Altabel Group's Blog

Archive for the ‘Security’ Category

By 2020, more than 24 billion internet-connected devices will be installed globally — that’s more than 4 devices for every human on earth.

The Internet of Things first reached users on PCs. Then it migrated to smartphones, tablets, smartwatches, and TVs.

This growth surely brings several benefits, as it will change the way people fulfill everyday tasks and potentially change the world. Having a smart home is undoubtedly cool and will amaze your guests, but smart lighting can also reduce overall energy consumption and lower your electric bill.

New developments would allow connected cars to link up with smart city infrastructure to create an entirely different ecosystem for the driver, who is simply used to the traditional way of getting from Point A to Point B. And there are many other examples of positive changes IoT may bring to our lives.
But with all of these benefits comes risk, as the increase in connected devices gives hackers and cyber criminals more entry points.

Late last year, a group of hackers took down a power grid in a region of western Ukraine to cause the first blackout from a cyber attack. And this is likely just the beginning, as these hackers are looking for more ways to strike critical infrastructure, such as power grids, hydroelectric dams, chemical plants, and more.
What is already being done to Secure The IoT?

The good news about IoT security is that, having previously been ignored, it has now become an issue of high concern, even at the federal government level. Several measures are already being taken to plug holes and prevent security breaches at the device level, and efforts are under way to tackle major disasters before they come to pass.

Now security firms and manufacturers are joining ranks to help secure the IoT world before it spins out of control. IT giant Microsoft has started taking measures and has promised to add BitLocker encryption and Secure Boot technology to Windows 10 IoT, its operating system for IoT devices and platforms such as the Raspberry Pi.

BitLocker is an encryption technology that can code entire disk volumes, and it has been featured in Windows operating systems since the Vista edition. This can be crucial to secure on-device data. Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer. Its implementation can prevent device hijacking.

The IoT security issue has also given rise to new alliances. A conglomeration of leading tech firms, including Vodafone, founded the Internet of Things Security Foundation, a non-profit body that will be responsible for vetting Internet-connected devices for vulnerabilities and flaws and will offer security assistance to tech providers, system adopters and end users.

Other companies are working on setting up platforms that will enable large networks of IoT devices to identify and authenticate each other in order to provide higher security and prevent data breaches.

What should we know to protect ourselves and minimize risks of hacking attacks?

Security must be addressed throughout the device lifecycle, from the initial design to the operational environment:

1. Secure booting: When power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures. In much the same way that a person signs a check or a legal document, a digital signature attached to the software image and verified by the device ensures that only the software that has been authorized to run on that device, and signed by the entity that authorized it, will be loaded. The foundation of trust has been established, but the device still needs protection from various run-time threats and malicious intentions.

2. Device authentication: When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data. Deeply embedded devices often do not have users sitting behind keyboards, waiting to input the credentials required to access the network. How, then, can we ensure that those devices are identified correctly prior to authorization? Just as user authentication allows a user to access a corporate network based on user name and password, machine authentication allows a device to access a network based on a similar set of credentials stored in a secure storage area.

3. Firewalling and IPS: The device also needs a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device.

4. Updates and patches: Once the device is in operation, it will start receiving hot patches and software updates. Software updates and security patches must be delivered in a way that conserves the limited bandwidth and intermittent connectivity of an embedded device and absolutely eliminates the possibility of compromising functional safety.

What is evident is that the IoT will play an important role in our lives in the near future, and its security is one of the major issues that must be addressed via active participation by the entire global tech community. The next several years will show whether all of these innovations will revolutionize the world or bring us to a new era of digital insecurity and chaos. Time will tell.


Yana Khaidukova

Business Development Manager

E-mail: yana.khaidukova@altabel.com
Skype: yana_altabel
LI Profile: Yana Khaidukova


Altabel Group

Professional Software Development

E-mail: contact@altabel.com
www.altabel.com

Blacklisted apps and password protection issues remain a top security concern for organizations with a mobile workforce.

Password protection and application security are high on the list of security concerns as more organizations move to mobile first and Bring Your Own Device (BYOD) strategies.

Creating app blacklists and whitelists

File sharing apps are the most common blacklisted apps in the enterprise. The top five blacklisted apps include Dropbox, SugarSync, Box, Facebook, and Google Drive. Figure A shows the top 10 list of blacklisted iOS and Android apps amongst Fiberlink customers:

[Figure A: top 10 blacklisted iOS and Android apps among Fiberlink customers]

The top concern for most corporations is knowing that their data is safe and always in the right hands. Blacklisting can play a role, but we find that there are both right and wrong times to restrict apps. For instance, restricting an app for no reason is a quick way to get your BYOD deployment to backfire. Even on corporate-owned devices, blacklisting apps can make employees unhappy.

Right now, blacklisting occurs on 10% of the devices, prohibiting a specific app or apps from running. This means that IT is trying to ensure the intended use of the device and prevent the loss of corporate data, which is considered a major security risk. Blacklisting, and even whitelisting where appropriate, is recommended.

Figure B shows the top 10 list of whitelisted iOS and Android apps:

[Figure B: top 10 whitelisted iOS and Android apps]

First, define the purpose for creating the blacklist. Many assume that blacklisting is a practice predominantly utilized for security purposes, but businesses also blacklist time-wasting applications — such as Angry Birds — to manage employee productivity. Blacklisting can also help with those apps that dramatically increase data-transfer demands on the network, such as Netflix.

Second, create a rubric for scoring apps or criteria for deciding which apps should be blacklisted. Once it has been decided whether the focus is to complement security or to decrease distraction among employees, define success criteria and establish the rubric. For example, if the concern is employee productivity, one may want to allow (not blacklist) file-transfer apps similar to Dropbox. But if security is the key driver, Dropbox would typically be blacklisted.

Third, consider whitelisting instead of blacklisting. If security is the main concern, whitelisting is the better option, as it allows businesses to have absolute control over which apps employees are approved to use. With blacklisting, all apps are allowed, except a few that are specifically forbidden — thus, there is more room for employees to work around restrictions and simply utilize apps that aren’t on the blacklist. In that sense, blacklisting is the Maginot line of app security. With whitelisting, on the other hand, only approved apps are allowed to be used and all others are forbidden, which makes for a more secure position, but can be politically difficult to manage in the enterprise.

The policies should also be communicated across the enterprise. In particular, employees need to know why the restrictions have been put in place and how they will benefit the company. Clearly communicating these policies is key to making employees feel comfortable with the restrictions.
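The three steps above (pick the driver, score apps against a rubric, then choose blacklist or whitelist enforcement) can be made concrete in a small policy evaluator. The following is an added example and not code from the original post or from Fiberlink; the app catalogue, the tag names, the rubric weights and the threshold are all constructed assumptions for illustration. The last function shows the "Maginot line" property the post describes: an app nobody has catalogued slips through a blacklist but is stopped by a whitelist.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    tags: frozenset  # constructed categories such as "file-sharing", "game", "streaming"

# Constructed catalogue. App names follow the post's examples; the tags are assumptions.
CATALOGUE = [
    App("Dropbox", frozenset({"file-sharing"})),
    App("Box", frozenset({"file-sharing"})),
    App("Facebook", frozenset({"social"})),
    App("Angry Birds", frozenset({"game"})),
    App("Netflix", frozenset({"streaming"})),
    App("Outlook", frozenset({"productivity"})),
]

# Step 2: the rubric. Each driver weights the tags it cares about; an app whose
# summed score reaches THRESHOLD is restricted under that driver. Weights are assumed.
RUBRICS = {
    "security":     {"file-sharing": 3, "social": 2},
    "productivity": {"game": 3, "streaming": 3, "social": 2},
}
THRESHOLD = 2

def score(app: App, driver: str) -> int:
    """Sum the rubric weights of every tag the app carries under the chosen driver."""
    return sum(RUBRICS[driver].get(tag, 0) for tag in app.tags)

def build_blacklist(catalogue, driver: str) -> set:
    """Apps that score at or above the threshold: forbidden, everything else allowed."""
    return {a.name for a in catalogue if score(a, driver) >= THRESHOLD}

def build_whitelist(catalogue, driver: str) -> set:
    """Apps that score below the threshold: approved, everything else forbidden."""
    return {a.name for a in catalogue if score(a, driver) < THRESHOLD}

def allowed(app_name: str, policy: set, mode: str) -> bool:
    """Step 3: blacklist mode permits anything not listed; whitelist mode permits only what is listed."""
    if mode == "blacklist":
        return app_name not in policy
    if mode == "whitelist":
        return app_name in policy
    raise ValueError(f"unknown mode: {mode}")

if __name__ == "__main__":
    for driver in RUBRICS:
        print(driver, "blacklist:", sorted(build_blacklist(CATALOGUE, driver)))
    # An app that was never scored (constructed name) is the interesting case.
    bl = build_blacklist(CATALOGUE, "security")
    wl = build_whitelist(CATALOGUE, "security")
    print("uncatalogued app under blacklist:", allowed("SomeNewSyncApp", bl, "blacklist"))
    print("uncatalogued app under whitelist:", allowed("SomeNewSyncApp", wl, "whitelist"))
```

Note that the same rubric machinery produces opposite results for Dropbox depending on the driver, which is exactly the point of deciding the purpose before building the list.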

Improving password protection over mobile devices

Below you may find the following best practices for employee passwords:

  • Require employees to create passwords that are at least 10 characters in length and to use the widest character set possible, including alphabetic (upper and lower case), numeric, and special characters (punctuation)
  • Mandate that employee passwords not include words or names, because anything that can be found in a dictionary can be cracked in minutes (even when the word is part of the password — like “James123” — it’s easily discovered with modern computing power)

Manage and protect passwords by employing salted password hashing. Hash algorithms are one-way functions that turn passwords into irreversible, fixed-length digests. The passwords are stored in a form that is impossible to reverse. When employees create an account and a password, the password is hashed, the hashed result is stored, and the original plain-text version of the password is never stored in the system.

When the employee tries to log in, the hash of the password they entered is compared to the hash stored for them in the database. To further protect the password, the hash is salted. A salt is extra, per-user random data mixed into the hashing process, so that if two people have created the same password, the two hashed versions stored in the database will be different. With salting, if a hacker figures out one employee's password, they can't determine other passwords by looking for matching hashes in the database. Salting also makes the process of reversing a hash much more complicated and time-consuming for hackers.
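The account-creation and login flow just described, as an added example that is not code from the original post: each account gets its own random salt, only salt and digest are stored, and login recomputes the digest and compares it in constant time. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and the sample accounts are constructed for illustration. The last helper exists only to demonstrate why salting matters: two employees who picked the same password end up with different stored digests.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for illustration; tune the iteration count for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def create_account(store: Dict[str, dict], user: str, password: str) -> None:
    """Store only salt and digest; the plain-text password is never written anywhere."""
    salt, digest = hash_password(password)
    store[user] = {"salt": salt, "digest": digest}

def verify_login(store: Dict[str, dict], user: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare without short-circuiting."""
    record = store.get(user)
    if record is None:
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])

def digests_match(store: Dict[str, dict], user_a: str, user_b: str) -> bool:
    """True only if two accounts share a stored digest (never the case with per-user salts)."""
    return store[user_a]["digest"] == store[user_b]["digest"]

def unsalted_digest(password: str) -> bytes:
    """Contrast case: without a salt, equal passwords produce equal digests."""
    return hashlib.sha256(password.encode("utf-8")).digest()

if __name__ == "__main__":
    accounts: Dict[str, dict] = {}
    # Constructed sample accounts; both deliberately choose the post's weak example password.
    create_account(accounts, "alice", "James123")
    create_account(accounts, "bob", "James123")
    print("same stored digest (salted):", digests_match(accounts, "alice", "bob"))
    print("same digest (unsalted):", unsalted_digest("James123") == unsalted_digest("James123"))
    print("alice login ok:", verify_login(accounts, "alice", "James123"))
    print("alice wrong password:", verify_login(accounts, "alice", "james123"))
```

`hmac.compare_digest` is used instead of `==` for the login check so that the comparison takes the same time regardless of where the first differing byte is.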

Here are some of best practices for passwords on employee mobile devices:

  • Limit the amount of time an employee's password can exist
  • Require users to have different passwords on different devices, accounts, or systems
  • Create and enforce a corporate policy that sanctions employees for sharing their passwords with others

Here are best practices for governing passwords:

  • Encourage employees to have device-level passcodes. Even if this is for personal benefit and not mandated by IT, employees should have some protection for the personal information on their devices. On some operating systems, creating a passcode also enables encryption.
  • Require a passcode to access corporate information, such as corporate e-mail and documents. These passcodes can be more complex than the basic four-digit PIN at the device level.
  • Enforce advanced passwords when accessing very important information. If an employee is accessing a network resource, like SharePoint or their network folder to open a Word document, you should prompt them for their Active Directory credentials. This goes beyond the security level of a four-digit PIN.
  • The combined approach of these passcodes and passwords will help ensure the device, data, and apps are protected without being overbearing to the employees.

Conclusion

I hope you've found some good, actionable advice here for enterprises of all sizes about implementing application blacklists and whitelists, plus improving password protection over corporate and BYOD mobile devices.

Does your organization have a passcode requirement, or has it implemented mobile app blacklists and whitelists? Describe your experience in the discussion thread below.
Kristina Kozlova

Marketing Manager
