IT Security and Compliance Thought Leadership – SecurityExperts

How Big an Issue is Security; How can it be Addressed?

Aside from the technology of an IoT device itself and the service it provides, the single characteristic most likely to determine its success or failure, whatever the size of the business behind it, is the security of that device.

The IoT is only in its infancy, and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking of personal medical devices, automobiles and home security devices, and highly publicized access to industrial systems controlling basic infrastructure such as power.

A concern for the future of the IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that has meant that important security issues were not properly planned for or tested, leaving the devices ripe for a whole new wave of viruses and other malware, denial of service attempts and, most critically, an attacker taking unauthorized control of the devices. One of the obvious worries that many security experts have is that many of the manufacturers now developing IoT devices have never had to think about network security for previous versions of their products (e.g., automobiles, home appliances, personal medical devices, cameras).

To stay ahead of potential exploits and inappropriate access to sensitive data, manufacturers are going to have to deal with the same tried and true security areas that other networked devices, such as firewalls, routers, handhelds, tablets and laptops, have always had to deal with. This list includes:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Privacy and confidentiality with regard to security standards
  • Secure administration

In short, the security implications of IoT devices are the same as those of virtually every other type of connected device you have come to rely on. The better an IoT device handles the areas above, the more likely it is to be adopted and to stand up to exploits and hacking.

Impact of a Data Breach on a Small Business

While our main focus is providing IT compliance and security consulting services, we have been called in to help a few small businesses handle security incidents and data breaches. These calls come to us after the client has discovered a security incident or data breach and, as a result, is engaging a security consulting firm for the first time.

In such cases, SystemExperts typically has to guide the client through the entire incident response process. Too often the client is not aware of its legal obligations regarding notifications, or of the triggers that determine which notifications must be made. SystemExperts has found that some small companies are not fully aware of which laws, regulations or contractual obligations apply to them until after they discover a security incident.

In our experience, the impacts of a data breach vary widely. Companies that have an existing security program and an established security incident response policy and plan that they have previously tested suffer smaller impacts. Companies that have not prepared for a data breach in advance typically experience the greatest impact.

A data breach could cause the financial failure of a company, although none of SystemExperts’ clients has suffered that consequence. Other impacts can include:

  • System outages of several days as changes are made to prevent a recurrence
  • Loss of business due to reputation damage
  • Costs associated with notifying all impacted individuals
  • Costs associated with compensating all impacted individuals
  • Time, effort, and costs to contact the media and respond to inquiries from the media
  • Time and effort to notify state or federal agencies
  • Long term costs associated with new compliance requirements
  • Costs associated with forensics investigation, if any
  • Costs associated with resulting legal action, if any

Some data breaches are the result of a fundamental design flaw in a company’s website or IT system. In such cases, it can take several days or even weeks to implement all of the changes necessary to prevent a recurrence. In other cases, a company may be able to determine the root cause and the long-term fix in less than one business day. Companies that can remediate quickly usually already have a security program in place.

The costs of notifying all impacted individuals and of compensating them can vary greatly. If the company has sufficient audit logs in place (retained for long enough and protected from tampering, so that they can be relied on to scope the breach), or the assistance of a qualified computer forensics team, it may be possible to show that only a small number of individuals were affected. Note that engaging a certified forensics team to perform an investigation can be expensive. SystemExperts knows of one company that was able to demonstrate that a breach impacted only nine individuals out of thousands of customers without needing to engage a third party. Knowing that level of detail greatly reduced the cost and time required to perform the notifications. In other cases, a company may be forced to assume that every customer and employee has to be notified and potentially compensated.

When a breach occurs, some companies simply refer the impacted individuals to the credit reporting agencies for free credit reports. In other cases a company may decide to reimburse impacted individuals for identity theft protection services or even the legal costs of recovering a stolen identity. Often that decision is driven by a desire to preserve the company’s reputation.

The costs associated with the media are also highly variable. In some situations a company may engage a third-party public relations firm to help draft statements and even launch a campaign to preserve the company’s reputation. There is also the time and effort required to educate all staff about what to do if they receive a media inquiry.

A breach may also have a big impact on a company’s compliance costs. For example, a small company that handles a small number of credit card transactions could end up being required to perform an annual PCI DSS Level 1 compliance assessment as a result of a breach. That level is normally reserved for merchants processing millions of transactions a year for a single card brand (each brand sets its own threshold), but the brands can designate any compromised merchant as Level 1 regardless of volume. The cost of a Level 1 PCI DSS assessment could drive some small businesses out of business.

Depending on the type of breach there may also be fines and legal costs. In March 2016, Target’s annual report revealed that the cumulative expenses from its late-2013 breach totaled $291 million through fiscal 2015.

Companies that did not have a security and compliance program prior to a data breach often end up implementing one afterwards. That, too, is a long-term, ongoing cost, but one that most companies find worth the effort and expense once they have experienced the costs a breach can entail.

Importance of Following IT Security Policies

Just as manufacturing companies recognized in the 1980s that quality had to be baked into every facet of an organization (design, production, delivery and the rest of the product lifecycle) rather than inspected in at the end of the process, effective cyber security depends on every employee playing a part in keeping the enterprise secure.

The most sophisticated and expensive security technologies and tools can be instantly undermined by poor employee judgement and actions, for example taking confidential data out of its controlled environment, such as a payroll application, and copying it onto a thumb drive that can easily be lost or stolen. Not surprisingly, most data breaches are caused by the mistakes of employees simply trying to do their jobs, not by malicious actors.

The best money any organization can spend is in educating its employees about their role in keeping the enterprise safe.

What are some of the steps that organizations can take?

  1. Develop an acceptable use policy that spells out how corporate IT resources can and cannot be used. For example, don’t visit shady web sites at work.
  2. Don’t click on embedded hyperlinks in an incoming email message from someone you don’t know and trust. Too often, the link is a malware vector.
  3. Don’t share passwords. IT should set minimum password quality standards.
  4. Don’t ever download software onto a work machine because a web site asks you to; your browser already has all the software you need. Let the IT professionals take care of any software updates or upgrades.
  5. Don’t copy data out of a controlled environment.
  6. Security awareness training must be a compulsory part of onboarding every employee, and those responsibilities should be formally acknowledged annually.

IoT Security Nightmares

At the same time that consumers and manufacturers are getting excited about the potential opportunities, capabilities and revenue that Internet of Things (IoT) devices can offer, many are already starting to understand the frightening lack of essential security functionality in those devices and the potentially overwhelming opportunities for exploitation.

The IoT is only in its infancy, and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking of personal medical devices, automobiles and home security devices, and highly publicized access to industrial systems controlling basic infrastructure such as power.

What makes a device part of the IoT is that it is a physical object, is connected to and interacts with a network of some type, and can transmit the data it collects. That network can be an embedded system on a business network, a personal area network (PAN) communicating through RFID, or even a more public network. The important point is that IoT devices transmit data from themselves to a collecting agent or system, and that is where sensitive information can be exposed to exploitation.

The worrisome part of the future of the IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that has meant that important security issues were not properly planned for or tested, leaving the devices ripe for a whole new wave of viruses and other malware, denial of service attempts and, most critically, an attacker taking unauthorized control of the devices.

IoT device manufacturers are going to need to perform “red team” analysis to determine how their devices can be abused in unforeseen ways and what the consequences could be. One of the worries about the future of the IoT is that many of the manufacturers now developing IoT devices have never had to think about network security for previous versions of their products (e.g., home appliances, personal medical devices).

To stay ahead of potential exploits and inappropriate access to sensitive data, manufacturers are going to have to deal with the same tried and true security areas that other devices, such as firewalls, routers, handhelds, tablets, laptops and other network-based systems, have always had to deal with:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Privacy and confidentiality with regard to security standards
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Secure administration

Why it is Important for Companies to Invest in Cybersecurity Awareness Training

Technology is only as effective as the people that operate it.

Cybersecurity awareness training is the most cost-effective investment any organization can make in preventing data breaches, system compromise, reputational damage and loss of intellectual property.

No one is born knowing how to use computers and networks securely. There are basic dos and don’ts and it is imperative for organizations to teach their employees how to do their jobs securely.

We advise our clients on dozens of specific policies and practices, but here are just a few to illustrate:

  • Don’t use your personal password for work. Use a strong password containing a mix of letters, digits and special characters, and not the name of the local sports team (go Pats!).
  • Don’t share passwords
  • Never click on a hyperlink embedded in an email message that comes from someone you don’t know and trust.
  • Never enter sensitive information (either business or personal) on a web page whose address doesn’t begin with HTTPS. The “S” at the end of HTTP means the connection is encrypted as it crosses the Internet; it does not, by itself, mean the site is legitimate, so still check that you are on the site you intended.
  • Don’t open attachments from strangers or people you don’t trust.  You can’t know what type of malware may be embedded in the attachment.
  • Don’t go to sketchy sites from a work computer – ‘nuff said.
  • Don’t ever download software; your computer has everything it needs. Let the IT professionals take care of any updates.

Education, education, education. It pays off!

How are Hackers Tricking Social Media Users?

One of the most popular exploitation methods used by hackers targeting social media users is social engineering. Using confidence tricks, a hacker can manipulate the target into performing actions or disclosing confidential information. Pulled off successfully, a social engineering attack can give the hacker complete access to the target’s social media account with little effort.

One method a hacker could use exploits Facebook’s account recovery process. If you forget your Facebook password, you can have Facebook send a password reset link to your email. If you no longer have access to that email account, you have the option of contacting Facebook and asking them to change the email address on the account. For Facebook to accept such a request, the person requesting the change must confirm their identity as the account owner.

There are two main ways to confirm your identity: a photo of a government-issued ID, or two non-government forms of ID. Once the user has supplied this, Facebook checks whether the photo, name and birthday on the supplied ID match what is on the Facebook account. All other information on the ID is not needed, and Facebook asks that it be covered up before the ID is sent. If the photo, name and birthday match the account, Facebook approves the email change request. A hacker can exploit this simply by downloading a photo of the target and researching the target’s name and birthday. Given the nature of social media accounts, this information is not hard to obtain. Once the hacker has it, he can simply photoshop his way to complete control of the target’s Facebook account.

Through various phishing attacks, hackers can trick social media users into downloading and distributing malware. Common attacks use enticing posts, content sharing and tagging on social media sites to lure users to a website that prompts them to download malware disguised as an Adobe Flash update. Agreeing to the “update” installs hidden malicious programs that can log keystrokes and control web traffic. The malware also hijacks the user’s social media account, forcing it to post and share further malicious content.

With recent data breaches disclosing account credentials from large social media sites such as LinkedIn and Myspace, everyone who uses social media should be changing their passwords. One of the main reasons social media accounts are being compromised today is that users reuse passwords that can easily be found in the recent breach dumps posted online. Another reason accounts, especially Twitter accounts, are compromised is unmonitored access granted to third-party applications. Because third-party programs such as news and photo-sharing applications can post to your Twitter account once you authorize them, they become a security risk: if that application is hacked, your Twitter account may be compromised as well. Periodically review the applications you have authorized and revoke any you no longer use.

What Exactly Does the Future of IoT Security Hold?

Picking up on the conversation from my previous post, the Internet of Things continues to pose challenges for many manufacturers, who now have to think about network security for new versions of their products.

One of the worries about the future of the Internet of Things (IoT) is that many of the manufacturers now developing IoT devices have never had to think about network security for previous versions of their products.

What makes the IoT such a fascinating area is the huge diversity of things that could be considered a smart IoT device: fitness bands, nanny cameras, door locks, TVs, lightbulbs, coffee makers, personal medical actuators, home appliance sensors, transportation actuators and weather sensors, to name just a few. The real hope is that these devices will work together and make our lives, and the management of our lives, easier and tailored to our own needs.

One thing we know for sure about the future of the IoT is this: securing IoT devices requires thinking about exactly the same things we have had to think about before for wireless routers, handhelds, laptops and desktop systems:

  • Authentication to them
  • Authorization of the transmission of data
  • Encryption of sensitive data at rest and in transit
  • Privacy and confidentiality with regard to security standards
  • Maintaining updates
  • Monitoring the physical security of devices
  • Administration of the devices

The worrisome part of the future of the IoT is that manufacturers are being pushed to release products as soon as they can so they don’t get left behind. Historically, that has meant that important security issues were not properly planned for or tested, leaving the devices ripe for a whole new wave of viruses and other malware, denial of service attempts and attackers taking unauthorized control of the devices. IoT device manufacturers are going to need to perform “red team” analysis to determine how the devices can be abused in unforeseen ways, and what the consequences would be.

The future of the IoT is bright, with never-before-seen levels of access to data from an amazingly diverse range of devices. The fear is that this explosion of access may happen before the security of these devices is fully understood.

Security Implications of Connected Consumer Electronics

I’d like to pose a question: what do you think the security implications of connecting various popular IoT consumer electronic devices are?

A) No harder than it was for other new devices like laptops, wireless connections and smartphones, or

B) No easier than it was for previous new devices.

The answer is both and a little bit more.

Securing IoT devices requires thinking about exactly the same things we have had to think about before: authentication to the devices and among them; authorization of the transmission of data; encryption of sensitive data at rest and in transit; privacy and confidentiality with regard to security standards; securing the device interfaces used to store and manipulate data; and the obvious yet mundane work of maintaining updates and monitoring the physical security of the IoT devices themselves.

What is likely to make all of this work harder is the explosion of IoT devices and the almost frenzied anticipation people have for them. The result is that manufacturers are going to be pushed to release products as soon as they can. Historically, this has meant that important security issues were not properly planned for or tested.

Keep in mind a simple fact that some device manufacturers are already having to deal with. If an IoT device is connected to the Internet, it has an IP address. If that address is publicly routable, the device can be reached by anything and anyone else on the Internet, and a manufacturer cannot assume that a firewall or NAT gateway will sit in front of it. Ask the video camera and video recorder manufacturers whose devices were involved in the recent massive DDoS attack on Dyn’s DNS service, which brought a number of major web sites to their knees.

In short, the security implications of IoT devices are the same as those of virtually any other type of connected device (your desktop, a laptop, your smartphone, etc.), but they are likely to be greater than that because the sheer number of devices will be enormous.

Risks of Plugging a Smartphone Into a Public USB Port

As smartphones continue to increase in popularity, USB charging stations can be found almost anywhere. From airports to malls, businesses offer their customers a convenient way to keep a full charge. Without much thought, most people are quick to plug their devices into any USB port they find, but doing so presents a danger few recognize. Although cybercrime is on the rise, most people have no idea where to start when it comes to protecting their mobile device. Reports of malicious hackers using public USB ports to steal data are not uncommon, and each time an individual connects to an untrusted USB port, they are taking a significant risk.

When hackers control a public USB port, they can affect a connected mobile device in a variety of ways. They can crash the device, load malware that executes on computers the phone is later plugged into, “video jack” the device by recording its screen while the user performs actions, or permanently brick it. The best way for a traveler to stay safe is to charge from their own AC wall adapter rather than a public USB port, or to use a “power only” USB cable that does not carry data.

Social Media Security Tips and Best Practices

In response to a recent query about security pitfalls surrounding social media, Jonathan Shuffler and I came up with the following tips and best practices:

  • When setting account security questions, do not use real answers. Many security questions ask for publicly available information, e.g., what is your favorite sports team? An attacker would need only a few minutes on your profile to discover which team you have been rooting for. Make up an answer you can remember, or answer with the opposite of the truth, and keep it in your password manager.
  • Enable two-factor authentication for all your social media accounts. Popular platforms such as Facebook, Twitter, Instagram, LinkedIn and many others have rolled out two-factor authentication. It is one of the best ways to protect your account from being directly compromised, because it can protect the account even if the attacker has your password.
  • Use a different username and password combination for everything. This is an old strategy that is often not followed because it is difficult. Luckily, a password manager makes it much less difficult; just be sure you take the proper steps to protect the password manager’s data. Never reusing a username and password combination limits the damage when one site is breached.
  • Always configure your privacy settings. Best practice is to keep your account private and searchable only by friends when the account will be used for personal information, e.g., Facebook. If the social network is meant to be public, like Twitter, feel free to keep it open to the Internet, but keep in mind that every Tweet is available to the world. Above all, think twice before you share information with the world, as there are no “take backs” on the Internet.
  • Be careful when adding or accepting people on social media platforms. It is common for an attacker to copy a picture of one of your friends and use it as their own. If your account will be used for semi-private information, verify through another channel that the request actually came from the person it claims to be from. If you are friending strangers, keep in mind that the muscular man or pretty woman could very well be a program or a spammer in disguise.
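As an added example (my own code, not part of the original tips or SystemExperts’ material), the following Python shows the check implied by two points on this page: the earlier observation that social media accounts fall to passwords already exposed in breach dumps, and the tip above to use a unique credential for every site. It checks a candidate password against breached-password data the way a password manager’s breach audit or the Have I Been Pwned range API does: only the first five hex characters of the password’s SHA-1 hash are sent to the service, and the match is made locally on the returned suffixes, so neither the password nor its full hash leaves the client. The breach corpus, its counts and the `range_query` function are constructed stand-ins for a real service, and `acceptable_password` is an illustrative policy, not a recommended standard.

```python
"""Breached-password check using k-anonymity range queries.

Added example, not code from the original page. BREACH_CORPUS and
range_query() are constructed stand-ins for a real breached-password
service; the plaintexts below exist only so the demo can build hashes.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed leak data: (password, number of times seen in breaches).
# A real service stores only hashes and counts, never the plaintexts.
_CONSTRUCTED_LEAKED = {
    "password": 3_730_471,
    "linkedin": 120_000,
    "GoPats2016!": 3,
}

# Server-side index: 5-char SHA-1 hex prefix -> [(35-char suffix, count)].
BREACH_CORPUS: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in _CONSTRUCTED_LEAKED.items():
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_CORPUS.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_query(prefix: str) -> str:
    """Simulated server side: return every suffix sharing the 5-char prefix.

    The response is "SUFFIX:COUNT" lines, the same shape the real range API
    uses. Because many hashes share a prefix, the server cannot tell which
    one the client actually holds. An unknown prefix yields an empty body.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(f"{suffix}:{count}" for suffix, count in BREACH_CORPUS.get(prefix, []))


def breach_count(password: str) -> int:
    """Client side: how many times the password appears in breach data.

    Only the hash prefix is transmitted; the suffix comparison is local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Illustrative policy: reject breached passwords first, then a length floor.

    The breach check runs first on purpose: a long, complex password that is
    already in a dump is no better than a weak one, and the sports-team-plus-
    year pattern above is exactly the kind of thing that turns up in leaks.
    """
    count = breach_count(password)
    if count:
        return False, f"appears in breach data {count} times"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "GoPats2016!", "correct horse battery staple"]:
        print(repr(pw), acceptable_password(pw))
```

In production the `range_query` call would be an HTTPS request to the breach service and the client would never build the corpus itself; what stays the same is that the policy check is done against the returned suffix list locally, so the service learns at most 20 bits of the hash. A password manager that flags reused or leaked entries is doing this same comparison for every stored credential.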