
Cybersecurity for the Business Traveler: A Tale of Two Internets

November 27, 2018 — by David Hobbs

Many of us travel for work, and there are several factors we take into consideration when we do. Finding the best flights, hotels and transportation that fit within compliance guidelines is the first set of hurdles, but the second can be a bit trickier: trusting your selected location. Most hotels do not advertise their physical security details, let alone any cybersecurity efforts.

I recently visited New Delhi, India, where I stayed at a hotel in the Diplomatic Enclave. Being extremely security conscious, I did a test on the connection from the hotel and found there was little-to-no protection on the wi-fi network. This hotel touts its appeal to elite guests, including diplomats and businessmen on official business. But if it doesn’t offer robust security on its network, how can it protect our records and personal data?  What kind of protection could I expect if a hacking group decided to target guests?


If I had to guess, most hotel guests—whether they’re traveling for business or pleasure—don’t spend much time or energy considering the security implications of their new, temporary wi-fi access. But they should.

More and more, we are seeing hacking groups target high-profile travelers. For example, the Fin7 group stole over $1 billion with aggressive hacking techniques aimed at hotels and their guests. And in 2017, an espionage group known as APT28 sought to steal password credentials from Western government and business travelers using hotel wi-fi networks.

A Tale of Two Internets

To address cybersecurity concerns—while also setting themselves apart with a competitive advantage—conference centers, hotels and other watering holes for business travelers could easily offer two connectivity options for guests:

  • Secure Internet: With this option, the hotel would provide basic levels of security monitoring, from spotting virus connections to command-and-control infrastructure to looking for rogue attackers on the network. It could also alert guests to potential attacks when they log on, on a “best effort” basis.
  • Wide Open Internet: In this tier, guests could access high speed internet to do as they please, without rigorous security checks in place. This is the way most hotels, convention centers and other public wi-fi networks work today.

A two-tiered approach is a win-win for both guests and hotels. If hotels offer multiple rates for wi-fi packages, business travelers may pay more to ensure their sensitive company data is protected, thereby helping to cover cybersecurity-related expenses. And guests would have the choice to decide which package best suits their security needs—a natural byproduct of which is consumer education, albeit brief, on the existence of network vulnerabilities and the need for cybersecurity. After all, guests may not have even considered the possibility of security breaches in a hotel’s wi-fi, but evaluating different Internet options would, by default, change that.


Once your average traveler is aware of the potential for security breaches during hotel stays, the sky’s the limit! Imagine a cultural shift in which hotels were encouraged to promote their cybersecurity initiatives and guests could rate them online in travel site reviews. Secure hotel wi-fi could become a standard amenity and a selling point for travelers.

I, for one, would gladly select a wi-fi option that offered malware alerts, stopped DDoS attacks and proactively looked for known attacks and vulnerabilities (while still using a VPN, of course). Wouldn’t it be better if we could surf a network more secure than the wide open Internet?

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.


The End of the Telephone

November 20, 2018 — by David Hobbs

Telephones have come a long way in their short lives, evolving from a simple transmitter and receiver to today’s ubiquitous smartphones. But as technologies continue to consolidate and automation takes over, what are we going to do at the end of the telephone? And what are the security implications of that?

Imagine a world where phone numbers have no meaning, and we instead rely on a system resembling an Internet IP address that shifts according to location. After all, we’re increasingly using smartphone apps like WhatsApp, iMessage, FaceTime, Skype (and so many more!) to communicate. How often do we actually dial our friends and family to talk? Moreover, how many of us still even own landlines?!

The fact is, we, as a society, interact more and more via apps, and I predict that the end of POTS (Plain Old Telephone System) will come faster than you think. Even my ageing parents have disconnected their home phones and my 84-year-old father uses an iPhone!


So, with cybersecurity in mind, what does this new trend mean?  Do we have ways to integrate our businesses into this new era?  How do we keep our customers, friends and family connected, while keeping our data safe?

