Connect with us

Security

THE IOT’S PERPLEXING SECURITY PROBLEMS

Published

on

Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.

The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.

Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.

Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.

IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, for example, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.

Shadow IoT Devices on Enterprise Networks

One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.

The reported shadow IoT devices included the following:

  • Fitness trackers – 49 percent;
  • Digital assistants such as Amazon Alexa and Google Home – 47 percent;
  • Smart TVs – 46 percent;
  • Smart kitchen devices such as connected microwaves – 33 percent; and
  • Gaming consoles – 30 percent.

There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.

Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.

“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.

“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.

More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.

However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.

Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.

Security for the IoT

“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.

“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.

Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”

Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.

For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.

A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.

“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.

Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”

Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”

Medical Devices and IoT Security

The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.

Medical device manufacturers increasingly have been incorporating connectivity to the Internet, but 53 percent of healthcare providers and 43 percent of medical device manufacturers don’t test their medical devices for security, noted Siddharth Shah, a healthcare industry analyst at Frost & Sullivan.

Few have taken significant steps to avoid being hacked, he told the E-Commerce Times.

Network-connected medical devices “promise an entirely new level of value for patients and doctors,” said Frost & Sullivan healthcare industry analyst Kamaljit Behera.

However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.

“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”

The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.

“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.

Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Microsoft is bringing its Defender antivirus software to the Mac

Published

on

By

Microsoft is bringing its Windows Defender antivirus software to macOS today. The software giant is renaming Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) as a result. Microsoft has created a dedicated Defender ATP client for Mac, and it offers full virus and threat protection mixed with the usual ability to perform quick or full scans.

A limited preview will be available for businesses to try out the antivirus protection in environments that have a mix of both Windows PCs and Macs. Microsoft is using its AutoUpdate software on macOS to keep the client up to date, and it will be available on devices running macOS Mojave, macOS High Sierra, or macOS Sierra.

As ATP is limited to businesses, it’s not clear if Microsoft is also planning to bring a consumer version of Microsoft Defender over to the Mac. Defender is currently built into Windows 10, offering antivirus protection by default. Either way, Microsoft is offering a limited preview to Microsoft Defender ATP customers, and you can sign up here.

Continue Reading

Internet

The number of mobile malware attacks doubles in 2018, as cybercriminals sharpen their distribution strategies

Published

on

By

Four African countries made the list in terms of top 10 countries by share of users attacked by mobile malware; Nigeria climbs from fifth place in 2017 to third in 2018.

Kaspersky Lab (www.Kaspersky.co.za) researchers have seen the number of attacks using malicious mobile software nearly double in just a year. In 2018 there were 116.5 million attacks, compared to 66.4 million in 2017, with a significant increase in unique users being affected. Despite more devices being attacked, the number of malware files has decreased, leading researchers to conclude that the quality of mobile malware has become more impactful and precise. These and other findings are unveiled in Kaspersky Lab’s report Mobile malware evolution 2018.

As the world becomes more mobile, the role of smartphones in business processes and day to day life is growing rapidly. In response, cybercriminals are paying more attention to how they are distributing malware and the attack vectors used. The channels through which malware is delivered to users and infects their devices is a key part of the success of a malicious campaign today, taking advantage of those users who do not have any security solutions installed on their phones.

The success of the distribution strategies is demonstrated not only by the increase in attacks, but also the number of unique users that have encountered malware. In 2018 this figure rose by 774,000 on the previous year, to 9,895,774 affected users. Among the threats encountered, the most significant growth was in the use of Trojan-Droppers, whose share almost doubled from 8.63% to 17.21%. This type of malware is designed to bypass system protection and deliver there all sorts of malware, from banking Trojans to ransomware.

“In 2018, mobile device users faced what could have been the fiercest cybercriminal onslaught ever seen. Over the course of the year, we observed both new mobile device infection techniques, such as DNS hijacking (http://bit.do/eKudD), along with an increased focus on enhanced distribution schemes, like SMS spam. This trend demonstrates the growing need for mobile security solutions to be installed on smartphones – to protect users from device infection attempts, regardless of the source,” said Viсtor Chebyshev, security expert at Kaspersky Lab.

Four African countries made the list in terms of top 10 countries by share of users attacked by mobile malware – Nigeria in 3rd place at 37.72%, Algeria in 5th place (35.06%), Tanzania in 8th place (31.34%) and Kenya in 9th place with 29.72%.

