Cybersecurity for #SmartCities

Cyber Security Talk

Where are we now, and where are we going?

Mirko Ross from asvin.io hosted a lively discussion on securely building smart cities with:

  • Me
  • Antonio Skarmeta: Researcher IoT Crawler, University Murcia
  • Giuliano Liguori: CEO & Cybersecurity Expert, glweb.eu

Mobile Apps Must be their own Fortress to Withstand Attacks from Hackers


A #mobile app must be its own fortress and never assume the platform is encrypted, authenticated, uses a VPN or requires a PIN for #security.

I guess developers can’t count on anything these days. How you deal with security is what separates consumer app developers from enterprise app developers. The best apps assume an insecure, unencrypted and completely compromised mobile platform. In a world of bring your own app (BYOA), this will differentiate consumer app developers from trusted enterprise app developers. Imagine the scenario where a logged-in device is left behind in a taxi and is stolen before device security kicks in to log the device out. A window of exposure ranging from five to fifteen minutes is realistic.

So how does a mobile app take charge of its own security? On launch, it must prompt for enterprise credentials like a password, PIN, face or fingerprint before allowing a user inside the app. Eliminate the use of cached credentials and tokens or keep expiration times to a minimum. Next, the app must provide its own encryption for data at rest. This is accomplished through the use of a mobile platform’s crypto APIs. Oftentimes you can reuse login credentials as a password and salt value. Use this to encrypt all downloaded and user-entered data before saving to local storage. The app must use TLS or per-app VPN tunnels for all remote communication to secure data in transit. Lastly, trustworthy apps should never take dependencies on platform capabilities they don’t actually require.

Reduce risk to your business by insisting every enterprise app you build or buy provides its own comprehensive security capabilities. Is your company making app security a top priority?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”

Book Cover

Click here to purchase a copy of my book today and start transforming your business!

Reduce Business Risk by Migrating your Legacy Software to Modern, Secure Platforms and Programming Languages


Businesses drag their feet when mobilizing line-of-business #apps via legacy #software migration, thinking it’s cheaper to maintain a codebase than to rewrite for #mobile.

I get it. Migrating all those apps to mobile seems like eating the proverbial elephant. They cost a lot of money to build, the highly-skilled developers needed to rewrite the code are harder to find than ever, the code isn’t commented and there aren’t any docs. This often leads to IT decision makers putting off these projects, perhaps until it’s not their problem anymore. So why do it?

For starters, your employees will be significantly more productive running your apps on the mobile devices they actually use. Since work is not a place to go but a thing to do, employees can get their jobs done from anywhere. Millennials won’t be chained to a desk and they’re going to use the devices they like best. Face it, those Win32 apps are never going to run on someone’s iPhone, and your new generation of employees has never heard of Windows 95. Not changing is a non-starter, as you’ll just miss out on younger talent entirely.

Another good reason to migrate all these apps and systems is that they’re running on outdated hardware and software. It goes without saying that this infrastructure has far surpassed its end of life (EOL) and there is absolutely no support coming from the original vendors of the computers, operating systems, software and development tools. I’m actually not 100% correct on this point. There are some giant technology vendors that charge tens of millions of dollars per year to support old systems that reached EOL without migrating. In the end, migrating is significantly cheaper and it rescues your valuable intellectual property from fragile, unsupported, failing systems.

There’s a more ominous reason to migrate your apps. Most data breaches are due to running unpatched, out-of-date, and therefore unprotected software. This includes:

  • Software written before PCs were pervasively open to Internet attacks.
  • Apps that don’t require authentication.
  • Apps that don’t encrypt data at rest or data in transit.
  • Apps written before established secure development lifecycle procedures.
  • Unpatched software.
  • Software oblivious to buffer overflows or SQL injection attacks.
  • Software and services built with the assumption that they would always be “inside the firewall” and therefore protected.
  • Apps that don’t follow “least privilege” principles.
  • Apps that don’t work with modern sandboxed operating systems.

