Cybersecurity for #SmartCities

Cyber Security Talk

Where are we now, and where are we going?

Mirko Ross from asvin.io hosted a lively discussion on securely building smart cities with:

  • Me
  • Antonio Skarmeta: Researcher IoT Crawler, University Murcia
  • Giuliano Liguori: CEO & Cybersecurity Expert, glweb.eu

12 Steps to Stop the Next IoT Attack in its Tracks

IoT Attack

Distributed denial-of-service (DDoS) #IoT attack against DNS are a wake up call to how fragile the #Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.

Reduce Business Risk by Migrating your Legacy Software to Modern, Secure Platforms and Programming Languages

Book Cover

Businesses drag their feet when mobilizing line of business #apps via legacy #software migration thinking it’s cheaper to maintain a codebase than to rewrite for #mobile.

I get it. Migrating all those apps to mobile seems like eating the proverbial elephant. They cost a lot of money to build, the highly-skilled developers needed to rewrite the code are harder to find than ever, the code isn’t commented and there aren’t any docs. This often leads to IT decision makers putting off these projects, perhaps until it’s not their problem anymore. So why do it?

For starters, your employees will be significantly more productive running your apps on the mobile devices they actually use. Since work is not a place to go but a thing to do, employees can get their jobs done from anywhere. Millennials won’t be chained to a desk and they’re going to use the devices they like best. Face it, those Win32 apps are never going to run on someone’s iPhone and your new generation of employees haven’t ever heard of Windows 95. Not changing is a non-starter as you’ll just miss out on younger talent entirely.

Another good reason migrate all these apps and systems is because they’re running on outdated hardware and software. It goes without saying that this infrastructure has far surpassed its end of life (EOL) and there is absolutely no support coming from the original vendors of the computers, operating systems, software and development tools. I’m actually not 100% correct on this point. There are some giant technology vendors that charge tens of millions of dollars per year to support old systems that reached EOL without migrating. In the end, migrating is significantly cheaper and it rescues your valuable intellectual property from fragile, unsupported, failing systems.

There’s a more ominous reason to migrate your apps. Most data breaches are due to running unpatched, out-of-date, and therefore unprotected software. This includes:

  • Software written before PCs were pervasively open to Internet attacks.
  • Apps that don’t require authentication.
  • Apps that don’t encrypt data at-rest or data in-transit.
  • Apps written before established secure development lifecycle procedures.
  • Un-patched software.
  • Software oblivious to buffer overflows or SQL injection attacks.
  • Software and services built with the assumption that they would always be “inside the firewall” and therefore protected.
  • Apps that don’t follow “least privilege” principles.
  • Apps that don’t work with modern sandboxed operating systems.

This older and often unattended software is putting your company at risk. Individual and state-sponsored hackers are attacking the software of companies all over the world. Valuable intellectual property and sensitive customer data is being stolen daily. Company executives are getting fired. You absolutely don’t want this to be your priceless intellectual property or your customer data. This is a fast ticket to losing your competitive advantage as well as the trust of your customers. Oh, and you might be looking for a new CEO and CIO.

So what’s the game plan?

  • Catalog all your Win32 and Web 1.0 apps and assemble a v-team to take ownership of them.
  • Send out surveys to all your employees to find out who’s still using which apps.
  • Utilize asset management discovery software that scans the company network searching for apps running on Windows, Macs and servers.
  • Pull the plug on apps that don’t show up in a survey or via asset management scanning.
  • Listen carefully for screaming employees and turn those apps back on. I expect you’ll find a good percentage of those apps aren’t used anymore.
  • Eliminate the next chunk of apps by seeing if employees can use a new or different process to accomplish certain tasks. Your business and processes may have changed so much over the years that some of these apps aren’t relevant.

When rewriting the remaining apps, focus less on the code and more on data sources, workflows, user interfaces, performance and latency. I’ll talk later about new ways to connect to data and build new apps. It’s more important to reverse-engineer the way employees perceive these apps to work than how the existing code actually makes them work. This provides a good opportunity to stealthily update business cases.

Reduce risk to your company by migrating unsafe, unsupported, end of life software to modern, secure platforms and programming languages. How rapidly is your company de-risking its exposure to legacy business applications?

Learn how to digitally transform your company in my newest book, “Mobile Strategies for Business: 50 Actionable Insights to Digitally Transform your Business.”

Book Cover

Click here to purchase a copy of my book today and start transforming your business!