Wednesday, 26 March 2014

Cybersecurity Expert and CIO: Internet of Things is 'Scary as Hell'

The terms "Internet of Things" (IoT) and "connected home" are two of the most fashionable buzzwords in the world of technology today. Although both clearly offer very real potential, they also introduce their share of risk, especially if they are not approached with caution, according to Jerry Irvine, owner and CIO of IT outsourcing service provider Prescient Solutions.


Irvine, a member of the National Cyber Security Partnership (NCSP), a "public-private partnership ... established to develop shared strategies and programs to improve safety and improve critical information infrastructure of the United States," says his experience is in computer security and communication systems in general. He has the certifications to prove it. The Prescient CIO's résumé includes CISM, CISA, CISSP, MCSE, CCNA, CCNP, CCDA, CCDP, CNE, CBCP, CASP, CIPP/IT, IAPP/IT, ITIL, CGEIT, and Cisco Wireless Professional certifications.

"Any cert value out there, if you do not, if you find one, let me know, and I'll take it," Irvine told CIO.com Senior Editor Al Sacco.

Irvine spoke with Sacco about the IoT and related home security, as well as how consumers and businesses can prepare for the coming flood of devices and protect themselves from hackers seeking to exploit the IoT to steal personal or confidential company information.

Al Sacco: What exactly does the term "Internet of Things" mean to you?

Jerry Irvine: It means the interconnectivity of things. It's not just the Internet in general, but the ability for devices, all types of devices, to communicate. They communicate across a publicly-accessible, unsecure Internet. Basically everything we have today is being configured for us to remotely control and manage it. And the infrastructure is the Internet.

What do you think of first when you consider IoT?

In fact, it's scary as hell. The Internet itself is highly uncertain and risky. It's like walking in an alley at night without proper safety measures.

The first devices were remote devices, heating and air conditioning, things like that. They were not very smart. They were simply a means to gather information and provide remote connectivity to equipment so that manufacturing engineers could manage multiple devices, and to alert you when something was wrong.

I have never been initiated security measures. The manufacturers of these "Internetable" home devices are doing what the production companies did years ago: they are making these pieces of equipment, not intelligent and unsafe, designed to do one or two things, with very few safety measures in place. They may have a user ID and one password, but there is very little they do for safety. So, when you start "internetting" all this equipment, you're really making yourself susceptible.

When many consumers think of the IoT, they think of the connected home, connected appliances. Have you heard of any specific threats targeting consumers via these kinds of devices?

I have not heard of a specific example that occurred. [How a hacker], I do not really use the alarm system or your heating, air conditioning that I can see it sitting on your Wi-Fi network, as I sit outside on the patio, affect these systems. Can I implement a virus that enters the network and now hit the net, and are able to grab the user ID and password, and get your financial information to go on?

It's just that all these things are on the internet and not guaranteed. They do not have antivirus available for them. They have no other means to secure them. They are the weakest link in the network. Hackers can get into them, can be treated with malicious applications to infect PCs, and now receive financial and identity information.

People are excited about the IoT, and there's clearly a lot of promise and potential there. Security concerns aside, what excites you most about IoT?

I do really appreciate the idea of having an alarm system that will remotely allow me to check my environments. You hear about people on vacation, they get an alert, they see somebody robbing their house, and they're able to call the police. That's exciting. That's a real opportunity for individuals to protect themselves. The problem is doing it in an insecure manner.


How would a hacker gain access to consumer IoT devices? Is the commonly used Wi-Fi security, WPS or WPA, good enough to protect the average user's home wireless network?

Most likely [hackers] are going to steal your information the same way they're stealing everything else, with a virus or malicious application that you download from the Internet. Your PC is going to be breached, it's going to gather all your information, send it out in a script to somebody, and now they're going to have all your information. Antivirus solutions only protect you against 30 percent of known viruses and malware.

There's the potential of people sitting outside in the front yard, seeing all of your devices and going from there. WEP is a very insecure wireless security protocol which is still in use. WPA is more secure, but most individuals still leave their wireless network to broadcast, so I can see all the traffic going across it, I know there's a network there, I know the SSID.

Are there specific types of IoT devices that are more risky than others? Should consumers be more wary of one connected-home gadget than another?

