Can the community secure the Internet of Things?

Can the community secure the internet of things? Cisco’s Christopher Young believes so.

As more devices become connected, Cisco Systems hopes the security issues can be addressed by the developer community.

“The Internet of Everything is not only going to turn every company into a technology company but it’s going to force every company to truly become a company that delivers security,” says Christopher Young, Senior Vice President of Cisco’s Security Business Group.

Speaking at the Australian Cisco Live! Conference in Melbourne today, Young described how business is going to have to change the way it treats the data it collects from sensors.

“Not just in consumer security,” continues Young. “If I’m using technology or I’m delivering a service that’s leveraging technologies like cloud or connected devices and creating information about individuals or organisations through these connected devices then a consumer or enterprise is going to expect a level of security.”

Young sees three major ways that security is becoming more challenging for organisations: changing business models, a dynamic threat landscape and increasing complexity.

The latter point is the one that holds many executives’ attention; in Young’s experience, the audiences he speaks to nominate complexity and fragmentation as their greatest concern.

“They get so many products and so many devices and so many tools and so much complexity they really don’t know, in so many cases, where to focus their efforts.”

Young cites the view of Cisco’s Chief Security Officer, John Stewart, that the most fundamental security defence is getting the basics right.

Earlier this year at the release of the company’s 2014 security report, Stewart spoke to Networked Globe on how businesses are struggling with the complexity they face.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Stewart said.

This problem ties into the other areas that Young identifies, particularly the ‘industrialisation’ of the malware world.

“We have more well funded, more innovated, more determined adversaries than we’ve ever had as an industry.

“It used to be some high school kid in his room trying to infect a bunch of machines with viruses or some guy from Nigeria sending you an email asking you for a hundred bucks and he’ll give you a thousand bucks later.

“The world we live in today has nation states and criminal syndicates and very well funded, very sophisticated attackers so hacking has become an industrialised activity,” Young says. “There’s supply chains involved, there’s support agreements written; the bad guys will even sell each other a contract.”

Young’s views echo those of Sophos Labs’ Vice President Simon Reed who said last year that “now there’s money involved, there’s serious effort, the quality of malware has gone up.”

Part of the solution Young sees involves getting the community involved, which is the motivation behind the Cisco Security Challenge announced last week.

“You can only just guess and imagine what all the different security challenges will look like in a world that’s just starting to get formed.”

“Let’s get the community involved in trying to solve some of the problems that we know are going to be inherently introduced by IoE.”


Using data laws to create an economic advantage

Will the EU data laws give European business a competitive advantage?

Yesterday I posted a piece on Business Spectator about Australia’s new privacy regulations; little did I know that the European Union Parliament was about to release its own.

The EU regulations look interesting and certainly seem on first look to be far more comprehensive than Australia’s effort that I describe as a toothless, box ticking exercise.

A notable aspect of the EU’s announcement of the new rules is its claim that the updated regulations are expected to generate €2.3 billion in economic benefits each year.

Whether the EU’s rules prove to be an economic cost – as Australia’s effort will almost certainly turn out to be – or a competitive advantage remains to be seen, however the European Parliament is certainly making a case for data security and privacy protection as being an important selling point in a highly competitive digital world.

The competitive advantages between countries and continents in the 21st Century will be very different to those that determined the economic winners of the previous two centuries.


Accountability and security

Experian’s massive data breach shows why we, and our governments, have to start taking security seriously.

Security writer Brian Krebs has followed up last year’s story that US credit reporting agency Experian had been selling personal data to Singapore-based identity thieves with the guilty plea from the scheme’s architect.

Krebs points out that the leader of the identity thieves, Vietnamese national Hieu Minh Ngo, could access up to 200 million consumers’ records.

It’s almost impossible to say how much theft, fraud and misery was inflicted on innocent Americans who had their personal details misused by Ngo’s customers.

The amazing thing is it appears that Experian’s executives or shareholders will not suffer any sort of penalty – civil or criminal.

In an age where companies are collecting masses of data on everyone, it’s inconceivable that those trusted to store and protect that information – particularly credit reporting agencies – seem beyond any accountability for failing in their core responsibilities.

There’s also the aspect of undermining the US credit system; if merchants and consumers find they can’t trust credit reporting agencies, then offering or getting credit becomes far more difficult and risky.

Until the management of companies like Experian are held accountable for their incompetence, any talk of safeguarding privacy is empty. It’s why we should treat claims that our data is held safely by government agencies or businesses with a great deal of caution.


Bill Gates and the fight for trustworthy computing

Microsoft’s task of securing its software was a huge undertaking, one that isn’t over yet.


One of the great, and possibly under recognised, business achievements of the computer age was Bill Gates’ recognition that Microsoft’s online strategy was flawed shortly after releasing Windows 95. A few years later he had to repeat the task when the company found its products were almost dangerously insecure.

A sprawling account of the company’s response to the security problems at the turn of the century, Life In The Digital Crosshairs, describes how Microsoft’s engineers responded to their then CEO’s call for Trustworthy Computing.

The problems at the time were vast, compounded by Microsoft’s failure to take security seriously – the first version of Windows XP came out without a firewall, which ensured thousands of users were quickly infected by the computer worms rampant on many ISPs’ networks at the time.

As the story tells, it was a long difficult task for Microsoft to change complex and interdependent computer code involving 8,500 of the company’s engineers.

One suspects the cultural challenges were even greater in getting the managers supervising the army of engineers to understand just how serious the security threat was to Microsoft’s users.

The biggest challenge though was Microsoft’s own product line; because the company hadn’t ‘baked’ security into its software, key products like Microsoft Office relied on lax security practices to work properly.

Office and Windows also had the problem of legacy code and applications; one of Microsoft’s selling points over Apple and other competitor systems was that the company took pride in supporting older hardware and software. This in itself creates security risks when programs designed in the MS-DOS days still want to write to the system kernel.

For Microsoft the journey isn’t over, although the shift to cloud computing has changed – and simplified – the company’s security quest by making legacy issues in Office and Windows less important.

Microsoft and Gates’ success in seeing off the threats posed by the internet gave the company another decade of computer industry dominance; however, dealing with security issues was nowhere near as successful.

In the end however it wasn’t security issues that saw Microsoft lose its dominance; the internet eventually prevailed as Apple revolutionised mobile computing while Amazon and Google improved cloud services.

With Bill Gates reportedly finding himself getting more involved in the company he founded, the challenges of both the internet and security are two that he’s going to be very familiar with. It will be interesting to see what we write about Microsoft in 2022.


A breach of trust

In business, trust is essential as security company RSA is discovering

“Today I’m happy not to have an RSA Conference badge on me,” Mikko Hypponen, head researcher of Finnish security company F-Secure, told the inaugural TrustyCon conference in San Francisco yesterday.

Hypponen was referring to what was one of the world’s most prestigious information security conferences hosted by industry vendor RSA.

RSA are known to many corporate computer users for their SecurID authentication tags; the little key fobs that give a passcode for secure networks that illustrate this post.

Sadly for RSA’s users those tags were compromised in 2010 and the company did its best to obscure, if not downright hide, the problem both from the industry and its customers.

However the killer blow for RSA’s reputation was an article in Reuters at the end of last year claiming the US National Security Agency had paid the company $10 million to weaken its security protocols.

The company denies this but the damage was done; as Hypponen says, “When a security company can’t be trusted, what do they have left?”

How RSA lost the trust of security professionals is a good lesson for all of us; our businesses rely upon the goodwill of our customers and our peers. If we betray their trust, we’re hurting ourselves.

 


Trusting the computer security industry

There’s something wrong in the way the tech security industry sells its product

I’ve been sceptical of computer security vendors for a long time and it’s interesting that even as threats evolve, the suspicion remains.

That suspicion comes from running an IT support business through the turn of the century virus epidemic; it’s hard to take seriously the same companies whose products failed to detect the malware — and in some cases made problems worse.

At the annual Tech Leaders Kickstart event today, I found that old hostility bubbling up as a series of security vendors warned us of the terrible threats in cyberland and how their product would solve most, if not all, of our problems.

The irritating thing with their pitches is that none of them would articulate how the threats are evolving, or give real time examples.