The reliance on chat apps is beneficial in that it helps avoid international call charges and allows us to be global citizens without boundaries imposed by phone companies. But it also opens us up to vulnerabilities, like potentially communicating and exchanging sensitive data with the wrong person(s). While two-factor authentication—which is used, for example, when you log into a bank account from a public Internet device and the site confirms your identity via text or a call—works now, when phone numbers disappear, it won’t do any good.

This is where the future of innovation plays a critical role; we will need a new way to identify and connect with people beyond face recognition, fingerprints on an iPhone or a password generated by a system. For example, 5G networks allow for the design of software-defined private networking and the ability to provide function virtualization. We should begin to see full security stack solutions at the endpoint of radio/5G/WiFi, without security having to live in the central office.


Look forward to the future where trust and identity are going to be better than some sort of robot speak of numbers and data on the screen.

Read “Radware’s 2018 Web Application Security Report” to learn more.


Consolidation in Consumer Products: Could it Solve the IoT Security Issues?

October 9, 2018 — by David Hobbs

In 2003, I went to Zermatt, Switzerland to go snowboarding under the Matterhorn. We had an eclectic group of people from all over the world. Some of us were enthusiasts, some ski patrol or medics, and a few were backcountry avalanche trained. Because of this, we had a lot of different gear with us, including ice saws, shovels, probes, avalanche beacons, radios, etc. In addition to the gear we carried, we also brought cameras, cell phones, MP3 players and of course, large battery charger bays with international inverters/adapters to keep everything going. I had a backpack with all the avalanche and snow testing gear. In my jacket, I carried an avalanche beacon, digital camera, flip cell phone, family radio with a long external mic, GPS, and an MP3 player with headphones. I felt like I was Batman with all the gear crammed all over the place. I told one of my friends on the trip that one day all of this technology would be consolidated into one device – radio, phone, camera, MP3 player, and avalanche beacon. My friends thought I was crazy and that it would never happen. Fast forward to the smartphone, where we now have it all, with the exception of the avalanche beacon, in one device.

To think that many of us had these “point solutions” in our personal tech and now it’s all consolidated into one makes me wonder: when will we consolidate at home?

The future of the smart home

I have a Zigbee bridge for my lights, a Zigbee bridge for my blinds, 5 smart speakers, solar panels on the blinds (to charge them and get heat/sunlight measures), smart smoke detectors, smart locks, IP cameras, smart watering system for the plants, smart lights, smart alarm, UTM firewall, WiFi mesh, etc. These are all point solutions. Some of them are really neat and probably should stay point solution based, but what if the technology companies today were to start thinking about consolidating and adding security into the mix?


I’ve started to look at upgrading my home WiFi network as my smart TV and smart streaming box are now struggling to play streaming movies. After looking at some of the new consumer-level WiFi mesh solutions, I think they show a lot of promise. One of the vendors I’m considering offers not only an easy-to-set-up mesh WiFi, but also automatic channel changing for WiFi radio frequencies to find the fastest radio, as well as automatically moving devices around to access points. One of them offers VPN services as well as anti-virus and content filtering (keeping you safe from malicious websites), gives out tokens for guests and keeps them on their own network. This all looks great, but I started to think back to Zermatt, Switzerland.

What if the smart home speaker manufacturers wanted to really capture the market? What if you could get a smart speaker that had a WiFi mesh access point, a Zigbee/Z-Wave access point (for lights, controllers, etc.), and cloud-based security features in it? If I could drop a new smart speaker in any room, set it up in 3-5 minutes and have it join my wireless mesh network, it could cover a lot of territory quickly. Now, if one of them were the base unit that plugged into the internet router, it could be the main interface for security. It could take all the device groups and help suggest security policies to keep them from talking to things they shouldn’t (for example, the cameras should never talk to the smart watering controller). What if it could look for IoT threats that spread internally as well as connections to malware command-and-control servers?

