Tips to Prevent Online Identity Theft

There are few new trends in online identity theft. Although some attacks are becoming more sophisticated, the basic steps to prevent exploits remain the same.

Be on the lookout for attacks that use broken English in the message body. While most now use proper English and use the same style and logos that are used by the companies the message purports to be from, many attacks can be detected through awkward and incorrect use of grammar.

Phishing attacks are also becoming more focused. Businesses that frequently use FedEx to ship packages often see forged emails that appear to be a warning about shipping delays or undeliverable packages.  Law firms are seeing emails that ask employees if they remember working on a specific case. And just this week the US-CERT issued a warning about email-based phishing campaigns targeting airline consumers. 

There are several steps that people should take to reduce the likelihood they will succumb to an online attack, easily identify when their online identity has been compromised, and recover from an infection.

If a service that you use offers multi-factor authentication or two-factor authentication, enable it and use it.

Do not reuse your work passwords for any non-work services. Use a unique password for each service.  Use a good password manager that includes a password generator (as long as the use of a password manager does not conflict with your employer’s policies).

Consider using an obfuscated unique username for any financial management, banking, or healthcare related sites that do not use an email address as your username. If the system’s list of usernames is stolen, this can help prevent attackers from using the information from multiple sites to craft a well-targeted phishing attack. For example, if my typical username is John_Smith, I might use 77JMS_47 as a banking username. If I receive an email from my bank that contains the username John_Smith, I know to delete it.

Here are key tips to remember:

  • Do not click on embedded links in an email message unless you explicitly trust the source of the email.
  • Do not download any software that you are offered from the Internet. If you think you need a software package, ask your corporate IT department for advice or authorization.
  • Make sure your antivirus is installed, current, active, and is configured to automatically update at least once a day.
  • Make sure you have an automatic backup process and that backups are being performed successfully. Take the time to learn how to perform a restoration from backup before you need to do it in an emergency.
  • Do not send information that an attacker might be able to use to steal your identity in clear text. This includes passwords, account numbers, and personally identifying information. (This advice also extends to any information that you would prefer never to appear on a public web page and associated with your name.)
  • Be cautious about visiting websites. In the physical world, people are cautious about visiting neighborhoods known to have a high crime rate. The same judgment  should be used when surfing the web.
  • Segregate all of your online purchases on a single credit card and your offline purchases to a different card so you will be able to more easily recognize fraud.
  • When getting rid of an old computer, physically remove the hard disk and destroy it, or securely store it, so that nobody can read any data that might remain on the disk.


Network Access Control (NAC)

Controlling access to the network is a fundamental security control. For shared networks, the capability of users to connect to the network should be restricted. Well-known security frameworks such as ISO 27002, Information technology – Security techniques – Code of practice for information security management, include this control as a recommendation. The Payment Card Industry Data Security Standard (PCI DSS) also requires restrictions to network access.

ISO 27002 recommends that, to prevent unauthorized access to network services, the incorporation of controls to restrict the connection capability of the users may be required for shared networks, especially those extending across organizational boundaries.

PCI-DSS requires that companies implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.

Neither of these standards mandates the use of Network Access Control (NAC). Some organizations meet the access control requirements by implementing MAC address filtering. However, MAC address filtering is easily bypassed by spoofing the MAC address of a device, and it lacks several features incorporated into today’s NAC solutions.

The current generation of NAC solutions allows organizations to implement policies that address:

  • Device authentication
  • Device configuration
  • Device behavior
  • System integration

Early NAC solutions were expensive and complex. Many NAC deployments failed or stalled, due to complexity, the lack of interoperability and proprietary technologies used in the NAC solutions. Vendor lock-in was an issue. Modern NAC solutions are much better suited for multi-vendor, heterogeneous environments. Vendors of both NAC solutions and operating systems have developed standards to facilitate interoperability and advanced feature sets.

Some NAC products require an agent to be installed on each endpoint. Others are agentless. This can be an important decision point when selecting a product.  If an organization needs to control IoT devices, an agentless system should be used.  If agents are to be used, does the vendor provide agents for all of the platforms that need to be supported?

Device authentication is more robust than simply checking the MAC address of the device. Policies can require the use of X.509 certificates issued to each authorized device. Some systems can examine multiple factors including the username, authenticated state, email address, IP address, MAC address, hostname, device type, and operating system.

Policies mandating device configuration can require connecting devices to have current operating system patches, an active firewall, active anti-virus and/or anti-malware installed. Some systems can even prohibit devices that have restricted applications installed.

Any good NAC (legacy or modern) includes the ability to monitor the actions of users and devices and report on what is happening. This capability should integrate with an organization’s IDS and IPS systems. Integrations with security information and event management (SIEM) systems are also common.

An important feature for modern NAC solutions is Mobile Device Management (MDM), either directly in the NAC product or via good system integration with products from major MDM vendors. Support for BYOD users is important.

Another important feature is the ability to manage contractor and guest access.

One emerging area is the ability to support and control IoT devices. Flexible baseline control and predefined baseline profiles for well-known IoT devices are one method to address these devices. A baseline determines the security state of an endpoint that is attempting a network connection, allowing the protection resources to decide the suitable level of access. A baseline feature must work in heterogeneous endpoint environments.
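The device authentication, device configuration and IoT baseline checks described above can be combined into one admission decision, sketched here. This is an added example, not code from any NAC product; the thresholds, segment names, baseline profiles and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_PATCH_AGE = timedelta(days=30)   # assumed policy value
RESTRICTED_APPS = {"p2p-client"}     # assumed policy value

# Constructed baseline profiles for agentless IoT devices:
# device type -> the only TCP ports that device is expected to use.
IOT_BASELINES = {"ip_camera": {443, 554}, "badge_reader": {443}}


@dataclass
class Posture:
    """Configuration state reported by an endpoint agent."""
    last_patched: date
    firewall_on: bool
    antivirus_on: bool
    installed_apps: set = field(default_factory=set)


@dataclass
class Endpoint:
    mac: str
    device_type: str                    # from device profiling
    cert_valid: bool = False            # outcome of X.509 validation, done elsewhere
    posture: Optional[Posture] = None   # None when no agent reported
    observed_ports: set = field(default_factory=set)
    sponsor: Optional[str] = None       # employee vouching for a guest


@dataclass
class Decision:
    access: str    # "full", "iot", "guest", "quarantine" or "deny"
    reasons: list


def config_findings(p: Posture, today: date) -> list:
    """Device configuration policy: patches, firewall, anti-virus, apps."""
    findings = []
    if today - p.last_patched > MAX_PATCH_AGE:
        findings.append("operating system patches out of date")
    if not p.firewall_on:
        findings.append("firewall inactive")
    if not p.antivirus_on:
        findings.append("anti-virus inactive")
    for app in sorted(p.installed_apps & RESTRICTED_APPS):
        findings.append("restricted application installed: " + app)
    return findings


def evaluate(ep: Endpoint, today: date) -> Decision:
    # IoT devices cannot run an agent, so they are judged on behavior
    # against a baseline and only ever reach a restricted segment.
    if ep.device_type in IOT_BASELINES:
        extra = sorted(ep.observed_ports - IOT_BASELINES[ep.device_type])
        if extra:
            return Decision("quarantine", ["ports outside baseline: %s" % extra])
        return Decision("iot", ["matches %s baseline" % ep.device_type])
    # A known MAC address is never sufficient: it can be copied.
    if not ep.cert_valid:
        if ep.sponsor:
            return Decision("guest", ["sponsored by " + ep.sponsor])
        return Decision("deny", ["no valid device certificate"])
    if ep.posture is None:
        return Decision("quarantine", ["no posture report from agent"])
    findings = config_findings(ep.posture, today)
    if findings:
        return Decision("quarantine", findings)
    return Decision("full", ["certificate and configuration checks passed"])


TODAY = date(2017, 4, 1)  # fixed date so the sample results are reproducible
SAMPLES = {  # constructed sample devices
    "managed_laptop": Endpoint("02:00:00:00:00:01", "laptop", cert_valid=True,
                               posture=Posture(date(2017, 3, 20), True, True)),
    "stale_laptop": Endpoint("02:00:00:00:00:02", "laptop", cert_valid=True,
                             posture=Posture(date(2017, 1, 1), False, True,
                                             {"p2p-client"})),
    # Same MAC as the managed laptop, but no certificate.
    "copied_mac": Endpoint("02:00:00:00:00:01", "laptop"),
    "camera": Endpoint("02:00:00:00:00:03", "ip_camera",
                       observed_ports={443, 554}),
    "odd_camera": Endpoint("02:00:00:00:00:04", "ip_camera",
                           observed_ports={443, 23}),
    "visitor": Endpoint("02:00:00:00:00:05", "phone", sponsor="j.doe"),
}


def run_samples() -> dict:
    return {name: evaluate(ep, TODAY).access for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, access in run_samples().items():
        print(name, "->", access)
```

The device presenting a copied MAC address is denied because it has no certificate, which is the gap that MAC address filtering alone leaves open.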

Some of the leading vendors in the NAC market are (in alphabetical order):

  • Aruba
  • Auconet
  • Bradford Networks
  • Cisco
  • Extreme Networks
  • ForeScout
  • Pulse Secure

US Border Policy Shifts May Drive Changes in Laptop Security

by Ericka Chickowski, Contributing Writer, Dark Reading, March 31, 2017

In-cabin laptop ban and requirements to unlock devices for border patrol could have enterprises revisiting their on-device data policies.

The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.

Enterprise employees may find that government actions won’t just put a crimp on convenience but could also have heavy implications – from a regulatory and intellectual property protection perspective – when combined with growing powers of US Border Control to demand travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability in and out of U.S. soil.

At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grow.

“It’s going to force people to actually implement and enforce the policies they have on paper,” says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate of MIT’s (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. “They’re just not enforced,” he says, “because people will carry their laptops and they’re considered to be using other compensatory strategies to prevent the loss of intellectual property and data.”

The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.

“This is not rocket science.  We are talking whole disk encryption, good quality passwords or two factor authentication, and key management,” he says.  “Blocking and tackling, but it has to be enforced by each company to be effective.”

Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.

“Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords,” says Richard Steinnon, Chief Strategy Officer of Blancco Technology Group. “So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage.”

In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O’Neill, national security strategist for Carbon Black and a former FBI counter-terrorism operative, military contractors likely wouldn’t be able to bring their laptops on affected legs.

“When traveling internationally, the rule of thumb is to keep all critical devices on your person – especially phones, laptops and tablets that have important information on them, or access to important or sensitive information,” he says.

The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.

“The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access,” says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. “This development may well open these companies to litigation exposure any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices.”

Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.

Hacking of Facebook pages possible, but not probable, experts say

by Kayla Canne, Sun Chronicle Staff, March 4, 2017

James Lang, a selectman candidate before he was eliminated in February’s preliminary election, was caught with Facebook posts disparaging Muslims. He apologized, told The Sun Chronicle he would quit the race, and shut down his Facebook page.

Two days later, Selectman Paul Belham was found with anti-Muslim posts on his Facebook page, along with posts mocking the accent of Mexicans. Belham dismissed the posts as the work of social media “hackers” who find their way into his account every few months, despite attempts to clean up his page and change his passwords.

Then within days, Lang was back, claiming he, too, was the apparent victim of hackers, and was staying in the selectman’s race, where he finished in last place.

The two situations within a week of each other beg the question: How could two small town officials end up targets of social media hackers posting similar content?

Is it remotely possible?

Cybersecurity experts couldn’t be sure, but they did lend some insight into how social media pages could be hacked.

“Hacking means basically getting unauthorized access to a social media account to do whatever you want with it,” said Azer Bestavros, a computer science professor and cybersecurity developer at Boston University.

And the hackers themselves? They could be anyone — from an estranged ex-wife with an ax to grind to a passerby who stumbles upon a Facebook profile left open on a public computer. Then, there are more sophisticated hackers.

“Say, someone wants to get into the Department of Defense,” Bestavros said. “Their computer comes with a lot of protections, naturally, so instead they might make their way into it by hacking into employees’ accounts.

“They start by hacking normal people with the hope they would get to the real target.”

Also, users who frequently visit risky sites open themselves to viruses that can latch onto their keystrokes or find passwords hidden in their computers, Bestavros said.

And, some offer hacking as a service. Yes, you can buy access to social media accounts.

“It’s difficult with cybersecurity because there’s so many reasons or ways this happens,” Bestavros said. “But, if you have somebody who is determined to hack your account, they probably will.”

And that’s simply due to the nature of social media sites, said Jonathan Gossels, president of a Sudbury network security consulting firm, SystemExperts.

“Social media sites are designed to make it easy for people to get on and disseminate information,” he said. “They’re not designed to be highly secure sites.”

Joe Clapp, a senior consultant with the firm, said hackers tend to find usernames and passwords from less secure sites and — because people tend to use the same password for several sites — use that information to hack in elsewhere.

The motivation isn’t always clear.

“If someone’s purpose is to spy on you, they’ll just spy on you,” Bestavros said. “But they could also use you to get to your friends or to see how people would react to different postings. It could be getting revenge.

“It could be as simple as bragging rights or as serious as propagating some agenda or virus, or to get people to click on a link posted by someone they could usually trust.”

Clapp described social media hacking as a “target of opportunity” — hackers use the platforms of others as a billboard for their own opinions, products or research, oftentimes unbeknownst to the victims themselves.

But if Lang and Belham were the victims of hackers, there is one way to clear their name.

“I would urge them to launch an investigation with Facebook,” Clapp said. “They can look at the technical trail and IP addresses to find where these posts came from. They can look and see, did it come from this account itself?”

Bestavros said he couldn’t comment on Lang or Belham’s postings directly, but did say the length of the posts — which stretch back as far as 2014 for both men — could be suspicious.

“It’s unusual. If you’re hacked once, you would think you’d learn your lesson and be more guarded,” he said. “It does suggest there is some persistence there. Typically, you don’t see the same person being hacked every few months.

“Could it be possible? Yes. Is it likely? That’s another question I don’t think we can answer.”

Some Basic but Effective Advice for Secure Online Transactions

Just about everybody shops online these days. Even so, many people worry about security issues and fraud.  I was recently asked if I could share some high-level tips and best practices for online transactions. Here is what I recommend:

  1. Try to consolidate all online purchases onto a single credit or debit card.  That way, you are more likely to notice any unusual (potentially fraudulent) transactions.
  2. Never enter your credit card into a checkout page on a website unless you see that the URL (web address) for that page begins with HTTPS://.   The last “S” tells you that your credit card information will be sent securely (encrypted) over the Internet. That may seem very technical, but look at the example below:
  3. For rentals and Airbnb type arrangements, don’t fall for the common scam, where the supposed lessor requires payment in advance using prepaid cash cards like OneVanilla. Think about it; you are sending irrecoverable cash equivalent to an unidentified stranger who probably doesn’t actually have a rental or apartment for you to use.

How Big an Issue is Security; How can it be Addressed?

Other than the technology itself of an IoT device and the service it provides, the single most important characteristic that will define either success or failure, no matter what the size of the business, will be the security of that device.

The IoT is only in its infancy and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking into personal medical devices, automobiles, home security devices or highly publicized access to industrial systems controlling basic infrastructure like power.

A concern for the future of IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that means that important security issues haven’t been properly planned for or tested, which means they can be ripe for a whole new wave of viruses and other malware, denial of service attempts and, most critically, an attacker taking unauthorized control of the devices. One of the obvious worries that many security experts have is that many of the manufacturers that are now working to develop IoT devices haven’t had to think about network security for previous versions of their products (e.g., automobiles, home appliances, personal medical devices, cameras).

To try and stay ahead of the potential exploits and inappropriate access to sensitive data, the manufacturers are going to have to deal with the same tried and true security areas that other network devices like firewalls, routers, handhelds, tablets, laptops and other network based systems have had to deal with. This list includes:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Privacy and confidentiality with regards to security standards
  • Secure administration

In short, the security implications of the IoT devices are the same as virtually every other type of connected device you have come to rely on. The more secure an IoT device is with respect to the above security areas, the more likely it is to be adopted and to stand the test of exploits and hacking.

Impact of a Data Breach on a Small Business

While our main focus is as a provider of IT compliance and security consulting services, we have been called in to help a few small businesses handle security incidents and data breaches. These calls come to us after the client has discovered there’s been a security incident or data breach and as a result is seeking to engage a security consulting firm for the first time.

In such cases, SystemExperts typically has to guide the client through the entire incident response process. Too often in these cases the client is not aware of its legal obligations regarding notifications and the triggers that determine what notifications must be performed. SystemExperts has found that in some cases, small companies are not fully aware of what laws, regulations, or contractual obligations are applicable prior to discovering the security incident.

In our experience, the impacts of a data breach vary wildly.  Companies that have an existing security program and have an established security incident response policy and plan that they have previously tested suffer smaller impacts. Companies that have not prepared for a data breach in advance  typically experience the greatest impact.

A data breach could cause the financial failure of a company, although no SystemExperts clients have suffered that consequence. Other impacts can include:

  • System outages of several days as changes are made to prevent a reoccurrence
  • Loss of business due to reputation damage
  • Costs associated with notifying all impacted individuals
  • Costs associated with compensating all impacted individuals
  • Time, effort, and costs to contact the media and respond to inquiries from the media
  • Time and effort to notify state or federal agencies
  • Long term costs associated with new compliance requirements
  • Costs associated with forensics investigation, if any
  • Costs associated with resulting legal action, if any

Some data breaches may be the result of a fundamental design flaw in a company’s website or IT system.  In such cases, it could take several days or even weeks to implement all of the changes necessary to prevent a reoccurrence of the data breach. In other cases, a company may be able to determine the root cause and long term fix in less than one business day. Companies that can address the remediation quickly usually already have a security program in place.

The costs of notifying all impacted individuals and the costs associated with compensating all impacted individuals can vary greatly. If the company has sufficient audit logs in place, or the assistance of a qualified computer forensics team, it might be possible to prove that only a small number of individuals are impacted by the breach. Note that having a certified forensics team perform an investigation can be expensive. SystemExperts knows of one company that was able to demonstrate that a breach only impacted nine individuals out of thousands of customers without needing to engage a third party. Knowing that level of detail greatly reduced their costs and the time required to perform the notifications. In other cases, a company may be forced to assume that every customer and employee has to be notified and potentially compensated.

When a breach occurs, some companies will simply refer the impacted individuals to free credit report agencies. In other cases a company may decide to reimburse impacted individuals for identity theft protection services or even the legal costs to recover stolen identities. Often that decision is based upon a desire to preserve the reputation of the company.

The costs associated with media are also highly variable. In some situations a company may engage a third party public relations firm to help draft statements and even launch a campaign in order to preserve the company’s reputation. There is also the time and effort required to educate all staff about what they should do if they receive a media inquiry.

A breach may also have a big impact on a company’s compliance costs. For example, a small company that handles a small number of credit card transactions could end up being required to perform an annual PCI-DSS level one compliance assessment as a result of a breach. That level is usually reserved for companies that perform over a million transactions a year for a single card brand. The cost of a level one PCI-DSS assessment could drive some small businesses out of business.

Depending on the type of breach there may also be fines levied and legal costs. In March of 2016, Target’s annual report revealed that the  cumulative expenses from its late-2013 breach totaled $291 million through fiscal 2015.

Companies that did not have a security and compliance program prior to a data breach often end up implementing one after experiencing a data breach. That is also a long-term, ongoing cost, but one that most companies find is worth the effort and expense once they have experienced the costs that a breach can entail.

Importance of Following IT Security Policies

Just as in the 1980s when manufacturing companies recognized that quality was an attribute that had to be baked into every facet of an organization (from design, production, delivery, and through product lifecycle), not inspected in at the end of the process, effective cyber security depends on every employee playing a part in keeping the enterprise secure.

The most sophisticated and expensive security technologies and tools can be instantly undermined by poor employee judgement and actions [taking confidential data and removing it from its controlled environment like a payroll application and copying it onto a thumb drive that can easily be lost or stolen]. Not surprisingly, most data breaches are caused by mistaken behavior of employees simply trying to do their jobs and not malicious actors.

The best money any organization can spend is in educating its employees about their role in keeping the enterprise safe.

What are some of the steps that organizations can take?

  1. Develop an appropriate use policy that spells out how corporate IT resources can and cannot be used. For example, don’t visit shady web sites at work.
  2. Don’t click on embedded hyperlinks in an incoming email message from someone you don’t know and trust. Too often, it is a malware vector.
  3. Don’t share passwords. IT should set minimum password quality standards.
  4. Don’t ever download software onto a work machine when a web site requests you to do so; your browser has all the software you need. Let the IT professionals take care of any software updates or upgrades.
  5. Don’t copy data from a controlled environment.
  6. Employee security awareness must be a compulsory part of onboarding every employee, and those responsibilities should be formally acknowledged annually.

Firm’s Data Storage Plan Out of This World

by Garrett Reim,  Los Angeles Business Journal, January 27, 2017

INTERNET: Startups look to satellites for higher security.

Cloud Constellation Corp. has a far-flung idea.

As businesses and governments consider ways to protect data in light of increased cyberattacks and surveillance, the startup is offering them a chance to put their information out of reach by storing it on servers within satellites orbiting the Earth.

While its system has yet to leave the ground, the company received a boost last month from Palo Alto commercial satellite manufacturer SSL, which has agreed to build Cloud Constellation’s satellites and invested, along with other backers, an undisclosed sum in the Westwood company. Cloud Constellation is projecting it will be able to launch its constellation of 14 low Earth-orbiting satellites by the first quarter of 2019.

“The advantage (of our system) is that the data that you are transmitting has no relationship or no exposure to the public networks,” said Cliff Beek, the company’s president. “There are leaks inside the network that we call the internet.”

Cloud Constellation is not alone in its pursuit of a space-based data storage and transmission system. ConnectX of Century City is pursuing a similar idea and has received investor commitments for a $100 million-plus round of capital that it expects to close in March, said Lance Parker, the company’s co-founder and chief executive. ConnectX has plans to launch three satellites manufactured by Irvine’s Tyvak Inc. by the end of next year.

But industry experts are skeptical that space-bound networks would be more secure than those on Earth. Radio frequencies, which would be used by both Cloud Constellation and ConnectX to transmit encrypted data, are vulnerable to interception and hacking, said Jonathan Gossels, chief executive of Sudbury, Mass.-based network security consultancy SystemExperts Corp., in an email.

“All it takes is one mistake, one slip up, and the whole thing unravels,” said Gossels. “Since all communication will be broadcast, every major security agency around the (world) will crack the encrypted administrative interface. This is a ‘kick me’ sign on your back.”

Cloud Constellation’s Beek responded that encrypted broadcast communications are difficult to compromise.

“Unless they are blocking it, it is very difficult to hack a radio frequency band going to a satellite,” he said.

ConnectX’s Parker, founder and former chief executive of mobile cybersecurity software developer iTag Inc., said his company would bypass security concerns with a new coding language that is inherently more secure and efficient than existing internet protocols. The coding language, in simplified terms, compacts sentences into a series of symbols, much like Chinese characters or hieroglyphics.

“It would be different than what attackers are used to or much more difficult to figure out,” he said.

Hack attack

Cloud Constellation was founded in 2015 after a string of high-profile data hacks, including a Target Corp. breach in 2013 that affected 40 million or more consumers, and Edward Snowden’s release of classified National Security Agency documents the same year.

Scott Sobhani, the company’s co-founder and chief executive, saw an opportunity to provide a more secure alternative to ground-based data storage and transmission networks, said Beek. Sobhani had previously worked in the satellite communications industry for companies such as Lockheed Martin Corp.

“Where (hacking) occurs is when you are utilizing public networks on the ground,” said Beek, noting the vulnerability of data traveling across shared networks. “We are moving (data) through optical lasers around the globe in a third of a second and it never touches the ground except for a satellite dish on top of a building.”

He said the company has raised an undisclosed amount of Series A funding from private investment firm Eagle Capital Group of the United Kingdom and has already closed about a third of a forthcoming $80 million Series B round, which includes the investment from SSL.

Representatives of SSL declined to comment.

ConnectX has raised an undisclosed seed round from private individuals and is anticipating that its more than $100 million round, which has yet to close, will finance a low Earth constellation of about 12 satellites.

Beek and Parker said Fortune 500 companies, particularly those in the financial services sector, would be the Cloud Constellation’s target customers, along with government departments, such as embassies in hostile territories, and health care providers.

Earth-based options

Many companies use cloud storage systems, such as Microsoft Corp.’s Azure or Inc.’s Web Services, to spread data storage around the globe. That tactic helps distribute workloads and provide backups in case one facility goes down.

Businesses that require more bandwidth, or those with reservations about sending and storing information across shared networks, sometimes opt to lease dedicated fiber-optic strands or even whole communications cables, said Jon Deluca, chief executive of downtown L.A.’s Wilcon Operations, which owns and leases private fiber-optic cable networks throughout Southern California.

A leased line can vary in cost from hundreds of thousands of dollars a year to millions of dollars a year, said Deluca.

High-security cloud storage can cost $1,200 to $1,300 a year for a terabyte, said Francis Tam, a partner at MossAdams in Seattle who performs cybersecurity audits on corporations.

Cloud Constellation is planning to charge customers $5,000 a month to transfer and store 3 terabytes of data on its private space-based network and servers. Parker said ConnectX’s system would be less expensive.

“We think we will be able to bring our cost per terabyte down to $50 per year,” he said.

Deluca cautioned that vulnerabilities and novelties of satellite-based storage might make business customers wary and keep them away.

“For customers looking for the most secure environment, that would be a leap from what they are currently doing today,” he said. “I think it sounds like a cool proposition, but my gut reaction is that there are quite a few hurdles that might need to be overcome.”

IoT Security Nightmares

At the same time that consumers and manufacturers are getting excited about the potential opportunities, capabilities, and revenue that Internet of Things (IoT) devices can offer, many are already starting to understand the frightening lack of essential security functionality and the potentially overwhelming opportunities for exploitation.

The IoT is only in its infancy, and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking into personal medical devices, automobiles, and home security devices, and highly publicized access to industrial systems controlling basic infrastructure like power.

What makes a device part of the IoT is that it is a physical object, is connected to and interacts with a network of some type and can transmit data that it is collecting. These networks can be embedded systems for a business network, a personal area network (PAN) interacting through RFID or even a more public network. The important issue is that IoT devices transmit data from themselves to a collecting agent or system and that is where the sensitive information can be vulnerable to exploitation.

The worrisome part of the future of IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that means that important security issues haven’t been properly planned for or tested, which leaves the products ripe for a whole new wave of viruses and other malware, denial-of-service attempts and, most critically, an attacker taking unauthorized control of the devices.

IoT device manufacturers are going to need to perform “red team” analysis to help determine how the devices can be abused in unforeseen ways and what the consequences could be. One of the worries about the future of the IoT is that many of the manufacturers that are now working to develop IoT devices haven’t had to think about network security for previous versions of their products (e.g., home appliances, personal medical devices).

To stay ahead of the potential exploits and inappropriate access to sensitive data, the manufacturers are going to have to deal with the same tried-and-true security areas that other devices like firewalls, routers, handhelds, tablets, laptops and other network-based systems have had to deal with:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Privacy and confidentiality with regards to security standards
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Secure administration