Securing IoT payments

There is a lot of discussion around IoT security, much of it focussed on patching, maintaining / updating etc.

Given the volume of discussion in this space I’ll not write something likely replicating other conversations.

 

What I am interested in is whether we can enable secure and trusted automated payments from IoT devices.  If we can solve this we can trust a lot of non payment behaviours as well.

Assuming we can improve those basics enough to make wider use of IoT devices safe (enough), payments will surely follow.  We may well see a growth in IoT driven payments before we are happy the IoT is safe enough – we are already seeing hackable cars and their associated mobile applications (http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/).  A lack of safety and security is clearly not holding back the IoT tide!

 

One of the benefits of consumer IoT devices is that they will be able to automatically order things. Examples could be replacing themselves or components as they wear out, or restocking consumables as they run low – think of a coffee machine buying coffee or a fridge restocking itself.

Is it possible to simply and effectively secure (automated) payments from IoT devices? Or for that matter any device..

There are multiple potential issues including;

  • Did you authorise the payment?
  • Is the ‘thing’ really yours and acting on your behalf?
  • Where is the ‘thing’ located, and where should the goods be sent to?
  • Do you want / need whatever is being purchased?
  • How could malicious people;
    • Make money (cash out) from this?
    • Cause harm, and to what level? – from slight nuisance to real harm..

 

How can we mitigate the risk from these issues to enable secure IoT payments?

 

I’d propose that it is possible to do this, using a combination of three things;

  • Some rules and metadata about the device and what it is allowed to do
  • Certificates that link the device to you and an address
  • Something to make this data and all transactions immutable, such as a blockchain implementation

 

How would these work together?

For most consumer devices it will be relatively easy to set rules about the device in terms of what it is, and what it is allowed to do.  For a simple example, a light bulb can only order a single lightbulb to the address it is registered to.  For a slightly more complex example, a fridge could have rules around only being able to order items you have previously ordered and set as ‘replace me’, only to the registered address at agreed times, and only if there was space in the fridge for them.

As long as these rules are immutable, e.g. by being held in a blockchain, the chances of a criminal cashing out are extremely limited. The ability to cause harm is also limited, as at most you could potentially make a lightbulb order 1 lightbulb, or make the fridge order something you wanted replaced that would fit into the fridge.

Using extremely scalable certificate management would allow identity and location to be stored with each device. Consider something like a root cert and child certs model. You are your own root cert, then all your devices get a child cert that links to you and has added information like address. These could be managed, replaced and revoked as you would expect. Securely managed certificates, potentially stored as part of the blockchain, would enable the device (‘thing’) to be linked to the owner, location and by inference the owner’s payment instrument and permission to replace / order items. The permissions associated with the device around what the owner has allowed it to do would also be stored in the blockchain.

 

By utilising relatively simple rules for each device, that the owner can set and agree, we are able to ensure it only performs sensible actions.

By using the existing certificate model, just in a massively scalable architecture we are able to link the devices to owners, locations and payment instruments.

Finally by utilising blockchain and its properties, we are able to immutably store these things, with clear permissions and a full audit trail for any changes and transactions.
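An added example (not code from this post) showing how the three pieces fit together: owner-agreed rules, a record linking the device to an owner and address, and a tamper-evident log of every decision. The device record stands in for the contents of the child certificate, with its signature check assumed to have happened already, a hash chain stands in for the blockchain, and all names, fields and sample values are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash, payload):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class Ledger:
    """Append-only hash chain: every entry commits to the one before it.

    This only makes edits detectable; a real blockchain adds the distributed
    consensus that stops someone rewriting the whole chain.
    """

    def __init__(self):
        self.entries = []

    def append(self, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "payload": payload,
                             "hash": _digest(prev, payload)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["payload"]):
                return False
            prev = e["hash"]
        return True

    def device_record(self, device_id):
        """Latest registration for the device, or None if unknown or revoked."""
        record = None
        for e in self.entries:
            p = e["payload"]
            if p["device_id"] != device_id:
                continue
            if p["type"] == "register":
                record = p
            elif p["type"] == "revoke":
                record = None
        return record

    def orders_on(self, device_id, day):
        return sum(1 for e in self.entries
                   if e["payload"]["type"] == "order"
                   and e["payload"]["device_id"] == device_id
                   and e["payload"]["day"] == day)


def authorise(ledger, req):
    """Return (approved, reason) and record the decision in the ledger."""
    if not ledger.verify():
        return False, "ledger failed integrity check"
    rec = ledger.device_record(req["device_id"])
    if rec is None:
        reason = "unknown or revoked device"
    elif req["sku"] not in rec["rules"]["allowed_skus"]:
        reason = "item not on the device's allowed list"
    elif not 1 <= req["quantity"] <= rec["rules"]["max_quantity"]:
        reason = "quantity outside the device's limit"
    elif req["ship_to"] != rec["address"]:
        reason = "delivery address is not the registered address"
    elif (ledger.orders_on(req["device_id"], req["day"])
          >= rec["rules"]["max_orders_per_day"]):
        reason = "daily order limit reached"
    else:
        reason = "ok"
    # Approved and rejected requests are both logged, giving the audit trail.
    ledger.append({**req, "type": "order" if reason == "ok" else "rejected"})
    return reason == "ok", reason


def demo():
    """Constructed scenario: one lightbulb, then a tampered rule."""
    ledger = Ledger()
    ledger.append({"type": "register", "device_id": "bulb-1", "owner": "owner-1",
                   "address": "1 Example Street",
                   "rules": {"allowed_skus": ["bulb-e27"], "max_quantity": 1,
                             "max_orders_per_day": 1}})
    order = {"device_id": "bulb-1", "sku": "bulb-e27", "quantity": 1,
             "ship_to": "1 Example Street", "day": "2016-12-01"}
    next_day = {**order, "day": "2016-12-02"}
    results = [
        authorise(ledger, order),                                 # allowed
        authorise(ledger, order),                                 # repeat, same day
        authorise(ledger, {**next_day, "ship_to": "9 Other Road"}),
        authorise(ledger, {**next_day, "quantity": 50}),
    ]
    # Someone edits the stored rule in place to allow bulk orders.
    ledger.entries[0]["payload"]["rules"]["max_quantity"] = 50
    results.append(authorise(ledger, {**next_day, "quantity": 50}))
    return results


if __name__ == "__main__":
    for approved, reason in demo():
        print(approved, reason)
```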

 

I’ve obviously simplified this for the purposes of this blog post, but hopefully the idea is clear.  It would definitely be great to hear your thoughts on this.  I may write a longer more detailed overview and incorporating a wider range of inputs would definitely add value!

 

K

IoT does not equal IoT

I was at a PETRAS IoT (Internet of Things) event recently and a question I was asked at lunchtime got me thinking.

The question was;

“Do you think cloud is secure”

My response quite obviously was that the question needed a lot more context. Which cloud?  In what sense? Secure enough for what? Etc. etc.

 

We are falling into the same trap of thinking of IoT as a ‘thing’. All IoT devices may share some traits, in the same way as there are certain traits a hosted service must have for it to be called a cloud service.

However all IoT devices clearly cannot and should not be lumped into one big category.

 

As my interest is in security I’ll use that as an example.

Consider the level of security required around a simple consumer device like a lightbulb.  It may have a few capabilities like on / off / dim and potentially being able to purchase one replacement lightbulb to your address.  You may also want some features in place to prevent actually logging onto it other than to perform on / off stuff, and to prevent it from enumerating your home network.

Now consider the security required around a medical device such as a pacemaker or insulin provider for a diabetic. A while ago someone demonstrated they could hack a Bluetooth insulin device and make it release all of its insulin at once. Obviously this was done while the device was not connected to a person!

In the above examples, as long as there are some sensible rules in place, the threat vector from the lightbulb is very limited, and the value to criminals is effectively zero.

However in the healthcare example, a security issue could lead to immediate risk to life – imagine the scenario of pay xx bitcoins or I affect your insulin supply, or stop your pacemaker. This demonstrates not only risk to life, but also a clear avenue to profit for the criminal.

 

We 100% need to work to improve the security and manageability of IoT devices across the board.  However we need to start segmenting this into different sectors and levels of threat / risk / value.

 

This will allow sensible dialogue about what is appropriate for different circumstances.  It is likely this will allow faster and appropriately secure progress.

For example, a framework for security and risk management of consumer devices such as lights, fridges, toasters etc. could likely be arrived at. This would allow progress to be made in this space to provide consumers wider benefits from IoT, but without being mired in wider conversations about what is appropriate for healthcare or transport IoT etc.

 

So this post has two points;

  • When something is massive and wide ranging such as cloud or IoT, it is fine to use this as a concept but we need to stop talking about them as a single thing when we think about security etc. as there is not a single solution or set of requirements.
  • IoT – we need to define distinct, but not too narrow, use cases, e.g. healthcare, consumer, transport etc.  Following this we can agree sensible and appropriate frameworks and requirements for things like security, management, payments..

 

I’ve been mulling over a high level concept for securing IoT payments and the consumer space, that I’ll flesh out and share in an upcoming post.  It would be great to hear your thoughts on this and how we can best manage / secure the various types and use cases of IoT.

K

Bruce Schneier keynote from the ISF conference

I recently attended, and presented at, the ISF annual congress in Berlin. One of the highlights of the conference was the keynote talk from Bruce Schneier.

The talk focussed on some of the current developments in IT, the internet, machine learning, IoT (Internet of Things), and what these may mean for IT security and basically everyone’s safety and security.

My notes from the talk are below, they are relatively rough, but I thought worth sharing as there are some great points and things to think about!

Internet now Senses, Sees and Acts – definition of a Robot?

Does this mean we are building a world size robot?

It’s a distributed robot…

Combination of;

Mobile, cloud, persistent computing, big data, IoT

And Autonomy..

 

This means – Computer security becomes Everything security…!

That means that all the things we understand from patching and vulnerabilities to security vs. complexity to network effects become relevant to everyone / everything.

As computers become more integrated with real life – medical, cars etc. – we likely move from confidentiality being the most important part of the security ‘triad’ to safety.

How do we deal with things like;

Algorithms that choose where police go or who gets parole?

How can we allow police to safely stop a car, vs. criminals being able to stop any car?

 

Tech / security arms races;

  • Spam
  • Click jacking
  • Ad blocking
  • Credit card fraud
  • ATM fraud

 

5 trends affect this security arms race (currently, may change in the longer term);

  1. Attack is easier than defence
    1. For a bunch of reasons, like complexity
  2. New vulnerabilities in the interconnections
    1. The more you connect things, the more vulnerabilities in one thing can affect another
    2. E.g. recent massive DDoS – was from cameras etc. – so vulnerabilities in these led to massive impacts elsewhere
  3. More critical systems mean more power to attackers
    1. Internet allows criminals to scale
    2. Allows attacks from anywhere / everywhere – e.g. I live in the UK, so don’t care about burglars living in Germany.  But with connected systems I can be attacked from anywhere.
    3. You don’t have to worry about the average attacker, you always have to worry about the best, as the best guy will be the one writing the tools..
  4. The economics of computer security don’t trickle down to the Internet of Things
    1. E.g. how do we secure and patch the billions of very low value devices
    2. Computers and phones – updated all the time, staff at MS etc employed just to patch
    3. Low cost embedded systems – written somewhere, dev / company moves on.  Some can’t even be patched.  So the only way to patch is to throw away and replace.  Is this a viable patch strategy?
    4. We also regularly replace things like phones and computers – this provides improved security and ensures updates.
    5. IoT stuff isn’t like this.  How often do you replace your DVR, your home thermostat etc?? 5 years, 10 years? Never??
    6. Owner and producer of these devices don’t care about the issues.
  5. Copyright laws make it very hard to do security research on these devices
    1. It can be illegal to circumvent the security of these devices, even for research.
    2. Criminals don’t care, obviously.
    3. Criminals will do the ‘research’ and will hack the devices.
    4. Researchers likely will not do the work if they will be threatened and unable to publish the research..
    5. How will we ever improve?

How to fix this;

  • Do it right in the first place
  • Agile security- rapid prototyping, fix failures fast

 

Doesn’t work – Chrysler recalled >1M cars to update software

Does work – Tesla – remotely updated software of all cars

 

Technology and Law must work together or both will fail

Example – Snowden papers showed that technology could circumvent the law, as well as the other way round

Need clear government policies on this

Do we need a new regulator for this stuff?

What regulations do we need?

Does this need to be international, not national?

Governments will get involved, can we lead this to help drive sensible and usable regulations?

 

Main points

  • IoT changes everything – computers impacting the world in a physical manner
    • Fewer off switches
    • Not designed, just growing
  • Threats getting worse in several dimensions
  • This is all coming, fast.  Government involvement is coming
  • We need to get ahead of this – we need to start making serious choices.  We need relevant, workable laws.  We have moral and ethical choices to make.
    • We need to change how we code.
      • When software didn’t matter we let developers code how they wanted and how they saw the world..  Bugs just get fixed later.
      • Now that lives are more and more at stake, we need society to decide what is OK, and hold developers to account.
  • We need to bring together policy makers and technologists!

 

Government response will be fast and likely unplanned – e.g. ransomware against cars – millions of people can’t get into cars. OR power plant goes offline.

This will lead to very fast and possibly badly thought out action, and regulations

Hence the need for us to get ahead of this!

We won’t get to choose – once lives are at stake you don’t get to decide if you’re regulated. Airlines, drug companies etc. don’t get to say hey, don’t regulate us. Once the internet / IoT etc. is as important as drug companies it will have no choice but to be regulated.

 

Do we really need to connect everything together?

E.g. could some systems (SCADA for example) connect to a SCADA only network?  Not a new internet, just secure / controlled networks for some systems?

Does believe we will solve this, but it is challenging 🙂  He is actually optimistic about this!

 

I’m sure you will agree, some great thinking points.  We live in very interesting times, IT security is going to become increasingly critical as more and more systems that genuinely and immediately affect life become connected to the same internet as everything else.

What are your thoughts?  Can we safely and securely enable all of these interconnected systems?

K

 

 

Low friction, secure online payments

Online payments whether made from a traditional PC or any mobile device must be secure, strongly resistant to fraud, and convenient.

Currently online payments suffer from a couple of key issues relating to ease of use and security;

  • Extra security features such as 3DS (3D Secure) provide a frustrating consumer experience.  This leads to consumers abandoning shopping carts and merchants disabling the feature where they are provided the option to do so.
  • False rejections of payments by the issuers, again this provides a terrible user experience and shopping cart abandonment.

 

Both of the above issues lead to frustrating situations.  Examples of these are when people forget their 3DS credentials, or when you call your bank to be told the rejection was because of the merchant, then the merchant says it was the bank!

 

In addition to this the upcoming EU rules on electronic payments authentication, how we verify that the person who is paying is the right person, are likely to add to this complexity.

 

These regulations are the Revised Payment Services Directive (PSD2).  They have three objectives: harmonization, innovation and security.

On security, PSD2 requires ‘strong customer authentication’ to be applied for all electronic payments in Europe.  Strong authentication in this case refers to using at least two of these three factors;

  • something you know such as a password,
  • something you have such as a card,
  • something you are, for example, a biometric.

 

The EBA (European Banking Authority)  is responsible for the regulatory technical standards to deliver strong customer authentication.

 

The above issues and potentially increasing complexity lead to a poor experience and shopping baskets being abandoned. This is due to either friction in the process or false rejections of payments by the issuers.

 

So how can this situation be improved upon? We need a solution that meets the needs of consumers, merchants and issuers as well as the intent of the proposed PSD2 regulations.

Breaking these down;

 

Consumers want a safe, seamless and reliable payments ecosystem.

Merchants want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

Issuers want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.

The EU and EBA want a safe, seamless and reliable payments ecosystem that maximises consumer spending and minimises fraud.  Additionally they specify through PSD2 that we must verify that the payer is the correct person using ‘strong authentication’.

 

As you can see the needs of the majority of people in the payments ecosystem are basically the same, safe, seamless and reliable payments!

 

Can we solve this and provide a solution that will minimise fraud and improve acceptance rates while maintaining or improving the customer experience? The short answer is YES.

 

By combining advanced authentication solutions with card details it is possible to provide strong assurance that a user and card are correctly linked and that a payment is genuine.

 

Utilising relatively simple code and an authentication solution fast enough to be in the online transaction flow enables us to reliably link a card to a device.  Note when I say device I include laptops / desktops as well as phones and tablets etc.

 

By doing this we can immediately identify multiple attributes about the card, device and behaviour such as;

  • Have we seen this device and card combination successfully used before?
  • Have we seen the same name on a different card from this device before?
  • Does this behaviour align with previous successful payments from this combination such as volume, velocity, amounts etc?
  • Where were these payments made from?

 

This is in addition to all the traditional fraud analytics applied to the card behaviour alone.

 

3DS can still be incorporated if required, even with all this additional information.  However its use can be minimised by asking questions such as; 

  • Have we seen successful 3DS from this device and card combination within a predefined period? 
  • Have we seen the same name on a different card from this device successfully authenticate with 3DS?

If so then trust this as if it was a 3DS payment. This would provide the assurance of 3DS, while minimising its adverse impact.
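The questions above can be turned into a step-up decision along these lines. This is an added example, not code from this post or from any processor; the 30 day window, the amount and velocity limits, the field names and the sample payments are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; the post only says "a predefined period" and
# "volume, velocity, amounts" without giving numbers.
THREE_DS_WINDOW = timedelta(days=30)
AMOUNT_FACTOR = 3.0          # allow up to 3x the largest earlier good payment
MAX_ATTEMPTS_PER_HOUR = 3


@dataclass(frozen=True)
class Payment:
    when: datetime
    device_id: str     # stable identifier from the device authentication step
    card_token: str    # tokenised card reference, never the card number
    cardholder: str
    amount: float
    succeeded: bool
    used_3ds: bool


def decide(history, device_id, card_token, cardholder, amount, now):
    """Return (decision, reasons); decision is 'frictionless' or 'challenge_3ds'."""
    good = [p for p in history if p.device_id == device_id and p.succeeded]
    same_combo = [p for p in good if p.card_token == card_token]
    same_name = [p for p in good
                 if p.card_token != card_token and p.cardholder == cardholder]

    def recent_3ds(p):
        return p.used_3ds and timedelta(0) <= now - p.when <= THREE_DS_WINDOW

    reasons = []
    if any(recent_3ds(p) for p in same_combo):
        reasons.append("recent 3DS success for this device and card")
    elif any(recent_3ds(p) for p in same_name):
        # Assumption: the same window is applied to the same-name case.
        reasons.append("recent 3DS success, same name, other card, same device")
    else:
        return "challenge_3ds", ["no recent 3DS evidence for this device"]

    # Behaviour checks: amount against earlier good payments, then velocity.
    baseline = [p.amount for p in same_combo + same_name]
    if amount > AMOUNT_FACTOR * max(baseline):
        return "challenge_3ds", reasons + ["amount out of line with earlier payments"]
    last_hour = [p for p in history if p.device_id == device_id
                 and timedelta(0) <= now - p.when <= timedelta(hours=1)]
    if len(last_hour) >= MAX_ATTEMPTS_PER_HOUR:
        return "challenge_3ds", reasons + ["too many attempts from this device"]
    return "frictionless", reasons


# Constructed sample history.
NOW = datetime(2016, 11, 30, 12, 0)
HISTORY = [
    Payment(NOW - timedelta(days=10), "dev-1", "tok-A", "A. Example", 40.0, True, True),
    Payment(NOW - timedelta(days=45), "dev-2", "tok-B", "B. Example", 25.0, True, True),
]


def demo():
    # Three failed attempts with an unrelated card from dev-1 in the last hour.
    burst = HISTORY + [Payment(NOW - timedelta(minutes=m), "dev-1", "tok-Z",
                               "Z. Example", 5.0, False, False)
                       for m in (5, 10, 15)]
    return {
        "known device and card": decide(HISTORY, "dev-1", "tok-A", "A. Example", 55.0, NOW)[0],
        "unusually large amount": decide(HISTORY, "dev-1", "tok-A", "A. Example", 500.0, NOW)[0],
        "new card, same name": decide(HISTORY, "dev-1", "tok-C", "A. Example", 60.0, NOW)[0],
        "3DS too long ago": decide(HISTORY, "dev-2", "tok-B", "B. Example", 25.0, NOW)[0],
        "card on unknown device": decide(HISTORY, "dev-9", "tok-A", "A. Example", 55.0, NOW)[0],
        "burst of attempts": decide(burst, "dev-1", "tok-A", "A. Example", 55.0, NOW)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```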

 

This requires some innovation and for the issuers, schemes and processors to work together, along with the EBA recognising that this meets the intent of their proposed regulations.

What are the next steps?

Schemes and issuers, work with the processors to enable these benefits.  Accept greater assurances and risk based decisions from processors.  A higher payment acceptance rate and lower fraud, all with minimal effort clearly benefits everyone.

To the EU, EBA and those writing PSD2, engage in the discussion and realise there are ways to meet your intent without adversely affecting the payments ecosystem.  Intelligence and innovation can provide ‘strong authentication’ without the need for any extra complexity in the payments process. We can in fact reduce the friction while improving the security.

 

Everyone involved in the payments ecosystem wants pretty much the same things, let’s be innovative and achieve these in ways that improve the experience for merchants and consumers.  This ultimately improves things for everyone!

 

Feel free to contact me via this blog, or find me on LinkedIn to discuss further and if you’d like to know some more details around how this really can work in practice.

K

Gartner Security and Risk Summit; Cool Vendors

 

Hi All,

I know I promised a post on the insider threat and how to best manage the risk. That is on its way, it’s a big topic!

In the meantime I attended the first day of the recent Gartner Security and Risk Management Summit earlier this week.

While not deeply technical or focussed on a specific risk topic, the presentation on their top 10 ‘cool vendors’ was quite interesting.  In a similar way to my recent ‘Innovative End User Technology Security’ post, this one will hopefully give you some new vendors to consider when solving issues for your business.

The Gartner definition of ‘Cool Vendors’ is that they are;

  • Technologies that help security leaders embrace;
    • New approaches to business enablement
    • New approaches to threat prevention
    • New responsibilities for IoT, OT and embedded systems
  • On the left of their own ‘hype cycle’

They must however be real vendors with solutions that are available today, not vapourware or soon to be released.

The recommendation is that action, even if it is just investigation and understanding, is needed today.  This is to help ensure the security of your organisation today and tomorrow.

Things you should be asking when looking at your organisation’s security architecture and defence in depth / diversity strategy;

What technology areas should information security invest in, to;

  • Protect digital assets from advanced and targeted threats?
  • More rapidly adapt to changing digital business requirements?
  • Support building a next-generation intelligent SOC capability?

Which interesting vendors and solutions should be investigated in order to achieve these goals?

The presentation split the ‘cool vendors’ into 10 categories across 3 groups;

  1. Threat Facing
  2. Enablement and Access Facing
  3. Intelligence-Driven SOC

 

  1. Threat Facing

These are technologies primarily aimed at detecting or preventing malware and attackers.

EDR – Endpoint Detection and Response

New solutions that aim to respond to advanced attacks that evade traditional endpoint protection solutions. If you know compromise is inevitable and are looking at ways to improve your endpoint protection, companies in this space should be considered.

Example players in this space include;

  • Tanium
  • CounterTack
  • Carbon Black
  • Cisco
  • FireEye
  • Cybereason
  • CrowdStrike
  • RSA
  • Ziften
  • Triumfant
  • Confer
  • Bromium
  • Invincea
  • Symantec
  • Intel
  • Trend Micro

Non Signature Approaches for Endpoint Prevention

Solutions that use technologies such as machine learning, exploit prevention and memory injection prevention. The aim of these is to supplement or replace traditional signature based / ‘heuristic’ anti malware solutions. Another possible application is where projects to implement timely patching and maintenance of systems have stalled and compensating controls are required.

Example players in this space include;

  • Cylance
  • Palo Alto Networks
  • SentinelOne
  • Morphisec
  • Bromium
  • Deep Instinct
  • Invincea

Remote Browser

These are solutions that separate the browser function from the local desktop.  The premise being that a lot of attacks originate from malicious or compromised sites on the internet.  If you can separate the browser into a secure environment and effectively just send a video and audio stream to the desktop you can prevent these attacks.  This is the category that the Garrison solution I previously wrote about fits into.

Example players in this space include;

  • Spikes Security
  • Menlo Security
  • Light Point Security
  • Authentic8
  • Fireglass

Microsegmentation and Flow Visibility

These solutions can provide visibility and control of east-west traffic flows across the enterprise. The aim of this is to detect and prevent lateral movement of attackers or malicious users across the network.

Example players in this space include;

  • VMware
  • Cisco
  • Illumio
  • vArmour
  • Trend Micro
  • Catbird
  • CloudPassage
  • GuardiCore

Deception

Technologies designed to deceive attackers into thinking closely monitored security systems are real business systems hosting data they would want to access. These have been around for a long time and are often referred to as ‘honeypots’ or ‘honey nets’. Recently some technologies have become a lot more mature and realistically deployable. Businesses are also increasingly understanding the need for more advanced security solutions.

Example players in this space include;

  • Attivo Networks
  • TrapX Security
  • Cymmetria
  • GuardiCore
  • illusive networks
  • Javelin Networks

 

2. Enablement and Access Facing

Cloud Access Security Brokers (CASB)

The aim of these solutions is to provide a single point of control for cloud use in the organisation.  These can detect, control and apply various security functions such as access control lists and encryption to cloud use.

Example players in this space include;

  • Skyhigh Networks
  • Netskope
  • CipherCloud
  • Microsoft (Adallom)
  • CloudLock
  • Blue Coat (Elastica, Perspecsys)
  • FireLayers
  • Palerra

User and Entity Behavioural Analytics

No presentation this year would be complete without a mention of behavioural analytics of some sort!

The aim of user and entity behavioural analytics is to analyse and correlate user behaviour across systems and networks for indications of malicious behaviour. This is in order to detect things like compromised accounts or malicious insiders.

Example players in this space include;

  • Securonix
  • Gurucul
  • Fortscale
  • Splunk
  • Niara
  • Interset
  • E8 Security
  • LightCyber
  • Microsoft
  • Rapid7
  • Exabeam
  • Forcepoint
  • Bay Dynamics
  • Bottomline Technologies
  • Cynet Systems
  • Dtex Systems

Pervasive Trust Services

This is a particularly interesting area.  These are trust services that are designed to scale to cover billions of devices, including IoT devices that may have limited processing capability.

This requires a fundamental paradigm shift to the web of trust model with distributed consensus.  We must realise trust is shades of grey, not the traditional yes / no authentication.  If the trust is higher than the risk, proceed.

This is another area I’m likely to write up in more detail as it is an exciting space.  Likely to become a lot more relevant as IoT grows, and also as regulations like PSD2 / GDPR come into play that require more identification and authentication for every payment.

Example players in this space include;

  • Certes Networks
  • CSS
  • ForgeRock
  • ARM Holdings (Sansa Security)
  • Guardtime
  • Hyperledger Project
  • Tyfone

Security Testing for DevOps

Tools and solutions that enable the integration of security testing into the automated DevOps workflow.  This enables secure development and applications, without adversely impacting delivery timelines.

Example players in this space include;

  • Hewlett Packard Enterprise (HPE)
  • IBM
  • Veracode
  • Amazon
  • Contrast Security
  • Synopsys (Quotium)
  • Immunio
  • SecuPi
  • Sonatype
  • Black Duck

3. Intelligence-Driven SOC

These are solutions that aim to provide greater intelligence and orchestration to the SOC (Security Operations Centre) in order that it can scale and spot the key security events.  These tools also enable greater use of threat intelligence feeds to support the SOC.

Example players in this space include;

  • CyberSponse
  • Hexadite
  • I.D. Systems
  • Phantom Cyber
  • Swimlane
  • IBM (Resilient Systems)
  • FireEye (Invotas)

 

I hope this has provided a useful overview of some key areas you should be thinking about in your security strategy. The companies to look into are a mix of new players and more established companies trying to get into new areas either via development or acquisition – as always interesting times in the security space!

Many of these, especially areas like behaviour analytics and trust are getting a lot of hype, so be prepared for questions from your more security aware board members!

Feel free to ask any questions you have.

K

 

 

Innovative End User Technology Security

Back to something more ‘exciting’ than getting the basics right (which is and always will be critical).

Everyone knows how important it is to apply the myriad of ‘standard’ controls to end user environments such as patching, anti-malware, host IPS, DLP (Data Leakage Prevention), running with minimum permissions and proxying all external access.

However the end user environment still poses the greatest threat to many organisations. This is through a combination of the challenges faced in securing these environments, and the fact that people are often the weakest link in security either due to error, manipulation or malicious activity.

How many end user environments really have all the controls, applied appropriately and consistently to all devices and all users?  This becomes especially true when you consider how broad the end user environment is in many companies in terms of both locations and devices.

How many companies really have a full appreciation of and appropriate control of the ‘insider threat’? When I say insider threat I don’t just mean malicious insiders, I’m referring to all the ways insiders can be a threat to your systems and data, from breaching the rules with the best intentions, through accidental error and clicking the phishing link, to being coerced, all the way to the genuinely malicious people.

I’ll be writing a post on the insider threat and how to mitigate it in the near future, keep your eyes peeled!

In light of this I have recently been looking at how to best secure the end user environment, with a view to newer, more innovative solutions.  There are some very interesting innovations occurring in this space at the moment that provide additional / complementary or better protection than the more traditional solutions.

Four of the most interesting solutions I have looked into recently are;

  1. Garrison Technology – http://www.garrison.com/ – providing safe browsing
  2. ReSec – http://www.re-sec.com/ – ensures all the files that get to your end user environment are safe; creates replica files with no harmful content
  3. Hypori – http://www.hypori.com/ – virtual mobile infrastructure
  4. Ionic Security – https://www.ionic.com/ – ACL based encryption, anywhere

What do these companies do, and why do I think they are worth highlighting?

Garrison;

The risks associated with web browsing are well known and documented, whether from accessing malicious sites, or accessing ‘trusted’ sites that have been compromised. There are various software solutions that claim to segregate / isolate your browser or its tabs from the rest of the O/S, such as Bromium. If you have concerns with relying on software based security and the fact that the isolation solution could itself be compromised or circumvented by malware on the O/S then there are few choices to provide a good user experience and security when browsing the web.

One relatively new company that is just coming out more publicly that has a great solution to the problem is Garrison Technology.  They provide a hardware solution using ARM chips in a server platform.  These are configured in pairs to provide a solution where the end user device effectively watches a ‘video’ of the internet sites they are browsing.  Even if there is malicious content, all the end user device sees is an image of the content, not the content itself.  I can’t go into too much detail here yet, but the solution appears very complete, allowing images, video, audio etc to be seamlessly viewed in the browser, and also permitting keyboard and mouse data to be sent to the site, so you can browse as normal.  All while effectively having genuine physical isolation from the internet!

There are definitely some great use cases here, an example would be protecting your users with access to the most sensitive data.

ReSec;

Malicious files reaching the end user environment are a huge risk, whether as email attachments or downloaded files.  For many years the anti malware industry has been playing catch up with increasingly complex solutions comprising traditional AV, heuristics engines, virtual execution environments etc.

How much safer would you be if the files reaching the end user environment were guaranteed to be safe and free from malware?

This is now possible: ReSec offer a solution that will decompose files like PDFs and Office documents, then rebuild the content into known good templates that contain no malicious content.  They call this Disarm and Reconstruction.  Using this technology, any potential malicious content isn’t just blocked or stripped out; the whole file is recreated containing only known good content.

This capability is obviously starting to get noticed, as I have seen some similar capabilities in Check Point literature, so it may be becoming more mainstream in the near future.
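The decompose-and-rebuild approach described above, shown as an added example that is not ReSec's code or part of the original post: it reads only paragraph text from a .docx package and writes it into a fresh package built from a fixed template, so macro parts and field instructions are never copied. The function names, the template and the sample file are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PKG = "http://schemas.openxmlformats.org/package/2006"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Assumed known-good template: the only fixed parts a rebuilt package contains.
TEMPLATE = {
    "[Content_Types].xml": f'<Types xmlns="{PKG}/content-types"><Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "_rels/.rels": f'<Relationships xmlns="{PKG}/relationships"><Relationship Id="rId1" '
        f'Type="{REL}/officeDocument" Target="word/document.xml"/></Relationships>',
}

def extract_paragraphs(docx: bytes) -> list[str]:
    """Decompose: read only paragraph text (w:t) from the untrusted package."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        xml = z.read("word/document.xml")
    if b"<!DOCTYPE" in xml:  # OOXML parts need no DTD, so refuse entity tricks
        raise ValueError("DTD not allowed in document part")
    return ["".join(t.text or "" for t in p.iter(f"{{{W}}}t"))
            for p in ET.fromstring(xml).iter(f"{{{W}}}p")]

def rebuild(docx: bytes) -> bytes:
    """Reconstruct: write the text into a fresh package; no input part is copied."""
    body = "".join(f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>'
                   for p in extract_paragraphs(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, part in TEMPLATE.items():
            z.writestr(name, part)
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>')
    return out.getvalue()

def constructed_sample() -> bytes:
    """Constructed input: a document part plus a placeholder macro part."""
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Invoice 42</w:t></w:r></w:p>'
           '<w:p><w:r><w:instrText>CONSTRUCTED-FIELD-CODE</w:instrText></w:r>'
           '<w:r><w:t>Total: 10 &amp; 5</w:t></w:r></w:p></w:body></w:document>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED-MACRO-PLACEHOLDER")
    return out.getvalue()
```

Because nothing is copied from the input, anything the extractor does not understand (formatting, images, embedded objects) is lost; that loss is the trade-off this approach makes.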

Hypori;

This is a very interesting one; they offer cloud based mobile phone capabilities.  The idea here is that mobile devices are holding more and more data, and are being permitted to access more of our environments.  As such they are becoming an increasingly attractive attack vector.  Mobile devices can also be notoriously hard to control, especially when you need to balance control with usability expectations.

What if you could move all of your phone’s capabilities to a secure, managed cloud based virtual ‘phone’, effectively turning your smartphone into a glorified terminal?

Hypori offer just such a solution with the capability to support calls, SMS, applications, video calls, in short pretty much everything your phone can do locally.  The key benefit here is that there is never sensitive data on the phone; it is all on the virtual device in the cloud.  So if your phone is hacked or lost, there is no risk to your data.

If you are working on your mobile strategy or have an upcoming mobile refresh I’d highly recommend investigating this or similar solutions.  Like the Garrison solution above, executives and key users with access to sensitive systems and data would be great initial use cases.  Depending on where you work geographically, I can think of a few countries where providing this solution to your teams would definitely benefit your security posture!

Ionic Security;

Encryption, encryption, encryption!  This is definitely one of the topics of the moment.  Many organisations are getting pretty good at encryption of data at rest, and basic encryption of data in transit.  But how do we ensure our data stays encrypted wherever it is, whatever device it is on?

With most solutions, once a permitted user has access to the data they can then save it or forward it on unencrypted.  This is to me a pretty large hole in most companies’ data security strategies.

Ionic have a solution that plugs into various applications such as office tools and embeds itself into each file that is created. Using uniquely generated key pairs for each file, or element in the file, Ionic encrypts the data based on ACLs.

Then no matter where the file is sent or what device it is on you can only open the file or see the redacted elements if you have the Ionic solution and are listed in the ACLs.

It has a pretty decent user experience with a ‘splash’ page being shown if you can’t access the file informing you what you need to do, and all the key management is internal to the solution with the capability to scale to trillions of key pairs.

Having seen a demo of this I can agree it is easy to use and appears to work pretty seamlessly.  There are some excellent use cases outside of the obvious one of all your files always being encrypted and no one being able to access them who is not permitted to.  Think for example of a legal document where some of the content is public, but certain elements such as company names or monetary amounts may be highly confidential.  In this example you can encrypt just those ‘elements’ that need to be confidential so only the valid users can see those and for everyone else they are redacted.  You can also have different permissions, e.g. some people can view and some can edit a document or element within the document.

I hope you have found this interesting; I’ll write up some more details on these and other solutions as we progress our investigations.  What solutions and capabilities are you currently looking at to secure your end user environments?

K

Justifying Security Spend

Given that this often relates to proving a negative, justifying security spend can be extremely challenging.  Before we continue, I’ll freely admit I don’t have all the answers here, but wanted to share some of the things I’ve been thinking about and discussing recently about just how hard this is, and possible ways to help.

We weren’t hacked therefore we spent enough..  Did we spend too much?  Could we spend less and still ‘not be hacked’?

We suffered a data leak; did we not spend enough?  Did we spend on the wrong things?

One example I am using to demonstrate how hard it could be to justify seemingly obvious security spend is around DDoS.

Take the following scenario;

Your organisation has suffered some DDoS incidents; these were volumetric attacks, and the board urgently wants protection from these types of attacks in place.  You duly implement a premium cloud service, and provide them with an overview of the service and how it protects against volumetric attacks.  Over the next few months the service proves its worth and protects the business from any further attacks.

The next year, gaining approval for spend on this service is easy; everyone knows what it does and that it is needed.

Over time volumetric attacks against your business cease to occur, and a couple of years later the board are challenging the need for a large spend on protection from these attacks.

However, the question clearly is: did the attacks cease because you are no longer a target of this type of attack, or because it is common knowledge you have very effective protection so there is no point in launching these attacks against you?

From this example you can see that justifying spend on something as seemingly obvious as DDoS protection could be challenging: how do you go about proving why the malicious actors have not done something?

Taking another example I read in the most recent issue of the ISACA magazine;

Before the Best Buy breach, what were the chances that they would be a target and suffer a breach?  After the Best Buy breach, what are the odds they will be breached again?

 

We have models for things we think we can predict, from sporting events to the weather, that have varying degrees of accuracy.  However, the various malicious actors that could be targeting your organisation do not act in ways we can easily predict and quantify.

So, given this, how do we clearly state to the wider business the actual likelihood of an event, and the impact?

I’ll leave the impact discussion for now, but while it may seem more obvious, consider the wide range of impacts and how hard they can be to accurately quantify.  It is relatively easy to state how much you lose for a given amount of downtime, but how long does reputational damage last? How many sales are lost over the next year with downtime or a breach being factors in the customer’s decision? etc.

Some key things to help this situation include;

  • Moving the security discussion from IT to the ‘business’; all security risks are actually business risks, or translate directly to business risks.
  • Running scenario based exercises with the board to understand their risk appetite and educate them around what can happen and the impacts it would cause.
  • Gathering industry information on the prevalence of attacks and breaches against what are considered ‘peer’ organisations to understand the threat landscape you are operating in.

What are your thoughts?

How are you ensuring the executive board and the wider business understand the need for the security spend and how you are managing risk?

Thanks!

 

K