Not that there’s any shortage of real time examples with corporate security disasters like Sony and Target as great case studies of what can go wrong. Indeed, there’s very good reasons for businesses and every computer user to take security seriously.

There’s something missing in the way tech security is sold and in the way the industry articulates its message.


Tech security in a tough world

Even the professionals are struggling to keep up with a rapidly changing IT world, which is why businesses should start taking computer security seriously.

Network giant Cisco Systems released its 2014 Annual Security Report last week, which should make sobering reading for every business manager and owner.

If you’re looking at a career change, the survey even suggests a possible new job.

Over two million of Cisco’s customers were examined in the survey and every single company had evidence of their systems being compromised in some way, from staff visiting suspicious websites to full scale hacker break-ins.

Keeping up with change

The survey points out IT security risks are evolving quickly as business technology becomes more complex and it’s hard for even industry professionals to keep up with the pace of change.

“Even the most sophisticated and well funded security teams are struggling to keep on top of what’s happening,” Chief Security Officer of Cisco, John Stewart, told a media briefing yesterday.

That concern was reinforced by Stewart’s colleague Levi Gundert, technical lead at Cisco’s Threat Research Analysis and Communications (TRAC) group.

“It’s not about are you going to be compromised,” said Gundert. “The question is how long is it going to take you to detect and shorten the remediation window?”

If even the world’s biggest corporations are struggling, what can smaller organisations do to control the risk?

Disable Java

The biggest computer security risk is Java software. Cisco found a shocking 91% of software exploits were related to the application. “2013 was the year of the Java exploit. It was a bad year for Java,” says Gundert. It should also be noted that the first successful malware targeting Apple Macs, the Flashback Trojan, was a Java exploit.

The best way to deal with this risk is to keep Java off your systems; the problem with that advice is that many business applications – and games, if you have a home office or kids use your computer – need the software to run.

If you have to use Java packages, make sure you have the latest version running on your systems.

Keep your systems up to date

It’s not just Java that is a risk; Cisco identified Adobe PDFs and Microsoft Office vulnerabilities as being other threats.

It’s important that all systems – Mac, Windows or any other operating systems – are kept up to date with the latest patches.

Lock down office systems

Except when your computers are being updated, there’s no reason for office computers to be running in Administrator mode.

Day to day use should be done in restricted user profiles: on a Windows machine, workers should be logged on as standard users, while on Macs they should be managed users. The only time an Administrator needs to be logged on is when maintenance is being done.

Watch those mobiles

The IT security industry has been watching smartphones for a while and 2013 started seeing large scale malware appearing on mobile devices, although it’s still small scale compared to PCs.

Cisco’s survey found only 1.2 percent of web based malware coming from mobile devices with almost all the infections being on Android systems.

Most of these Android infections were game add-ons downloaded from unofficial Android app stores so the message is to stick to the official, trusted services for Android apps.

Website risks

Another risky area for businesses identified by Cisco is websites being compromised and hijacked.

The software on these needs to be updated to the latest versions just as office computers should be.

Often, disused websites and blogs aren’t updated; the ABC discovered last year that abandoned, neglected websites are a great way for hackers and malware distributors to launch attacks or spread problems.

So if you have older websites or blogs, shut them down and redirect the domains to operating addresses.

For those operational websites, password security needs to be beefed up, as Cisco found ‘brute force’ attacks – where automated systems try every conceivable password combination – were up threefold in 2013.

Professional skills shortage

A big problem facing the IT industry is a worldwide skills shortage: “There are essentially a million jobs across the globe that can be filled but we don’t have trained people to fill them,” says Cisco’s Stewart. “We’ve got a dearth of talent and skills.”

For smaller businesses that means it’s harder to find someone to fix problems when they happen. For both business managers and owners, it’s smarter to reduce the likelihood of having a problem rather than scrambling to find an IT professional to help after the event.

The good news from Cisco’s survey is if you’re thinking of a career change, or you have a teenager moping around looking for a job, then IT security could be the answer.

For everyone else, as business and the world in general becomes more connected the security of the systems our world is coming to depend upon is something we have to take more seriously.
