IoT: Get Security Right The First Time

Let’s start building security into the Internet of Things now, before everything becomes connected — and hackable. The Internet of Things (IoT) is weaving itself into the fabric of everyday life, including smart grids, smart meters, connected cars, and devices for the home. Gartner reports there are more than 2.5 billion connected devices today, and by 2020, there will be more than 30 billion. While there’s excitement about IoT’s potential to create new business and boost productivity and convenience, the technology community can’t forget about security. If there’s one thing IT professionals know, it’s that if something is connected to the Internet, someone will try to hack it. Unfortunately, the technology industry has a long history of ignoring security in the rush to open new markets, and we may see it happen again with IoT. We’ve already witnessed instances of hackers exploiting security holes in smart TVs and baby monitors. In some cases, IoT may be able to use existing security technology, such as encryption. Encryption can be used to authenticate devices and, when used with VPNs, can safeguard sensitive data in transit. Although VPNs are most often thought of as a technology to secure communications with corporate networks and the Internet, they can just as easily be implemented within devices to support machine-to-machine (M2M) communications and more innovative forms of connectivity. However, encryption also comes with its own drawbacks. Consider key management, for example. As billions of connected devices get rolled out, there is a looming logistical challenge to secure and manage encryption keys. A...

Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open...

Ransomware Looks to Blackmail Enterprises

When most people think of threats to their computer systems and networks, the usual suspects come to mind — malware and keystroke loggers that are meant to steal passwords to remotely access corporate networks and online accounts. Then, of course, there are the viruses designed simply for the sake of destruction, rendering one’s computer little more than an expensive, oversized paperweight. But perhaps the most dangerous threat of all is one that, while it has been around for a long time, is only now coming into prominence. It’s called “ransomware,” and if it sounds scary, that’s because it is. CryptoLocker is a well-known example circulating today. Ransomware is an accurate moniker, as this breed of malware encrypts the contents of your computer and then its creator offers to provide the decryption key — for a nominal fee, of course. Thinking of booting up in safe mode and deleting the ransomware from your computer? That’s all well and good, except your files are still encrypted and you still don’t have the key to unlock them.

Ransomware Threatens Enterprises on Multiple Levels

Encrypting your most important files isn’t the only method that cyber criminals employ, however. They can also place files on your computer that put you in an awkward position. Common practice includes downloading indecent materials on a computer that one uses for work. Employees fearful of losing their jobs for having illicit content found on their devices are that much more likely to pay the “ransom.” And if it works against one employee, cyber criminals have good reason to suspect that others in the same organization will acquiesce, meaning...

Why Enterprises Are Struggling So Much with Encryption

Encryption. For most organizations, the need for it is very apparent, but for some reason, its implementation often falls well short of goals and expectations. The obvious question here is: why? A recent Ponemon Institute study took a closer look at what exactly is giving enterprises such a headache when it comes to efficiently using encryption. The results were interesting, to say the least. According to InformationAge, the research, which included more than 4,800 business and IT managers worldwide, unsurprisingly revealed that encryption use is on the rise, as companies try to stay ahead of growing privacy and compliance regulations, consumer concerns and increasingly sophisticated cyber attacks. In fact, 35 percent of organizations now have enterprise-wide encryption, compared to 29 percent last year. What was surprising, however, was the apparent shift in objective: “For the first time, the primary driver for deploying encryption in most organizations was to lessen the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation.” An alarming finding of the study is that only 20 percent of organizations polled think they are obligated to disclose data breaches, and of those, nearly 50 percent believe that because the data is encrypted, there is no need to publicly acknowledge that an infiltration occurred. While the ethics of those policies are certainly subject to debate, a bigger problem perhaps is that all organizations surveyed are challenged with simply finding their sensitive data, as more than 60 percent agree that discovering exactly where it resides is the greatest challenge to deploying an encryption policy. More than half also agreed managing keys and certificates...

Stopping Remote Access Breaches with “Honey”

Encryption has long been one of the most effective tools to prevent the exposure of sensitive data. As such, hackers are constantly working on new ways to crack encryption algorithms and exploit lapses in security. Information security professionals must be ever vigilant and constantly create innovative new methods to thwart attacks. Recently, one interesting new encryption security method has come to light that takes inspiration from another, quite different tactic, honeypots, to trap and confuse hackers. The new approach, called “Honey Encryption”, could potentially offer more effective digital security by making fake data appear to be legitimate and valuable information to hackers. The project, developed by former RSA chief scientist Ari Juels and the University of Wisconsin’s Thomas Ristenpart, is currently a prototype and takes advantage of the brute-force cracking methods used by attackers. With each incorrect guess a cracking program makes, the software adds a piece of made-up data to the dataset. For example, if a hacker is trying to break into an enterprise’s credit card database, the program will create numbers that look like real credit card numbers, instead of the gibberish that attackers would currently see. With thousands of attempts in a typical attack, hackers will be bombarded with fake information, making it enormously difficult to determine whether information is real or not. Currently, the prototype only protects encrypted data stored in password vaults, but the technology could have tremendous future implications for other forms of encrypted information. One day, a similar program could perhaps generate bogus but plausible network communications when a hacker is trying to break into a VPN’s encrypted tunnel. Or, a hacker...