Cloud Hosting

Internet-connected gadgets like lightbulbs and fitness trackers are notorious for poor security. That's partly because theyre often made cheaply and with haste, which leads to careless mistakes and outsourcing of problematic parts. But its also partly due to the lack of computing power in the first place; it's not so easy to encrypt all that data with limited resources. Or at least thats how the conventional wisdom goes.

But real-world data suggests that many of those ubiquitous tiny gadgets can run versions of traditional, time-tested encryption schemes. A team from the Swiss IoT encryption firm Teserakt argues that there's no need to reinvent the wheel when the real solution is simply holding IoT manufacturers to higher standards. They made their case at a National Institute of Standards and Technology conference in Maryland this month focused on developing lightweight cryptography for embedded devices.

But traditional cryptography, particularly the stalwart Advanced Encryption Standard, often works just fine in IoT devices, says Antony Vennard, Teserakt's chief engineer. The researchers have even observed a number of situations where security-conscious manufactures found ways to incorporate it, like in the embedded systems of cars. And other, independent studies have had similar findings.

"The lightweight competition is based on the idea that for embedded devicesthings like industrial controllers and smart cards like chip credit cardsAES is too heavy, too big. Using it takes up too much space and power," Vennard says. "But my passport has a chip in it that can run AES. Modern smart cards can run it. Fitness trackers like FitBits can run it. In our experience, AES is pretty much everywhere, even in embedded devices."

"Where it could get confusing is where people arent sure what level of security they need."

Antony Vennard, Teserakt

Its important to talk about the actual utility of lightweight encryption now, because it takes years for the cryptography community to develop and vet a new encryption scheme to ensure that its safe to use. NIST has already been working on lightweight cryptography since 2015. And once those standards are in place, it takes even more time to gain real-world experience implementing the scheme to catch mistakes. It adds a lot of time and potential risk to the process of securing these devices. If you can make existing encryption algorithms work on them instead, all the better.

In February, for example, Google debuted a method for encrypting most low-end Android devices regardless of how piddly their processors. Rather than a novel encryption scheme, it relied on clever implementations of AES and other existing cryptographic methods to reduce the chance of introducing a fundamental flaw. The method, dubbed Adiantum, is an impressive solution to one of Android's more daunting problems. But Johns Hopkins cryptographer Matthew Green points out that the lengths Google had to go to to achieve it may actually indicate a need for lightweight cryptography, rather than showing that it's worth sticking with AES. "It's not actually a great argument for 'AES is fast enough,'" Green says.

Though it may be possible to implement traditional encryption more widely than the IoT industry currently believes, Vennard admits that there are situations where lightweight encryption would be useful. Certain devices, particularly things like simple sensors in industrial control settings, are powered by microcontrollers so rudimentary that they really would require special encryption techniques to secure. But Vennard argues that the key is clearly defining these categories rather than creating a situation where developers and manufacturers don't know which cryptographic techniques should be used where.

"There are some cases where you might need lightweight crypto, but where it could get confusing is where people arent sure what level of security they need," Vennard says. "If people can use AESwe have about 20 years of experience implementing AESbut don't, that's a risk, because implementing something new is tricky."

It's also always possible that the US government knows something private researchers don't. Along with NIST, the National Security Agency, for example, has stressed the importance of developing next-generation cryptography schemes. That's partly because of the threat to encryption posed by the rise of quantum computing, but it's also because of the IoT security crisis.

View post:
The Debate Over How to Encrypt the Internet of Things - WIRED

Aside from security risks, European governments should consider the wider consequences of handing out contracts to 5G suppliers, according to an EU document seen by CNBC and one which could have repercussions for the Chinese firm, Huawei, that is under scrutiny as a potential 5G supplier.

"In addition to the technical risks related to cybersecurity of 5G networks, also non-technical factors such as the legal and policy framework to which suppliers may be subject to in third countries, should be considered," a draft document prepared ahead of a meeting of European ministers and seen by CNBC said.

5G is the next generation of mobile internet technology, designed to deliver super-fast data speeds. However, the debate over the providers of 5G technology has become politicized, with officials in the U.S. and U.K., among other countries, expressing concerns that suppliers like Huawei could pose a security threat.

In the case of Huawei, there are specific concerns about its links to the Chinese government. Huawei has rebuffed those concerns, saying it is independent of the Chinese state and would not allow its technology to be used for any state surveillance, as some experts have suggested could happen.

The same EU document highlighted that European countries should "consider the need to diversify suppliers in order to avoid or limit the creation of a major dependency on a single supplier."

The draft document, which is set to be agreed on during the first week of December at a meeting of EU ministers, comes as the EU lays the foundations for the implementation of 5G over time.

The European Commission the EU's executive arm released a report last month assessing the risks of 5G. The report said that the roll-out of 5G networks is expected to "increase the exposure to attacks and more potential entry points for attackers."

It also said that "the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country."

A spokesperson for the European Commission, told CNBC via email last week, that the "report deliberately does not contain any references - explicit or implicit - to individual countries or suppliers."

