This week, choose one of the following new trends, and relate what the business implications (benefit, risk, threat) of the new trend are. If this is a risk or threat to the organization, why does the organization accept the risk, or what else does the organization do to minimize the threat?
- Cloud Computing resources
- Internet of Things
- Mobile Devices
- Changing Privacy Legislation
Elizabeth V Calise says
The Internet of Things (IoT) is a new interconnection of technology. IoT is said to be the indicator for the next industrial revolution. This implies change and disruption. IoT is an extension of existing connection. IoT measures and reports data. The data can be as simple as numbers from a stationary or mobile sensor. It can also be complex findings from devices that measure and report many data streams at a time.
Internet of Things is advancing.
Threats that come with IoT are security and privacy. There have been incidents with hacking of companies, stolen identities and hijacking of app-connected cars. Things that are digitally-connected have security risks. Many organizations do not have strong security protocols in place. Connected device manufacturers are slow to update firmware or release patches. The resolution tends to be the next version. As a result, security and privacy on the network tends to be the user’s responsibility.
Another threat is data and complexity. IoT generates countless bytes of data. There is complexity when say thousands of sensors collect data. The sensors do this each hour across an organization. There needs to be a plan to process and analyze large amounts of data.
A third threat is business and IT buy-in. Stakeholders have concern about security and complexity. There are also the costs and risks holding back progress.
Some benefits are:
Safety, comfort and efficiency. IoT can allow more time for productive and rewarding work. This can drive higher employee satisfaction and retention, while also improving profit margins.
For example, an organization could measure and manage hazardous environments. The org needs to do this without putting people at risk. It also needs to optimize the physical environments for comfort and productivity. It better make sure to control the energy costs. Then there is the ability to automate tedious tasks that are done by machines.
Second benefit: better decision making – if you have the ability to analyze larger trends from data, you can make smarter decisions. It is providing visibility into all aspects of the business.
Lastly, revenue generation. It will help reduce expenses and improve efficiency. It can allow the discovery of new business functions and lead to new revenue opportunities. People may be hesitant with IoT but it provides a strategic advantage over the competitors.
With IoT, sensors collect, communicate, analyze, and act on information. This also creates new opportunities for all the information to be compromised (risk).
Organizations accept the risk because they want to stay competitive and stay up-to-date with the newest technology (main reason). It is not the only reason. They could accept the risk because that IoT device is the only option out there. When we talk about risk, it all comes down to what I gain from the risk outweighing the cost of having it.
It could be something like getting an IoT vending machine. This could be a low risk item and makes managing the vending machines easier. Not really the newest technology and may not provide any competitiveness to the company, but still an IoT risk.
Dima Dabbas says
Elizabeth,
Interesting points. As with any technology, we accept it as it provides some convenience and efficiency and we try to figure out ways to mitigate the risks that result from this new technology. I think in any case, it really depends on whether the advantages of the new technology outweigh the risks that arise from it. Organizations should not introduce new technology in which the risks outweigh the benefits. There needs to be some decision making of why organizations are accepting the risks and if it is worth it or not.
Jonathan Duani says
Elizabeth,
I do agree costs that are associated with IoT devices and buying into them would be a pricey thing but with IT I think this is always going to be a problem and you just need to plan on spending some money on implementation. The thing I did not think about is how much data they could generate and you would need a person to actually ingest and compile the data.
Rommel R. Miro says
This week, choose one of the following new trends, and relate what the business implications (benefit, risk, threat) of the new trend are. If this is a risk or threat to the organization, why does the organization accept the risk, or what else does the organization do to minimize the threat?
Internet of Things
One of the definitions for Internet of Things (IoT) says that it is the extension of internet connectivity into physical devices and everyday objects. Since they can range from sensors to being embedded within other electronic devices that can interact and communicate with other IoT’s, they can simultaneously amaze and terrify a security professional. Another realization is that their numbers will most likely just keep on going up instead of trending down as chips and network speeds get faster and their size gets smaller. With the increase in number and speed, it gets more difficult to track which device talks to who. IT organizations used to just be concerned mainly with traditional devices such as laptops and desktops plus mobile devices. Now, almost everything that is labeled “smart” is most likely an IoT that is part of a bigger ecosystem and can be controlled remotely. The risk comes from the need to make sure they remain patched and updated regularly. The importance of educating end-users or general population cannot be stressed enough. These products are geared towards ease of use and while it may be easy to set it up and connect it to a home network, updates are typically more involved. A company should establish a policy to restrict or require approval for IoT devices before it can be allowed into the network. If an IoT device is compromised or commandeered by a threat actor, it can be used to perform attacks or carry out unauthorized actions. While these IoT devices are similar to a PC by having a CPU, internet connection, storage and memory, their similarities end there as IoT’s do not have the benefits of having protection such as antivirus. Keeping them updated and the vendors/manufacturers making sure they continue to take steps to keep them secure are essential.
