The Internet of Things (IoT) movement has been underway since the first mobile device connected to a wireless network, but its momentum in the global enterprise space today is leaps and bounds beyond where it was a decade ago, and is just the beginning of what’s to come over the next five to 10 years. What’s slowing its growth, and in some cases being pushed aside altogether, is how all those endpoints – which in themselves include sub-endpoints – are being secured and protecting sensitive information from hackers. (Enterprise Mobility Exchange)
The importance of the integrity of the data generated by IoT devices cannot be overstated. Much of the anticipated economic benefit of the IoT depends on the massive amounts of data generated by IoT devices being not just available, but accurate. This is especially true in industries like healthcare, where there are implications not just for billing, but for life support. Manufacturers don’t bake security in at the start because, as of yet, there is no real demand for it. Most security “solutions” are retrofitted PC-based approaches that fail to account for the differences between IT and IoT (hint: it's more than just one letter). If history is any indication, the world will learn too late the folly of not having IoT security keep pace with device utility.
Defcon 2017 has come and gone, but Senrio was honored to support the fantastic IoT Village event this year. This year, over 86 teams participated in the competition, with hundreds of people watching lectures and participating in Q&A sessions. Our hat is off to ISE for yet another fantastic run of this event. In addition to our usual sponsorship support, Senrio also donated its flagship product, Senrio Insight, for use by the conference organizers to help them:
Update: The full gallery of our photos from IoT Village 2017 is viewable here. Enjoy!
If you want to learn how to reverse engineer or exploit embedded systems and mobile devices, we can show you!
The problem wasn’t specific to Axis, which seems to have reacted far more quickly than competitors to quash the bug. Rather, the vulnerability resides in open-source, third-party computer code that has been used in countless products and technologies (including a great many security cameras), meaning it may be some time before most vulnerable vendors ship out a fix — and even longer before users install it.
Still, there are almost certainly dozens of other companies that use the vulnerable gSOAP code library and haven’t (or won’t) issue updates to fix this flaw, says Stephen Ridley, chief technology officer and founder of Senrio — the security company that discovered and reported the bug. What’s more, because the vulnerable code is embedded within device firmware (the built-in software that powers hardware), there is no easy way for end users to tell if the firmware is affected without word one way or the other from the device maker.
Read the full article
The venerable CEO of DuoSecurity, Dug Song, wrote a poignant blog post honoring Black History Month. If you are unfamiliar with DuoSecurity, they are an information security startup rocketship providing two-factor authentication and unprecedented security tools to enterprises worldwide. It was quite nice to have our CTO listed alongside some incredible security icons. Thanks for including us. You can read that blog post here:
On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
How insecure are products like broadband routers and smart surveillance cameras? The Security Ledger sat down with three experts from the firm SENRIO to discuss the matter: Stephen A. Ridley, the Founder and Chief Technology Officer; Jamison Utter, Senrio’s Vice President of Field Operations and Margaret Carlton-Foss, the company’s Vice President of Research.
Today, security is little more than a cost center for companies developing new, connected products. Building in security features, like a hardware security module or more robust application security and identity management features, adds to the complexity of the development process and the time needed to complete a product. On the other side of the ledger, however, there is little to compel smart device makers to expend that time and effort.
“(The FTC) is changing the cost benefit ratio of having security in products,” said Ridley. “Up to now, there has been no reason to have any security, so the stuff you’ve seen was more altruistic in nature.” The FTC’s suit against D-Link will give vendors pause, he said. “They have to ask: do we spend x on security now if we can avoid paying x-squared in the cost of litigation and class action suits,” Ridley said.
Listen to the Podcast here.
New Year's Resolutions for IT Security Executives and the Cybersecurity Threats Facing Businesses in 2017
What is one resolution every IT security executive should make for the coming year?
“DATA, DATA, DATA. Effective Information Security departments these days are less about cool tech for IR, detection, policy, and orchestration. We have a wealth of those for traditional endpoints/networks. What we now see is that Information Security (like the rest of technology) needs to be better about storing and utilizing data (and in an actionable time-frame). The largest transportation networks own no cars. The largest search engines and social media sites generate no content. It's all about data management. Security is now no different. Solutions that don't speak to how data is stored, searched, parsed, and effectively plugged into your existing architecture need to be ignored. Security products need to provide operational value now. We've evolved past the ‘how’ and now need to focus on the ‘why.’ Security solutions have the burden of bringing more to the enterprise than just security.”
What’s the biggest cybersecurity threat facing companies in 2017?
“VISIBILITY, VISIBILITY, VISIBILITY. Networks have grown more diverse and now include more than just servers and endpoints that an agent can be installed into for policy, management, and enforcement. Gartner predicts that by 2020, over 15% of all network intrusions will leverage embedded devices. These devices are (from a CISO's perspective) impossible to ‘get into.’ So how do you make sure these devices aren't compromising your network security posture? Look for solutions that speak to this. This burgeoning blind spot is symptomatic of the current ‘visibility’ problem. How can you cheaply and efficiently get visibility into the behavior of assets on your network without incurring the cost of archiving terabytes worth of pcaps? Visibility is king. And at the heart of the visibility problem is the DATA problem. The deluge of alerts. The overloaded SIEM. The ‘analysis paralysis’ of your Operations/Security team. Look for clever solutions to the data/visibility problem that are tractable and accessible.”
"It's not a very political issue," said Jamison Utter, VP at Portland, Ore.-based Senrio, an IoT cybersecurity firm. "I believe that the issue is pretty strong and apparent, and doesn't have much to do with party or politics. This is a societal problem, not a Democrat or Republican or whatever issue."
“If we consider the disruptive changes that IoT and the globalization of commerce have made on our economy (and culture), maybe we can stop looking for workforce in all the same places. What I am saying here is that we want 8-5 in-the-office workforces. That’s not where people are, or want to be. Cyber security is not a suit-and-tie, 8-5 job. Let’s flex to a globalized workforce (mobile, on the go) and non-traditional forces; stop looking for your classic computer science grad (they don't make the best analysts; criminals don’t do things by the book). But let’s instead look to displaced soldiers (who might think about security differently) or former security workers, even former criminals. The influx of different thinking might help the perspective of the entire industry.”