Suppose a lunch companion says, “I think there’s something wrong with this tuna salad.” To determine if the problem is tuna not to their taste vs. tuna gone bad, would you scarf it down? Probably not. Now remove tuna salad from the example and substitute a web browser extension. (Stay with us here.) Let’s say you’ve been warned that an unknown extension could be used for fraud. Should you download it and let it marinate in your company’s network? The FTC says that’s what the owner of ClixSense.com did, and it’s just one example of conduct challenged as deceptive or unfair.


ClixSense – a sole proprietorship owned by James V. Grago, Jr. – is a rewards website that pays users for clicking on ads, taking online surveys, or completing other tasks. As part of the enrollment process, ClixSense collects users’ full names, addresses, dates of birth, and other personal information. In addition, people must create usernames and passwords and answer security questions. If users earn more than $600 a year from ClixSense, they have to turn over their Social Security numbers, too.

Visitors to ClixSense.com were promised “the latest encryption and security techniques to ensure the security of your account information.” But according to the complaint, at least through 2016, the site didn’t honor that claim. The FTC alleges that ClixSense didn’t perform network vulnerability and penetration testing, didn’t use established techniques to protect against third-party attacks, didn’t implement reasonable access controls, didn’t use techniques to detect cybersecurity events, and didn’t use encryption – among other techniques – to protect sensitive consumer information stored in plain text on its network.


What’s more, the FTC says ClixSense let employees store plain text user credentials in personal email accounts, didn’t change third-party default logins and passwords, failed to use readily available security measures, and maintained consumers’ information, including their Social Security numbers, in clear text on the company’s network and devices.

In November 2015, a user warned ClixSense about a publicly available browser extension that appeared to allow people to click on ads without actually viewing them. To use a term well-known in the industry, the browser extension purportedly facilitated click fraud. And that’s where the iffy tuna salad analogy comes into play, because how did ClixSense respond to the concern about this suspect browser extension? According to the FTC, ClixSense simply downloaded it onto its own network without taking proper precautions. There it sat for months as hackers used it to access credentials on employee laptops, change employees’ logins and passwords, and redirect visitors to an unaffiliated adult website – all clues that should have alerted ClixSense that its network had been compromised.

Ultimately, hackers used credentials lifted from an email on a compromised employee laptop to access an old ClixSense server still connected to the network. That server used the default credentials ClixSense had never changed. If lawsuits were horror movies, this is where you’d cover your eyes and yet still feel compelled to peek at what happened. That’s because hackers used the old server to connect to the new server, which is where they downloaded personal information maintained in clear text on about 6.6 million consumers, 500,000 of them in the U.S. The hackers then offered stolen data for sale on a questionable website.


The complaint challenges the company’s claims about using “the latest security and encryption techniques” as false or misleading. The FTC also alleges that the failure to use reasonable security was an unfair practice.

For people who follow FTC data security enforcement, the proposed order is worth a careful read. Among other things, the order prohibits misrepresentations about the privacy, security, confidentiality, or integrity of personal information, including the extent to which encryption and security techniques are used. In addition, before collecting personal information, Mr. Grago and any company he controls must put a comprehensive information security program in place. The proposed order lists eight specific features the program must have, all tied to the conduct and lapses alleged in the complaint. Also required: periodic third-party security assessments and annual certifications that the requirements of the order are in place. Once the proposed consent agreement is published in the Federal Register, you will have 30 days to file a public comment.

What can other companies take from this case?

Deliver on your security pledges. Security claims are more than cut-and-pasted boilerplate. Like any other objective representation, they need the support of solid substantiation.

Monitor for suspicious activity and respond quickly and thoughtfully. Use affordable tools to alert you to unexplained traffic on your network or changes to your website. If you suspect a security incident, implement a forceful red zone defense. But don’t “investigate” with a wayward click or download your tech team hasn’t thought through. Turn to the FTC’s Data Breach Response publication and video for advice.

A confidential credential can be consequential. Most business people know that certain kinds of data – for example, Social Security numbers and account information – can be toxic to a consumer’s identity if they fall into hackers’ hands. But stolen login credentials can inflict harm, too. Let’s face it: People have been known to use the same username and password on more than one site. Because the theft of a user’s login on your site could serve as a skeleton key to give hackers access to consumers’ bank accounts, medical records, or other highly sensitive information, keep a close eye on credentials. Start with Security has more tips on passwords and authentication.

Donating devices like laptops, phones, and flash drives may seem like a noble thing to do—after all, it’s good for the environment and makes devices available at a lower price point for people who may not otherwise be able to afford them. However, device recycling can pose a serious and often overlooked security risk. Device security is a concern that has to be addressed before donating so you can trust that your personal information will remain protected.


In a 2019 report, the security company Rapid7 revealed the dangers of recycling and discarding devices. Researcher Josh Frantz visited 31 businesses that sold refurbished computers and accepted donated hardware, spending $650 on 85 devices. He then set out to extract data from them. The results were alarming: of the 85 devices, only two had been wiped properly and only three were encrypted. He recovered over 366,300 files and managed to extract email addresses, Social Security numbers, dates of birth, credit card numbers, driver’s license numbers, phone numbers, and even a couple of passport numbers.

Imagine the havoc someone could wreak with all that information—it could open you up to credit card fraud, ID theft, doxxing, and more. Moreover, tests run by Limited Results found that discarded low-cost IoT devices can be used to acquire wireless network passwords, which may enable a hacker to gain entrance to an otherwise secured network.

Discussions involving device security tend to focus on what to do while your device is in your possession. Protecting devices with passwords, using a password manager to store secure login information, and using caution with open WiFi networks are all good measures. However, as the Rapid7 report shows, the risk doesn’t end when you retire your old tech for the latest model.

Recycling devices can put your personal data at serious risk, as the machines may still contain thousands of files of personal information, and resellers that promise to wipe them may not live up to that promise. Anyone who plans to recycle, resell, or donate a device must take the task of wiping it into their own hands.


Wipe the system

A factory reset may seem like the quickest and easiest way to erase all data from your device, but unfortunately, it’s not that easy. On most laptops and external drives a reset or reformat only discards the file system’s index, so the underlying data stays on the disk, recoverable with off-the-shelf tools, for years. (Phones that encrypt their storage are the exception: a reset that destroys the encryption key leaves nothing readable behind.) Luckily, with a little extra effort, you can make your data unrecoverable.

There are a number of applications out there to wipe a hard drive or SSD. For Windows, Eraser is a popular choice, and Digital Trends has a good guide for how to use it. Another popular option is to erase a hard drive using Darik’s Boot And Nuke, also known as DBAN, a free data destruction program that overwrites everything on a hard drive (check out Lifewire’s guide on DBAN). Other similar programs include CBL Data Shredder, MHDD, PCDiskEraser, and KillDisk. There are dozens of free data destruction programs out there, so find the one that works best for you. One caveat: overwriting tools like DBAN were designed for spinning disks. An SSD’s controller silently remaps blocks, so a software overwrite can miss data sitting in spare or retired flash. For solid-state drives or multiple disks in a RAID, Digital Trends recommends Parted Magic, which can issue the drive’s own ATA Secure Erase or NVMe sanitize command instead. Better still, run full-disk encryption from the day you set the device up, so that at retirement time you only have to destroy the key.
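Whatever tool you use, check the result before the drive leaves your hands. The following Go program is an added example for this article, not one of the tools named above or anyone’s product: it reads a device or image back block by block and passes a block only if it is all zeros (a zero-fill wipe) or looks random (a random-pattern wipe); anything else means data survived. The three disk images it builds, and the customer record planted in the “factory reset” one, are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"math"
	"os"
	"path/filepath"
)

// WipeReport summarises a read-back check of a wiped drive or disk image.
type WipeReport struct {
	BlocksChecked int
	ZeroBlocks    int // read back as all 0x00 (zero-fill wipe)
	LowEntropy    int // neither zero nor random-looking: data survived
	Clean         bool
}

// shannon returns the entropy of b in bits per byte: 0 for a constant block,
// about 7.95 for 4 KiB of random bytes, typically 3 to 6 for text or metadata.
func shannon(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// VerifyWipe reads every blockSize-byte block of the device or image at path.
// A block passes if it is all zeros (zero-fill wipe) or high entropy
// (random-pattern wipe); anything else counts as surviving data and fails.
func VerifyWipe(path string, blockSize int) (WipeReport, error) {
	f, err := os.Open(path)
	if err != nil {
		return WipeReport{}, err
	}
	defer f.Close()
	size, err := f.Seek(0, io.SeekEnd) // unlike Stat, this also sizes a raw block device
	if err != nil {
		return WipeReport{}, err
	}
	var rep WipeReport
	zero, buf := make([]byte, blockSize), make([]byte, blockSize)
	for off := int64(0); off+int64(blockSize) <= size; off += int64(blockSize) {
		if _, err := f.ReadAt(buf, off); err != nil {
			return rep, err
		}
		rep.BlocksChecked++
		if bytes.Equal(buf, zero) {
			rep.ZeroBlocks++
		} else if shannon(buf) < 7.5 {
			rep.LowEntropy++
		}
	}
	rep.Clean = rep.LowEntropy == 0
	return rep, nil
}

// Leftover returns blockSize bytes of a made-up customer record, modelling what
// a "factory reset" that only dropped the file table leaves in the data blocks.
func Leftover(blockSize int) []byte {
	rec := []byte("name=Jane Doe;dob=1970-01-01;ssn=000-00-0000;card=4000000000000002\n")
	return bytes.Repeat(rec, blockSize/len(rec)+1)[:blockSize]
}

// RandomFill returns n random bytes, modelling a random-pattern wipe.
func RandomFill(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	dir, _ := os.MkdirTemp("", "wipecheck")
	defer os.RemoveAll(dir)
	images := map[string][]byte{ // three constructed end states of the same 1 MiB drive
		"zero-fill":     make([]byte, 4096*256),
		"random-fill":   RandomFill(4096 * 256),
		"factory-reset": append(make([]byte, 4096*128), bytes.Repeat(Leftover(4096), 128)...),
	}
	for name, img := range images {
		p := filepath.Join(dir, name+".img")
		if err := os.WriteFile(p, img, 0o600); err != nil {
			panic(err)
		}
		rep, err := VerifyWipe(p, 4096)
		fmt.Printf("%-14s clean=%-5v zero=%3d low-entropy=%3d err=%v\n", name, rep.Clean, rep.ZeroBlocks, rep.LowEntropy, err)
	}
}
```

Run it against the block device itself (for example /dev/sdb, as root) rather than a mounted partition, and on a large drive read a few thousand blocks at random offsets instead of every one; the per-block test does not change. One limit to keep in mind: an SSD that has been secure-erased reads back as zeros because its controller no longer maps the old pages, not necessarily because the flash cells are blank, which is the remaining reason physical destruction stays the conservative choice.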

Once you’ve wiped the hard drive, remove it from the device and destroy it thoroughly. This may seem extreme, but if you can’t verify that the wipe completed (a failing drive, for example, may not accept one), physical destruction is the only way to be certain. Frantz recommends using a hammer, industrial shredder, drill, incineration, acid, electrolysis, or, if you’re really committed, thermite. Just make sure to do this safely and use appropriate gear, like goggles and gloves.


Consider sustainability-as-a-service

Another way to retire tech securely is partnering with an organization that safely and responsibly recycles it. As an individual, conduct due diligence before donating a device and find out the reseller’s security practices. As an enterprise, find a reputable service provider that can help recover, repurpose, or recycle tech with device security as a priority.

Since 2016, HP has recycled 271,400 tons of hardware and supplies and continuously made device security a priority through its Device-as-a-service (DaaS) offering, which includes end-of-use services to help your organization sustainably prepare for a technology refresh. HP’s sanitization service permanently destroys the storage media in accordance with the latest industry standards, reducing the workload on your organization and providing peace of mind.

Before we get to most common cyber security mistakes made by enterprises, let’s take a step back and think about the world of 10-15 years ago. Remember how it was? If you’re like most people, you’d be using a flip phone, you’d be using that creepy landline phone, you’d be ordering food over the phone, you’d be renting DVDs, and you’d be using those confusing street maps. Now that we look back, we can’t help but feel weird about it.

That’s because technology has touched almost every aspect of our lives and changed it forever: the way we communicate, the way we eat, the way we travel, the way we get entertained and, most importantly in the context of this blog, the way we work. Digitization has disrupted almost every type of business, whether small or large, and has made everything smoother, faster, and more efficient. But as Richelle Mead says, “Most good things come with the risk of something bad.” Here, this risk comes in the form of cyber-attacks.


There was a time when only the big firms used to care about cybersecurity because they had to, you know. Nobody used to care about the cybersecurity concerns of SMBs—just like your Facebook cover photo. That time is long gone, and the tables have turned (nobody still cares about your Facebook cover photo though). It might seem counter-intuitive, but around 95% of reported credit card breaches hail from small businesses. So it’s dead wrong to think that SMBs are spared. They should care even more, as 60% of small businesses close after suffering a data breach.

So, it’s pretty clear that cyber-attackers spare no one. That’s why having proper people, infrastructure, policies, and strategy is of paramount importance. And the enterprises seem to have understood this. They’ve started taking cyber security seriously and have begun taking proper actions. While doing so, many commit mistakes that come back to haunt them. To avoid such errors and their implications, we’ve come up with the five most commonly committed mistakes by businesses.


Here are the five most frequently made cybersecurity mistakes by enterprises. Watch out for these!

1.  Who is going to attack our business? We’re not Apple or Google.

This is an attitude problem more than anything else. As noted above, smaller businesses tend to get targeted more by cyber perpetrators. Do you know why? Because of this we’re-not-Google attitude. Many SMBs don’t take cybersecurity seriously, and that’s exactly what hackers want. Such a stance results in weak security practices, and that ultimately results in…you can guess the rest.

2.  Not training the staff

It’s no secret that employees are your most significant cybersecurity risk. A wrong click in the wrong place could make you fall prey to a phishing scam. We’re not telling you to enroll every employee in a cybersecurity course (it’d be great if you could do that), but we are telling you to make them aware of the basics through proper training by an expert. We also suggest writing security policies and guidelines that cover practices such as antivirus, strong passwords, secure protocols, encryption software and two-factor authentication. Such policies create a ‘security-first’ environment, something that’s needed to thwart cyber attackers.

3.  Not updating on time

Let’s get this clear: updates come with a purpose, and that purpose is improvement. Newer versions include patches and security updates that protect you against vulnerabilities in past releases. No matter what it is, your antivirus, your OS, browser, protocols, server software, your IT department must make sure that updates are installed on time, every time.


4.  Not investing in cybersecurity

Unfortunately, many companies still don’t see cybersecurity as something worth investing in. Whether it’s people, security software, hardware, or monitoring systems, this is not the time to take security lightly. Engage a security consultant to test your environment, and the results will tell you what’s needed.

5.  “The IT guy will take care of it.”

You hired an IT person. Read it again: you hired an “IT” person. It’s never a good idea to expect an IT person to take care of everything. This has to do with skills as well as priority. S/he might not have deep knowledge of security, and even if s/he does, s/he will have a plethora of other responsibilities. Maintaining security requires a lot of attention, and your IT person might not be able to give it. That’s why hiring a security specialist, on a permanent or consulting basis, is essential.

One of the most pressing and controversial issues of our times has been the security and integrity of America’s elections. Fair and free elections are unquestionably a central pillar of the United States, enabling the people to choose their own destiny.

Unfortunately, US elections also have a history of being exposed to security threats, including from those who seek to shift the balance of power to their own unique advantage. This has become exacerbated as a result of the shift in recent years to electronic voting.

Recent examples include the nearly 20,000 emails that were stolen from the Democratic National Committee right in the middle of the 2016 Presidential election campaign season and the American intelligence community’s assertion that the Russian government had interfered in the election for its own benefit.


Furthermore, several weeks after the chaotic Democratic 2020 caucus in Iowa, the city of Los Angeles also found numerous faults and glitches in its new voting system. These kinds of incidents raise serious questions leading into the upcoming 2020 election scheduled for November 3rd.

The simple fact of the matter is that American voting machines are a significant security risk. This is because they utilize outdated computer systems, hardware, and software, much of which is no longer even serviced. From this alone, it shouldn’t be difficult to see how America’s election integrity is vulnerable to attack.

In this piece, we’ll dive into exactly how America’s electoral integrity is at risk due to cyber attacks, and then talk about the best methods that can be used to improve both access and security in the country’s elections.


How Are America’s Elections at Risk?

You might have seen headlines touting America’s “voting security crisis.” The integrity of election data has always been at risk. For example, election results can be incorrectly reported, creating inaccuracies by honest human error. Malicious actors can attempt to deliberately introduce inaccuracies into the vote totals and then destroy the evidence necessary to audit the election results. Registration data can be altered.

Voters can also be intimidated or deterred from accessing their polling site, therefore preventing their ability to cast a ballot in the first place. Illegal or fraudulent voting can and does happen (it’s just really a question of how often).

The list goes on.

That all being said, with most voting in the US currently being done electronically, there are a number of major cybersecurity vulnerabilities that America’s election processes are exposed to as well.

The main threats to current electronic voting in the United States can be summed up in the following ways:

Breaches of Servers

One of the most significant threats against US elections is attackers breaching election servers to harvest credentials that give them access to the rest of the system.

The recent tampering of servers in Georgia is an example of this. In this case, it was discovered that election-related files had been deleted from the main server, although it was fortunately also found that no election-related data had been compromised.

DoS and DDoS Attacks

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are designed to overwhelm computer systems so that legitimate users cannot reach them, disrupting both the actual casting of votes and auditing once the election is complete. They are also among the cheapest and yet most effective methods to disrupt elections and political campaigns.

The main difference between the two is that DoS attacks utilize a single computer and internet connection in order to target a system. In contrast, DDoS attacks utilize several computers and connections to target their systems. Both are massive threats to American election security.

Specifically, hackers can attack election infrastructure through DDoS attacks by using botnets, which are essentially collections of malware-infected computers under one operator’s control, to crash web servers by overloading their resources with massive traffic.

Speaking of malware…

Malware

Malware is an umbrella term referring to most kinds of malicious software, including Trojan horses, ransomware, worms, viruses, and spyware. It is arguably the greatest threat to voting online, because it can be introduced almost anywhere in the chain to prevent a vote from being cast as intended.

The most common way for malware to be used to disrupt voting, besides being used in DDoS botnet attacks as described above, is to disable or otherwise compromise vote-casting systems. It can also be used to alter voting records or to attack election auditing software as well.

What’s worse is that malware is usually not easy to detect, since it can be disguised as a legitimate-looking software update or ballot definition file.

Indeed, the threat of malware to online voting is so great that many have suggested that turning to vote by paper ballots is the only surefire defense against it (more on this subject later).


How Can Elections Be Made More Secure?

The question, of course, is how can America’s elections be made more secure without sacrificing the access to voting that Americans enjoy?

Currently, only 53% of Americans believe that the United States government would be capable of resisting a major cyber attack on an election. Even though that may be a narrow majority, it still doesn’t express that Americans have a great degree of confidence in America’s cyber defenses as a whole.

The good news is that there are several defenses we have available to combat the threat of election hackers and cybercriminals. These include, but are not limited to:

Do We Need A Department of Cybersecurity?

All elections in the United States are conducted at the local level (including the Presidential election) in literally hundreds of thousands of voting precincts. In other words, US elections are highly decentralized.

There are many pros and cons to such a system. On one hand, it would be thought that such a decentralized system would make it much more difficult for hackers and criminals to influence. But on the other hand, the localized nature of America’s election means that there are literally hundreds of thousands of unique targets for cybercriminals. Each precinct or voting system can be targeted to influence an election outcome, whether it be on a local, state-wide, or Federal scale.

This is exactly why there has never been a greater need for proper cybersecurity training to ensure that each individual voting precinct is properly protected. While the Department of Homeland Security has branches that handle election cybersecurity audits, it could be that we are now at the point that an entirely new Department of Cybersecurity (with a special focus on securing the integrity of America’s elections) could possibly be needed.

A Turn Back To Paper Ballots?

Electronic voting machines are often thought of as being the way of the future. That being said, cybersecurity experts are still warning that paperless voting is a very bad idea.

University of Michigan Professor J. Alex Halderman, for instance, has expressed dire concerns that online voting systems are simply too vulnerable to hackers as it currently stands. It took him and his students just 48 hours to gain control over an online voting system meant for Washington D.C. elections, for instance.

Professor Halderman suggests moving over entirely to a system that only uses paper ballots. As archaic as the idea may sound, he argues that a paper ballot system complete with a risk-limiting audit afterward is by far the best way to ensure electoral integrity while also ensuring easy access to America’s voting population.
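What a risk-limiting audit does is easy to show in code. The Go program below is an added example written for this article, not part of the original text and not any election office’s tooling: it implements the BRAVO ballot-polling audit (Lindeman, Stark and Yates) for a two-candidate contest and runs it twice over a constructed, shuffled pile of paper ballots, once where the paper matches the reported 58-42 result and once where the machines reported 58-42 but the paper says 47-53. The vote counts and the risk limit are made up for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// AuditResult records how a ballot-polling audit ended.
type AuditResult struct {
	Outcome   string  // "confirmed" or "full hand count"
	Examined  int     // paper ballots pulled and read by hand
	Statistic float64 // final value of the sequential test statistic
}

// BravoAudit runs the BRAVO ballot-polling risk-limiting audit (Lindeman, Stark
// and Yates) for a two-candidate contest. reportedWinnerShare is the share of
// valid votes the reported winner was announced to have (above 0.5). sample is
// the random sequence of hand-read paper ballots: "W" for the reported winner,
// "L" for the reported loser, anything else for blank or invalid. Each ballot
// updates a likelihood ratio; once it reaches 1/riskLimit the reported outcome
// is confirmed. If the sample runs out first, the contest goes to a full hand
// count. riskLimit bounds the probability that a wrong outcome gets confirmed.
func BravoAudit(sample []string, reportedWinnerShare, riskLimit float64) AuditResult {
	t, threshold := 1.0, 1/riskLimit
	res := AuditResult{Outcome: "full hand count"}
	for _, b := range sample {
		res.Examined++
		switch b {
		case "W":
			t *= reportedWinnerShare / 0.5 // evidence for the reported outcome
		case "L":
			t *= (1 - reportedWinnerShare) / 0.5 // evidence against it
		}
		if t >= threshold {
			res.Outcome = "confirmed"
			break
		}
	}
	res.Statistic = t
	return res
}

// ExpectedSampleSize is the BRAVO paper's approximation of the average number
// of ballots needed when the reported share is accurate. It grows sharply as the
// margin shrinks, which is why very close contests end in a full hand count.
func ExpectedSampleSize(reportedWinnerShare, riskLimit float64) int {
	sw := reportedWinnerShare
	zw, zl := math.Log(2*sw), math.Log(2*(1-sw))
	return int(math.Ceil((math.Log(1/riskLimit) + zw/2) / (sw*zw + (1-sw)*zl)))
}

// DrawSample builds a constructed pile of paper ballots (winnerVotes marked for
// the reported winner, loserVotes for the loser, blanks) and shuffles it into
// the order an auditor would pull ballots from the boxes.
func DrawSample(winnerVotes, loserVotes, blanks int, rng *rand.Rand) []string {
	var ballots []string
	for _, c := range []struct {
		mark string
		n    int
	}{{"W", winnerVotes}, {"L", loserVotes}, {"", blanks}} {
		for i := 0; i < c.n; i++ {
			ballots = append(ballots, c.mark)
		}
	}
	rng.Shuffle(len(ballots), func(i, j int) { ballots[i], ballots[j] = ballots[j], ballots[i] })
	return ballots
}

func main() {
	rng := rand.New(rand.NewSource(2020))
	const share, risk = 0.58, 0.05 // machines reported 58-42; the auditor accepts a 5% risk limit
	fmt.Println("expected ballots to confirm an accurate 58-42 report:", ExpectedSampleSize(share, risk))

	// The paper agrees with the machines: confirmed after a few hundred ballots.
	honest := BravoAudit(DrawSample(5800, 4200, 150, rng), share, risk)
	fmt.Printf("honest tally:  %s after %d ballots (statistic %.1f)\n", honest.Outcome, honest.Examined, honest.Statistic)

	// The machines were tampered with: the paper actually says 47-53, so the
	// statistic never reaches the threshold and the audit escalates.
	rigged := BravoAudit(DrawSample(4700, 5300, 150, rng), share, risk)
	fmt.Printf("altered tally: %s after %d ballots (statistic %.4f)\n", rigged.Outcome, rigged.Examined, rigged.Statistic)
}
```

The point to take away is that the audit’s sample size depends on the reported margin and the risk limit, not on the number of voters: a landslide is confirmed after a few dozen ballots, a close contest needs thousands, and a reported outcome that the paper contradicts never clears the threshold, so the fallback is a full hand count of the paper.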

Securing Voting Machines and Online Security

Of course, if America doesn’t move over to an entirely paper-based voting system, better actions will need to be taken to secure our voting machines. In fact, this step is absolutely necessary to ensure that American elections can be secured.

As mentioned previously, one of the most common forms of attack against online voting is DoS or DDoS attacks, which are designed to overwhelm web servers via internet traffic. The problem with American voting machines today is their age, as most are very likely to break down. Some election officials have been forced to turn to online outlets such as Amazon or eBay to just find replacement parts.

In a survey conducted by the Brennan Center, 31 states have directly stated that their voting machines are in need of replacement before the 2020 election, but two-thirds of those states also stated that they do not have the necessary funding to do so.

One solution: bolster the defenses of the voting machines themselves and of the networks they report through. A firewall limits which traffic can reach a machine at all, and a virtual private network encrypts the traffic between a polling place and the election office’s servers, which is what protects against attacks like packet sniffing. Neither by itself absorbs a DDoS; stopping a flood takes filtering capacity upstream of the target. Many consumer VPNs now use the same encryption protocols as their enterprise counterparts, like Cisco and Norton, making them a plausible option for the encryption side.

Certificate-backed digital signatures are an example of a method that would both authenticate and validate the person voting online as well as provide an added layer of security as compared to traditional forms of electronic voting.

Another idea is for each individual to vote both on paper and electronically at the same time, with the two records checked against each other. This method may not be 100% foolproof either, but without a paper record there is simply no independent way to assess whether the electronic tally is legitimate.

Conclusion

There are positive changes that we can make to America’s election processes before the 2020 election hits.

Replacing or updating old machines with modern security measures and investing more funding at the Federal level for election cybersecurity are just two examples of measures that could help ensure America’s elections remain both secure and accessible.

As discussed in our recent webinar, one of the main benefits of using digital certificates for authentication is that they can be used to secure all of your endpoints: users, machines, and devices. Let’s take a closer look at how some of our customers are taking advantage of that benefit to secure various endpoints.


Machine Authentication

A payment services company operating payment kiosks and computers in retail convenience stores uses digital certificates to authenticate the kiosks and encrypt communications to and from their servers.

The challenge

A US-based payment processing company operates 10,000 on-location payment kiosks and computers in convenience stores across the country. Their services allow customers to pay bills from a network of service providers (e.g., utility companies, phone providers) in cash. The company needed a solution to ensure only approved machines could communicate with their back-end servers and also encrypt the information being transmitted between the kiosks/computers and the servers.

The solution

Installing a digital certificate on each kiosk or computer not only identifies the machine and proves that it is allowed to access the network, but also lets the TLS connection to the company’s server encrypt data in both directions. Using our API, the company is able to programmatically push certificates to each of the kiosks, automating deployment, renewal, and other stages of the certificate lifecycle.
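Here is the server side of that arrangement as an added example in Go, using only the standard library; it is not the vendor’s API or the payment company’s code. The back end requires every TLS client to present a certificate that chains to the fleet CA, reads the device identity out of the verified certificate, and turns away both a device with no certificate and a rogue device carrying a look-alike certificate issued by an unrelated CA. The CA names, the kiosk identifier kiosk-0042 and the /checkin path are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (a CA); otherwise parent signs it (a device cert).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation or signing failing is fatal in this demo
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// checkIn is the kiosk side: one HTTPS request, presenting cert if non-nil.
func checkIn(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // kiosks trust only the company's own back end
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/checkin")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunKioskDemo starts a back end that accepts only clients whose certificate
// chains to the fleet CA, then tries a provisioned kiosk, a device with no
// certificate, and a rogue device with a look-alike certificate from its own CA.
// It returns the reply the real kiosk received and whether both others failed.
func RunKioskDemo() (string, bool, error) {
	fleetCA, fleetKey := issue("Example Fleet Device CA", nil, nil)
	kioskCert, kioskKey := issue("kiosk-0042", fleetCA, fleetKey)
	rogueCA, rogueKey := issue("Rogue CA", nil, nil)
	rogueCert, rogueDevKey := issue("kiosk-0042", rogueCA, rogueKey) // same name, wrong issuer

	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(fleetCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer has already verified the chain against ClientCAs, so the CN is trustworthy here.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()

	reply, err := checkIn(srv, kioskCert, kioskKey)
	if err != nil {
		return "", false, err
	}
	_, errNoCert := checkIn(srv, nil, nil)
	_, errRogue := checkIn(srv, rogueCert, rogueDevKey)
	return reply, errNoCert != nil && errRogue != nil, nil
}

func main() {
	reply, rejected, err := RunKioskDemo()
	fmt.Printf("kiosk reply: %q; unauthenticated and rogue devices rejected: %v; err: %v\n", reply, rejected, err)
}
```

The identity decision is made by the TLS stack against ClientCAs before any application code runs, which is the property the case study describes: the server never holds a device secret, only the CA certificate. In production the kiosk key would be generated on the device, ideally in hardware, and only the certificate request would leave it; generating the key in the same process, as this demo does for brevity, is the step you would not copy.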


Mobile Device & Laptop Authentication

A law firm uses digital certificates to authenticate employee-operated mobile iOS devices and laptops.

The challenge

An Illinois-based law firm standardized on Apple products for their 250 employees, including mobile phones and tablets to allow employees to work remotely. To ensure only approved devices could access and operate on the corporate networks, the law firm sought a cohesive authentication solution that would cover the entire range of machines and devices – MacBook Pros, iPads, and iPhones.

The solution

Compatible with personal computers, tablets, and mobile phones, digital certificates offer an easy-to-deploy, easy-to-manage solution that covers all of the law firm’s needs. We even have a mobile authentication solution designed specifically for iOS devices. With the mobile solution, policies and device restrictions are configured using Apple’s free profile configuration utility and apply to all issued certificates, making it easy to deploy certificates across an organization. Certificates are issued and delivered using SCEP over-the-air enrollment, so they can be installed directly on the devices with the click of a button.


User Authentication

ISO New England uses digital certificates to authenticate users to their online energy trading portal.

The challenge

ISO New England, operator of the New England bulk power system and wholesale electricity market, manages an energy market trading application accessed by power generators, regional utility companies, and other market participants. Due to the critical nature of ensuring efficient and reliable delivery of electricity, and based on recommendations from the Executive Order to improve Critical Infrastructure cybersecurity, ISO New England wanted to strengthen the level of identity authentication for all users of their trading application.

The solution

NIST’s Preliminary Cybersecurity Framework, the set of standards, guidelines, and best practices that has been drafted to put the recommendations from the Executive Order into action, specifically mentions the inadequacy of passwords as a means of authentication. To meet NIST’s recommendations, ISO New England has implemented our authentication certificates for all users of their eMarket portal, adding a second layer of security beyond usernames and passwords.

As the only public Certificate Authority trusted in all popular browsers and operating systems that is authorized by the North American Energy Standards Board (NAESB), we have been a key member and active participant in establishing PKI standards for NAESB. In choosing us for their authentication needs, ISO New England found a NAESB-compliant partner who is committed to helping them meet their need for strong authentication in a way that is transparent for their stakeholders, while ensuring highly-trusted, authenticated energy transactions.

There are a wide variety of approaches to how an ecosystem identifies devices and how devices authenticate to services. Ultimately, the mechanisms your organization chooses will be, and should be, driven by higher-level strategy. IoT strategy revolves around two central factors. It will be rare for an organization to implement an IoT product just for the sake of the technology, so first and foremost, organizations need to articulate high-level ideas like how, where, and why they want to leverage IoT concepts to generate new value for their business.


Answers to these questions will then drive the product capabilities, connectivity and integrations required to achieve the strategic vision. Another critical factor requiring analysis, but unfortunately often addressed too late in the development cycle, is the risk assessment and selection of risk mitigation technologies in the IoT solution.

 

This risk profiling helps to look at all the potential threats to safety, privacy, fraud, and other potentially negative areas. The risk magnitude or concern associated with each area is very dependent on a huge range of factors including but not limited to, the company’s general risk threshold, industry of operation, and legislative constraints. When peeling back the IoT ecosystem profile, there are a number of general areas that organizations will need to be concerned with in order to appropriately mitigate risks associated with their IoT solution.

Define and Assess the Risks and Attack Vectors

First, let’s consider a sampling of potential risks and attack vectors against an IoT ecosystem. Many IoT attacks mirror traditional cyber-attacks: thing-in-the-middle, denial of sleep, eavesdropping or snooping, and replay. The impact of each will vary significantly based on the details of the ecosystem and device environment, as well as the aforementioned business risk concerns. Still, we can generalize a bit and dive into the details and mitigation of some of these.

Take the thing-in-the-middle concept: imagine a scenario where a malicious party fakes temperature data from a monitoring device in order to force a piece of machinery to overheat, bringing physical and financial damage to the operating organization. There are a number of technical components that could be employed to mitigate this risk. Ultimately, though, the question is how the relying service trusts the data sent from the device. Trust is a very interesting concept in these IoT ecosystems, as it depends not only on the definition of the term, but on the assurance needs of the relying parties and the technical capabilities of the endpoints in the ecosystem. A core topic related to trust is identity. So how can the service receiving, and making decisions from, the device sensor data trust both who is sending the data and the data itself? First, the service needs to establish trust with the source of the data; this is authentication. Second, it needs to be assured that the data has not been modified since it was sent over the network; this is integrity. (A replayed but genuine reading passes both checks, which is why a counter or timestamp also has to be bound into the message.)

We’ll focus most of this discussion on the authentication side of the equation. There are a couple of areas to this question, but first we need to look at how the device authenticates and proves to the service that it is an entity the service trusts. This authentication can be done in numerous ways: with a device name/password, shared secrets, API keys, symmetric keys, or certificates backed by a PKI. Each of these solutions has tradeoffs between security, assurance, ease of use, scalability, feasibility and cost to implement. In the assurance area, we could look at the specific question of how the relying service can be assured that the device is who it says it is.


Assessing Assurance

If we look at the device name & password scenario in comparison to a scenario leveraging digital certificates & PKI, the assurance level will look at questions along the lines of the following:

  • How were the credentials generated?
  • How were they provisioned to the device?
  • How are they stored on the device?
  • Were the credentials sent in clear text at any point where a third party could have intercepted them?
  • Were the credentials updated after provisioning, and if so, were the updates done securely?

Strong Identity and Authentication Mechanisms

Within this framework, I’ll speak to a ‘best practice’ implementation of PKI and compare it to a more traditional device name/password scenario, demonstrating how to build a higher-assurance model, which enables greater risk reduction and a lower likelihood of falling victim to a Thing in the Middle attack, while addressing some of the questions raised above.

One of the benefits of PKI in our device context is that it can be implemented without the relying service knowing any part of the device’s secret. PKI relies on two parts: a public key – often bound to an identity certificate – which can be exposed publicly, and a private key, which should remain just that, private. In a device environment, the best practice is to leverage secure hardware, like a Trusted Platform Module or equivalent, for generation and storage of the private keys. These hardware containers provide very strong assurance that the private keys have not been and will not be exposed. By starting with these secure hardware components to protect keys, you have a great basis for building trusted identity. Building on the assurance of the key storage, in a certificate-based PKI deployment you will want to issue a digital certificate which binds some notion of identity information to the public key corresponding to the private key. This process is often done with devices on the manufacturing line. The digital certificate can now be used in a number of scenarios to securely authenticate the device, and also to bootstrap the negotiation of communication privacy with the relying services, all without putting the secrecy of the private key at risk. Comparing this approach to a standard username and password, there are numerous points where the assurance starts to degrade. The generation of the username and password must be done somewhere. Maybe that can be done on the device, but often it will fall to another service, and the credentials are then sent to the device during provisioning. In this device name/password example, there are numerous places where the credentials have the potential to leak or be intercepted.

Let’s then move to the usage of these credentials for authentication to services. Ideally the exchange of credentials happens over an encrypted channel, so that they can’t be intercepted. The interception of device name/password credentials is a significant risk, whereas in the PKI scenario interception of the credentials is a minor point, as the exchange really only involves the public key and certificate, which can’t be used in any useful way without possession of the corresponding private key, which is protected in the device’s secure storage. Within the PKI scenario, we also get a double benefit by using an authentication approach such as mutual TLS, which authenticates each party and, at the end of the handshake, has also established a secure channel between the two endpoints. Within the device name/password scenario, establishing the secure channel is likely going to be a separate activity.

Finally, looking at the lifecycle of the devices, we often need to consider the mechanisms employed to update the devices while in the field. It’s undoubtedly not a trivial task, but it should be feasible in each case. Leveraging PKI, a device with secure hardware should have the capability to generate new keys if needed and send updated certificate signing requests to the services. In this scenario, again, the private components stay private. Whereas in a device name/password scenario, the update and sharing of new credentials reopens the questions about the security of the mechanisms used on the device to generate new credentials, the storage of those credentials, and the transport of the credentials to the service.
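The flow described in the last three paragraphs (key generated on the device, a CSR sent to the issuer, a certificate binding an identity to the public key, a mutual TLS handshake that authenticates both parties and yields the channel, and an in-field rekey) as an added example in Go; it is not from the original article or from GlobalSign. The issuer, the service name sensor-service.example and the device name device-0042 are constructed, the in-memory key stands in for a TPM, and the handshake runs over loopback TCP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCA is a constructed stand-in for the issuer that binds identities to public keys.
func newCA(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECC keeps device crypto light
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// issue checks proof of possession on a CSR and signs a short-lived certificate for its
// subject (one profile for both roles, for brevity). The issuer only ever sees the public key.
func issue(issuer tls.Certificate, csrDER []byte) []byte {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		panic("CSR rejected: not signed by the private key matching its public key")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		DNSNames: []string{csr.Subject.CommonName}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, t, issuer.Leaf, csr.PublicKey, issuer.PrivateKey)
	return der
}

// enroll is the device (or service) side: the key is generated where it will live (a TPM on
// real hardware, memory here) and only a CSR leaves it. Calling it again is an in-field rekey.
func enroll(issuer tls.Certificate, name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	return tls.Certificate{Certificate: [][]byte{issue(issuer, csr)}, PrivateKey: key}
}

// mutualTLS runs one handshake over loopback TCP with the service demanding a client certificate
// that chains to root; it returns the device identity the service accepted, or its rejection error.
func mutualTLS(root, service, device tls.Certificate) (string, error) {
	trust := x509.NewCertPool()
	trust.AddCert(root.Leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the device: present its certificate, wait for the verdict, hang up
		dev, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trust,
			Certificates: []tls.Certificate{device}, ServerName: "sensor-service.example"})
		if err == nil {
			dev.Read(make([]byte, 1))
			dev.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{service},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust})
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", err // a Thing in the Middle fails here: its chain does not reach root
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

A device enrolled under an issuer the service does not trust is rejected during the handshake even if it claims the same name, while a device that re-enrolls with a fresh key is accepted under the same identity without its private key ever leaving it.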


Just the Tip of the Iceberg

By now, it’s apparent that this discussion can go much deeper into the analysis of risks and the use of specific technologies to mitigate them. Identity is a huge concept which, when addressed holistically, can help you architect your ecosystem in a safe and secure manner. When building IoT solutions, operators and device manufacturers are well served by finding partners with a background and expertise in securing communications rather than attempting to implement an in-house or custom solution. Security is not a bolt-on feature, and it requires organizations to perform deep analysis of the goals and risk profiles the organization is willing to accept. If you have a specific use case or scenario and are tackling these problems, we’d love to work with you to help build a practical and cost-effective solution to secure your IoT vision.

Certificate-based authentication is the use of a digital certificate to identify a user, machine, or device before granting access to a resource, network, application, etc. In the case of user authentication, it is often deployed in coordination with traditional methods such as username and password.

One differentiator of certificate-based authentication is that, unlike some solutions that only work for users, such as biometrics and one-time passwords (OTP), the same solution can be used for all endpoints – users, machines, devices and even the growing Internet of Things (IoT).

Why Is Certificate-Based Authentication Used?

Ease of deployment and ongoing management

Most certificate-based solutions today come with a cloud-based management platform that makes it easy for administrators to issue certificates to new employees, renew certificates and revoke certificates when an employee leaves the organization. Solutions that integrate with Active Directory can make the enrollment and issuance process even easier, by enabling auto enrollment and silent installations.

Unlike some authentication methods like biometrics or OTP tokens, there is no additional hardware needed. Certificates are stored locally on the machine or device. This not only saves on costs, but can also alleviate management pains around distributing, replacing and revoking tokens.


User-friendly

There’s always a tradeoff between increasing security and the costs involved and burden on end users. Most people don’t think of it, but using certificates is very easy for end users. After the certificate is installed (and in some cases, this can happen automatically), there is nothing further to be done. Additionally, most enterprise solutions already support certificate-based authentication.

Leverage existing access control policies

You can also easily leverage existing group policies and permissions to control which users and machines can access different applications and networks. This way you can ensure only privileged users can access sensitive or critical operations.

Mutual authentication

Another benefit of using certificates is that it allows for mutual authentication, meaning both parties involved in a communication are identifying themselves, whether that communication is from a user-to-user or a user-to-machine or machine-to-machine. For example, a client must prove its identity to a company intranet and the intranet must prove its identity to the client, before a connection can be made.

Extending to external users

Certificates are also easy to roll out to users outside of your organization (e.g. partners, independent contractors and freelancers) who may need to access your networks. They won’t need additional software on their local machine, and the ease of use means you won’t need to provide much additional training.


How Is Certificate-Based Authentication Used?

Certificate-based authentication is quite flexible and can be used in a number of ways, but here are some of the most common use cases we hear from our customers. You’ll notice that the common theme with all of these, and with certificate-based authentication in general, is to allow access only to approved users and machines and to prevent unauthorized users or rogue machines.

User authentication

  • Windows Logon
  • Accessing corporate email, internal networks, or intranets
  • Accessing cloud-based services, such as Google Apps, SharePoint and Salesforce

Machine and device authentication

  • Identifying on-location/in-field machines that need to communicate with back-end services (e.g. payment kiosks located in convenience stores)
  • Identifying all employee laptops and mobile devices before allowing access to WiFi networks, VPNs, Gateways, etc.
  • Identifying all servers within the enterprise to enable mutual authentication

If you’re like Lancen LaChance, GlobalSign’s VP of Product Management for the Internet of Things (IoT), you spend your nights thinking about the unprecedented value and opportunity the IoT presents, while also worrying about how to secure it all. As more IoT systems move from the drawing board to production phases, it’s more important than ever to keep security top of mind.


We sat down with Lancen and spoke to him about some of the challenges and opportunities that are surrounding IoT security and what we can do to increase adoption, while still maintaining a safe environment.

What Does the Term “Internet of Things” Mean to You?

The Internet of Things is an extension of connectivity into a broader range of our environment which enables greater data insights, analytics and control capabilities of our world.

From our perspective, we like to think about the Internet of Everything (IoE). This is because while the ‘things’ in the equation are the key driver in some of the new components of this internet evolution, there are still the critical existing components of the Internet (servers, applications, users, organizations and more), with which all these ‘things’ need to interface and interact.

What Are Some Real World Applications of IoT Technology? Where Do You See It Adding the Most Value?

The demand for connected devices spans multiple industries, including energy, automotive, consumer devices, healthcare and more. Ultimately the potential in solving real-world problems is only limited by your imagination and time horizon to consider.

However, if we limit that to the next three to five years, there are some key areas we could address. From a business perspective, I see two basic areas an IoT solution can impact the bottom line – optimization and enhanced features. The first is the ability to enable improved efficiency and thus improve the cost drivers in a business environment. The second is the ability to add new features into a product or service which aid in competitive differentiation, adding additional value to the buyers of the product/service and allowing the provider to collect additional revenues.

From our perspective, we see tremendous value and interest in applying these technologies to improve efficiencies within more industrial and manufacturing sectors. Improving efficiencies and reducing waste in these environments by even a couple percentage points has great impact on the bottom line. In the medical space, connected healthcare is not only improving the efficiencies of healthcare provider operations, but the integration of health data with machine learning, analytics and remote response capabilities, resulting in healthier patients.

I think the biggest opportunities lie outside some of the “flashy” consumer-level devices like wearables, thermometers and smart refrigerators. Don’t get me wrong; they are important, but breaches in these systems don’t necessarily create emergency situations like they would in the industrial sector.

The Industrial IoT includes critical machines and sensors in high-stakes industries like defense, automotive, aerospace, energy and healthcare. The industrial sectors will see tremendous benefit from the IoT. Government and municipalities also have incredible opportunity to reduce costs by improving efficiencies. And of course, technology vendors with IoT-specific solutions that are responsive to these new markets will have a huge opportunity.

We’re very interested in IoT in the industrial and manufacturing environments, automotive and in the networking space. These areas are specifically interesting to us due to both the potential business value IoT presents, as well as the security requirements of those environments. Security in these systems is paramount and must be adaptive and scalable.


What Are Some Technical Considerations for Implementing an IoT Solution?

At a basic level, the solution looks at the means you choose for gaining data from sensors on a device/platform, getting that data to the decision making entities in the system and potentially getting control commands back to the device from a decision making entity – doing this, while also being efficient and secure.

The Internet contains a range of existing technologies to enable this, both in specific protocols and software stacks, but also in architectural models. However, as additional constraints of hardware, connectivity, power and volume of data are introduced into the systems, novel approaches and technical solutions are being applied. In this area, we see trends such as Low Power networks, adoption of lighter weight cryptography like ECC, mesh and gateway-based networks all being implemented to arrive at these solutions.

What Kind of Skills, Technologies, and Systems Are Needed to Develop IoT Systems or Applications?

IoT is ultimately going to force deep experience in a range of technologies in both hardware and software. We will see some of the most complex systems in human history built over the next decade and therefore there is also a meta-layer of systems engineering that will be essential to the success of these environments.

The range of hardware environments is exploding. The device lifecycle becomes increasingly important. Ideally, I’d hope that the implementations stand on the shoulders of technology giants and leverage proven and widely deployed approaches as much as possible.

What Are the Most Widely-Used IoT Technologies So Far?

In the first iterations, we definitely see IoT solutions being like smaller versions of existing Internet, leveraging TCP/IP and Wi-Fi. In security technology, we see tremendous interest and application of PKI, as devices are able to handle cryptography quite well. It scales to billions of devices and provides a means toward a range of information security principles.


What Barriers to IoT Adoption or Development Do You See?

Brownfield deployments will certainly be a factor – where legacy equipment and technologies are being retrofitted, or upgraded with new capabilities.

Appropriately assessing the information security risk and applying architectural and technological solutions to mitigate it will be difficult. We see trends where organizations that have excellent operational capabilities in manufacturing physical products/equipment are now looking to fold in new connected IoT-type capabilities, but have not fully brought the appropriate software development and information security mindset into their organization.

In some cases, the organization is just honestly ignorant of the risks. In other cases, they’ve made faulty decisions to postpone or not address appropriate information security practices based on assumptions that they can build it in later or even that a potential compromise impact will be small.

How Do You Propose Meeting Some of These Challenges?

The Internet of Things is a natural extension to the capabilities the Internet of today provides. GlobalSign has worked in a number of IoT related security implementations over the past few years and is keenly in tune with the evolutions and nuances at building trust models and applying proven technologies into this new dimension of the Internet.

PKI is a tried and true standard that has been securing connections between servers, machines and devices for decades. It provides key information security capabilities, including authentication, encryption and data integrity and with GlobalSign’s high volume services and agile certificate profiles, it can be adapted to meet the velocity, variety and volume needs of the IoT. And our IAM infrastructure enables the complex relationship management (e.g. hierarchies, delegation, self- or automated enrollment) needed to support the scale and heterogeneity of IoT ecosystems.

Most importantly, we believe components of an IoT environment must be flexible, functional and easy to use, thus not compromising the user experience. And to meet these qualifications, there is no question that security must be designed into IoT systems from the beginning.

There is no question that IoT security policy is one of today’s top concerns. It impacts us as consumers, manufacturers, businesses of all sizes and government entities as well. Compounding the concern is that there is a lot of confusion in the marketplace, with very little guidance, standards or policies defined and enforced today. While there are quite a few IoT security frameworks in various stages of development, they are very industry specific and mostly just suggested best practices.

Recently, Microsoft published an interesting document, ‘Cybersecurity Policy for the Internet of Things’. The document positions the critical need for developing cybersecurity policies for the IoT, as the risk of cyber-attacks grows exponentially with the continued merger of the physical and digital domains. Microsoft goes on to suggest a public-private collaboration to develop policies and guidelines that will address and improve IoT security.


Security Concerns of the IoT User Community

In the document, Microsoft looks at IoT cybersecurity from a user perspective focused on three distinct user communities: consumers, enterprises and governments. The reasoning is that these three user communities all have differing IoT cybersecurity concerns. It is suggested that policymakers understand the concerns of each user group so that security concerns are addressed without limiting IoT innovation.

Consumers

Increasingly, we are using more and more connected devices in our daily lives – from wearables to home automation to automobiles and more. Consumer IoT usage is defined by using shared hardware with limited computing power, engaging with data through a cloud-based app, and sharing potentially sensitive data to get value from the connected device. Because data is personal to the user and sometimes sensitive in nature, consumers are concerned about the security of their private and sensitive information.

Enterprises

Improving business processes, enhancing user experiences and resolving business challenges with innovation are what’s driving IoT adoption in the enterprise. While vulnerabilities that could expose privacy have always been a concern in the enterprise, the IoT security challenge is at a much greater scale. Areas of security concern include a dependence on data integrity and availability, increased threat vectors such as DDoS attacks, managing security updates and regulatory compliance. Securing the IoT ecosystem and ensuring interoperability is extremely important.

Governments

The role of IoT continues to grow as governments apply more connected devices to improve services to their citizens. For governments, IoT security concerns do not differ that much from the enterprise, but there are specific government security requirements that must be met. Resilience to threats on government infrastructure and ensuring the duration and predictability of IoT security are also important.


Securing the IoT Ecosystem Depends on Key Roles

In each one of these user communities, there are unique IoT ecosystems. These ecosystems are supported by the manufacturers and integrators, developers, deployers and operators. Microsoft further discusses how each of these roles enhances IoT security and can further help policymakers understand the complexity and security responsibilities of the IoT ecosystem.

Addressing security is critical throughout each role – including manufacturing more secure devices, developing more secure platforms and systems, connecting and installing devices and software with security best practices, and ensuring the integrity of upgrades and maintenance in operations.

In all of these roles, authentication, encryption and integrity play a critical role in keeping the IoT ecosystem secure. We fully agree with Microsoft here, as digital certificates are a foundation for IoT security. Read this blog to learn more: ‘IoT Security Starts with Identity’.

Advancing IoT Security through Policy

Establishing well-defined and universally adopted policies and guidelines will enable more secure IoT ecosystems. Microsoft is suggesting that governments work together with industry standards and certifying bodies and the private sector to establish the necessary guidelines that encourage good IoT security practices and ensure security, privacy and safety. As Microsoft recommends, governments can:

  • Serve as catalysts for the development of good IoT security practices.
  • Build cross-disciplinary partnerships that encourage public-private collaboration and inter-agency cooperation.
  • Support initiatives that improve IoT security across borders.

One of the examples Microsoft highlights for collaboration between the public and private sector is Plattform Industrie 4.0. In this example, private and public sector organizations are working to create an IoT framework which includes IoT security for industrial manufacturing. GlobalSign was part of a multi-vendor IoT security demo at the most recent Hannover Messe Expo that included Plattform Industrie 4.0 and the Industrial Internet Consortium (IIC). The live demo showed how to secure communications in multi-vendor, distributed manufacturing environments.

Collaboration like this is necessary to establish the standard guidelines and policies to advance IoT security. We simply cannot rely on disparate groups establishing their own frameworks as this will continue to add to the confusion of how we secure the IoT.