Brock Donnelly says
Many organizations look to cloud computing as a solution for many hardware, software, and infrastructure alternatives. For many operating in the cloud, updates and security are worries of yesteryear with amenities acting like condominium services. No lawn maintenance here. However, cloud computing is not without any risk. Security starts with the first service built. With the wrong configuration, unauthorized access to customer and business data would be as easy as opening a browser. Depending on the organization, major concerns are compliance and legal risks. Knowing who can access your data, how it is protected and where it is located is often a restriction of government regulations. Feature and version control may be out of your hands. If that is important to your organization then you may run higher than normal risk with cloud computing. Another factor outside your control is availability. Whose service is providing 100% uptime? Employees at the vendor could pose a threat. Security provided by the vendor is a major concern.
At the time of this writing cloud computing brings many benefits and seems to have decent mitigated risks and threats yet hypervisor hacking is on the horizon. Virtual machine escapes are proven in research labs. They are also proven to be difficult and seemingly requiring harder than average initial access that only a lab can provide. As with anything time will tell, but with Moore’s Law, we know time only allows attacks to get easier.
Ahmed A. Alkaysi says
Cloud Computing resources
Cloud computing provides a number of benefits to organizations. These benefits include scalability, availability, flexibility, and security. There are multiple types of cloud computing services that an organization can use to fit their own needs such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), with each solution having its pros and cons.
Many organizations these days have either migrated their infrastructure, code, or data to the Cloud. These companies have realized it's much cheaper, efficient, and reliable to migrate. By migrating their services, organizations can reduce the amount of hardware they have in the datacenter and the overhead required to maintain it all. In many instances, the datacenters themselves can be downgraded, cutting costs even further.
By migrating code and data to the cloud, organizations can host their applications on elastic platforms, granting them the ability to spin instances up, or down, based on demand to the application or data. With the advent of microservices and APIs, there are many built-in tools to manage these services within the platform.
These benefits are not without their risks however. By migrating to the cloud, the organization is essentially putting critical assets in the hands of another organization. They would need to make sure SLAs are well defined and the contract allows for auditing conducted on the cloud organization. Access and networking are other risks the organization needs to be wary of. They need to make sure their critical assets are segregated from other companies, and that strong physical and logical access controls are defined.
Jonathan Duani says
I agree with you when it comes to cloud services that they both have their pros and cons. I think the biggest con to cloud services is you are trusting another company with your data. A company needs to make sure they secure all the data they transmit off site and especially in the cloud. They will not protect you. I think this is key and is one of the more important things in a company. Cloud is great and it has great application but you need to make sure the application is sound before going live and compromising yourself.
Steve Pote says
Is your location covered by the Fourth Amendment?
Where I spend most of my time may not directly equate to ~who I am~ but it does paint a disturbingly accurate statistical image. Include purchase history and browsing and you probably know me better than my spouse, doctor and mother. Anonymized Google searches aren’t so anonymous when tagged with GeoJSON coordinates for your home. It is great to have the ability to track your middle school child like a tagged bear on RADAR in Alaska but remember ~Pennywise the Clown~ has the same app.
What I find to be the real threat is not that ~we will be tracked~ by definition upon entering society’s gates, but that we are unclear how to proceed.
In the US, state by state rulings make this Civil Law and a game of “whose authority is it anyway?”. Europe and GDPR already list location data as protected.
https://www.aclu.org/issues/privacy-technology/location-tracking/cell-phone-location-tracking-laws-state
Dima Dabbas says
Mobile Risks and Threats: The Importance of Mobile Security
As technology advances, mobile devices are increasingly being used in the organization. There are risks that mobile devices present to the organization in addition to the benefits. The benefits of mobile devices range from increasing mobility, productivity, working remotely to improving customer service. However, mobile devices bring mobile specific challenges to the organization which is the reason organizations are considering mobile security and embracing mobile technology more confidently and securely in your environment.
The risks that mobile devices present are their physical size, mobile connections, data privacy, and mobile attacks.
Physical Size: The size of the mobile devices makes them more susceptible to being lost, stolen or temporarily misplaced. This puts the data in the mobile device from the user’s credentials, personal and corporate information under risk from being compromised.
Mobile Connections: Mobile devices connect through a variety of networks to receive and transmit data. Each of these networks has its security strengths, limitations and each is a vector for remote exploits including data leakage.
Data Privacy: Mobile applications may take advantage of the mobile specific capabilities such as precise location which can invade the privacy of data and possibly put it in the hands of unauthorized users.
Mobile Risks and Attacks: As with any technology, mobile devices are susceptible to risks and attacks such as trojan horses, worms, viruses and social engineering attacks.