They're pretty much all of the same risk type. There are a couple companies out there that are doing connected smoke alarms and thermostats and the alerting-type systems, which are fairly unique in that they will ride on your existing Wi-Fi network; however, if you don't have a Wi-Fi network, or if you choose not to use it, they will create their own Wi-Fi segment [using Wi-Fi Direct] so they can communicate with each other and provide access through a single keypad. Those are really nice because they mitigate risk by segmenting them from your Wi-Fi network.

Do you personally use any of these gadgets and services we discussed?

I do not personally use them, because I don't trust them.

What's the most important advice you can give consumers who are diving into the IoT?

There would be two things: Put [IoT devices] in a separate segment, in a VLAN, and only communicate with them over a VPN. Do not allow unencrypted traffic to communicate with them. Segment them and present them with a VPN. Use different user IDs and passwords. And use strong passwords: alphanumeric, upper case, lower case, special characters. Not just "12345" for a password. Passwords.

Protect your environment. And have your alarm system, heating and air conditioning, in the same internal network PC. If you are easily hacked, and you are, and attacked, you do not want them to be on exactly the same network.

You can put it in a virtual network with all the switches and consumer-based systems that are available in retail stores. Configure a virtual local area network (VLAN) to protect the environment.

The average consumer is not particularly a security expert. They're probably not going to use a VPN or VLAN, or disable the transmission of their router's Wi-Fi. With this in mind, would you suggest that consumers avoid IoT devices, or connected-home devices, completely at this point? Is the risk too high to justify the potential benefits?

That or hire a professional to install security measures for you. Let's say you do. I have my security system for your home, I pushed my Wi-Fi and all. As you said, the average consumer is not aware of security. They pay someone to do it for them.

Then you drop your phone somewhere and you do not have a PIN on it. They have cell phone applications that allow them to control all the IoT devices. We must begin to secure our mobile devices, even more critically, because all the applications are there to control all of our lives. Yet statistics show that more than 80 percent of people do not even put a PIN on their phone. I was at a meeting of about 25 CFOs of several-million-dollar accounts just this week. I wondered how many of them had a PIN on their phones, and fewer than half a dozen had a PIN.

Your advice is not much different from what computer security experts have been saying for years.

This is true. It's just that the risk is even greater. Now they [hackers] are looking not only at a single PC; they are seeing all your personal property.


This is not necessarily to take control of your IoT devices, your home's heating, alarm system?

No. This was a real change of attitude in information security in the last three or four years. It is no longer discomfort. It is no longer denial of service attacks that are occurring. It is 100 percent based on profit. Now everything is to get your identity to obtain financial information and steal your identity to get more money. It is a field of thousands of billions of dollars today.

What does the IoT mean for companies, for CIOs and other company security personnel? Do they have to think about how the IoT influences their organizations?

It is definitely a problem in society, in the same way as BYOD is a business problem. Today everyone has access to your corporate environment through their consumer systems. I'll have my phone, my phone, my tablet, my laptop computer in my house, in my network that can be easily violated. Just as Target was breached through its HVAC company, someone else can get the user's environment and business data. So absolutely, CIOs must always look for the weakest link.

What can CIOs do to protect themselves and their organizations?

Proactive segmentation based on the consumption of the devices in your company is the principal means. You do it by implementing MDM solutions, data management or MAM, mobile applications, solutions that partition the user's device, so you can segment your applications and data, and access to the network, to allow consumer segments only mobile solution authorized users. Development of VPN configurations, pressing down, and instead of focusing on perimeter security, focus on application security. A stronger focus on applications, application firewalls, scanning.

Does it fall to the CIO to educate users about the risks of these new IoT devices in the home?

Yes, the number one resource to secure any type of media environment is through user training and education. Not only what you need to do, but why you do it, to understand the risk.

Many of these things, once again, relate in fact to the overall security of the mobile device. They are not necessarily specific to the IoT. It does not sound like a company that is aware of the value really needs to do something different to deal with the IoT.

That is correct. The problem is simply that the threat footprint continues to grow. I can no longer focus on individual cell phone users. I have to focus on phones, tablets, PCs on their Wi-Fi network at home, the firewall at home, their consumer-level regulators, these "Internetable" devices.

In fact, what we should do is apply least-privilege security, where no one has any rights unless you explicitly give them. The new BYOD environment today is really set up for everyone to have all the rights unless I say no. We need to get to the point where the only people who have access are the people you give it to. A focus on least privilege.