This older and often unattended software is putting your company at risk. Individual and state-sponsored hackers are attacking the software of companies all over the world. Valuable intellectual property and sensitive customer data are being stolen daily. Company executives are getting fired. You absolutely don’t want this to be your priceless intellectual property or your customer data. This is a fast ticket to losing your competitive advantage as well as the trust of your customers. Oh, and you might be looking for a new CEO and CIO.

So what’s the game plan?

  • Catalog all your Win32 and Web 1.0 apps and assemble a v-team to take ownership of them.
  • Send out surveys to all your employees to find out who’s still using which apps.
  • Utilize asset management discovery software that scans the company network searching for apps running on Windows, Macs and servers.
  • Pull the plug on apps that don’t show up in a survey or via asset management scanning.
  • Listen carefully for screaming employees and turn those apps back on. I expect you’ll find a good percentage of those apps aren’t used anymore.
  • Eliminate the next chunk of apps by seeing if employees can use a new or different process to accomplish certain tasks. Your business and processes may have changed so much over the years that some of these apps aren’t relevant.

When rewriting the remaining apps, focus less on the code and more on data sources, workflows, user interfaces, performance and latency. I’ll talk later about new ways to connect to data and build new apps. It’s more important to reverse-engineer the way employees perceive these apps to work than how the existing code actually makes them work. This provides a good opportunity to stealthily update business cases.

Reduce risk to your company by migrating unsafe, unsupported, end-of-life software to modern, secure platforms and programming languages. How rapidly is your company de-risking its exposure to legacy business applications?


Reduce Business Risk by Enforcing Security Policies on Data with Digital Rights Management


To enforce #mobile data #security policies directly, get an #EMM solution with #digital rights management to protect #data where it flows & rests.

So far, our EMM journey to secure corporate data has dealt with the issue by broadly securing the entire device via MDM or more narrowly securing the apps that deliver the data using various MAM techniques. The application of security can get narrower still.

The use of digital rights management (DRM) allows IT departments to apply policies directly to documents, keeping data secure no matter where it flows or resides. Sometimes DRM is clumped in with the broader mobile content management (MCM) component of EMM. Security applied directly to data in this way is an effective method of data loss prevention (DLP): it uses a combination of enterprise directory services, encryption and user identity, along with server and client software, to keep information in sensitive files from being viewed by the wrong people or systems.

Imagine the scenario where a confidential business document is uploaded to an Internet file sharing provider or emailed to a competitor. Traditional corporate security mechanisms like firewalls or file server access control lists won’t save you in this situation. If DRM encryption and security policies were previously applied to this document, it would be unreadable by anyone who tried to open it. This is arguably the most difficult of the EMM security components to implement, so not many vendors offer it.

Reduce risk to your organization by keeping sensitive data secure no matter where it travels or where it rests. What is your company doing to protect its critical data?


Reduce Company Expenses and Enforce Mobile Security with Exchange ActiveSync


If you don’t have an Enterprise Mobility Management #EMM solution, start with Exchange ActiveSync to enforce #mobile device policies and #security.

Baby steps. While you might not say Microsoft Exchange Server in the same breath as enterprise mobility management, this product has managed more devices than any other system over the last decade. Since most enterprises already use Active Directory for identity, coupled with Exchange Server on-premises or via Office 365 in the cloud for email, calendar and contacts, this is a simple way to get started. A protocol called Exchange ActiveSync (EAS), which dates back to the Pocket PC, is used by virtually every mobile operating system to make this happen.

So what does this have to do with managing devices? Well, EAS helps secure smartphones and tablets via policy enforcement. This allows you to require PINs and passwords, device and storage card encryption, remote wipe for lost or stolen phones, and S/MIME email encryption, to name a few. It also lets you disable features like a phone’s camera, removable storage, Wi-Fi, Bluetooth, SMS and others. If you’ve worked in the public sector, this probably rings a bell.

If you think managing your mobile devices via Exchange ActiveSync is unorthodox, remember this was the only way to manage iPhones until iOS 4 and Android devices until version 2.2 were released. I think EAS facilitated the BYOD movement more than any other factor.

Reduce expenses and risk to your company by enforcing security policies on your mobile devices using the capabilities found in an email server you probably already own. What basic steps has your organization taken to enforce mobile security on smartphones and tablets?
