The growth of the Internet-of-Things (IoT) paradigm begs the question if blockchain technology securing IoT infrastructure properly or not? Currently propelled by an unprecedented increase in the number of internet-connected devices. Even though the Cisco’s 2011 projection about 50 billion devices in 2020 is not ending up being very accurate, more recent estimates by Gartner and IHS confirm the tremendous growth of the number of IoT devices.
The need to support billions of devices in the years to come is inevitably pushing IoT technologies to their limits. Despite significant progress in blockchain technology, the specification and implementation of IoT technologies for identification, discovery, data exchange, analytics and security, the future scale of IoT infrastructure and services is creating new challenges and ask for new paradigms.
As a prominent example, IoT security is usually based on centralized models, which are centered round dedicated clusters or clouds that undertake to provide authentication, authorization and encryption services for IoT transactions. Such centralized models are nowadays providing satisfactory protection against adversaries and security threats.
Nevertheless, their scalability towards handling millions of IoT nodes and billions of transactions between them can be questioned, given also recent IoT-related security attacks which have manifested the vulnerabilities of existing infrastructures and illustrated the scale of the potential damage.
In particular, back in October 2016, a large scale Distributed Denial of Service (DDoS) attack took place, which affected prominent Internet sites such as Twitter, Amazon, Spotify, Netflix and Reddit. The attack exploited vulnerabilities in IoT devices in order to target the infrastructures of dyn.com, a global infrastructure and operations provider, which serves major Internet Sites.
The incident is indicative of the need for new IoT security paradigms, which are less susceptible to attacks by distributed devices and more resilient in terms of the authentication and authorization of devices. In quest for novel, decentralized security paradigms, the IoT community is increasingly paying attention to blockchain technology, which provides an infinitely scalable distributed ledger for logging peer to peer transactions between distrusted computing nodes and devices.
Most of the people that are aware of the paradigm to blockchain technology securing IoT perceive it as the main building block underpinning cryptocurrencies such as the well-known BitCoin. Indeed, the main characteristic of Bitcoin transactions is that they are not authenticated by a Trusted Third Party (TTP), as is the case with conventional banking transactions. In the case of the BitCoin, there is no central entity keeping track of the ledger of interactions between the different parties as a means of ensuring the validity of the transactions between them. Instead, any transaction occurring between two parties (e.g., A paying 1 Bitcoin to B) is kept in a distributed ledger, which is maintained by all participants of the BitCoin network and which is empowered by blockchain technology. Among the merits of this distributed ledger approach is that it is very scalable and more robust when compared to traditional centralized infrastructure.
This is due to the fact that the validation of transactions is computationally distributed across multiple nodes, as well as due to the fact that the validation requires the consensus (“majority vote”) of the whole network of communicating parties, instead of relying on a centralized entity. In this way, it is practically impossible for an adversary to attack the network, since this would require attacking the majority of nodes instead of one or a few parties.
The scalability and resilience properties of the blockchain approach have given rise to its applications in other areas such as electronic voting or IoT transactions. The principle remains the same: Transactions are logged in the distributed ledger and validated based on the majority of nodes, even though in the case of voting and other transactions Bitcoin units are replaced by votes or credits. This results in a trustful and resilient infrastructure, which does not have a single point of failure.
Based on the above principle, blockchain is deployed as an element of IoT infrastructures and services, which signifies a shift from a centralized brokerage model, to a fully distributed mesh network that ensures security, reliability and trustworthiness. Blockchain technology securing IoT infrastructure facilitates devices to authenticate themselves as part of their peer-to-peer interactions, while at the same time increasing the resilience of their interactions against malicious adversaries. Moreover, this can be done in a scalable way, which scales up to the billions of devices and trillions of interactions that will be happening in the coming years.
The development of secure mesh IoT networks based on blockchain technology is no longer a theoretical concept. During the last couple of years several companies (including high-tech startups) have been using blockchain technology in order to offer novel IoT products and services. The most prominent implementations concern the area of supply chain management. For example, modum.io is applying blockchain in the pharmaceuticals supply chain, as means of ensuring drug safety.
The company’s service uses the blockchain technology in order to log all transactions of a drug’s lifecycle, starting from its manufacturing to its actual use by a health professional or patient. Recently, the retail giant Wal-Mart Stores Inc. has announced a food products track and trace pilot based on blockchain technology. The pilot will document all the steps associated with tracking and tracing of pork, from the farm where the food is grown, to the supermarket floor where it is shipped. This pilot is a first of a kind effort to validate the merits of the blockchain outside the scope of the financial services industry.
