Mobile Security

 

 

https://sm.asisonline.org/Pages/Book-Review---Secrets.aspxBook Review: SecretsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-01-01T05:00:00Z<p>​Verus Press; available from Amazon.com; 306 pages; $24.97.</p><p>Author James Pooley is a noted expert in protection of intellectual property and trade secrets, and his knowledge and perceptions of issues related to proprietary information are evident in <em>Secrets: Managing Information Assets in the Age of Cyberespionage</em>. He provides intelligence and information security practitioners with considered approaches to contemporary issues that will guide them in enhancing the security of information assets and networks. </p><p>Pooley’s writing style is straightforward, making discussions and explanations of legal terminologies and concepts easy to understand. The book is well researched and provides historical references and perspectives that are always relevant. Pooley masterfully frames the issues of secrecy in the age of the Internet and delves deeply into specific concepts and issues geared toward protecting intellectual property. The impact of technology on information protection is explored, as are openness philosophies and global supply chain constructs.  </p><p>The thorough exploration of information ownership includes a look at how laws protect trade secrets. Pooley provides a roadmap of the regulatory processes of the cyber environment, like NIST guidance, as well as explaining how to develop information protection plans. Various chapters look at contractual considerations for sharing information, how to avoid the contamination of data, and the legal implications of sharing outside data. </p><p>A chapter on economic espionage highlights risk profiles that apply to management of information assets, plus issues such as hackers, Bring Your Own Device (BYOD) policies, and social media and messaging systems. The text includes appendixes highlighting samples of agreement documents referenced in the text.</p><p>I recommend this book to anyone who needs to address the management and protection of corporate and proprietary information assets in the information age. Insightful concepts and useful suggestions will guide the reader in protecting sensitive and competitive business information.</p><p>--<br></p><p><em><strong>Reviewer: David O. Best, CPP</strong>, ISP (Industrial Security Professional), CBM (Certified Business Manager), SFPC (Security Fundamentals Professional Certification), ISOC (Industrial Security Oversight Certification), and Security+CE, is an information assurance and security specialist with Flatter & Associates in Quantico, Virginia. He is a member of ASIS.</em></p>

Mobile Security

 

 

https://sm.asisonline.org/Pages/Book-Review---Secrets.aspx2017-01-01T05:00:00ZBook Review: Secrets
https://sm.asisonline.org/Pages/Security-Spotlight---Internet-of-Things.aspx2016-01-04T05:00:00ZSecurity Spotlight: Internet of Things
https://sm.asisonline.org/Pages/Driving-Toward-Disaster.aspx2015-06-15T04:00:00ZDriving Toward Disaster
https://sm.asisonline.org/Pages/Body-Cameras-Fashion-or-Function.aspx2015-04-01T04:00:00ZBody Cameras: Fashion or Function?
https://sm.asisonline.org/Pages/Cyberthreat-Glossary.aspx2015-02-01T05:00:00ZCyberthreat Glossary
https://sm.asisonline.org/Pages/Signal-Stoppers.aspx2015-02-01T05:00:00ZSignal Stoppers
https://sm.asisonline.org/Pages/Managing-the-BYOD-.aspx2014-12-02T05:00:00ZManaging the BYOD Revolution
https://sm.asisonline.org/Pages/device-could-allow-cell-phones-detect-bioagents-0010261.aspx2012-08-22T04:00:00ZDevice Could Allow Cell Phones to Detect Bioagents
https://sm.asisonline.org/migration/Pages/electronic-devices-009910.aspx2012-06-01T04:00:00ZElectronic Devices
https://sm.asisonline.org/Pages/dont-touch-dial-considerations-when-using-satphones-conflict-zones-009675.aspx2012-03-06T05:00:00ZDon't Touch that Dial: Considerations When Using Satphones in Conflict Zones
https://sm.asisonline.org/migration/Pages/researchers-monitoring-emergence-mobile-malware-built-mine-location-data-009505.aspx2012-02-06T05:00:00ZResearchers Monitoring the Emergence of Mobile Malware Built to Mine Location Data
https://sm.asisonline.org/migration/Pages/police-worry-criminals-use-smartphones-monitor-radio-traffic-009402.aspx2012-01-05T05:00:00ZPolice Worry Criminals Use Smartphones To Monitor Radio Traffic
https://sm.asisonline.org/Pages/00000025-going-rate-black-market-your-email-address-008950.aspx2011-08-26T04:00:00Z$00.000025: The Going Rate On The Black Market For Your Email Address
https://sm.asisonline.org/migration/Pages/lack-text-message-storage-may-hinder-law-enforcement-008528.aspx2011-05-02T04:00:00ZLack of Text Message Storage May Hinder Law Enforcement
https://sm.asisonline.org/Pages/No-Warrant-Necessary-for-Text-Message-Search.aspx2011-01-06T05:00:00ZNo Warrant Necessary for Text Message Search
