Cybersecurity

Study: IT professionals not confident in their companies’ cybersecurity staffing

11/07/2016

PORTLAND, Ore.—Tripwire, a global provider of security and compliance solutions for enterprises and industrial organizations, recently announced the results of its study, conducted by Dimensional Research. Tripwire said that only twenty-five percent of respondents were confident their organizations have the number of skilled cybersecurity experts needed to effectively detect and respond to a serious cybersecurity breach.

Securing IoT

Wednesday, October 26, 2016

Last week’s malware attack sent a sobering chill through the security industry, as it illuminated the cybersecurity vulnerabilities of IoT products, showing how easy it is to hack into unsecured IP devices.

The hackers, who were able to affect sites including Twitter, Spotify and CNN, launched a distributed denial-of-service (DDoS) attack using tens of millions of malware-infected devices connected to the Internet to overwhelm Dyn, a provider of Domain Name System services.

Although the attack amounted to a temporary inconvenience for millions, it underscored the need for cybersecurity standards for the IoT world.

Toward that end, the Cloud Security Alliance (CSA) released this month a new guidance report titled “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products,” which was created to help designers and developers of IoT-related products and services understand the basic security measures that must be incorporated throughout the development process.

With the release of this report, the CSA looks to provide much needed education and direction to product developers who know their products are at risk of compromise, but may lack the understanding as to where to start the process for mitigating that risk.

“It is often heard in our industry that securing IoT products and systems is an insurmountable effort,” Brian Russell, chair IoT Working Group and chief engineer, cyber security solutions with Leidos, said in the announcement. “However, with the help of our extremely knowledgeable and dedicated volunteers, we are providing a strong starting point for organizations that have begun transforming their existing products into IoT-enabled devices, as well as newly emerging IoT startups. We hope to empower developers and organizations with the ability to create a security strategy that will help mitigate the most pressing threats to both consumer and business IoT products.”

Specifically, the report lays out 13 considerations and guidance for designing and developing reasonably secure IoT devices, to mitigate some of the more common issues found in IoT device development. Additionally, recognizing that there is often a need to quickly identify the critical security items in a product development lifecycle, the researchers also outline the top five security considerations that, when applied, will begin to substantially improve an IoT product's security posture.

The CSA IoT Working Group is focusing on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations. The group is led by Russell, with initiative leads Priya Kuber and Dr. Shyam Sundaram. Nearly 30 CSA IoT working group members contributed to development of the 80-plus page guidance report.

The full report is available at https://cloudsecurityalliance.org/download/future-....

Cyber-insanity

Wednesday, September 7, 2016

It has been about a month since I used this space to talk about the rising need for cybersecurity, a topic that is increasingly popping up in conversations within the physical security space.

Just this week, a report on the Cyber Security Market from global research firm MarketsandMarkets shows that the cybersecurity market is estimated to grow from $122.45 billion in 2016 to $202.36 billion by 2021, at a CAGR of 10.6 percent. North America is expected to hold the largest share of the cybersecurity market in 2016 due to the technological advancements and early adoption of cybersecurity in the region, the report found.

The major forces driving the cybersecurity market, the study found, are the rise in security breaches targeting enterprises and the need to meet stringent compliance and regulatory requirements, as well as the growing security needs created by Internet of Things (IoT) and Bring Your Own Device (BYOD) trends and the increased deployment of web- and cloud-based business applications.

This rise in cybersecurity breaches is the reason why Surveillance Systems Incorporated, a Rocklin, Calif.-based security integration company, recently launched a new cybersecurity division, SSI Threat Protect.

In my conversation with SSI president Todd Flowers, he shared with me an ironic, yet poignant story about an inexpensive drone he had ordered that arrived on day one of the Threat Protect division launch. Flowers said drones are a part of the physical security space he is excited about, and thought it would be cool to use the drones for prizes—“a fun little thing to do for some customers,” he said.

“The first day I launched our new cyber division, this drone shows up, and I plug it in—the interface is super easy and it is on Wi-Fi—but it won’t work,” Flowers explained. “So I get my IT guy over and he pulls up the network and turns off our firewall to see what is going on. Now this thing is just supposed to work internally on Wi-Fi and does not require the Internet, but when he turns off the firewall, this thing starts transmitting packets of data to Japan and Korea. The drone was trying to transmit internal information from our servers, and basically opened up a pipeline of critical information to servers in Japan and China.”