"It follows an objective approach and identifies a number of strategic risks, which will help define appropriate mitigation measures," the spokesperson also said.

In Germany, the debate over 5G has intensified in recent weeks. Chancellor Angela Merkel decided not to stop Huawei from potentially supplying Germany's 5G networks. She said that all telecom providers will be allowed to participate in the roll-out of 5G in Germany provided they meet specific and tight security standards.

However, the German parliament as well as some senior government officials have criticized Merkel's decision.

German Foreign Minister Heiko Maas said earlier this month that Huawei is obliged to pass on information to the Chinese government and, as a result, he raised doubts as to whether the firm should be allowed to work in Germany.

However, all German telecom providers use Huawei equipment and have warned that banning Huawei would postpone the roll-out of 5G as well as cost billions of euros, the BBC reported.

Go here to read the rest:
The EU says security is not the only concern when it comes to 5G - CNBC

The GlobalInternet Of Things (IOT) Security Marketis carefully researched in the report while focusing largely on top players and their business strategy, geographical growth, market segments, competitive landscape, manufacturing, and pricing and cost structures. Each section of the research study is specially prepared to explore key facets of the global Internet Of Things (IOT) Security market. For example, the market dynamics section digs deep into the drivers, constraints, trends, and opportunities of the global Internet Of Things (IOT) Security market. With qualitative and quantitative analysis, the report could help you with thorough and comprehensive research on the global Internet Of Things (IOT) Security market. Our analyst has also focused on SWOT, and Porters Five Forces analyses of the global Internet Of Things (IOT) Security market.

For Better Understanding, Download Free Sample PDF Brochure of Internet Of Things (IOT) Security Market Research Report @https://marketresearch.biz/report/internet-things-iot-security-market/request-sample

Competitive Landscape

Leading players in the global Internet Of Things (IOT) Security market are analyzed, taking into account their market share, latest developments, partnerships, new product launches, mergers or acquisitions, and markets served. MarketResearch.Biz provides an exhaustive analysis of their product portfolios to explore the products and applications they concentrate on when operating in the global Internet Of Things (IOT) Security market. It also provides useful recommendations for new as well as established players of the global Internet Of Things (IOT) Security market.

Some of the Major Internet Of Things (IOT) Security Market Players Are:

IBM Corporation, Infineon Technologies, Symantec Corporation, Check Point Security Software Technologies Ltd., Cisco Systems Inc, Intel Corporation, Alcatel-Lucent S.A., Sophos Plc, NSIDE Secure SA, ARM Holdings

Internet Of Things (IOT) SecurityMarket Segmentation

Global IoT security market segmentation by security type:

Network securityEndpoint securityApplication securityCloud securityOthersGlobal IoT security market segmentation by component:

SolutionIdentity access managementData encryption and tokenizationIDS/IPSDevice authentication and managementSecure software and firmware updateSecure communicationsPKI lifecycle managementDistributed denial of service protectionSecurity analyticsServicesProfessional servicesManaged servicesGlobal IoT security market segmentation by application area:

Smart ManufacturingSmart Energy and UtilitiesConnected LogisticsConsumer WearablesConnected HealthcareSmart Government and DefenseConnected VehiclesSmart Retail

The report provides market size with 2018 as the base year in consideration and a yearly forecast until 2028 in terms of Revenue (USD Million). The estimates for all segments including type and application have been provided on a regional basis for the forecast period mentioned above. We have implemented a mix of top-down and bottom-up approaches for market sizing, analyzing the key regional markets, dynamics, and trends for various applications. The Global Internet Of Things (IOT) Security market has been estimated by integrating the regional markets.

Regional Analysis

A section of the report has given detailed information about regional analysis. It provides a market outlook and positions the forecast within the context of the overall global Internet Of Things (IOT) Security market. MarketResearch.Biz has segmented the global Internet Of Things (IOT) Security market into major geographical regions such as North America, Europe, Asia Pacific, South America, and the Middle East and Africa. Potential new entrants desiring to target only high growth areas are also incorporated in this informative section of the global Internet Of Things (IOT) Security market.

Inquire/Speak To Expert for Further Detailed Information About Internet Of Things (IOT) Security Report:https://marketresearch.biz/report/internet-things-iot-security-market/#inquiry

Key Take-Away:

Economic Trends, Industry Development, Challenges, Forecast and Strategies to 2028.

Expectations and Growth Trends have been highlighted until 2028.

Qualitative Insights, Key Enhancement, Share Forecast up to 2028.

Competitive Landscape and Regulations, 2019 to 2028.

Advanced Technology, Future Opportunities Till 2028

Reasons to buy this report:

MarketResearch.Biz report is prepared in a method that assists clients to obtain a complete knowledge of the overall market scenario and the significant sectors.

This report comprises a detailed overview of market dynamics and broad research.

Detail information on competitive landscape, recent market trends and changing technologies that can be valuable for the companies which are competing in this market

Explore further market opportunities and recognize high potential categories based on detailed value and volume analysis

Gaining knowledge about competitive landscape based on comprehensive brand share analysis to plan an effective market positioning

Share Your Questions Here For More Details On this Report or Customizations As Per Your Need:https://marketresearch.biz/report/internet-things-iot-security-market/#request-for-customization

Get in touch with Us:

Mr. Benni Johnson

Prudour Pvt. Ltd.