Beyond supply chain implementations, novel products are expected to emerge in the areas of connected vehicles, white appliances and more. Several of the applications are expected to benefit from blockchain’s ability to facilitate the implementation of monetization schemes for the interaction between devices. In particular, as part of blockchain implementations, sensors and other IoT devices can be granted micropayments in exchange of their data.
The concept has already been implemented by company tilepay, which enables trading of data produced by IoT devices in a secure on-line marketplace. At the same time, cloud-based infrastructures enabling developers to create novel blockchain applications are emerging. As prominent example Microsoft is providing a Blockchain-as-a-Service (BaaS) infrastructure as part of its Azure suite.
Overall, blockchain technology is a promising paradigm for securing the future IoT infrastructures. Early implementations are only scratching the surface of blockchain’s potential. We expect to see more and more innovative products in the next few years.
In this direction, several challenges need also to be addressed, such as the customization of consensus (i.e. “majority-voting”) models for IoT transactions, as well as efficient ways for carrying out the computationally intensive process of transaction verification. Solutions to these challenges will certainly boost the rapid uptake of this technology in the IoT technology landscape.
Mobile BYOD security is always an issue for IT and security. Going online increasingly means going mobile. "There's an app for that" is the truth these days. Unfortunately, mobile device security brings the same set of concerns that full computer and cloud systems are battling – threats, hacking, and ransomware.
The biggest security threat to mobile devices that is not found in desktops or servers is that very mobility. In mid-2015, 2.1 million Americans reported their mobile phones lost or stolen according to Consumer Reports. That's a drop. Add tablets and the count is higher, but still less than what it has been. CR doesn't try to say why the number of missing devices is down.
The ability to wipe data or lock down a smartphone was considered high end security. Apple led the pack in that kind of security, but even the vaunted iPhone was hacked. It's probably easier than you think. "More than 86% of Apple iPhones in the world are apparently still vulnerable to a security flaw that allows a hacker to completely take over the device with just a text message, according to data from mobile and web analytics firm MixPanel," said a report at Business Insider.
It does not matter if your work environment is BYOD or company-supplied. Once the mobile device is gone, expect it to be hacked. Think a remote wipe of the mobile device is going to protect your information? It won't. A quick google on "recover lost data from smartphone" turned up plenty of companies selling information-recovery software.
YouTube also has plenty of videos teaching people how to recover files from a smartphone. While these tutorials are aimed at helping someone find and restore "lost" photos or text messages, there's not a real difference between a picture of someone's kids at the park and a file with a client's payment information. Data is data.
Some of these ideas are worth adding to your company's mobile BYOD security policies.
None of these are guaranteed to stop a dedicated hacker when it comes to mobile device security. But they will frustrate someone who stole the phone or tablet and hoped for an easy score. They can also create enough of a delay for you to lock out the device from your system and alert any customers whose information may be compromised.
The US Computer Emergency Readiness Team (CERT) says mobile hacks are steadily climbing. The report lists things to do to protect mobile devices. CERT's best security ideas are:
Mobile may not be part of your company's business model right now, but it is coming. If you already have it, what are you doing to make things secure? What's in your company's written mobile device policy? How do you enforce it? How do you monitor the devices, especially if you are BYOD?
Having issues with recruiting cyber security experts with deep experience in wireless protocols, mobile networks, mobile security apps and BYOd security? Click below to ask NextGen how we can solve recruitment issues and deliver the right candidates for hire.
Embracing next technology healthcare without adequate preparation will only open new risk avenues and threat vectors for healthcare cyber attacks. Technology is perceived as a solution to address operational inefficiencies within the healthcare industry and to expand the reach of high quality healthcare services to remote regions. But the risks are mounting.
Vulnerable Devices for Critical Medical Practices
The proliferation of smart technologies will encompass the healthcare industry in coming years. Digital devices such as smart pacemakers and insulin pumps are used widely today, and the next generation of smart technologies will cover a variety of critical cardiovascular, respiratory, and neurological medical practices. However, next technology healthcare devices aren’t immune to sophisticated attacks. In control of malicious actors, vulnerable smart medical devices can deliver the killer blow to patients instead of maintaining stable health.
Cloud connectivity is critical to access patient information anywhere-anytime, a promise that’s driving transition to the cloud for healthcare institutions. PHI data is effectively stored in off-site data centers beyond the control of healthcare providers originally in charge of maintaining patient data privacy and security. Any vulnerability in their cloud networks is an open invitation for hackers to compromise sensitive patient information.
Unlike cloud vendors subject to stringent compliance regulations, patients themselves are unable to secure IoT-connected medical devices at home. A malware infected dialysis machine could be part
of a DDoS attack intended to bring down the entire network infrastructure of a hospital. Since IoT devices come from multiple vendors, through different processes and offer different technologies, it’s not entirely possible to maintain a consistent standard and control around healthcare cyber attacks and IoT device security.
