Thursday, January 29, 2015

Nine Questions to Ask to Improve IoT Risk Management

(BUSINESS WIRE)--As connected devices infiltrate the workplace—some with IT’s knowledge and some without—both value and risk can increase significantly. Global IT association ISACA has released new guidance urging companies to ask nine critical questions as they grapple with the Internet of Things (IoT).

ISACA recommends companies address:
1. How will the device be used from a business perspective, and what business value is expected?
2. What threats are anticipated, and how will they be mitigated?
3. Who will have access to the device, and how will their identities be established and proven?
4. What is the process for updating the device in the event of an attack or vulnerability?
5. Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
6. Have risk scenarios been evaluated and compared to anticipated business value?
7. What personal information is collected, stored or processed by the IoT device?
8. Do the individuals whose information is being collected know that it is being collected and used, and have they given consent?
9. With whom will the data be shared?

These questions are particularly critical given that 43 percent of enterprises are leveraging IoT already, or have plans to do so in 2015, according to ISACA’s IT Risk/Reward Barometer survey.
“Connected devices are everywhere—from obvious ones, like smart watches and Internet-enabled cars, to ones most people may not even be aware of, such as smoke detectors,” said Robert Stroud, CGEIT, CRISC, international president of ISACA and vice president of strategy and innovation at CA Technologies. “Often, organizations can be using IoT without even realizing it—which means their risk management stakeholders are not involved and potential attack vectors are going unmonitored.”

ISACA’s free (after registration) “Internet of Things: Risk and Value Considerations” guide was released today as a free download at The paper includes dos and don’ts for the IoT, and outlines the types of risks organizations must consider.

Related Books

Unit and Ubiquitous Internet of Things

Smart Grid Security: An End-to-End View of Security in the New Electrical Grid

Data Privacy for the Smart Grid

Security and Privacy in Smart Grids

Monday, January 26, 2015

Critical Infrastructure Executives Complacent about Internet of Things Security

Surveys aren't as bad as listicles for clickbait, but there so seem to be a lot of them, most requiring surrender of sufficient information to quality as a sales lead. Still, they do generate some thought, and the summaries are sufficient to get the key points. Here's a  survey summary on attitudes of critical infrastructure execs on IoT dangers.

Tuesday, January 20, 2015

Cisco Annual Security Report Reveals Widening Gulf between Perception and Reality of Cybersecurity Readiness

The Cisco 2015 Annual Security Report reveals that organizations must adopt an 'all hands on deck' approach to defend against cyber attacks. Attackers have become more proficient at taking advantage of gaps in security to evade detection and conceal malicious activity. Defenders, namely, security teams, must be constantly improving their approach to protect their organization from these increasingly sophisticated cyber attack campaigns. These issues are further complicated by the geopolitical motivations of the attackers and conflicting requirements imposed by local laws with respect to data sovereignty, data localization and encryption.

Friday, January 16, 2015

Tech Support Vishing Scam Documented

I have to admit the term "vishing" for voice phishing is a new one for me even if the technique isn't.

"PhishMe has released details of a recent  'Vishing' scam experienced first-hand by its senior research Ronnie Tokazowski. Vishing is when someone rings up, pretending to be from a legitimate organization - be it a bank, the police, or as in this case technical support - claiming you’ve been a victim of fraud.

"Ronnie explains, "We recently investigated a 'vishing' call received by one of PhishMe's employees. After saying that he would call the 'technician' back, the employee passed the number over to us and we began to investigate. The number the technician provided us was 646-568-7609. A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle. Once connected, I was directed to a website, 'www.pcefix.webs[d]com' where I could download the information to allow the computer technicians to 'fix' my system. These downloads were riddled with viruses."

"As you can imagine, Ronnie also had a 'little fun' with the scammers, as he confirms "Once Alex [the scammer] 'convinced' me that my computer was infected, he offered me a few different payment options. The basic option was $199 for a 2-year warranty to fix my computer, $299 bought another 2 years, and $399 bought lifetime service for fixing every system in my house. What a deal!""

Wednesday, January 7, 2015

5 Industries Devastated by Data Breaches in 2014

Truth be told, it's not just these industries that have been devastated. It's everyone one of us. Clearly, the law of unintended consequences applies here. Whatever the main motivation behind making all systems Internet facing, it seems now that it was the wrong thing to do. We're sorely ill-equipped to defend systems against well-funded people whose only purpose in life is own those systems.