Is there any IoT security?

IoT security by ENISA 2015

Since the Internet of Things (IoT) is rapidly growing to be one of the largest businesses in the ICT-world, everyone is talking about it. Even more, everyone seems to be concentrating on security and how bad it is.

I saw an extensive university study which came to the conclusion that all of the tested IoT home appliances were vulnerable to cyber attacks. Well, I could have saved their time, since absolutely everything connected to the internet is vulnerable. Their recommendation for the situation was to use stronger passwords. True, you should always use strong passwords, but unfortunately that will not help you to secure your home or business IoT environment.

There are security vulnerabilities in home IoT appliances, and usually they are deeper and more complex than a bad Wi-Fi password. In most cases, they cannot be secured by the everyday user. Bad design and structural problems cause unwanted backdoors and exposures of confidential information to the maleficent side of the internet. As an example, smart TVs have cameras which can be accessed remotely because of a software glitch. Remote-controlled light bulbs and air conditioners use a proprietary wireless connection which reveals your Wi-Fi password, however strong it is, in plain text to the public.

So what to do then? You have a couple of options. You can always use an additional security device to help you secure your environment, just like companies do. The stuff is very new; the first shipments are just beginning in Q1 2016: F-Secure SENSE, Luma smart Wi-Fi router, Dojo and Cujo.

Another option is to make a personal risk assessment and classify your environment and privacy. Do you have to connect the specific device to the internet? What functionality will you lose if you use it as a stand-alone device? If it needs to be connected to the internet, can it be secured sufficiently? If it gets hacked, what information do you reveal or lose? Does it really matter, or is it very important or sensitive? Can the data be used against you or others?

Then there is one more thing that is important to understand. Even if the data is not important to you or the connected device is more or less harmless, it could be used to cause harm to someone else. There are cases where a captured IoT home appliance has been used for sending spam email or causing Distributed Denial of Service attacks. A regular user would not even know that this kind of illegal activity is happening.

So as always, you first need to think about what you are doing and connecting to the internet at your home. If you do not know, ask a friend, or better yet, ask a professional. If you are not able to do any of these, just do not plug it in.

How is your cyber defence today?

Cognitive cyber defence

What to do when cyber attacks are financed by nations and managed by organised crime? Attackers' budgets are endless and they will not stop until they get what they want.

When even the hacktivists have more resources than professional organisations, it is time to think of something else.

Something else has to be totally different. Something more than fancier anti-viruses or firewalls. Intrusion detection is now a commodity and data leak prevention did not really work. Most organisations are turning to security information and event management solutions and building or buying security operations centers.

An old security phrase stated that the human is the weakest link in security. While I never fully agreed with that statement, it has always been partially true. Especially now.

The weakness of any current cyber security defence is the human. It does not matter anymore if employees are negligent or the people who have built the defence mechanisms have made mistakes – they are and they have – always.

Now the real weakness is in the active defence. How fast can you detect something you do not understand? How could you even try to react to something unknown to you? When you find out and understand what is happening, it is way too late. In the old information security world (viruses and hackers) you could react to an attack in minutes. Now it all began weeks or months ago, and all you can do is calculate your losses.

Another challenge is understanding the goal. As in traditional warfare, the ultimate goal is usually the most protected secret. The same applies to cyber security. You use tons of different channels and methods to get to your target. Not revealing itself too early is more important than achieving 100% of the target. Attacks are so sophisticated that even the best cyber professionals or brightest analysts cannot see the final goal of an attack by just examining the small parts of the attack mechanism.

So is there another answer for cybersecurity than having more money, skills and resources than the attacker? In the last couple of months I have started to believe that there is – cognitive cyber security platforms. There are already a few available, and they are best where the humans are weak.

A cognitive cyber security platform is designed to recognise and understand a previously unseen attack, quickly extrapolate the ultimate targets, launch counter-measures and direct security processes according to the security policy. Will it do all this, and how? Will it really work well enough in ultra-high-security environments? I will find out and tell you what I found later this year!

No business platforms, no business

The time for IaaS, PaaS and SaaS is nearing its end. Mastering business growth requires platform-oriented thinking and architecture. Gartner talks a lot about platforms, but what it simply means is that you have to decide what you want your business capabilities to be and then build (or buy) platforms capable of delivering the services required by your business. The only thing that matters is how easily you are capable of delivering the required result.

Let's say you want to provide weather reports. Then your platforms will consist of partners, solutions, services and innovations capable of gathering, processing and delivering weather data. Platforms also include things like digital marketing, management models, go-to-market models and many more tools to use when needed.

The difference between a platform and a process is that the platform is flexible and capable of actually delivering the final required result. You do not need a solution or a service, you need a platform for your business.