https://sm.asisonline.org/migration/Pages/mobile-malware-will-grow-2011-predicts-it-security-firm-007899.aspx2010-11-29T05:00:00ZMobile Malware Will Grow in 2011, Predicts IT Security Firm
https://sm.asisonline.org/Pages/Get-Smart-About-Protecting-Phones.aspx2010-10-01T04:00:00ZGet Smart About Protecting Phones
https://sm.asisonline.org/migration/Pages/get-smart-about-protecting-phones-007664.aspx2010-10-01T04:00:00ZGet Smart About Protecting Phones
https://sm.asisonline.org/migration/Pages/new-tool-takes-aim-mobile-eavesdropping-threats-007226.aspx2010-06-01T04:00:00ZNew Tool Takes Aim at Mobile Eavesdropping Threats
https://sm.asisonline.org/migration/Pages/data-remains-discarded-drives-006079.aspx2009-09-01T04:00:00ZData Remains on Discarded Drives

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Trade-Secrets-2.0.aspxTrade Secrets 2.0<p>​The enactment of the Defend Trade Secrets Act (DTSA) of 2016 in the United States creates a new paradigm and is a watershed event in intellectual property law. U.S. President Barack Obama signed the bill into law on May 11, 2016, and the DTSA now applies to any misappropriation that occurred on or after that date.</p><p>A trade secret is any technical or nontechnical information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.</p><p>The law allows trade secret owners to file a civil action in a U.S. district court for trade secret misappropriation related to a product or service in interstate or foreign commerce. The term “owner” is a defined statutory term. It means “the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed,” according to the DTSA.</p><p>Under the DTSA, in extraordinary circumstances, a trade secret owner can apply for and a court may grant an ex parte seizure order (allowing property to be seized, such as a computer that a stolen trade secret might be saved on) to prevent a stolen trade secret from being disseminated.</p><p>With this development in the law, trade secret assets are no longer stepchild intellectual property rights. Trade secret assets are now on the same playing field as patents, copyrights, and trademarks. The DTSA reinforces that a trade secret asset is a property asset by creating this new federal civil cause of action.</p><p>And there is no preemption. The U.S. district courts have original jurisdiction over a DTSA civil cause of action, which coexists with a private civil cause of action under the Uniform Trade Secrets Act (UTSA). The UTSA—most recently amended in 1985—codified common law standards and remedies for trade secret misappropriation at the state level.</p><p>The DTSA also coexists with criminal prosecutions under the U.S. Economic Espionage Act of 1996 (EEA), which makes it a federal crime to steal or misappropriate commercial trade secrets with the intention to benefit a foreign power.​</p><h4>What the DTSA Means</h4><p>A trade secret asset must be managed like other property assets. However, trade secret asset management differs because it first requires the identification of the alleged trade secret asset. Because millions of bits of information within a company can qualify as proprietary trade secrets, it is critical to classify and rank trade secret assets.</p><p>Most companies focus on the protection phase of trade secret asset management without first identifying and classifying their trade secrets. This approach is doomed to fail without a thorough analysis. Unless the company knows what it’s protecting, there can be no effective protection. And all three phases—identification, classification, and protection—must occur before an accurate valuation of trade secret assets can be determined.</p><p><strong>Proof. </strong>Additionally, information assets must be validated in a court of law as statutory trade secret assets. There is no public registry for trade secret assets. The courts require proof of four things: existence, ownership, notice, and access. </p><p>The first element requires proof of existence of the trade secret asset. The litmus test for proving the existence of a trade secret has six factors: the extent to which the information is known outside the business; the extent to which the information is known inside the business; the extent of measures taken to guard the secrecy of the information; the value of the information to the business and to competitors; the amount of time, effort, and money expended to develop the information; and the ease or difficulty with which the information could be properly acquired or duplicated by others.</p><p>The plaintiff must show that he or she owns the trade secret. A misappropriator cannot be the owner of a trade secret.</p><p>However, a person who independently develops or independently reverse engineers the trade secret can be the owner of the trade secret. By using reverse engineering, an employee who has not been granted intellectual property rights in the trade secret asset may also be the lawful owner—instead of the employer.