IoT Archives - Corsec Security, Inc.®

IoT Expansion Opens The Door to Vulnerabilities

Jake Nelson — Wed, 11 Apr 2018 20:30:25 +0000

The IoT expansion has been innovative, immersive, and impressive; revolutionizing modern day interactions and connectivity.

To meet this demand, companies are deploying products at rapid speed, while lowering prices to promote user adoption; leaving many in the security sector concerned about user data protection and proper product security hardening.

To address these concerns, The UK is taking a proactive approach, outlining a 13-point Code of Practice for manufactures, service providers, mobile application developers, and retailers to follow related to the IoT space – “Secure by Design: Improving the Cyber Security of Consumer Internet of Things Report”.

This concept may be new to the growing IoT space, but it is already the status quo for many products in Regulated Industries, as well as heavily mandated by Federal Governments around the globe. Their requirements for certifications like FIPS 140-2, Common Criteria, and the DoD’s APL address these concerns; ensuring products protect sensitive data and implement proper security architecture frameworks prior to deployment and network integration.

For companies looking to analyze their current security strategy and implement sound product security certification practices, there is help. Corsec Security is the global leader in providing assistance in security certifications and product security hardening. With the largest staff of experts in the industry and a comprehensive end-to-end solution that includes assessment audits, documentation, testing, enterprise lab services, and strategic product roadmap planning, Corsec has helped secure more than 400 unique products for hundreds of organizations on five continents over the last 20 years.

This guidance helps companies address security requirements for healthcare, financial services, critical infrastructure, national and international markets, and now IoT. Not only do they secure products, but also foster public trust and reap rewards for security investments, enabling you to overcome competitors in a market valued at over $3.5 trillion.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

IoT Security Facing Government Regulation

Jake Nelson — Wed, 27 Sep 2017 19:08:03 +0000

New legislation could be on the way to secure the devices we use in our everyday lives. From our smart phones to our garage door openers, the IoT space has revolutionized the way we organize and live out our daily routine. In recent months, the security of these devices has been scrutinized as vulnerabilities have been uncovered, and even worse, exploited.

Republicans Cory Gardner and Steve Daines along with Democrats Mark Warner and Ron Wyden are working to introduce a new bill that will work to prevent such attacks – Internet of Things Cybersecurity Improvement Act of 2017. The bill outlines “minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.” The legislation is intended to hold providers of devices that connect to the internet accountable for potential threats to the security of the connected products. These companies would need to provide patches, fixes, and other means to safeguard against attacks as they are uncovered.

The bill lays out several security focuses, including:

IoT companies that offer products purchased by the federal government must ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities
Requirements for alternative network-level security requirements for devices with limited data processing and software functionality, led by the Office of Management and Budget (OMB)
The development of new guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government, led by the Department of Homeland Security’s National Protection and Programs Directorate
An executive agency mandate to inventory all Internet-connected devices in use by the agency

This concept may be new to those within the growing IoT space, but it is already the status quo in many Federal agencies and heavily Regulated Industries around the globe. Security standards and procedures exist today in order to hold companies accountable for the technology they produce, and through an accredited security certification testing process, they are validated against potential threats to systems and infrastructure. This new movement to secure the IoT space has already taken lessons learned from other industries in order to quickly and effectively introduce protocols to protect user data and security. This new bill specifically “requires the contractor providing the Internet-connected device to provide written certification that the devices, does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects listed in the National Vulnerability Database of NIST.”

NIST oversees other security certifications such as FIPS 140-2, which is used to secure products sold into the U.S. federal government are required to complete FIPS 140-2 validation if they use cryptography in security systems that process sensitive but unclassified information.

If you would like more information regarding IoT Security, or how existing security certifications like: FIPS 140-2, Common Criteria, or the DoD’s APL, can be applied- then contact Corsec today to get started!

Subscribe to Corsec emails!

IoT Device Security – What You Need To Know

Jake Nelson — Thu, 20 Apr 2017 21:40:17 +0000

The expanding market for connected devices and the Internet of Things (IoT) has propelled demand for products that alleviate the stress of managing daily interactions; from buying groceries to protecting our homes, there is an app or device for that. To meet this demand, manufacturers are developing products at rapid speed, while trying to keep prices low to promote user adoption. This has left many in the security sector asking the question, have we taken the necessary steps to ensure these products are properly securing user data?

Internet of “Bad” Things?

The IoT industry expansion has been innovative, immersive, and impressive. The direct-to-consumer IoT device market has also faced incredible growth, however with increased access and cheaper solutions, device security is not always prioritized.

IoT products aren’t limited to just one consumer audience- in fact, you can find products directed towards any demographic. Not only are the devices sold as a singular solution, but they can also be incorporated into existing technology. Often, they are fairly inexpensive and this is what makes unsecured IoT devices a goldmine to hackers; as they are now able to infiltrate and disrupt any consumer industry. From children’s toys, home assistants, connected cars, etc; IoT devices have begun to incorporate themselves within our everyday lives.

Protecting consumer data isn’t difficult, but it is a step that many overlook in a quest for convenience or excitement in adopting the new technology.

IoT specific security standards haven’t been ratified, which means that it is up to the consumer in most cases to ensure that they are taking every precaution in securing their devices.

Here is your basic IoT Device Securing Checklist:

Identify which of your devices have communication abilities, and ensure that the hardware/software/firmware is up to date on both the IoT device and whatever device you are establishing a connection with.
Upon your first use of the IoT device, update your user credentials. Do not just keep the credentials on the factory/default setting.
Disable any Universal Plug and Play (UPnP) option, and disable any automatic connections to the device.
Check to see if there is a competing product that has gone through the security certification process. A FIPS 140-2 certification shows that the product has undergone extensive testing and that the crypto functionality of the solution is up to NIST/government standard.

If you are unsure of whether or not your IoT solution could benefit from obtaining a security certification like: FIPS 140-2, Common Criteria, or DoDIN APL; contact Corsec to discuss your options.

Subscribe to Corsec emails!