The Wild, Wild West of IoT Security
Computerworld (08/03/15) Evans, Nicholas D.
Security in the Internet of Things (IoT) is an unorganized, untamed “wild West” situation that could create a number of risk scenarios, writes Nicholas D. Evans, who leads the Strategic Innovation Program for Unisys. These risks include drones with attached firearms, connected cars that could be remotely sabotaged, and hacked hospital systems that could threaten the safety of patients. One main problem with IoT security is that it is frequently an afterthought, added to solutions only when issues are found rather than built in from the start. There are signs of improvement, such as the reference architecture recently published by the Industrial Internet Consortium, which examines the key characteristics of IoT and the key concerns around it. It is meant to provide developers, engineers, systems integrators, and organizations with a common vocabulary and approach to building and implementing secure and interoperable IoT systems. Organizations that are designing and implementing IoT solutions should first have a clear sense of the possible threat scenarios, have a framework for understanding devices and their networks, and take a holistic approach to cybersecurity.
Bastille Promises to Find Malicious Wireless Devices in Corporate Networks
Network World (08/12/15) Greene, Tim
Startup company Bastille has developed a product that it says will help enterprises monitor the wireless connections in their facilities, possibly offering a means of monitoring Internet of Things (IoT) devices. The product consists of radio-frequency sensors deployed in an overlapping mesh, similar to Wi-Fi access points, throughout a given area. The sensors continuously scan all radio frequencies in the area between 50MHz and 60GHz. This data is then encrypted and sent to Bastille’s private cloud to be processed. The sensor network gives CISOs visibility into the wireless connections being made within their facilities and can identify unwanted and potentially dangerous connections, such as an employee trying to connect to network devices using an infected personal mobile device. Founder and CEO Chris Rouland believes the system could be particularly useful for monitoring the security of IoT devices, which often lack security features. The system is meant to be deployed in facilities where important assets reside, such as data centers or executive suites. The system is currently in beta and will likely be available in the first quarter of 2016, with its release possibly coinciding with the RSA security conference.
Retail CIOs Must Balance Security Innovation
CIO (08/05/15) Goldman, Sharon
The major breaches of Home Depot’s and Target’s payment systems in 2014 were a wake-up call for the retail sector, and experts agree that retail CIOs are now taking data security seriously. Boston Retail Partners’ 2015 POS/Customer Engagement Benchmarking Survey found that payment security was among retail CIOs’ top three priorities for 2016, with a major focus on encryption and tokenization. Perry Kramer, vice president and practice lead at Boston Retail Partners, says that retail businesses are in a unique position, with a large amount of potentially vulnerable data — ranging from customers’ payment and personal information to proprietary merchandise/product data and financial plans — and hundreds of thousands of access points, often manned by employees with little or no training in how to handle technology securely. Kramer says this means retail businesses should “make every effort possible to lock down peripherals and every risk point.” The situation is only getting worse as more and more aspects of the retail business involve technology. Marketing, for example, has largely become a technology-driven effort that could potentially open businesses to attack. That is why retail CIOs have to be involved in all line-of-business efforts to adopt technology and make sure those efforts include the necessary steps to secure the new technology.
Hackers Trick Email Systems Into Wiring Them Large Sums
Wall Street Journal (07/29/15) Simon, Ruth
In what is known as “corporate account takeover” or “business email fraud,” cybercriminals use publicly available information and flawed email systems to trick businesses into transferring money into fraudulent bank accounts. Malicious software can allow criminals to collect passwords to email systems and then falsify wire-transfer instructions. Although companies of all sizes have been targeted by these scams, small businesses are especially vulnerable because they lack the budget for security and investigations. Some insurers now offer “social engineering fraud” coverage as an add-on to standard crime policies. The schemes cost companies more than $1 billion from October 2013 through June 2015, the FBI reports, based on complaints from businesses in 64 countries. A recent advisory says the FBI’s Dallas office identified six Nigerians who had targeted about 25 local companies with emails that appeared to come from the companies’ high-level executives. A spokeswoman for Nacha, the industry-run group overseeing ACH transactions, says businesses are strongly advised to “work together with their financial institutions to understand and use sound business practices to prevent and mitigate the risk of corporate account takeover.”