Healthcare providers adopting telemedicine practices using smartphone health apps may not realize or control the personally identifiable information shared with third-party advertisers. These apps run on mobile platforms vulnerable to security threats, especially when the OS is not updated to apply the latest available security patches.
Considering the general lack of security awareness among patients using outdated mobile app and OS versions, and fall prey to mundane social engineering ploys, the industry has a long way to go before considering mobile apps as secure channels to offer effective firewalls and security against healthcare cyver attacks.
Do you think the next technology healthcare industry is ready to take a deep dive into cyber security adoption without adequate preparation and fixing loopholes that exist within the technology itself?
Need an executive search consultant with deep knowledge and contacts in the medical field? NextGen has identified and recruited key personnel ranging from principal / chief engineers in software development, systems design, and embedded wireless to directors and VPs in sales, business development, and technology to president of business unit for medical device manufacturers, electronic health records developers, clinical integration, and bio medical research and development.
The threat of IoT Botnets describes a network of devices that have been compromised by a cybercriminal and are being used to conduct a coordinated attack. Typically these devices are a mixture of computers and mobile devices.
IoT Botnets can be utilized for many different types of cyber attack. Spam email campaigns and Distributed Denial of Service (DDOS) attacks are two common uses for botnets. A DDOS attack involves overwhelming a target with requests and causing the service to fail.
In both scenarios, using a network of compromised machines spreads an attacker's point of origin. This means that DDOS attacks cannot be thwarted simply by blocking a single IP address, and makes it tough for spam filters to identify the source of malicious email. The most commonly discussed examples of these smart devices tend to be consumer-focussed, such as the capacity to control your home heating from your smartphone. But increasingly, there are more and more uses of IoT devices in the business world. Many industries now use a connected network of sensors and cameras to capture data and automate decisions based on that information.
Gartner has predicted that there will be approximately 20 billion IoT devices by the year 2020. And because these devices have an IP address and the ability to share data, they are susceptible to cyber criminals. In fact, many of these devices are far easier to hack than traditional computers and smartphones. In a rush to catch early adopters, manufacturers are overlooking security in favor of product features and speed to market. Additionally, as the industry is still quite new, there are no standardized methods for detecting and fixing a compromised IoT appliance.
One of the main threat of IoT botnets pose is that they make DDOS attacks easier to conduct. Many of these appliances may be connected via the same router, and with their low security levels, it’s straightforward for hackers to compromise multiple devices very quickly. For businesses, this means that even the many consumer IoT gadgets are a threat. Back in 2014, cyber security experts Proofpoint discovered an attack that utilized consumer devices in a sustained cyber breach.
The Internet of Things offers many easy-to-reach IP addresses with which to conduct an attack. And while DDOS attacks aimed at a particular company can be damaging to business and reputation, a coordinated attack of this nature aimed at a country’s critical infrastructure could have even more damaging effects.
The second major threat of IoT Botnets is compromised IoT devices is related to the nature of the work they do. As mentioned previously, the role these appliances play tends to involve the collection of data and subsequent decision-making process. This data itself could be valuable to criminals via ioT botnets. The heating and lighting habits of a particular building could indicate the times when it’s staffed, for example.
But even more dangerous is the prospect that hackers could manipulate this data. For industries that use sensors to indicate that equipment components have exceeded their designed wear thresholds, an inaccuracy in this information could have life-threatening repercussions.
All of this concern inevitably leads us onto the question of what users can do to protect themselves against these attacks. And the honest answer at the moment is that it’s tricky to take definitive action. Much of the progress to secure these devices needs to be made by the manufacturers themselves.
But there a few things that businesses can do to mitigate the risk. The first thing to do is to review your cyber security processes. If you assume that your email filters would not be able to stop a coordinated spam attack using IoT botnets, then how well educated are your users? Do they know how to identify a suspect email?
Secondly, if you’re a business that uses IoT devices, ensure that you have strong login credentials and that you have a robust process for installing any manufacturer updates and patches. You may also be able to segment these appliances onto a separate network to reduce the risk of lateral infection into the rest of your organization.
Probably the biggest thing users can do to threat of IoT botnets is to petition the vendors to take it more seriously. Practices such as digital firmware signatures and anomaly detection could begin to make these devices more secure. It’s clear that the Internet of Things poses a security risk to consumers and businesses alike. There’s no easy answer when it comes to protecting your business from attack. All companies should be reviewing their security policies, having recognized the increased threat of an attack that has multiple origins.