</p><p>For proof of notice, the plaintiff must show that the defendants had actual, constructive, or implied notice of the alleged trade secret. A former employee may use his or her general knowledge, skills, and experience. However, a former employee may not disclose or use the trade secrets of the former employer. Also, the former employer is prohibited from claiming that “everything we do is a trade secret.”</p><p>The court will take judicial notice that there is both unprotected and protected trade secret information in every company. If the line is unclear, the court will draw the line in favor of the former employee. </p><p>For proof of access, the plaintiff must prove that the defendant had access to the alleged trade secret. If the evidence shows that the defendant never had direct or indirect access to the trade secret, and there is no conspiracy claim, there cannot be misappropriation. This is because misappropriation requires proof of unauthorized acquisition, disclosure, or use of the trade secret by the alleged trade secret thief.</p><p><strong>Protection. </strong>The DTSA also requires that the trade secret owner take reasonable measures to protect the secrecy of trade secret assets. This is a much more challenging task today because trade secret assets are no longer at rest in a locked file cabinet in an engineer’s office. Today, trade secrets are in motion and in use via computer systems and networks with access points all over the world.</p><p>Companies must actively monitor the access and movement of critical trade secret assets throughout the corporate enterprise, or risk the serious consequences of forfeiting trade secret assets by failing to take the reasonable efforts necessary to protect these assets.</p><p>The point is illustrated by U.S. v. Lee (U.S. District Court for the Northern District of Illinois, 2009). A 52-year-old senior scientist, David Yen Lee, suddenly resigned from his job at Valspar on March 19, 2009, and bought a one-way ticket to Shanghai, scheduled to leave on March 27.</p><p>One of Lee’s coworkers discovered irregularities in Lee’s work computer. Upon further investigation, an unauthorized program called “Sync Toy” was uncovered in invisible Windows files. It showed that Lee downloaded 44 gigabytes of paint and coating formulas, product and raw material data, sales and cost data, and product development and test information.</p><p>The FBI was informed and brought in to investigate. The bureau raided Lee’s apartment and recovered the stolen trade secret assets before Lee’s flight left for Shanghai. Valspar’s security readiness was directed to protection against outside intrusions. However, there was little security in place to guard against trade secret theft by insiders and trusted employees. </p><p>To mitigate against future insider theft, Valspar set up an internal identification and classification system for trade secrets called the CPR (classify, protect, report) model. Valspar now tracks the movement of all critical trade secret assets within the various computer environments with triggers that are activated if unauthorized activities are detected.</p><p>The reasonable measures necessary for the protection of trade secret assets continues to grow as the risk of sensitive data loss increases by various means: unauthorized uploading of trade secret assets to an insecure cloud or Web application; unauthorized email communications disclosing trade secret information; unauthorized acquisition of highly classified trade secret assets onto USB drives; and undetected incoming malware, phishing emails, and corrupted Web software all facilitate foreign economic espionage and theft of corporate trade secret assets.</p><p><strong>Seizures. </strong>Companies cannot take advantage of the DTSA’s powerful seizure provisions unless effective trade secret asset management protocols are in place before the actual or threatened misappropriation occurs.</p><p>First, the owner must demonstrate, in a sworn affidavit or a verified complaint, that the ex parte seizure order is necessary and that a temporary restraining order is inadequate. Second, that immediate and irreparable injury will occur if the seizure is not ordered. Third, that the person the seizure would be ordered against has possession of the trade secret and property that is to be seized.</p><p>Once the ex parte seizure order is granted, the court must take custody of and secure the seized property and hold a seizure hearing within seven days. Individuals can also file a motion to have the seized material encrypted.</p><p>A court can issue an ex parte seizure order, according to the DTSA, “in extraordinary circumstances” to “prevent the propagation or dissemination of the trade secret” or to “preserve evidence.”