© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
Previous blog posts have talked about the expansion of the regulatory purview of existing authorities, and how that is affecting businesses of all sizes, whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.

Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, including SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows.

So we’re all getting used to this. I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach: you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.

The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate.

Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually. The manufacturer has a responsibility to address technical vulnerabilities in the product as they are discovered: notify, and provide a patch, update, or workaround, or completely replace the product. The integrator has a responsibility to work with the customer to ensure that the technology is deployed securely: changing default passwords, activating encryption and other controls that may be optional, and potentially applying manufacturer-supplied updates that can apply corrective action across the deployed base. And you, the customer, must provide activity monitoring and incident response capabilities.

Our collective attack surface is growing exponentially during a time of increasing criminal, nation-state and terrorist activity, while Internet-of-Things technologies are becoming preferred targets for extortion and are being weaponized to attack other entities. Addressing the life span of the technology therefore requires all three prongs: the manufacturer’s assurance of security, the integrator’s secure deployment and maintenance process, and the customer’s detection and response. Of the three, two apply to third parties and are driven by contracts.

In short, if it can’t be shown to be secure and there’s no plan for keeping it that way, don’t buy it. Use procurement and contracting as the security tool it can be, or your “smart” organization may end up looking kinda dumb.
“Smart” Security for the Internet of Things, in Three Parts, 2/23/2017, by Michael Hamilton, CISSP, CEO