And for businesses that utilize IoT appliances, it’s a case of understanding there is an element of danger and ensuring that the competitive edge offered by these devices outweighs that risk. What does this decision process look like in your business? Are you using IoT appliances and has the phrase ‘Internet of Things’ started to work its way into your general security policy conversations? Are you prepared to face IoT botnets?
Have a key staffing need in cyber security, wireless systems, or IoT data, devices and networks? Consider the expert executive search recruitment team of NextGen with over 30 years of placing executive management, functional leaders, and key sales / engineering staff/
When we think of cyber threats to endpoints, typically what comes to mind is the need to protect our PC’s and laptops. Many more businesses are adding comprehensive security solutions and user policies administered to include mobile threat exploits.
But it’s unquestionable now that mobile phones are just as likely (if not more likely) to be targeted by cyber criminals. There are a few reasons for that. The first reason that mobiles are now a legitimate target is the sheer number of them. It’s estimated that there will be over 6 billion smartphones in use by the year 2020. That’s around 70% of the world’s population using a smartphone in 3 years’ time.
Modern smartphones are now small computers. The processing power, functionality, and the way we’ve integrated them into our lives make them a treasure trove of valuable information and easy food for hackers wishing to use mobile threat exploits. And IoT Botnets further increases the vulnerability of cloud based data and mobile devices.
Many people today use their mobile phones to access online banking and as a physical payment method in store. Cybercriminals tend to follow the money and so are putting resources into targeting mobiles. Last year, security vendor ESET discovered a form of malware that presented a false version of online banking login screens to steal credentials.
Like any operating system, there is a continual process of discovering vulnerabilities and attempting to patch them before hackers can take advantage.
This can be complicated on the Android OS. Android is open source, allowing stakeholders to modify and redistribute it to fit their needs.
This means that when mobile threat exploits and vulnerabilities are fixed at the source, it doesn’t always translate to the problem being resolved for the user.
The most famous example of this is the Stagefright vulnerability. This was mobile threat exploits in the code library associated with media playback. If a hacker sent malicious code within a video via MMS, the attack could be successful without any interaction from the user. This vulnerability was said to affect 95% of Android users making patching a nightmare. Although there had been previous serious vulnerabilities in Android, such as FakeID, TowelRoot, and PingPong, this was the first exploit of this scale that could be successful without any user input.
Typically, we see most of mobile attacks targeted at Android devices. But iOS is not completely bulletproof. XcodeGhost was a copycat version of Apple’s development environment, used for creating apps. Developers that used the rogue version of Xcode to create their apps unwittingly delivered their product to the App Store with the malware in tow.
So clearly, we need a robust plan in place to protect mobile devices from mobile threat exploits. But how do we go about this? The first thing to consider is user education. When using a laptop, most people know not to open attachments from unknown sources. But mobile users are not always as careful. Educate them to apply this same level of caution to mobiles; only downloading apps from trusted sources and giving the application, the minimum permissions required to perform its task.
Your company likely already has an Enterprise Mobility Management (EMM) solution in place. This is useful for managing a fleet of mobiles and preventing opportunistic crimes by enforcing passcodes, for example. But EMM is not sufficient to protect against more advanced threats, and most suites don’t have the functionality to detect, analyze and respond to cyber attacks. For this reason, it’s important to supplement your EMM with a Mobile Threat Defense (MTD) product.
MTD has far greater mobile threat exploits threat-detection capabilities and can help to prevent man-in-the-middle attacks, detect non-compliant or malicious apps, and spot jailbroken devices. It’s important to have this level of security on your mobile devices due to the amount of corporate data that can typically be accessed via mobile now.
A cloud-based Identity as a Service (IDaaS) solution can also help to increase security. The benefits of this to a business are two-fold: For the user, all their corporate systems can be accessed via a single sign-on (SSO). This eliminates the need to remember multiple login credentials.
It’s likely to be a multifactor sign-on process which is more secure than a static password. IDaaS also allows users to be automatically granted certain access rights or privileges based on their role. Employees get the right tools to complete their job function and no more. This means that in the event of a mobile threat exploits, the compromise, the amount of accessible information can be limited.
As mentioned, patching mobile devices is not always straightforward, particularly in Android ecosystems. Updates can be blocked by Google, the handset manufacturer, or the mobile operator. However, this situation has improved since Stagefright. Even given these difficulties, it’s important that you have a process for keeping your operating systems up to date. This should be easy to configure in your EMM solution.
Ultimately, we don’t need the statistics to tell us that mobiles are here to stay in the business world; we see evidence of this every day. Mobiles are now integral to huge chunks of our working lives. And because of this, the threat from hackers will continue to grow.
What steps are you taking to ensure that mobiles aren’t an easy attack vector into your business?
And do you feel that your users are as educated on mobile threat exploits as they are about conventional PC-based malware?