</p><p>These circumstances exist when a trade secret thief is attempting to flee the country, if he or she is planning to disclose the trade secret to a third party, or if it can be shown that he or she will not comply with court orders. </p><p>The Valspar case is an excellent example of the necessity for ex parte seizure orders. However, the FBI will not always be there, and the window of time to protect against the loss of trade secret assets and destruction of the evidence will often be shorter than the eight-day period in the Valspar case. This is why a DTSA civil cause of action and an ex parte seizure order are so important to protect U.S. trade secret assets.</p><p>The protection of trade secret assets in these circumstances requires emergency actions. Once lost, a trade secret is lost forever. The DTSA requires that the trade secret Owner file suit, and provide verified pleadings and affidavits to successfully obtain a DTSA ex parte seizure order before the de­f­en­dants know the suit has been filed. </p><p>Otherwise, without the element of surprise, the defendants—often with several clicks of a computer mouse—can transfer the trade secrets outside the country and destroy the evidence of trade secret theft by running data and file destruction software.</p><p>Therefore, to take advantage of the robust provisions of the DTSA, the trade secret owner must be able to move faster than the trade secret thief. This will require that companies develop internal trade secret asset management policies, practices, and procedures. </p><p>The DTSA creates a new paradigm. If management waits until the trade secret theft occurs to identify what the trade secret is and investigate the evidence of misappropriation, the actual trade secret assets will be long gone before counsel can provide the U.S. district court with the proof necessary to obtain an ex parte seizure order.</p><p>The result: if the losses from the trade secret theft are severe, both the board of directors and senior executives of the company can be charged with malfeasance, including the willful failure to take reasonable measures to protect the corporate trade secret assets from insider theft or foreign economic espionage.​</p><h4>DTSA Application</h4><p>What are the next steps in view of the DTSA? Every organization is different. There are no one-size-fits-all solutions. Each trade secret asset manager must audit existing approaches to protecting trade secret assets, the resource allocations within the organization, and any budgeting issues with protecting trade secrets.</p><p>A fundamental first step should be the creation of An internal trade secret control committee (TSCC). The TSCC should be charged with the responsibility to adopt policies and procedures for the identification, classification, protection, and valuation of the company’s trade secret assets.</p><p>The next step should be the creation of an internal trade secret registry (TSR). This is a trade secret asset management system that can be deployed as a cloud-based solution, on a corporate server, or on a standalone work station. </p><p>The TSR should operate like a library card catalog storing necessary trade secret asset information with hash codes and block chaining (a database that sequences bits of encrypted information—blocks—with a key that applies to the entire database) to ensure the authenticity of the data stored in the TSR and to meet the required evidentiary standards in a trade secret misappropriation lawsuit.</p><p>Another necessary step is trade secret asset classification, the foundation of a successful trade secret asset management program. Asset classification allows trade secret assets to be identified and ranked, so that the level of security matches the level of importance of the trade secret asset. There are now automated trade secret asset management tools available to assist companies with the classification and ranking of trade secret assets.</p><p>Security, without identification and classification, is doomed to fail. In contrast, securing data after identification and classification of the trade secret assets makes it much easier for the internal security ecosystem to enforce trade secret protection policies and to prohibit unauthorized access, disclosure, or use.</p><p>Today, software tools can protect the company from mistakes that lead to the forfeiture of classified trade secret assets. If a user attempts to email a trade secret document to unauthorized recipients, the software program will immediately alert the user so the mistake can be corrected. Further, classified trade secret assets can be monitored. Administrators can track abnormal or risky behavior that otherwise cannot be tracked until the trade secret is compromised.</p><p>Developing a trade secret incident response plan (TSIRP) is another critical requirement. The flow of trade secret assets throughout the corporate enterprise should be tracked with built-in red flags, designed to trigger the TSIRP and notify outside counsel to proceed immediately to the courthouse to seek a DTSA ex parte seizure order before the bad actors can destroy the evidence or transfer the stolen trade secret assets outside the court’s jurisdiction.