Other findings in the mobile malware evolution 2018 report include:

  • In 2018 Kaspersky Lab products protected 80,638 users in 150 countries against mobile ransomware, with 60,176 mobile ransomware Trojans samples detected
  • In 2018, a fivefold increase in attacks using mobile malicious crypto currency miners was observed
  • In 2018, 151,359 installation packages for mobile banking Trojans were detected, which is 1.6 times more than in the previous year

In order to protect your devices, Kaspersky Lab security experts advise the following:

  • Only install mobile applications from official app stores, such as Google Play on Android devices or the App Store on iOS
  • Block the installation of programmes from unknown sources in your smartphone’s settings
  • Do not bypass device restrictions as this might provide cybercriminals with limitless capabilities to carry out their attacks
  • Install system and application updates as soon as they are available — they patch vulnerabilities and keep devices protected. Note that the mobile OS system updates should never be downloaded from external resources (unless you are participating in official beta-testing). Application updates can only be installed through official app stores
  • Use reliable security solutions for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud(http://bit.do/eKurx)

To learn more about threats to mobile devices, please read the blog post available at Securelist.com. (http://bit.do/eKuiq)

Distributed by APO Group on behalf of Kaspersky.

About Kaspersky Lab:
Kaspersky Lab (www.Kaspersky.co.za) is a global cybersecurity company which has been operating in the market for 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.Kaspersky.co.za.

source: Africanews

Continue Reading

Security

The Ultimate Beginners Guide to GDPR Compliance in 2019

Published

on

By

What is GDPR?

By now you’ve probably all heard the term GDPR. Up until 25th May 2018 the guidelines surrounding personal information, in relation to privacy, were a bit wishy-washy. The Data Protection Directive (1995) did provide some basic guidelines but it simply wasn’t good enough.

We’ve always taken a keen interest in GDPR as many VPN’s have had to make serious changes to the way they operate inc some of the major players like Avast and NordVPN.

The monitoring and sharing of information is now covered under the General Data Protection Regulation (GDPR). This aims to ensure that information is handled responsibly, by any company that deals with personal information and privacy.

According to ICO, there are 7 key principles that GDPR sets out. These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The principles outlined aren’t rules as such, but more so an outline of fundamentals that should be followed when creating good data protection practice. If individuals or companies fail to comply with the principles, they could be fined up to €20 million, or 4% of your total worldwide annual turnover (whichever is higher).

What was before GDPR?

GDPR is applied throughout Europe, with each country having it’s own amount of control regarding certain aspects of the regulation. The U.K. has implemented the Data Protection Act (2018) which replaces the 1998 Data Protection Act.

The new act was passed through the House of Commons and House of Lords shortly before GDPR came into force.

Impact on businesses

Whether you’re an individual, organisation or company, you may be branded as a ‘controller’ or ‘processor’ of personal data. The Information Commissioners Officer (ICO) outlines exactly what the difference is between controllers and processors.

Businesses who monitor or obtain personal information on a large scale should employ a Data Protection Officer (DPO). The officer’s role should ensure that the company in question complies with GDPR. Any questions or queries regarding data protection should be directed to them.

GDPR applies to businesses that process personal data of EU citizens. This is the case even with businesses who employ less than 250 employees. As previously mentioned, any breach which could impact the rights of data subjects should be reported to the Information Commissioner’s Office (ICO).

If possible, a breach should be logged and reported within a 24 hour period, or 72 hours at the most. Details of the breach and how it is going to be contained and resolved must be outlined to the ICO.

GDPR will give individuals control on how businesses use their data. This also applies to businesses that already have your data. For example, individuals will have the ‘right to be forgotten’. So, if you’re a customer and no longer want a business to hold your personal data, you have a legal right to retract your data.

Helpful checklist for small businesses

GDPR is undoubtedly confusing, and understandably quite stressful! I thought it would be pertinent to put together a checklist for UK small businesses so you know what to expect, and what’s expected of you.

Your small business GDPR checklist should consider past and present employees, suppliers, and customers. It should also consider anyone’s data that you’re processing, collecting, storing, or recording, and using by any means.

1| Understand your data

You will need to understand and demonstrate your understanding of the types of personal data you and/or your business holds. For example, names, addresses, IP addresses, bank details, etc. This also includes sensitive data like religious views and health details. You’ll need to demonstrate that you understand where they come from and how you will be using such data.

2| Think about consent

Does your business require consent to process personal data? Some marketing techniques require consent which makes things much more difficult under GDPR. Consent must be extremely clear and specific, so unless you 100% know what you’re doing tt may be worth avoiding the need to rely on consent unless it’s crucial to your business model.