Organizations can minimize the risks associated with mobile devices by establishing formal security policies, procedures, standards, providing education and training to their employees.
https://blog.securityinnovation.com/mobile-risk-and-threats-part-i
Jonathan Duani says
Internet of things (IoT) in theory is relatively a good idea and really revolutionized how we interact with our daily world. However, when it comes to a security standpoint of IoT there really are some shortcomings that cause problems in the security realm. The first and biggest problem I see with IoT devices is that they are usually out of date with patching and security updates. When an IoT device comes out they usually are running a specific operating system and a lot of the times these operating systems could be unpatched for the lifetime of the device. This will cause security vulnerabilities to be exploited and attackers to get into the network. A benefit to an organization could be the low power and footprint they have in the organization. A small device like a Raspberry Pi could run a print server or a digital signage machine and have little cost and overall technical footprint on the network. The problem is however that if they are not updated on a regular basis and properly vetted, they could be an entry point for a lot of attackers. A lot of times the organization accepts the risk for these devices because they want to be on the cutting edge of technology and have the latest and greatest. In order for this to happen they need to make some sacrifices that a lot of the security team may not agree with. Another problem that comes along with the IoT devices is integration. A lot of times it requires open ports and special rules to allow it to work properly in the network. All this could be points of failure for an attacker to get in. An organization can minimize risk by making sure the device is properly vetted before being installed and maybe running them behind a specific firewall and/or VLAN. Another way to minimize risk is making sure patching and all vulnerabilities have been and are always being patched as they come out with new revision and updates.
Ahmed A. Alkaysi says
We always see IoT devices being hacked and used as part of a larger botnet. Many of these IoT devices are from China, where manufacturers don’t really put much stock into the security of the device. These devices end up with many vulnerabilities at the time of sale, with the primary one being the use of default user and passwords.
Jonathan Duani says
Ahmed,
I agree, a lot of things that come out of China are more vulnerable than stuff made here. Unfortunately, nobody thinks about these things until it's too late. I do agree with you that one of the biggest issues is definitely default usernames and passwords.
Duy Nguyen says
In a culture of convenience, we have adopted many new technologies that make our lives easier but the security features of these technologies have often not caught up. These shortfalls usually put unknown users at risk. One emerging trend that is currently being deployed at a massive rate, with unknown or untested vulnerabilities, is the Internet of Things (IoT). An IoT is a network of web-enabled smart devices that use embedded sensors and hardware to collect, send and act. IoT devices share data that are collected by connecting to an IoT gateway or other edge devices to be analyzed in the cloud or locally depending on the type of device. IoT is one of the best examples of the tradeoffs between conveniences over security, which is an emerging trend of integrating automated devices to make everyday tasks more accessible and manageable. This integration ranges from simple smart electrical plugs to smart door locks, washers, driers, from TVs to lights. IoT devices share data that are collected by connecting to an IoT gateway or other edge devices to be analyzed in the cloud or locally depending on the type of device. Home automation devices can be divided into two categories, locally controlled or remotely controllable systems. Connectivity, networking and communication protocols of these IoT devices depend on the application used. Remotely controlled systems use the Internet to offer control of set devices via computer or mobile application. If it’s connected to the internet, it will have vulnerabilities and be susceptible to cyber-attacks. IoT devices would experience the same threat vectors IS would such as DoS attacks, malice codes, identity and credential exploits, and unauthorized access.
Sheena L. Thomas says
For many organizations, the benefits of mobile devices outweigh the risk of using them. Mobile devices are a way of life now, especially when it comes to conducting business. Information is at the tip of everyone’s hand thanks to Mobile devices. Think about the average sales or market person, having mobile devices increases their ability to satisfy their clients and employers in the matter of seconds. But with great benefits there are risks involved. Below are some of the benefits, risks, and threats involved with Mobile devices.
Benefits:
Increase flexibility
Simplify processes
Improve communication
Up-to-date technology.
Save money.
Increase productivity (working remotely)
Risks:
Lost or stolen devices with unencrypted PII data stored on it
Access Unsecure Wi-Fi
Downloading malware
Cybercriminals can also intercept cellular calls
Supporting multiple device types and OS.
Spending a large amount of money for keeping devices up-to-date
Data usage charges.
Threats:
Can be used to harass or bully a person
A hacker can use mobile devices to gain unauthorized access to data
Dima Dabbas says
Sheena,
Mobile devices are necessary to organizations but may also be the main reason behind many of the incidents that can happen within it as well. They do introduce many benefits to the organization from convenience of being able to work remotely and saving money but at the same time if employees are not aware of the risks that can come with the devices being stolen or left for a period of time without anyone using it. Again, decision makers need to understand the risks that mobile devices introduce and be willing to have methods that can help mitigate these risks if they plan on bringing on the use of mobile devices.