​</p><h4>Employee Management</h4><p>There are other best practices for trade secret assets now that companies are focusing on the various stages of identification, classification, protection, and valuation.</p><p>Building a trade secret culture from the top down, with required training and compliance with TSCC policies, practices, and procedures, is at the top of the list. Companies must promote a trade secret culture by prompting employees and users to stop, think, and consider the business value of proprietary, internal information they are creating, handling, and reviewing.</p><p>The new employee hiring process should include an investigation and certification by the new employee that no proprietary trade secret information of any previous employer is being brought to the company or is being stored electronically in his or her personal email system or other electronic storage locations.</p><p>The prospective new employee should sign an employment agreement with patent and trade secret assignment provisions. He or she should also receive and review the company’s required trade secret policies and procedures.</p><p>When an employee leaves the company, off-boarding procedures should include a mandatory trade secret exit interview. The interview should be conducted under strict procedures adopted by the TSCC, including execution of a trade secret acknowledgement at the conclusion of the interview certifying that all company devices, documents, and materials, including electronic copies, paper copies, and physical embodiments have been returned. It should also certify that all proprietary and confidential information, stored on any personal computer or mobile device, has been identified and preserved, returned, or deleted under the company’s instructions.</p><p>The enactment of the DTSA will usher in a new era. It requires trade secret owners to identify, classify, and protect trade secret assets as property assets. In time, the DTSA will become a precursor for new accounting systems that will provide valuations for trade secret property assets.  </p><p>--<br></p><p><em><strong>R. Mark Halligan</strong>, partner at FisherBroyles LLP, is recognized as one of the leading lawyers in trade secrets litigation in the United States by Legal 500 and Chambers USA: America’s Leading Lawyers for Business. He is also the lead author of the Defend Trade Secrets Act of 2016 Handbook and coauthor of Trade Secret Asset Management 2016: A Guide to Information Asset Management Including the Defend Trade Secrets Act of 2016.  ​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspxRise of the IoT Botnets<p>​There are many doomsday cyber scenarios that keep security professionals awake at night. Vint Cerf, one of the fathers of the Internet and current vice president and chief Internet evangelist for Google, speaking at an event in Washington, D.C., in 2015, shared his: waking up to the headline that 1,000 smart refrigerators were used to conduct a distributed denial of service (DDoS) attack to take down a critical piece of U.S. infrastructure.</p><p>Cerf’s nightmare scenario hasn’t happened, yet. But in 2016 thousands of compromised surveillance cameras and DVRs were used in a DDoS attack against domain name server provider Dyn to take down major websites on the East Coast of the United States. It was a massive Internet outage and, for many, a true wake-up call.</p><p> At approximately 7:00 a.m. on October 21, Dyn was hit by a DDoS attack, and it quickly became clear that this attack was different from the DDoS attacks the company had seen before. </p><p>It was targeting all of Dyn’s 18 data centers throughout the world, disrupting tens of millions of Internet Protocol (IP) addresses, and resulting in outages to millions of brand-name Internet services, including Twitter, Amazon, Spotify, and Netflix.</p><p>Two hours later, Dyn’s Network Operations Center (NOC) team mitigated the attack and restored service to its customers. </p><p>“Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the United States were unable to reach some of our customers’ sites, including some of the marquee brands of the Internet,” Dyn Chief Strategy Officer Kyle York wrote in a statement for the company. </p><p>A second attack then hit Dyn several hours later. Dyn mitigated the attack in just over an hour, and some customers experienced extended latency delays during that time. A third wave of attacks hit Dyn, but it successfully mitigated the attack without affecting customers.</p><p>“Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system,” York explained. “We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like this.”</p><p>The attacks caused an estimated lost revenue and sales of up to $110 million, according to a letter by U.S. Representative Bennie G. Thompson (D-MS) sent to former U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson.</p><p>“While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware exploiting tens of thousands of Internet of Things (IoT) devices, but also because they were carried out against a firm that provides services that, by all accounts, are essential to the operation of the Internet,” the letter explained.</p><p>These devices were part of the Mirai botnet, which is made up of at least 500,000 IoT devices, including DVRs and surveillance cameras, that are known to be in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, among other nations.</p><p>The botnet, which was created in 2016, has been used to conduct high-profile, high-impact DDoS attacks, including the attack on security researcher Brian Krebs’ website, Krebs on Security—one of the largest DDoS attacks known to date. </p><p>“Mirai serves as the basis of an ongoing DDoS-for-hire…service, which allows attackers to launch DDoS attacks against the targets of their choice in exchange for monetary compensation, generally in the form of Bitcoin payments,” according to Arbor Networks’s Security Engineering and Response Team (ASERT) threat intelligence report on Mirai. “While the original Mirai botnet is still in active use as of this writing, multiple threat actors have been observed customizing and improving the attack capabilities of the original botnet code, and additional Mirai-based DDoS botnets have been observed in the wild.”</p><p>This is because shortly after the Dyn attack, Mirai’s source code was published on the Internet, and “everyone and their dog tried to get their hands on it and run it in some form or another,” says Javvad Malik, a security advocate at AlienVault, a cybersecurity management provider.</p><p>Mirai is “out there and the problem is, there isn’t any easy mitigation against it,” Malik explains. “A camera or a webcam, there’s no real, easy way to patch it or update it, or there’s no non-technical way your average user could patch it. And most users aren’t even aware that their device was part of the attack.”</p><p>There are more than 25 billion connected devices in use worldwide now, and that amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices, according to the U.S. Federal Trade Commission.</p><p>But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.</p><p>The Mirai botnet—and others like it—take advantage of these insecurities in IoT devices. Mirai constantly scans devices for vulnerabilities and then introduces malware to compromise them. Once compromised, those devices scan others and the cycle continues. These devices can then be used by an attacker to launch DDoS attacks, like the one on Dyn.</p><p>Some manufacturers have sought to remedy vulnerabilities in their devices by issuing voluntary recalls when they discover that they’ve been used in a botnet attack. But for many other manufacturers, there’s not enough incentive to address the problem and most consumers are unaware of the issue, says Gary Sockrider, principal security technologist at Arbor Networks.</p><p>“Consumers are largely unaware. Their devices may be compromised and taking part in a botnet, and most consumers are completely oblivious to that,” he explains. “They don’t even know how to go about checking to see if they have a problem, nor do they have a lot of motivation unless it’s affecting their Internet connection.”</p><p>DHS and the U.S. National Institute of Standards and Technology (NIST) both recently released guidance on developing IoT devices and systems with security built in. In fact, NIST accelerated the release of its guidance—Special Publication 800-160—in response to the Dyn attack.</p><p>But some experts say more than guidance is needed. Instead, they say that regulations are needed to require IoT devices to allow default passwords to be changed, to be patchable, and to have support from their manufacturers through a designated end-of-life time period.</p><p>“The market can’t fix this,” said Bruce Schneier, fellow of the Berkman Klein Center at Harvard University, in a congressional hearing on the Dyn attack. “The buyer and seller don’t care…so I argue that government needs to get involved. That this is a market failure. And what I need are some good regulations.”</p><p>However, regulations may not solve the problem. If the United States, for instance, issues regulations, they would apply only to future devices that are made and sold in the United States. And regulations can have other impacts, Sockrider cautions.</p><p>“It’s difficult to craft legislation that can foresee potential problems or vulnerabilities,” he explains. “If you make it vague enough, it’s hard to enforce compliance. And if you make it too specific, then it may not have the desired effect.”