420 Lexington Avenue, Suite 300 New York City, NY 10170,

United States

Tel:+ 1-347-826-1876

Website:https://marketresearch.biz/

Continue reading here:
Recent Research: Internet Of Things (IOT) Security Market Comprehensive SWOT Analysis and Competitive Insight Report 2019-2028 - Daily Criticism

A close analysis of the cybersecurity attacks of the pastshows that, in most cases, the head of the cyber kill chain is formed by somekind of privilege abuse. In fact, Forrester estimates that compromised privileged credentials play a role in at least 80 per centof data breaches.

This is the reason privileged access management (PAM) has gained so much attention over the past few years. With securing and managing access to business-critical systems at its core, PAM aims to provide enterprises with a centralised, automated mechanism to regulate access to superuser accounts. PAM solutions ideally do this by facilitating end-to-end management of the privileged identities that grant access to these accounts.

However, the scope of privileged accesssecurityis often misconceived and restricted to securing and managing root account passwords alone. Passwords, beyond a doubt, are noteworthy privileged access credentials.But the constant evolution of technology and expanding cybersecurity perimeter calls for enterprises to take a closerlook at the other avenues ofprivileged access, especially encryption keyswhichdespite serving as access credentials for huge volumes of privileged accounts, are often ignored.

This article lays focus on the importance encryption key managementwhy enforcing SSH key and SSL certificate management is vital, and how by doing so, organisations can effectively bridge the gaps in their enterprise privileged access security strategy.

1. Uncontrolled numbers of SSH keys trigger trust-based attacks

The average organisation houses over 23,000 keys and certificates many of which grant sweeping access to root accounts, says aPonemon survey. Also, a recent report about the impact of insecured digital identitiesstates that 71 per cent of the respondents did not have any idea about the number of keys or the extent of their access within the organisation.Without a centralised key management approach, anybody in the network can create or duplicate any number of keys. These keys are often randomly generated as needed and are soon forgotten once the task they are associated with is done. Malicious insiders can take advantage of this massive ocean of orphaned SSH keys to impersonate admins, hide comfortably using encryption, and take complete control of target systems.

2. Static keys create permanent backdoors

Enterprises should periodically rotate their SSH keys to avoid privilege abuse, but huge volumes of unmanaged SSH keys make key rotation an intimidating task for IT administrators. Moreover, due to a lack of proper visibility on which keys can access what, there is widespread apprehension about rotating keys in fear of accidentally blocking access to critical systems. This leads to a surge of static SSH keys, which have the potential to function as permanent backdoors.

3. Unintentional key duplication increases the chance of privilege abuse

For the sake of efficiency, SSH keys are often duplicated and circulated among various employees in an organisation. Such unintended key duplication creates a many-to-many key-user relationship, which highly increases the possibility of privilege abuse. This also makes remediation a challenge since administrators have to spend a good amount of time revoking keys to untangle the existing relationships before creating and deploying fresh, dedicated key pairs.

4. Failed SSL certificate renewals hurt your brand's credibility

SSL certificates, unlike keys, have a set expiration date. Failing to renew SSL certificates on time can have huge implications on website owners as well as end users. Browsers don't trust websites with expired SSL certificates; they throw security error messages when end users try to access such sites. One expired SSL certificate can drive away potential customers in an instant, or worse, lead to personal data theft for site visitors.

5. Improper SSL implementations put businesses at risk

Many businesses rely completely on SSL for internet security, but they often don't realize that a mere implementation of SSL in their network is not enough to eliminate security threats.SSL certificates need to be thoroughly examined for configuration vulnerabilities after they are installed. When ignored, these vulnerabilities act as security loopholes which cybercriminals exploit to manipulate SSL traffic and launch man-in-the-middle (MITM) attacks.

6. Weak certificate signatures go unheeded

The degree of security provided by any SSL certificate depends on the strength of the hashing algorithm used to sign the certificate. Weak certificate signatures make them vulnerable to collision attacks. Cybercriminals exploit such vulnerabilities to launch MITM attacks and eavesdrop on communication between users and web servers. Organisations need to isolate certificates that bear weak signatures and replace them with fresh certificates containing stronger signatures.

Bridging the gaps in your PAM strategy

All the above scenarios highlight how important it is to widen the scope of your privileged access security strategy beyond password management. Even with an unyielding password manager in place, cybercriminals haveplenty of room to circumvent security controls and gain access to superuser accounts by exploiting various unmanaged authentication identities, including SSH keys and SSL certificates. Discovering and bringing all such identities that are capable of granting privileged access under one roofis one important step enterprises should take to bridge gaps in their privileged access security strategy.For, today's unaccounted authentication identities could become tomorrow's stolen privileged credentials!

Error: Please check your email address.

Read the rest here:
Six reasons for organisations to take control of their orphaned encryption keys before it triggers the next security breach - CSO Australia