation’s history. Unsurprisingly, Amnesty International has underscored how the law could empower the government to monitor everything people say online.
A recent interview of Russian President Vladimir Putin revealed insight into his – and by extension – Russia’s views concerning cyber attacks, and really the cyber domain, as a whole. Made at a joint press briefing with France’s president, when asked about alleged interference in the 2016 U.S. presidential election, Putin remarked: “Action always causes reaction” and that “If one does not want to get a reaction he does not like, rules for actions need to be set.” Putin pointed out that in the early days of nuclear weapons, governments had found a way to negotiate guidelines on their use, an effort that should be replicated in today’s political climate. While not necessarily as catastrophic as nuclear weapons, the potential impact is similar in that the disruption and/or destruction of interconnected information technology can potentially impact millions of people. The implication is certainly clear: an international understanding needs to be done sooner rather than later.
These public pronouncements of the Russian president are noteworthy as they provide insight into not only how Russia views the activities that transpire in cyberspace but express a potential avenue of engagement for world leaders to approach Russia on these issues. Cyber norms and discussions of how states have been ongoing in international forums. The preferred U.S. approach – via the United Nations Group of Experts in the Field of Information and Telecommunications in the Context of International Security (GGE) – notably stalled in June 2017, calling into question if this Western-preferred approach to establishing norms will succeed under this umbrella.
Recently, the U.S. Federal Trade Commission (FTC) is investigating whether Facebook, Inc. used personal data by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine if the company violated terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded something like 30 million Facebook profiles it could comb for data. This calls into question how consumer information is shared with other entities, particularly when consent was not provided.
Social Media & GDPR
This revelation has called into question how social media sights harvest the personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is indeed troubling in a time when personal information is constantly used by malicious actors for monetization purposes or used in support of the conduct of other operations (e.g., social engineering, spam, phishing, credential theft, etc.). A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20. Such access provides a criminal to a compromised individual’s contact list to target other individuals. According to the same report, an individual’s entire online identity – to include personal identifiable information and financial accounts – could be sold for USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
First announced in 2015, the United Kingdom (UK) finally published its Digital Strategy that went into effect on March 1, 2017. Per the government’s website, the goal of this document is to provide a blueprint how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good. This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.