Elizabeth V Calise says
Sheena,
I definitely agree that the benefit of mobile devices outweighs the risks. Mobile devices bring such ease to organizations. When it comes to employees on business travel or having to step out of work to go to an appointment or attend their child's event, mobile devices allow for employees to still be connected. Especially when critical items arise while the employee is not in the office or at home by their laptop. They can respond via email or take a call. This can apply to iPads as well.
As Dima mentioned, there can be a risk of these devices being stolen but it is no different than your own personal devices being stolen. The major difference is that mobile device can have sensitive information. With that known risk, companies should have solid process in place if that is to happen and the top security when it comes to mobile devices.
Folake Stella Alabede says
I was reading about the article below, and it made me think of an argument we always have at my place of work – which is better/more secure, iPhone or Android? – and even though this is always a debatable topic, I find that organizations tend to lean more towards the iPhone.
For example, if you have an iPhone, my employer would download/let you download the office email (Outlook) and some other few official apps (Webex, etc), but this is NEVER an option with an Android phone.
So the article reads below
One of the mobile security threats you should take seriously – Out-of-date devices
Smartphones, tablets and smaller connected devices — commonly known as the Internet of Things (IoT) — pose a new risk to enterprise security in that unlike traditional work devices, they generally don’t come with guarantees of timely and ongoing software updates. This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system (OS) updates and with the smaller monthly security patches between them — as well as with IoT devices, many of which aren’t even designed to get updates in the first place.
“Many of them don’t even have a patching mechanism built in, and that’s becoming more and more of a threat these days,”
Increased likelihood of attack aside, an extensive use of mobile platforms elevates the overall cost of a data breach, according to Ponemon, and an abundance of work-connected IoT products only causes that figure to climb further. The Internet of Things is “an open door,” according to cybersecurity firm Raytheon, which sponsored research showing that 82 percent of IT professionals predicted that unsecured IoT devices would cause a data breach — likely “catastrophic” — within their organization.
Again, a strong policy goes a long way. There are Android devices that do receive timely and reliable ongoing updates. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around them.
https://www.csoonline.com/article/3241727/7-mobile-security-threats-you-should-take-seriously-in-2019.html
Dima Dabbas says
Stella,
Very interesting article. You are right in terms of the ongoing debate between iPhones and Androids. I think in the long run it is about which operating systems are updated regularly with bug and vulnerability fixes. There needs to be strong security policies in place for organizations regarding the use of mobile devices to ensure that employees abide by them and understand the risks that they may pose on the organization if they do not.
Jonathan Duani says
Dima,
I agree that article was definitely interesting. It is a very interesting thought about which operating system updates more regularly and I can tell you owning an Android phone I always have updates. I think they are on top of it more than Apple but I may be biased. The security that needs to be in place like a MDM and encryption in certain industries could hold vital.
Oby Okereke says
New Trends in Information Security- Mobile Devices
The ever-increasing use of mobile devices in organizations is ubiquitous; more apps that will deliver even more advanced business processes are constantly being developed on a continual basis. Insomuch as workers have come to enjoy and demand even more flexibility with regards to being able to carry out their job functions via mobile devices, the need to weigh the benefits, versus the risks and threats should form part of an organization’s business strategy.
Some of the benefits that mobile devices offer include:
Increased efficiencies from enhanced communication and connectivity
Enhanced workflow processes
Streamline business processes
Risks associated with Mobile devices are inherent because mobile devices extend beyond the secured perimeters of an organization. Workers travel with these mobile devices and can access sensitive material via these devices thereby exposing unauthorized access to data. Some of the notable threats facing mobile device use in organizations include, data leakage, social engineering, poor password hygiene.
To help combat some of these risks and threats, a good starting point is developing a mobile device policy that will address mobile device acceptable use within an enterprise. Also using a mobile device management tool will help streamline vulnerabilities and address weak points especially with the use of personal devices (otherwise known as BYOD) for accessing corporate mail and content.
Frederic D Rohrer says
Mobile Devices
Benefit:
The benefit to Mobile Devices is that organizations can leverage mobile applications to increase their staff’s response time and flexibility. Communication such as approvals or content management can be done on a mobile environment. This has the benefit that certain actions are completed faster, the staff is always aware of changes and thanks to biometric and two-step security, mobile devices can act as another defense-in-depth layer. Mobile Devices are usually better secured than full-fledged computers and are harder to scope/enumerate and attack remotely due to their transient network nature.
Risk:
One major risk with Mobile Devices, since they are on the employee at all times and not physically secured to a building, is that they can be exfiltrated easily. Information stored on devices can be stolen with relative ease, even if the device is locked or off. Since Mobile Devices are so ubiquitous in the workplace, they also run the risk of being abused for data leakage, whether the Mobile Device owner knows or not. It is hard or impossible to control for data leakage on a Mobile Device which is connected to a carrier’s WAN.
Threat:
Mobile Devices pose a threat for data exfiltration, espionage and firewall circumvention attacks.