Although this scary situation was remedied immediately, it exemplifies what Flowers said he sees happening within the next five years: “The physical side of what we do and the cyber side of security will converge,” he said.

Are you ready for it?

CSAA focuses on cybersecurity

Wednesday, September 7, 2016

At CSAA's upcoming annual meeting—to be held on Marco Island, Fla., Oct. 22 through 26—there will be a panel devoted to cybersecurity, which the association announced more about this week.

I spoke with Jay Hauhn, CSAA’s executive director, recently about the meeting as well as other focuses for the association.

Hauhn said that the annual meeting's cybersecurity panel was going to approach the subject in a new way, looking to focus on what companies should do about cybersecurity.

“We are not going to repeat what has been done ad nauseam and have someone stand at the front of the room and scare everyone about cyber threats,” Hauhn told SSN. “We are going to focus on something actionable. We are having experts talk about how to put a cyber protection program together.”

The panel, entitled “Cyber Security is a Business Risk (Not Just an IT Risk),” will include Justin Bailey, AvantGuard’s COO, Todd Neilson, president for Secuvant Security, Sascha Kylau, VP of central station solutions and service at Onetel, and Steve Butkovich, CPI Security Systems’ chief technology officer.

CSAA is going to look at cloud-based central station automation platforms in a similar way at the meeting, Hauhn said. The panel will not only cover the features of the cloud, but also what businesses' cost savings could be and how they can get started with a cloud-based platform.

Currently, the association has an early bird rate for the meeting, which ends this Friday, Sept. 9.

CSAA is also keeping an eye on other emerging technological issues. Hauhn mentioned that the industry is changing, and standards are needed for newer technologies; CSAA recently put out the call for SMEs to assist with new technology standards.

“Monitoring life safety events in the traditional central station model remains our core business. That will not change. However, new innovative applications and services are being offered by our members. Best practices need to be created, that outline the actions monitoring centers take in this expanding environment,” said Hauhn.

“For example, when a service that monitors an asset in motion requires a dispatch of police or EMS, we have to be able to accommodate the asset traversing municipalities,” he said.

Need for cybersecurity soaring

Wednesday, August 10, 2016

If you aren’t that worried about cybersecurity and the threat of a ransomware attack, you should be.

According to a new report, “State of Ransomware,” which was sponsored by Malwarebytes and conducted by Osterman Research, nearly 40 percent of businesses have experienced a ransomware attack in the last year. Of these victims, more than a third lost revenue and 20 percent had to stop business completely.

And that doesn't even include the companies that aren't reporting being attacked. According to FBI Section Chief Philip Celestini, who was a featured speaker at ESX 2016 in Fort Worth, Texas, 80 percent of companies that have been attacked by ransomware “are not reporting it to law enforcement.” The FBI is reaching out to the industry, Celestini said, for its help in spreading the word about the importance of cybersecurity and working with law enforcement to minimize loss.

According to the FBI, ransomware attacks went from causing $25 million in losses to $200 million in just the last year in the U.S., as well as an astonishing $2 trillion in cyber crime losses worldwide.

According to Nathan Scott, senior security researcher at Malwarebytes and a ransomware expert, over the last four years, “ransomware has evolved into one of the biggest cybersecurity threats in the world, with instances of ransomware in exploit kits increasing 259 percent in the last five months alone. Until now, very few studies have examined the current prevalence and ramifications of actual ransomware incidents in the enterprise.”

Some other key U.S. findings from the study include:

- Security attacks with ransomware are increasing: Nearly 80 percent of U.S. companies have suffered a cyber attack in the last year and more than half experienced a ransomware incident. U.S. organizations are the most attacked among the countries surveyed.
- Email is the top vector for spreading ransomware: More than half of the U.S. attacks originated with email.
- Upper management and C-level executives are at a higher risk: 68.4 percent of U.S. respondents noted ransomware attacks impacted mid-level managers or higher, while 25 percent of incidents attacked senior executives and the C-suite.
- Cybercriminals held high-value data for ransom: Nearly 80 percent of the U.S. organizations breached had high-value data held for ransom.
- Attacks are impacting more than initial endpoints: More than 40 percent of ransomware attacks in all four countries were successful in impacting more than a single endpoint, with nearly 10 percent of the attacks affecting more than one-quarter of the endpoints in the business.
- Current enterprise security measures are weak against ransomware: Almost half of ransomware incidents in the U.S. occurred on a corporate desktop within the enterprise security environment.
- Ransomware remediation takes hours: 44 percent of attacks on U.S. companies forced IT staff to work more than nine hours to remediate the incident. Globally, 63 percent of incidents took more than nine hours to remediate.

