Category Archives: Cyber Industry

IoT Security in 2019: Things You Need to Know

In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.

IoT visibility & security in 2019:

1. IoT endpoint security vs network security

Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.

Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.

2. “Cryptography is typically bypassed, not penetratedShamir’s law

In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should  now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.

3. 3rd party IoT vulnerabilities

One of the main issues in IoT security is the heavily reliance of IoT devices on third-party components for communication capabilities, cryptographic capabilities, the operating system itself etc. In fact, this reliance is so strong that it has reached a point where it’s unlikely to find an IoT device without third-party components within it. The fact that third-party libraries are commonly used across devices, combined with the difficulty to secure them, makes them a sweet spot for hackers to look for IoT vulnerabilities and exploit many IoT devices through such 3rd party component.

Vulnerability in third-party components is very dangerous. In many IoT devices, there is no separation and segmentation between processes and/or tasks, which means that even one vulnerability in a third-party library is compromising the entire device. This could lead to lethal results: attackers can leverage the third-party vulnerability to take control over the device and cause damage, steal information of perform a ransomware attack on the manufacturer.

it’s not only that third-party components are dangerous, but they are also extremely difficult to secure. Many third-party components are delivered in binary form, with no source code available. Even when the source code is available, it’s often hard to dive into it and asses the security level or vulnerabilities inside it. Either way, most developers use the open-source components as black-boxes. On top of that, static analysis tools and compiler security flags lack the ability to analyze and secure third-party components and most IoT security solutions cannot offer real-time protection into binary code.

VxWorks vulnerabilities

A recent example of such third party vulnerability that affects millions of devices can be found in the security bugs found in the VxWorks embedded operating system. These vulnerabilities exposed every manufacturer that used VxWorks operating system, even if security measures like penetration testing, static analysis, PKI and firmware analysis were taken.

To summarize, in order to provide strong and holistic IoT protection, you must handle and secure all parts of the device, including the third-party components. Sternum IoT security solutions focus on holistically securing IoT devices from within and therefore offers a unique capability of embedding security protection & visibility into the device from end-to-end. Sternum’s solution is also operating during real-time execution of the device and prevents all attack attempts at the exact point of exploitation, while immediately alerting about the attack and its origins, including from within third-party libraries.

4. Regulation is kicking in

In the past two years, we’re seeing a across industries effort to create regulations and standards for IoT security. We are expecting to see more of these efforts shaping into real regulations that will obligate manufacturers to comply with them.

A good and important example is the FDA premarket cybersecurity guidance that was published last year and is expected to become a formal guidance in 2020. The guidance includes different aspects of cybersecurity in medical devices (which is in many cases are essentially IoT devices) such as data integrity, Over-the-air updates, real-time protection, execution integrity, third-party liabilities and real-time monitoring of the devices.

Another example is the California Internet of Things cybersecurity law that states: Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.

We expect to see more states and countries forming regulations around IoT security since these devices lack of security may have a dramatic effect on industry, cities, and people’s lives. Top two regulations that are about to be released are the new EU Cybersecurity Act (based on ENISA and ETSI standards) and the NIST IoT and Cybersecurity framework.

The post IoT Security in 2019: Things You Need to Know appeared first on CyberDB.

Four cyber security myths affecting British businesses

Businesses need to take their cyber security seriously. There are huge financial implications for being hacked, not just from the perspective of lost revenue and weakened reputation, but also in the form of stricter regulations from laws such as the General Data Protection Regulation (GDPR). However, there are a number of myths about cyber security that make it difficult for companies to know what the best course of action is. Here are four myths about cyber security that are still affecting British businesses.

Myth #1: Cyber security is purely dealt with by the IT department

One commonly held myth that can actually put businesses at risk is the idea that cyber security is something that the IT department (and only the IT department needs to be concerned about). Of course, it is necessary to provide your IT team with the budget and resources to defend your business against the risk of a cyber-attack.

The nature of cyber crime means that it is something that the whole of the company needs to be aware of, and understand how to respond to it. For example, directors and senior staff need to understand the risk of them being targeted with business email compromise (BEC) attacks. And all employees need to be aware of the dangers of phishing schemes.

Ensure that your IT department is provided with the resources to provide the relevant training to all members of the team. It is also a good idea to make cyber security an important company-wide issue so that responsibilities are fully understood.

Myth #2: Small businesses don’t get targeted by cyber criminals

It can be easy to look at the cyber criminals and hackers making headlines and believe that cyber attacks only occur against large businesses and huge organisations. Yes, it is common to read about well-known brands losing significant quantities of data, and that can lull small businesses into an assumption that it is only those large businesses that are the targets of cybercrime.

However, this couldn’t be further from the case. In fact, recent statistics show that around 60 per cent of small businesses suffer some form of hacking attempt every year. Small businesses can be considered easy targets by hackers because they may not have the money to invest in powerful cyber security. So, if you are a small business owner, don’t discount the possibility of being attacked just because you aren’t large. If you appear to be a quick win for hackers, they will target you.

Myth #3: Antivirus and firewall software is enough

Some businesses still believe that they can simply rely on their antivirus and firewall software in order to keep their business IT system secure. But the truth is that modern cyber criminals are too advanced and sophisticated to simply use these sorts of security.

To defend against skilled hackers, businesses need to invest in similarly advanced defences. This could include everything from ethical hacking and penetration testing to round-the-clock system monitoring and endpoint protection. It’s worth speaking to cyber security experts who will be able to provide you with advice and guidance on the kind of defences that your system needs.

 

Myth #4: Digital security and physical security are separate issues

Plenty of businesses understand that cyber security is a serious issue with hackers and criminals becoming more and more sophisticated and resourceful. This has seen them organisations invest in the kind of skills and software required to keep the business IT system safe, and clearly that is a good thing.

However, it can also lead to organisations overlooking the dangers of physical security breaches. If cyber criminals can gain access to your building or easily carry out surveillance, it can make it much easier for them to gain access to your system. So, it is essential that you should consider that your physical security is an important aspect of your cyber security, and invest in it in the same way.

Leading physical security provider Maltaward recommends a full range of security measures in order to keep your site secure in this blog, which includes CCTV across the property, security doors and even the use of concrete barriers to prevent unauthorised access to the company carpark or other areas of your working premises.

The post Four cyber security myths affecting British businesses appeared first on CyberDB.