The Internet of Things: The Company Refrigerator is Now a Risk to your Network Security
As the number of devices that connect to company networks continues to escalate, the Internet of Things (IoT) is presenting a new set of network security challenges for those same businesses. To make matters even more complicated, these challenges are following on the heels of another issue that businesses are still trying to get their arms around: bring your own device (BYOD), where IT departments continually deal with network security risks related to employee-owned mobile devices that are used to access businesses’ networks. The new set of challenges presented by the IoT, however, dwarfs the BYOD issue in terms of the sheer number of potential access points that are now available for exploitation by hackers, as well as the relative ease of gaining access.
One of the key functionalities of the IoT is the ability for virtually any type of device, appliance, equipment, etc. to be connected to the company’s network while at the same time allowing outside vendors and contractors to monitor the activity that takes place on that device using newly developed sensors. For example, a connected refrigerator could be monitored by a vendor to determine when drinks and food items need to be restocked, with the direct benefit that the refrigerator’s “inventory” is tracked in real time. Real-time inventory tracking provides a “win” for both parties: the company knows that the refrigerator will always be full, and the vendor can maintain the inventory without having to make unnecessary visits to assess which items need to be replaced. The same process can monitor toner levels in printers, climate control systems, manufacturing processes, etc.
The risks that come along with these benefits are twofold:
1) The sensors that connect things to company networks are relatively easy to hack – One of the primary drivers of the growth of sensor technology is its low cost, part of which is due to manufacturers’ focus on delivering new generations of high-utility sensors that ship with many of the same security vulnerabilities as personal computers. At this point in time, integrating state-of-the-art anti-hacking defenses into these sensors is simply too expensive.
2) Hackers can gain access to company networks through the portals being used by third parties – Even if a business’s own network is well defended, its vendors’ and suppliers’ systems may not be. In many cases, the third parties with outside access to a company’s network are seen as low-hanging fruit by hackers.
At this point in time, cyber attacks facilitated by weaknesses in IoT hardware are being accepted as a necessary evil that is far smaller than the potential benefits of connecting everything to the web. For businesses, weighing specific benefits versus the inherent risks to network security is a prudent first step before taking the big plunge into the IoT.
Three Industries that Must Raise the Bar in Encryption for Their Own Protection
One of the easiest predictions regarding network security issues for 2014 and beyond is that the scale of cyber attacks will increase. In light of the recent release of the network security framework by the National Institute of Standards and Technology (NIST) which highlighted security concerns for 16 industrial sectors, here are three industries that must raise the bar in encryption immediately.
* Healthcare – The problematic launch of the Affordable Care Act provided a glimpse of the potential for havoc related to private patient information, but the real security risks in this sector are centered on the growing number of patients in the system and the increasing rewards presented by successful intrusions. Statistically speaking, the data most commonly targeted in healthcare intrusions are payment information, medical histories and insurance records. As if the potential for cyber attacks isn’t enough, additional motivation for upgraded data encryption is arriving in the form of an increase in HIPAA-related audits in 2014.
* The financial sector – The customers of financial service firms can see their banking information fall into the hands of hackers via network intrusions, illicit card skimmers, information left on mobile devices, etc. While there are security standards in place, such as PCI DSS, the recent slew of high-profile breaches indicates that hackers have upped their game enough to work around elementary security measures.
* Utilities – One of the biggest challenges related to network security and the need to encrypt data is the general mindset in the sector. According to recent studies, three-quarters of the providers in this sector have experienced network intrusions in the last year, but there is still a tangible neglect of major security issues in approximately two-thirds of the same organizations. While the lack of urgency toward improving network security may be related to either the expense of upgrading systems or the perception that utilities aren’t primary targets, the successful shutdown of an already fragile electrical grid, for example, could result in rapidly escalating costs rivaling or exceeding the largest financial breaches.
As hacking capabilities increase, so too does the level of damage that can be incurred by successful intrusions. As the stakes get steadily higher, these industrial sectors will have to raise the bar in their encryption efforts, or risk potentially devastating losses.
Has the NSA Cracked SSL Encryption?
When the New York Times published an article in early September 2013 that hinted at the NSA’s newfound ability to crack Secure Sockets Layer (SSL) encryption, the first reaction of many industry watchers was that the agency had achieved open access to online activities ranging from sending and receiving emails to making purchases on Amazon. In the weeks following the article’s release, however, analysis of “circumstantial” evidence and other NSA activities has led industry experts to question whether the agency has actually broken the algorithms used for SSL encryption or is using other methods to gain access.
These possible methodologies include:
* Using networks of computers to target specific users and running calculations until a specific key is broken. Such attacks are currently assumed to succeed only against weaker keys.
* Hacking into systems to obtain the specific keys that are used for encryption
* Using legal means, coercion, or intimidation to gain access to encryption keys used by companies that provide internet services
Of these methods of gaining access, the threat of legal action is one that can’t be defended against by many smaller companies, which simply don’t have the resources for lengthy and/or complex court battles. At the same time, leaked documents have revealed that larger internet companies have been cooperating with the NSA regarding access since 2007. Whether that access included handing over encryption keys is still up for debate.
Prior to the headline-grabbing NSA revelations, the Certification Authority Browser Forum, which sets guidelines that govern SSL certificates, had already mandated that customers with 1024-bit SSL certificates migrate to the new standard of 2048-bit RSA/DSA keys by the end of 2013, due to concerns that the existing shorter keys had become vulnerable to quantum computing attacks. The longer keys raise the computational effort needed to break them, which will make brute-force attacks less effective. The question remains, however, whether the NSA will be able to exploit the human side of the equation to reach its objectives.
California proposes mandatory kill-switch on phones and tablets
Politicians and law enforcement officials in California will introduce a bill on Friday that would require all smartphones and tablet PCs sold in the state to be equipped with a digital “kill-switch” that would render the devices useless if stolen.
Datacenter Relocation & Migration
There are many reasons a business or data center might need to relocate, and data center relocation can be costly and difficult. Mergers, acquisitions or exploding market success are just a few of the many reasons you might be considering a data center migration. You depend on your IT infrastructure to drive your critical business operations, so a data center relocation will likely be one of the most critical and difficult tasks your company can take on.
Partner with established experts who will create a comprehensive plan. At DCI, our team of certified project managers and engineers offers end-to-end relocation services that save time, reduce expense and minimize risk exposure.