How does your company handle cybersecurity?

Many respondents consider hiring a cybersecurity expert
06/22/2016

YARMOUTH, Maine—Cybersecurity is a topic that has dominated industry events, like PSA-TEC. While 71 percent of respondents to Security Systems News’ latest poll have never experienced a cybersecurity breach, 29 percent say they have experienced a breach at their home or business.

Nearly half of U.S. companies lack insurance coverage for cyberattacks

05/24/2016

BLOOMFIELD, Conn.—A recent study from NTT Com Security, a global information security and risk management company, found that 49 percent of the U.S. companies surveyed currently do not have insurance specifically for cybersecurity attacks.

FBI chief Celestini to speak about cybersecurity at ESX

ESX Public Safety Luncheon featured speaker is senior executive FBI representative to the NSA and U.S. Cyber Command
05/18/2016

FORT WORTH, Texas—FBI Section Chief Philip Celestini will be the featured speaker for the ESX Public Safety Luncheon on June 9, ESX organizers announced today.

PSA-TEC 2016 roundup: M&A trends; The cyber opportunity; Robots

Wednesday, May 11, 2016

There was not a free chair in the Lakehouse conference room here at PSA-TEC in Westminster, Colo. yesterday afternoon during two panel discussions that addressed topics such as M&A, cybersecurity and managed services.

John Mack of Imperial Capital said that there's been “more significant M&A activity in the past year than in the previous 30 years.” He called that “generally good news” and predicted M&A activity will continue. He noted that new entrants into the security industry are not “taking share away” from others. Rather, new entrants are helping the security industry grow, and they're bringing “new and interesting technology.”

NetOne's Dave Carter said the flurry of M&A can be a concern to NetOne if a member company (there are 28) is acquired by an outsider (as happened when Safeguard Security was acquired by SAFE). However, that is not normally the case. “For our companies, in the regions they operate, they are the acquirers," Carter said.

Brent Franklin of Unlimited Technologies looks at all of the M&A activity as an opportunity. “While the big guys are turning the battleship in the dock … [Unlimited can] pop up into that space and serve their customers,” he said.

Carey Boethel of Securadyne agreed: “When big companies are consolidating and merging they focus strategies internally. …They take their eye off the ball.”

Michael Meridith of SEi concurred: “customers fall through the cracks,” he said. And there's more good talent looking for jobs, he added.

Jeff Nunberg of ISS pointed out that many of the recent buyers are venture capital firms who “expect a return on investment in three to five years.” As they build a business, he said, they also “suck the life out of it … which makes it hard to deliver service.” In terms of vendor M&A, Nunberg said: “We have zero control over that,” so he does not worry about it.

All of the panelists admitted concern about cybersecurity, keeping their own companies and customers as safe as possible from a breach. A couple of speakers also noted that most security installation companies are not taking cybersecurity concerns seriously enough. Those companies likely will not take it seriously until there's an incident.

Imperial Capital's Mack and Michael Kaiser of the National Cyber Security Alliance talked about cybersecurity as a possible money maker for physical security integrators.

Mack said adding cybersecurity services is a “huge opportunity for people in this room.” Small and medium-sized businesses “have a lot to do to better protect their information, data, and networks.” He suggested that security integrators partner with cybersecurity experts, which would make them very valuable to customers. “When you upgrade physical security systems [for a customer] at the same time talk to them about how to update their information security infrastructure.” Mack said if he were to get back into the operations side of security, this is where he'd focus.

Kaiser agreed that “one of the biggest gaps in cybersecurity right now is the SMB … they’re not making cybersecurity a priority,” he said. They need a provider to help them “secure their network and their security devices.”

How should you educate yourself on cybersecurity? Attend the RSA show in San Francisco, Mack said. Do your homework about companies attending RSA. Many of them really want to know about physical security. “I guarantee you there will be guys who will be incredibly interested in talking to you," Mack said.

PSA Security is also an excellent resource for educating yourself on cybersecurity, he said, noting that Andrew Lanning would be presenting the initial PSA Cybersecurity playbook at PSA-TEC on May 12.

“Be part of the solution,” Lanning said.

Managed services make your commercial companies more valuable, Mack said. In addition, he said that acquirers are losing their appetite for security companies that derive all of their RMR from residential accounts. Buyers don’t like the high creation costs on the resi side and the “commoditization of residential security."

“There is no question if you show up [to sell your company] with more RMR, you have a higher valuation,” Mack said. “Guys who show up with a mix of RMR with a commercial focused business will be higher valued than the guy with the same amount of RMR from a residential business,” he said.

There is technology out there now that makes managed services much easier, Mack said. And the financing model for managed services is easier to manage than the model on the resi side. “You don’t have to go upside down on the direct labor and materials,” he said. “But the selling proposition to the customer and how you define that customer and sell to them has to be different,” Mack said.

He said it is probably a good idea to create a new division, or even a new company, to do managed services. Other speakers agreed.

Robots were another topic of discussion at PSA-TEC. Sharp announced its new SRBD. A key SRBD executive, Mike Kobelin, is well known to PSA Security members and PSA-TEC attendees, as he is a former PSA board president.

One of the first people in the security industry to talk to me about security robotics was Joe Lynch of Minuteman, whose remarks closed a story I wrote a couple of years ago in which I spoke to 10 top integrators about tech trends. One year after I wrote that story, I asked Lynch about aerial drones and he said there were many questions about legislation and regulation, an obstacle that PSA Security CEO Bill Bozeman told me will hold back development of that technology for the short term. I ran into Lynch today and asked him about aerial drones. He said he's been able to figure out the FAA regulations and is optimistic about the possibilities. Minuteman owns an aerial drone and is currently using it in beta projects.

Ray Dean of ASI was at the Sharp robotics press conference and was eager to know when the company's product would be available.

Outsmarting the smart home

Wednesday, May 4, 2016

Talked about heavily at ISC West in April, cybersecurity is the buzzword in the industry right now, as manufacturers and dealers on the residential side try to figure out how to navigate through the potential minefield of new smart home products and devices that may leave their security systems vulnerable to hacking.

In a study unveiled this week, cybersecurity researchers at the University of Michigan were able to hack into a leading "smart home" platform and essentially obtain the PIN code to a home's front door.

Their "lock-pick malware app" was one of four attacks that the cybersecurity researchers leveled at an experimental set-up of Samsung's SmartThings platform, and is believed to be the first platform-wide study of a connected home system. The researchers weren’t picking on Samsung, as the overall goal of the research was to show how vulnerable these new connected home devices and systems are to hacking.

The researchers found “significant design vulnerabilities from a security perspective," noting that hackers’ attacks can “expose a household to significant harm—break-ins, theft, misinformation and vandalism. The attack vectors are not specific to a particular device and are broadly applicable."

The findings will be presented on May 24 at the IEEE Symposium on Security and Privacy in San Jose, in a paper titled "Security Analysis of Emerging Smart Home Applications."

At the very least, this study—as well as numerous stories of hackers finding their way into connected home devices, from smart TVs to baby monitors—raises important questions that manufacturers and dealers must ask themselves in this new world of advanced technology and interactivity.

As Samsung works out the kinks in its system, many other smart home companies can benefit from this study, as it sounds an alarm—no pun intended—of the importance of cybersecurity. While no system is completely immune from hacking, the research also underscores the fact that smart home companies and dealers need to make sure they are adhering to, at a minimum, the industry’s best practices and guidelines.

One resource is UL's new Cybersecurity Assurance Program, a standard under which companies can have their products tested and verified by UL to guard against well-known cyber risks.

Having your products and systems third-party tested is a good first step in addressing any security flaws that may be present, as well as any potential fixes, and provides a measure of comfort for customers who are making their first forays into this bold new world of connected home technology.
