The security industry has faced a variety of challenges throughout 2020. The pandemic put pressure on security and IT operations and shone a spotlight on underlying issues many organizations were facing in terms of their digital transformation and security posture. If that wasn’t enough, the threat landscape also shifted and is now more volatile than ever.
As security leaders prepare to handle what lies ahead in 2021 and beyond, there are three key trends they should pay special attention to: the increase in adoption of policy-based security models, new ransomware threats and greater utilization of artificial intelligence.
Adoption of policy-based security models
The prospect of moving an onsite workforce to a remote setting had a huge impact on many organizations, as they realized they weren’t ready for such a dramatic shift. Moving to remote work due to COVID-19 exacerbated the shortcomings of the traditional enterprise perimeter security model. This led to more organizations choosing policy-based security models, such as Zero Trust, to ensure the protection of their employees while remote work continues to be a norm.
As remote work becomes more normalized beyond the pandemic, a Zero Trust model, rather than equating trust with a corporate network location, analyzes information about the user, data, applications and devices to contextualize security risks and dynamically adapt access rights. Successful adoption will depend on organizations fully integrating various tools within their environment, from authentication systems and network security appliances to endpoint detection and response.
Increase in data breaches and ransomware attacks
Attackers are constantly changing their methods, resulting in new and evolving risks. It is important for companies to be prepared and aware of new threats to stay ahead of them and protect their data from any potential compromise.
Looking ahead, companies should expect to see an increase in ransomware, with bad actors increasingly threatening to expose encrypted files if the companies refuse to pay a ransom. Organizations have begun to do a good job in building, testing and operationalizing their office backup strategies to mitigate the risk of ransomware. Unfortunately, most of these organizations have failed to mitigate the actual risks: if data has been compromised before, whether directly from the company or through third parties, threat actors will still be able to gain a foothold into the company’s assets. The focus moving forward should be on ensuring they have robust backup and data recovery strategies that can help address the systemic weaknesses attackers are exploiting.
We’re also going to see a considerable increase in the use of illicit OAuth 2.0 grants to compromise accounts. In general, organizations have created better phishing awareness programs, increased multifactor authentication, and created rules to detect anomalous logons; however, attackers have shifted to tricking users into illicit OAuth 2.0 grants. To prepare, companies should limit which applications can request OAuth 2.0 grants from end users or disallow specific OAuth 2.0 scopes from ever being granted.
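One way to check existing consent grants against the two controls suggested above (an application allowlist for end-user consent and a list of scopes that must never be granted), as an added example that is not from the original post. The record fields, client IDs and scope names are constructed for illustration and do not correspond to any particular identity provider's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One consent grant record. The field names are hypothetical."""
    client_id: str
    user: str
    scope: str         # space-delimited scope string (RFC 6749, section 3.3)
    consent_type: str  # "user" (end-user consent) or "admin"


# Assumed policy values, constructed for this example.
APPROVED_CLIENT_IDS = frozenset({"crm-prod-01", "calendar-sync-02"})
DENIED_SCOPES = frozenset({"mail.readwrite", "files.readwrite.all"})


def audit_grant(grant):
    """Return the list of policy findings for a single grant (empty if clean)."""
    findings = []
    scopes = set(grant.scope.split())  # scope tokens are case-sensitive
    approved = grant.client_id in APPROVED_CLIENT_IDS

    # Control 1: end users may only consent to allowlisted applications.
    if grant.consent_type == "user" and not approved:
        findings.append("unapproved_app_user_consent")

    # Control 2: some scopes are never to be granted, whoever consented.
    for name in sorted(scopes & DENIED_SCOPES):
        findings.append(f"denied_scope:{name}")

    # offline_access asks for a refresh token, so the application's access
    # outlives the user's session; flag it for applications off the allowlist.
    if "offline_access" in scopes and not approved:
        findings.append("persistent_access_unapproved_app")
    return findings


def audit(grants):
    """Map (client_id, user) to findings, for grants that violate the policy."""
    return {(g.client_id, g.user): f for g in grants if (f := audit_grant(g))}


# Constructed sample data, not taken from any real tenant.
SAMPLE_GRANTS = [
    Grant("crm-prod-01", "alice", "openid profile contacts.read", "user"),
    Grant("invoice-viewer-99", "bob", "openid mail.readwrite offline_access", "user"),
    Grant("calendar-sync-02", "carol", "calendars.read files.readwrite.all", "admin"),
    Grant("backup-tool-07", "dave", "files.read", "admin"),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_GRANTS).items():
        print(key, findings)
```
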
Utilization of Artificial Intelligence
We will see an increased utilization of AI particularly within the IoT and OT industries, given the technology’s ability to help automate many tasks to reduce costs and improve productivity. However, as security leaders decide to adopt AI, they will need to prioritize the integrity of the data and make sure basic cyber hygiene protocols are in place.
Utilizing AI without the basics – from asset and patch management to user awareness – will only exacerbate the number of breaches we will see, as simpler exploits will be able to leverage any weak spots.
Looking ahead to 2021 and beyond, organizations need to be prepared to secure their resources no matter where they are accessed from. Leaders will need to make sure they add security-based policies to their business continuity plans, as well as understand how threats are shifting and how to adopt new technologies to mitigate potential risks.
This blog was originally featured in VMblog.com
The Internet of Things (IoT) is fast turning into an intrinsic part of the digital transformation for industries such as utilities, transportation or manufacturing. The market is expected to reach a value of $922.62 billion by 2025, becoming one of the biggest catalysts for new emerging technologies.
Although Industrial IoT (IIoT) adoption offers benefits ranging from automating and optimizing the business to eliminating manual processes and improving overall efficiencies, security continues to be an afterthought, one that creates risk that industrial organizations are ill-equipped to manage.
The Trickle-Down Effect
The lack of mature security frameworks and the breadth of security considerations are big barriers for the improvement of IoT security. Today, there is no common approach to cybersecurity in IoT, which leaves the door open for device manufacturers to take their own approach, resulting in undeveloped or underdeveloped standards to guide adoption of IoT security measures and best practices.
In many cases, manufacturers designing IIoT devices are challenged to integrate effective security controls into the product design, which results in devices having little to no encryption for securing data at rest or in transit. Because security is not built into the device at the onset, users struggle with securing them after they have been implemented, constantly leaving the door open to potential cyber-attacks, which could lead to operational downtime, loss of customer data and even end-user safety hazards.
This challenge becomes compounded as users come up against other complicating factors, such as:
- Complexity of the ecosystem – an IIoT ecosystem is an amalgamation of diverse, dynamic, independent, and legacy devices that intertwine communication protocols, interfaces, and people. Such complexity hampers the ability of IT security professionals to even start with the most basic cyber hygiene, such as changing default passwords, keeping an inventory of hardware and software components on the company network or patching applications regularly.
- Intricate monitoring and management – the more complex an environment, the more likely it is that IT administrators lack visibility, access, and control over one or more of its components. Moreover, the deployment of IoT devices on legacy infrastructures and non-IP based devices also exacerbates the IT administrators’ inability to monitor and control these devices.
- Lack of IoT security awareness and knowledge – the lack of understanding of connected devices and architecture security poses a significant challenge. Most organizations don’t have a full understanding of the risk and exposures they face to protect their devices or the real impact (both positive and negative) those devices have on their security posture.
Thinking of security as an afterthought is one of the most common mistakes when building or adding new connections. IIoT can be effectively disruptive if done properly; when done poorly, it creates unnecessary risks.
Industrial IoT Security – Partnering for IIoT Security Success
Many organizations don’t have the skills needed to maintain, let alone build their IIoT security architecture. For that same reason, they should consider partnering with specialists when moving into this space.
Managed security service providers (MSSPs) are adapting offerings to address the needs of complex IIoT environments. As IIoT devices have different application requirements, deployment conditions and networking needs than traditional enterprise environments, MSSPs are investing in specialized capabilities to understand how to configure devices for at-scale operations and to ensure that best practices are followed for both preventative and real-time maintenance.
Businesses considering partnering with an MSSP should take into account the expertise, resources, and services their potential partner will bring to the table. They need to look for a provider that will deliver leading-edge security features such as threat intelligence and monitoring, data correlation and device management and support, while also understanding the differences between monitoring traditional networks with these unique technologies. Leadership will also need to revisit policies and procedures on risk management through an IIoT lens and use audits and assessments as enablers for the application of relevant security controls.
The influx of IoT devices has opened up new entry points into enterprise networks that cybercriminals can exploit. Whether it is in a new connection or an extension of a legacy architecture, cybersecurity must be at the core of the IIoT implementation. Organizations will need to take a defense-in-depth approach to cybersecurity if they are to be better prepared to face the threats targeting IIoT. This starts by identifying the challenges their implementations present, from the increased complexity to awareness and management. The point behind IIoT is to create a seamless connection between people, devices, and networks and drive efficiencies on an industrial scale. If this is to be achieved, cybersecurity is the one guest that cannot be late to the party.
This article was originally featured in IoT For All.
The IoT market continues to grow, with investments expected to top $1 trillion by 2020, according to IDC. With the rollout of 5G, Ericsson forecasts that the number of cellular IoT connections is expected to reach 3.5 billion by 2023, and DBS Asian Insights predicts that IoT devices and services will reach an inflection point of 18-20% adoption in 2019 alone.
Security continues to be one of the greatest barriers to IoT adopters in 2019. Insecure components, prevalent malware and shortsighted attempts to apply traditional security measures to IoT networks act as formidable challenges to these adopters. Heeding this new zephyr, threat actors are also adapting and innovating new attack services and hacking tools that will be more complicated and more difficult to detect and respond to. Accordingly, we can anticipate a substantial increase in supply chain attacks, IoT botnets, and cryptominers alike.
We predict that device manufacturers will put an increased focus on security in 2019 versus previous years, but the number and scope of attacks will continue to rise. Microsoft reports that more than 90% of consumers want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in. This demand will drive innovation and increased adoption of trusted hardware and software systems. It will also force manufacturers to adopt and adhere to industry recommendations for data management and privacy, bring about increased awareness of supply chain security management and so forth. Manufacturers will also look to include bug bounty programs and responsible disclosure programs for manufactured and deployed devices to improve the security of their products.
Alternatively, consumers will also pay heed to IoT security governance and adopt processes and technologies that assist in the governance of the IoT landscape — an amalgam of several technologies comprised of the cloud, device, mobile, edge devices and so forth. For instance, they will look for IoT monitoring systems and platforms for better visibility and management, data protection technologies for better security and privacy, cloud protection technologies and active threat detection technologies.
Moreover, consumers and manufacturers alike will invest heavily in technologies that assist them in determining the maturity of their security programs. Companies will also look to cyber-risk insurance to safeguard their business from formidable cyberattacks.
Furthermore, as IoT security products and services innovation and adoption gains momentum, assisting technologies, such as machine learning, artificial intelligence and blockchain, will make strong and forced inroads into IoT security products, assisting in building improved trust, threat detection, identity management, and data and device management at scale. But, to a large extent, government regulations will bring about a culture of shared responsibility for protecting the IoT landscape.
This article was originally featured in IoT Agenda.
Today, we are announcing the launch of our new Blockchain Security Center, a full-service practice that represents the culmination of decades of experience securing our clients’ businesses. The Center’s goal is to enable our clients to securely transform their enterprises using the power of blockchain and other Digital Ledger Technologies (DLT).
We believe that Kudelski Security is well-positioned to serve enterprises as they venture into the world of blockchain and DLT. Our 30 years of leadership in cryptography, data protection, and secure system design prepare us to partner with clients on their most innovative endeavors.
Why Blockchain? Why Now?
Blockchain is exiting its honeymoon phase. The unprecedented boom of 2017 followed by the Great Crypto Crash of 2018 has shifted much of the mainstream opinion from “miraculous” to “frivolous”. This opinion shift is valid to an extent; blockchain is not the solution to every problem. The bubble surrounding the boom, much like the technology bubble of the early 2000s, was destined to pop at some point. However, not all is lost. While the starry-eyed optimism of technology enthusiasts coupled with the “get rich quick mentality” of the ill-informed got us here, robust and sensible solutions for the enterprise will lead the way on.
Looking beyond cryptocurrency, we believe that enterprises are the future of blockchain. Blockchain and related DLT allow business leaders to disrupt old processes in a way that will impact bottom-line results and shape future markets. We have seen blockchain enable our clients to rethink their businesses far beyond the typical cryptocurrency scenarios, and we are confident that the long-term impact of the technology will be great enough to one day be immortalized in textbooks.
There are plenty of known scenarios where blockchain can enable disruption and thousands yet to be conceived, especially in areas where provability of source, monitoring of transport, or assertion of delivery is essential.
* Blockchain can save lives by bringing much-needed trust and transparency to the pharmaceutical industry. For decades, the industry has been beset by fraud and errors throughout its supply chain. Raw materials flow through a series of unrelated players on their way to becoming consumable remedies. Once completed, these remedies are distributed through yet another series of unrelated parties before making it to patients. Smart contracts supported by closed consortium-based or private permissioned blockchains could serve as a reliable and efficient mechanism for tracking the flow of information, financial capital and materials throughout the entire supply chain. This implementation of the technology could ultimately improve the quality of medications given to patients around the world and slow illegal trafficking.
* Blockchain-based identity verification systems will enable trust, provide transparency and reduce friction across business ecosystems, driving huge resource savings for enterprises. These trust-based mechanisms have the potential to reduce the burden of complying with know-your-client (KYC) and anti-money laundering (AML) regulations, making onboarding new clients cheaper and less time-consuming.
* The fine foods industry is ripe for disruption from blockchain, as counterfeit goods dilute brands, endanger consumers, and ultimately strain profits. Often these fine foods are traded between unrelated parties on a low-trust basis. By the time the products make it to the shelves, consumers are left guessing about the legitimacy of the food they intend to purchase. Tracking the movement of these goods on an immutable ledger allows the entire value chain to justify higher prices by restoring the product’s credibility to the end consumer.
The Blockchain Security Center: Up Close
The Blockchain Security Center will deliver advisory, design, and development services for enterprises internationally. Later on in 2019, we anticipate launching a suite of enterprise-focused solutions. Through our experience over the past several years, we have noted that the most vulnerable point of most blockchain applications is on their periphery. Though the blockchains themselves may be secure, the architecture around them is typically susceptible to intrusion. The secure-by-design mentality of blockchain must transcend the ledger itself into the development of the full stack.
For the past two years, we have assisted start-ups and enterprises in their quest to validate their blockchain applications, build ecosystems around their existing blockchains, and craft their business models based on the promise of blockchain. Taking our program forward is Scott J. Carlson, the Head of Blockchain Security. Scott will be leading the new Center, bringing decades of experience in emerging technologies, enterprise architecture, and, most recently, blockchain security for the enterprise.
We look forward to working with you.
The fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advancements and becoming a part of everyday lives and business.
These emerging technologies all create a lot of data, data that needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attacks. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states out there that are not above stealing this kind of IP, which raises the stakes as many of the world’s electronic components come from those states, adding extra pressure to manufacturers to keep devices secure.
This creates two situations that call for extra precaution: securing the data, whose value is exponential to criminals, together with the devices producing and transmitting it, and protecting the intellectual property that makes those devices work. Data in transit and data at rest in these situations require heightened security through greater encryption and IoT security as well as high-assurance data protection environments to secure it when not in use.
IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.
It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.
To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices but also those that affect the IoT environment as a whole, and developed products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose — not with security at the forefront. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have a USB port. The administrative password might be “password,” providing an open invitation for misuse and abuse.
Finally, it should be noted that it is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.