</p><p>Regulations can also drive up cost and hinder development if they are not designed to foster innovation. “Compliance does not equal security, necessarily,” Sockrider says. “Part of compliance may mean doing things to secure your products and services and networks, but there could always be vulnerabilities that aren’t covered…. You’ve got to be careful that you’re covering beyond just compliance and getting to true security as much as possible.” </p><p>So, what steps should organizations take in the meantime to reduce the risk of their devices being compromised and used to launch attacks on innocent parties?</p><p>If a company already has IoT devices, such as security cameras or access control card readers, in its facilities, the first step is segmentation, says Morey Haber, vice president of technology for security vendor BeyondTrust. </p><p>“Get them off your main network,” he adds. “Keep them on a completely isolated network and control access to them; that’s the best recourse.”</p><p>If the organization can’t do that and it’s in a highly regulated environment, such as a financial firm subject to PCI compliance, it should replace the devices and reinstall them on a segmented network, Haber says.</p><p>Organizations should also change all default user accounts and passwords for IoT devices, Sockrider says. “Disable them if possible. If you can’t, then change them. If you can’t change them, then block them.”</p><p>For organizations that are looking to install IoT devices, Haber says they should plan to install them on a segmented network and ask integrators about the security of the devices. </p><p>Sample questions include: Do they maintain a service level agreement for critical vulnerabilities? What is the lifespan of the device? How often will patches be released? </p><p>“And the last thing that becomes even more critical: What is the procedure for updating?” Haber says. “Because if you have to physically go to each one and stick an SD card in with a binary to do the upload, that’s unfeasible if you’re buying thousands of cameras to distribute to your retail stores worldwide. There’s no way of doing that.”</p><p>Organizations should also look at their policies around allowing employees to bring in their own devices to the workplace and allowing them to connect to the network. </p><p>For instance, employers should be wary when an employee who brings in a new toaster connects it to the company Wi-Fi without anyone else’s knowledge. “That type of Shadow IT using IoT devices is where the high risk comes from,” Haber explains. </p><p>And organizations should also look to see what they can do to block inside traffic from their network getting out. </p><p>“Think about it in the reverse; normally we’re trying to keep bad stuff out of our network, but in this case, we want to keep the bad stuff from leaving our network,” Sockrider says. “Because in this case, if an IoT device on your network is compromised, it’s not necessarily trying to attack you, it’s trying to attack someone else and you can be a good citizen by blocking that outbound traffic and preventing it from doing so.”</p><p>While companies can take steps to reduce the likelihood that their devices will be compromised by a botnet and used to attack others, attacks—like the Dyn attack—are likely to continue, Malik says.</p><p>“We’ll probably only see more creative ways of these attacks going forward,” he explains. “At the moment, it’s primarily the webcams and DVRs, but you’re probably going to see different attacks that are more tailored towards specific devices and maybe even a change of tactics. Instead of going after Dyn…taking down a smaller competitor.”</p><p>Malik also says he anticipates that cyber criminals will conduct these more creative attacks through purchasing DDoS as a service, a growing industry over the past few years. </p><p>“Some providers are just as good, if not better than, professional legitimate services,” Malik says. “It’s very easy; they offer support. You just go there, you click buy, send the Bitcoins, enter your target, and job done. You don’t even need any technical expertise to do this. It’s very, very convenient.”   ​ ​</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Security-Spotlight---Internet-of-Things.aspxSecurity Spotlight: Internet of Things<p><span style="line-height:15px;">For security professionals, the Internet of Things (IoT) raises basic questions: who will be responsible, what will be collected, where will the data be stored, when will security be involved in decision making, why are new devices being added, and how will they affect the daily functions and outcomes of the security department.</span></p><p><span style="line-height:15px;"><a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Internet-of-Things.aspx" target="_blank">The following resources</a>, ASIS International Seminar and Exhibits education sessions, <em>Security Management </em>articles, and Council white papers, address these questions and offer practical responses and thoughts for t​he future marriage of IoT and security.</span></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465