Security should be a priority

The security that could easily be offered and bundled across this platform could include things like VPN (both to and from the home network). This could allow you to browse safely while using public WiFi. You could also access home devices that may not be very secure as shipped by the manufacturers, like IP cameras and DVRs, without having to expose them to the world. Cloud-based security offerings could do things like look for malware infections and requests to malware botnet controllers. Then, layers like intrusion prevention and active WiFi defense could help detect if hackers were aiming at getting onto the network and doing harm. And finally, putting all of these offerings into a single pane of glass for visibility would definitely be attractive to end customers.

Granted, I know this could put the point solution providers in a position where their WiFi solutions and home routers become less valuable to the mainstream. But what if we got better antivirus and IoT protection? I can only dream of the day that we as consumers are able to consolidate all of our home networks into a real smart home-based solution. I know that in the enterprise IT market, Unified Threat Management platforms have gained popularity: firewalls that do Intrusion Prevention, Wireless Intrusion Prevention, Inline Antivirus, Content Filtering, Guest and networks. I think the next logical step is to see all of these features consolidated into the next generation of smart home speakers. How long will it take to see this reality? I don’t know. Will people think this idea is crazy? Probably.

Update: At the time of writing this, there has been an announcement from one of the smart home speaker manufacturers for a new smart home speaker. This new line will actually include a smart home hub in the speaker.  Nothing has been said as to whether it provides any security features.

Read “Radware’s 2018 Web Application Security Report” to learn more.


Cities Paying Ransom: What Does It Mean for Taxpayers?

September 25, 2018 — by David Hobbs

On September 1, Ontario’s Municipal Offices experienced a cyberattack that left their computers inoperable when malware entered its systems and rendered its servers useless. The municipality was faced with paying a ransom to the attackers or facing the consequences of being locked out of its systems. Per the advice of a consultant, the city paid an undisclosed amount of ransom to its attackers.

Only a couple of months earlier, the Town of Wasaga Beach in Ontario faced the same issue and paid one bitcoin per server. It spent 11 Bitcoins, valued at the time at $144,000, to regain control of 11 servers. The town negotiated with the attackers to reduce the price to $35,000. After paying the ransom, Wasaga Beach assessed the damages to its city at $250,000 for loss of productivity and reputation.

This scenario has become commonplace today.  Cities, municipalities, and government agencies have all experienced ransom attacks. But ultimately taxpayers are the ones that pay the bill for these cyberattacks.  The city of Atlanta projected $2.6M for ransomware recovery in May of 2018.  Atlanta chose not to pay the ransom, and instead allocated the funds to incident response.

Have these cities actually tested backup systems and disaster recovery within the last 2-3 months?  As public entities, we would ideally have full transparency and an understanding of the capabilities in place to protect public infrastructure.

Why have certain cities lacked transparency about the decision to pay attackers? Could the reasons for poor public disclosure be a lack of expertise and IT security spending, fear of public criticism, or actual weaknesses in their IT systems?


Should there be disclosure laws for public sectors concerning data breaches and malware events?

If a city is constrained with IT budgets preventing their IT department from making advances in cybersecurity protection, do its citizens get to vote on how IT is handled?  What if outsourcing IT to a managed services expert reduced costs (and headcount/jobs) while providing greater security? Would municipalities be better off if they could focus on delivering services to their citizens without having to worry about IT security?

Considering there aren’t a ton of checks and balances (and possibly budget), is this going to become the norm for hackers to target?

Private sector companies have been forced to take cybersecurity more seriously and according to some projections, will spend over $1 trillion on global digital security through 2021. Bank of America and J.P. Morgan Chase each spend around $500 million a year on cybersecurity.  Meanwhile, federal cybersecurity spending continues to lag, with some estimates suggesting it will reach a meager $22 billion by 2022.

Is the answer to the problem to start looking at better disclosure in IT spending? Should the public sector IT be outsourced to IT experts and moved to the cloud? Will the taxpayers perpetually be on the hook for poor IT security protection in the public sector?

