There’s a lot of hype around securing the Internet of Things (IoT). At the end of the day, I suggest that a more reasoned approach is in order. Securing the IoT will not be achieved by frantic worry about the volume of endpoints. Myopic focus on the volume of devices in an IoT ecosystem can lead to an important misstep: forgetting that it’s the Internet of Things. That means that all this data is passing through the network. Therefore, tackling security can only occur with diligent attention to the core of the IoT, namely, the network stack. In that way security can become as pervasive as the IoT itself.
I recently had the privilege of participating in a panel discussion at LiveWorx’s CXO Forum on Securing the IoT. Here are two predictions with respect to the IoT and security that I shared with the audience and my co-panelists at the event:
- Access and identity management will be critical in an IoT ecosystem. However, the username and password won’t be part of tomorrow’s approach: the password will die – and soon. It’s not radical to point out that passwords are insufficient on their own for authenticating access to sensitive data. I don’t think that means we’re going to go immediately to 21 levels of authentication, for example. We do need a human factor, and it can be biometric, or it can be at an endpoint. We’re familiar with straightforward biometrics such as the iPhone’s fingerprint scan, but there are also newer methodologies that track the exact way a human swipes a smartphone screen. We can leverage technologies such as this to enhance security in the IoT and its member devices.
- Our industry must work together in public-private partnerships to put a stop to the proliferation of regulations – country by country or region by region – that are creating a tangled web of laws, regulations, and guidelines around security. Conflicting guidance, standards, and regulations cause confusion rather than clarity. International standards bodies and government regulators should consider removing territorial blinders and revisiting the real mission: ensuring, to the greatest extent possible, that information and communications technology (ICT) are genuine and free from compromise and will not permit control over the operations for which they are used.
While strong international standards for IoT security and new authentication methods are just two pieces of the larger puzzle that will make IoT more secure, they are essential pieces. We at Cisco are working to make inroads in both these areas. Stay tuned.
Tags: internet of things, IoT, security
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release comprises 13 bulletins that address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal. The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, SharePoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.
Tags: 0-day, coverage, ms tuesday, rules, security, Talos
I am often asked about how I transitioned from a music teacher to a Data Privacy and Compliance Leader. Reflecting on my journey over the last 15 years, I have realized that it’s the same strengths that I demonstrated as a music teacher that have contributed to my success in the high tech sector. One of the lessons I learned is that trying to turn weaknesses into strengths doesn’t work for me. Focusing on my core strengths regardless of which sector I work in is what enables me to achieve my best results. I encourage you to do the same, as too often we don’t focus enough on our strengths and what sets us apart. Here’s what’s worked for me:
Industrial control system (ICS) operators and owners have found themselves in an unenviable position. Once air-gapped, serial-based critical industrial control systems are now becoming more and more connected. And while many of the systems themselves have not changed, the networking world around them has changed dramatically, introducing vulnerabilities and threats that had been nearly non-existent ten or 20 years ago. Each networked connection from the control network to the corporate network is another potential avenue of attack. Control networks are designed to be static and predictable, but more and more commercial off-the-shelf applications and operating systems, as well as routable protocols, are now being introduced. This is creating more complexity with no greater visibility, leaving operators blind to what is on their networks.
Tags: FirePOWER, Industrial Control Systems, security
Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We launched the existence of the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique to the industry, and we want to encourage other companies to pursue the creation of an application security awareness program.
When you think about security awareness, do you envision phishing e-mails, Nigerian princes, and tailgating cyber criminals? Security vulnerabilities are a fact of life, but we can help our organizations develop a greater level of understanding and a desire to put security first in their development efforts. At Cisco, we believe that security awareness training should feature traditional training about crazy links you should not click under any circumstances and how to stop strangers from entering your buildings, as well as application security awareness. Application security awareness, when done well, can drive security culture change to make a company and its products and solutions safer. Moving an organization to focus on security is possible, because we have done it.
Enough talking about it; please take a sneak peek at how we do it in this video.
Tags: security, security awareness, security dojo