3| Consider security measures

Your security measures and policies that are in place must be updated to be GDPR compliant. What’s more, if you don’t have any in place already, you should get them pretty quickly! Although there are more specific demands regarding security, as a broad precaution, you could use encryption.

4| Subject access rights

Individuals have the right to access their personal data. You’ll need to ensure that your business is ready to provide this information within a short timeframe if necessary. Individuals may wish to obtain their personal data in order to rectify any issues, simply to have it, or they may wish to erase it altogether. All requests carry a timeframe of one month.

5| Train employees

Employees within your business should be trained in personal data. They will need to understand what constitutes personal data, as well as processes to identify any data breaches. Employees should be aware of who your Data Protection Officer (DPO) is, and any team or individuals related or responsive for data protection compliance.

6| Supply chain

All suppliers and contractors within your business need to be GDPR compliant. This is to ensure that they are not going to cause any breaches and pass any penalties or fines onto you. You will need to make sure that your contracts with your suppliers are updated too, so make sure you obtain a copy of this.

7| Fair processing

As part of GDPR, you must now be able to explain to individuals what you’re using their personal data for. This shouldn’t be a difficult task or one to worry about if you’re using their data fairly and correctly.

8| Data Protection Officer

It’s time to decide whether you need to employ a DPO or not. Small businesses are likely to be exempt, but larger businesses may not. It’s worth checking out to make sure you’re not in breach of any GDPR rules.

Defining consent

As an individual, you may be familiar with pre-ticked boxes when signing up for online accounts, purchasing products, registering for newsletters etc. These boxes were often pre-ticked and somewhat hidden, giving companies access to your personal data. Now, gone are the days of being bombarded by unwanted marketing emails and random phone calls.

Consent has been redefined under the new GDPR rules. Gone are the days of small print and hidden messages where individuals ‘accidentally’ or involuntarily sign up to marketing emails, texts, etc. Policies must be made abundantly clear now and be presented in such a manner.

Rules around pre-existing personal data are a little different. You may not require consent for this, but there must be a legal basis that’s compliant with the Data Protection Act (DPA). The main thing here is to remember that these legislations apply to businesses and consumers!

GDPR statistics 2018

  • Around 59% of UK businesses know the implications that GDPR will have on them.
  • On average, 73% felt that they were prepared when it came to documents and print management.
  • Only 6% of UK businesses made GDPR a priority. This is compared to 30% in France.
  • CNIL (French data protection regulator) reported a 50% increase in the number of complaints since GDPR came into force on 25th May.

Right of Access

Right of access (or subject access) allows an individual the right to obtain their own personal data. Right of access gives individuals the ability to understand how their data is being used and why their data is being used in such a way. This ensures that their data is being used in a lawful manner.

Individuals have the right to obtain certain information from companies, which includes:

  • a copy of an individual’s personal data
  • confirmation that an individual’s personal data is being processed
  • supplementary information (mainly corresponds to information provided in a privacy notice)

An individual, as we know, is entitled to their own personal data. However, they are not entitled to information about other people. On the other hand, if the information they are trying to obtain is about them as well as someone else, this is acceptable.

As an individual, it’s recommended that you ascertain whether the information you’re requesting is defined as personal data or not. You can check to see what’s classed as personal data (to be sure) here.

Am I a Data Controller or Data Processor?

GDPR applies to data controllers and data processors, but what does this actually mean? Data processors refer to operations performed on data, so when data is stored, collected, recorded, shared, etc. Data controllers are also data processors, the difference being is that they decide what the purpose or reason for processing data activities actually is.

Data Processors

As a data processor, there are legal obligations that GDPR require you to do:

  • Keep and maintain up-to-date personal data records. This includes outlining the details of processing activities and data subject categories. Categories refer to customers, employees, suppliers, and the types of processing – transferring, receiving, disclosing etc.
  • Keep and maintain details of transfer to countries that are outside of the European Economic Area (EEA)
  • Implement and maintain security measures that are appropriate, e.g. encryption

If a data processor is responsible for a data breach, they will have a lot more legal liability compared to the DPA. Individuals can make a direct claim against the data processor, so it’s imperative that you understand your responsibilities as one.

Data Controllers

As a data controller, you are by nature a data processor too. The same GDPR requirements therefore apply. However, the GDPR obligations are placed on you and your business to ensure that contracts with processors are compliant and standards are met.

Continue Reading
Advertisement

Trending

Copyright © 2018 Inventrium Magazine

%d bloggers like this: