RSA Conference 2016 – A New Hardware-Based Approach to Secure the Internet of Things

Live Demo: A New Hardware-Based Approach to Secure the Internet of Things
RSA Conference 2016 – Abu Dhabi
November 16, 2016 | 11.20 – 12.10 hrs | Level 1 | Room: Etihad Ballroom 2

rsa-2016-garlati-clip

Quick look – This session will address four key elements that have introduced serious weaknesses into the IoT: proprietary systems, connectivity, unsigned firmware and lateral movement. Discussion will showcase a new approach to IoT security demonstrating how SoC virtualization and security through separation can address these vulnerabilities, which have already been shown to have potentially life-threatening consequences.

Read more of this post

Securing The Internet of (broken) Things: A Matter of Life and Death

Securing the Internet of broken thingsIf you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post

The Data Breach Pandemic: Information Security is Broken

Verizon Data Breach Report 2015Have enterprises basically just given up on IT security? Global budgets fell by 4% in 2014 over the previous year and as a percentage of total IT budget they’ve remained at 4% or less for the past five years. The picture is even starker for firms with revenues of less than $100m, who claim to have reduced security budgets 20% since 2013.

Yet the threats keep on escalating. When it comes to information security, there are really only two situations out there: companies that have been breached, and companies that still don’t know it.

If 2014 was the “Year of the Data Breach” then 2015 is proving to be at least its equal. This month alone we’ve seen TV stations shunted off air by pro-jihadi cyber terrorists; the discovery of major new state-backed attack groups; and another massive data breach at a US healthcare provider.

We talk today about managing risk, rather than providing 100% security – because there’s no such thing. The conclusion I have reached is that the traditional information security model is broken. But why? And how can we fix it?

Read more of this post

The GitHub attack – is the worst still to come?

What we can learn from the recent cyber attack to the popular website GitHub and why we should worry about what is likely to come next.

 

TTL analysis performed by Netresec in SwedenOver the last few days the popular website GitHub has been the target of a massive Distributed Denial Of Service attack – DDoS, apparently originated from China. As I write this note, the GitHub status webpage now indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among other, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most of the Internet servers and an ever-increasing number of consumer devices across the globe.

Read more of this post

European Data Protection Reform – What you should know.

European Data Protection ReformIf your company touches any Europeans’ data you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

 

EU regulation vs. U.S. laws: a matter of cultural bias?

The consolidated version of the EU commission´s proposal for a General Data Protection Regulation following the LIBE Committee vote of October 21, 2013 differs fundamentally from the U.S. approach to the protection of personal data. “Whether one approach is better than the other, is a question of data protection culture. You might think that these are two extremes. On the one hand you have very restrictive regulation with higher fines, which are in my opinion over the top. On the other hand, there is so much leeway under the U.S. data protection laws that you can do almost anything as long as it’s not specifically prohibited.” observes Andreas Leupold, the German IT attorney recipient of the “Lawyer of The Year 2013” award who advises clients across Germany, England and the U.S.

Read more of this post

How secure is Mobile Device Management anyway?

Objective-C HookingResearchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.


As the adoption of smartphones and tablets grows exponentially, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device – likely owned by the employee – but the threat of a targeted attack stealing sensitive corporate data stored on these mobile devices. As a first line of defense, an increasing number of companies rely on Mobile Device Management software and Secure Container solutions to secure and manage corporate data accessed from these mobile devices. However, a recent analysis conducted by Lacoon Mobile Security – presented a few weeks ago at the BlackHat conference in Amsterdam – shows that the leading secure container solution Good Technology can be breached and corporate email stolen from Apple iOS and Android devices.

Read more of this post

The Financial Impact of Consumerization – Does BYOD make business sense?

enterprises-deploy-many-types-of-byod-programs-378x284One of the less understood aspects of Consumerization is its financial impact on the business. Is your BYOD program in the money?


Studies* show that an increasing number of organizations allow their employees to use personal devices to connect to corporate networks and data for work related activities – the so called Bring Your Own Device phenomenon. However, a recent study conducted by Forrester Reserach reveals that only a few companies measure the actual financial impact of this new IT model and that even fewer have a clear sense of whether Consumerization actually makes good business sense.

Read more of this post

Legal and technical BYOD pitfalls highlighted at RSA Conference

Companies that don’t protect themselves through policies place themselves at risk.

Post based on my interview* with Mikael Ricknas of Computerworld.

Allowing employees to bring their own devices to work is causing new challenges, including what happens when a device needs to be wiped or employees want to sell their smartphone or tablet.

Mobile security and BYOD (bring your own device) are main themes at the European edition of RSA’s security conference, which takes place this week in London.

Letting employees use their own smartphones or tablets for work represents a loss of control for IT departments. Also, if personal data isn’t handled correctly, the company may end up being sued, said Cesare Garlati, vice president of mobile security at Trend Micro and the moderator of a conference session called “The Dark Side of BYOD“.

Read more of this post

Smartphone Security Winners & Losers

Mobile Security Winners & LosersPost based on my interview with Jeanne Friedman, content manager for  RSA Conference.

In the mobile space the BYOD trend is becoming a minefield for IT administrators. Many companies have experienced a data breach as a result of an employee owned device accessing the corporate network. When the stakes are this high, corporate IT needs to know which platforms to allow and which to refuse.

Android is the most popular mobile platform in the world. It is also the most vulnerable to attack and in fact the most exploited. Contrary to common perception, Apple mobile devices are not immune to security flaws. And in fact less secure than Android if users “jail break” their devices – to escape Apple’s control.

Read more of this post