There are hosted solution providers today that provide secure solutions for cities. Some cloud providers already have turnkey government solutions available for sale. Some of these platforms include city management, fare and tolls, police and intelligence, prison management, court management, video management, and safe city management. What if the taxpayers found that it cost less money and did a better job of security?  Would the voters be able to push public transparency and cost reduction through? How many more events like this will it take to move government IT into better hands?

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.


The Legitimacy of Cryptocurrency Has Made It Harder for Hackers

March 22, 2018 — by David Hobbs

Last year a few noteworthy things happened in terms of cryptocurrencies. The IRS won their case against Coinbase, and over 14,000 people who traded over $20,000 USD in 2015 now have to face the IRS. Exchanges in Asia started forcing KYC (Know Your Customer) requirements on customers, as did most of the rest of the world. Bitfinex decided to block all U.S. customers in November of 2017 due to regulatory issues and uncertainty. What this means is that Bitcoin and cryptocurrency are becoming harder to trade anonymously and without paying taxes. This is what happens because of legitimacy from regulation, lawful trade and taxation. I am not saying there isn’t much debate still regarding the legality, legitimacy or utility of cryptocurrencies; I’m saying 2017 had a significant change in how it is viewed. Today, the SEC in the U.S. has been discussing forcing cryptocurrency exchanges to register with the SEC, and there is no definitive answer to what this is going to mean or if it is going to happen.


A Review of the MIT EF Blockchain Presentation

January 30, 2018 — by David Hobbs

By now, almost everyone has heard of Bitcoin and blockchains. Mainstream news, investment platforms, Wall Street, and everyone else are talking about this technology as the most amazing discovery since the internet. Many have called the crypto coins a bubble and likened them to Tulip Mania, while others point to the Dot Com Bubble and say this has the same look and feel. One thing is for certain: There will be some winners in the technology space, and some form of blockchain technology will live on, just like the dot com did. We all still use the internet and dot com companies as an everyday thing. Can we look at the past “dot com bust” and predict the future of blockchain, cryptos and this technology?


It’s All Fun and Games…Until Your “Smart” Home Gets Hacked

September 21, 2017 — by David Hobbs

A year ago, we bought a fixer-upper well below market value. We knew that we would have the opportunity to make some investment in smart tech. When Amazon sent a Smart Home Consultant to our house, they said we were farther ahead than most of the people they met with. I was trying to get them to help me make my lights flash blue and green when the Seahawks NFL team scored a touchdown. We’ve since solved that problem, and along the way, we had to take many important security measures.


GDPR and HITECH: Can the past predict the future?

June 27, 2017 — by David Hobbs

In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.


To stay secure: Four new SSL implementation thoughts

June 1, 2017 — by David Hobbs

10 years ago, I left my position as the principal architect at a major U.S. financial institution. We developed the standards for how SSL was used inside the bank and their systems. Because of the weakness of ADC hardware at the time, we standardized on the “fastest and lightest” ciphers that would allow us to be compliant for online banking. In today’s age, many would argue that is absolutely foolish. But is it?

We know that SSL has changed a lot in the last 10 years. Old ciphers are now considered insecure, obsolete, and out of PCI compliance. In looking at what many companies have shared about how they deal with SSL, we know there’s a blend of “just enough” cryptography to pass, and “Next-Gen” crypto, as some are calling it. According to Gartner, 50% of traffic in enterprises today is encrypted.


ISP DDoS Protection May Not Cover All of Bases

May 25, 2017 — by David Hobbs

Most organizations cannot rely solely on on-premise solutions because of the volumetric aspects of DDoS attacks. Multi-gigabit attacks cause on-premise connection lines to fill up and organizations to go offline. Vulnerabilities with CDNs also pose limitations for organizations. On-premise and cloud-based solutions offer protections that most ISPs are not able to deliver effectively. Some ISPs have much better detection and DDoS mitigation capabilities, and next-generation offerings may include WAF and DDoS automation and integration. Every ISP is different, and actual protections will vary over time and with vendors.