Securing The Internet of (broken) Things: A Matter of Life and Death

Securing the Internet of broken thingsIf you’re like me you’ll probably be getting desensitized by now to the ever-lengthening list of data breach headlines which have saturated the news for the past 24 months or more. Targeted attacks, Advanced Persistent Threats and the like usually end up in the capture of sensitive IP, customer information or trade secrets. The result? Economic damage, board level sackings and a heap of bad publicity for the breached organization. But that’s usually where it ends.

Read more of this post

The Data Breach Pandemic: Information Security is Broken

Verizon Data Breach Report 2015Have enterprises basically just given up on IT security? Global budgets fell by 4% in 2014 over the previous year and as a percentage of total IT budget they’ve remained at 4% or less for the past five years. The picture is even starker for firms with revenues of less than $100m, who claim to have reduced security budgets 20% since 2013.

Yet the threats keep on escalating. When it comes to information security, there are really only two situations out there: companies that have been breached, and companies that still don’t know it.

If 2014 was the “Year of the Data Breach” then 2015 is proving to be at least its equal. This month alone we’ve seen TV stations shunted off air by pro-jihadi cyber terrorists; the discovery of major new state-backed attack groups; and another massive data breach at a US healthcare provider.

We talk today about managing risk, rather than providing 100% security – because there’s no such thing. The conclusion I have reached is that the traditional information security model is broken. But why? And how can we fix it?

Read more of this post

Google Vault Makes Play for Mobile Security Hardware Space

Google Project VaultLast week Google made a splash with its latest futuristic tech offering: Project Vault. In essence, this mini-computer on an SD card is designed to enable secure authentication, communications and data storage on your smartphone or laptop. So what exactly is going on here? After years experimenting with Android, has one of the world’s biggest software companies finally admitted hardware level security is the way forward? And if so, what are the implications for enterprise and consumers? Read more of this post

Cesare Garlati Joins prpl Foundation as Chief Security Strategist

prpl FoundationSANTA CLARA, CA–(Marketwired – April 07, 2015) – Well-known information security expert Cesare Garlati today joins the prpl Foundation as Chief Security Strategist. Garlati will assist the Foundation with security strategy in the newly formed Security PEG (prpl Engineering Group), a working group dedicated to creating an open standard framework that addresses next-generation security requirements for connected devices.

“Cesare Garlati is an internationally renowned leader in the mobile security space,” said prpl Foundation president Art Swift. “We all look forward to his contributions in security strategy and his participation in the ground-breaking Security PEG.”

Read more of this post

The GitHub attack – is the worst still to come?

What we can learn from the recent cyber attack to the popular website GitHub and why we should worry about what is likely to come next.

 

TTL analysis performed by Netresec in SwedenOver the last few days the popular website GitHub has been the target of a massive Distributed Denial Of Service attack – DDoS, apparently originated from China. As I write this note, the GitHub status webpage now indicates “Everything operating normally” and “All systems reporting at 100%”. However, I am afraid the story is far from over and the worst may still be to come.

GitHub is the largest and most popular repository of open source projects and a key infrastructure website for the Internet. Among other, GitHub hosts the Linux project – arguably the world’s most widespread open source software. Various flavors of Linux power most of the Internet servers and an ever-increasing number of consumer devices across the globe.

Read more of this post

European Data Protection Reform – How to minimize impact and costs

European Data Protection ReformIf your company touches any Europeans’ data you’d better prepare for what’s coming.


The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

Read more of this post

How secure is Mobile Device Management anyway?

Objective-C HookingResearchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.


As the adoption of smartphones and tablets grows exponentially, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device – likely owned by the employee – but the threat of a targeted attack stealing sensitive corporate data stored on these mobile devices. As a first line of defense, an increasing number of companies rely on Mobile Device Management software and Secure Container solutions to secure and manage corporate data accessed from these mobile devices. However, a recent analysis conducted by Lacoon Mobile Security – presented a few weeks ago at the BlackHat conference in Amsterdam – shows that the leading secure container solution Good Technology can be breached and corporate email stolen from Apple iOS and Android devices.

Read more of this post

The Financial Impact of Consumerization – Does BYOD make business sense?

enterprises-deploy-many-types-of-byod-programs-378x284One of the less understood aspects of Consumerization is its financial impact on the business. Is your BYOD program in the money?


Studies* show that an increasing number of organizations allow their employees to use personal devices to connect to corporate networks and data for work related activities – the so called Bring Your Own Device phenomenon. However, a recent study conducted by Forrester Reserach reveals that only a few companies measure the actual financial impact of this new IT model and that even fewer have a clear sense of whether Consumerization actually makes good business sense.

Read more of this post

Icebergs, The Nordics, and Other BYOD Considerations

The BYOD iceberg headed towards your businessNew data shows that companies are increasingly exposed to security risks due to a variety of consumer-grade technology brought in by the employees.


I just returned from a tour in the Nordic countries where I presented to the local press the results of the latest BYOD survey* conducted by YouGov on behalf of Trend Micro. The data collected from 3,012 interviews across Norway, Sweden, and Denmark highlights many details of this controversial IT Trend. Most importantly, the research confirms an undeniable truth: Companies around the world are exposed to increasing security risks due to a variety of consumer-grade technology brought into the enterprise by the employees and inevitably used for work-related activities.

Read more of this post