<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cybersecurity &#8211; TELEGRID</title>
	<atom:link href="https://telegrid.com/tag/cybersecurity/feed" rel="self" type="application/rss+xml" />
	<link>https://telegrid.com</link>
	<description></description>
	<lastBuildDate>Mon, 05 Feb 2018 22:00:31 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.6.13</generator>

<image>
	<url>https://telegrid.com/wp-content/uploads/2022/09/cropped-Screen-Shot-2022-08-29-at-9.50.37-AM-32x32.png</url>
	<title>cybersecurity &#8211; TELEGRID</title>
	<link>https://telegrid.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Government Activism and IoT</title>
		<link>https://telegrid.com/government-activism-and-iot?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=government-activism-and-iot</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Tue, 17 Jan 2017 16:23:05 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Embedded Software]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[embedded security]]></category>
		<category><![CDATA[IoT]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=985</guid>

					<description><![CDATA[<p>The Mirai Botnet Distributed Denial of Service (DDoS) attack of September and October 2016 gave a brief glimpse of the effect Internet of Things (IoT) devices can have on the greater Internet.  This event was &#8230;</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/government-activism-and-iot">Government Activism and IoT</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The Mirai Botnet Distributed Denial of Service (DDoS) attack of September and October 2016 gave a brief glimpse of the effect Internet of Things (IoT) devices can have on the greater Internet.  This event was especially felt in Washington, D.C., where there seems to be an uptick in Government activism around IoT and in the frequency and scale of intervention with IoT device manufacturers.  The following are just a few examples:</p>
<ul>
<li>On December 30, 2016 the Congressional Internet of Things Working Group released a <a href="http://latta.house.gov/uploadedfiles/iot_working_group_white_paper.pdf">white paper</a> on IoT stating that, “Recent examples of cyberattacks on IoT devices have exposed not just the potential impact on individual consumers, but the possible vulnerability on the broader Internet infrastructure.”</li>
</ul>
<ul>
<li>On January 5, 2017 the Federal Trade Commission issued a <a href="https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf">complaint</a> against D-Link claiming that D-Link’s “routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access.”</li>
</ul>
<ul>
<li>On January 9, 2017 the Federal Drug Administration released a <a href="http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm">note</a> about St. Jude Medical stating that its devices had vulnerabilities that, “if exploited, could allow an unauthorized user, i.e., someone other than the patient&#8217;s physician, to remotely access a patient&#8217;s RF-enabled implanted cardiac device.”</li>
</ul>
<ul>
<li>On January 12, 2017 the Department of Commerce released a <a href="https://www.ntia.doc.gov/files/ntia/publications/iot_green_paper_01122017.pdf">Green Paper</a> highlighting the security concerns around IoT. It states that the DDoS attack, “was the most visible and far-reaching example of the potential risks that must be mitigated when considering IoT.”</li>
</ul>
<p>It appears that this is the beginning of an activist approach taken by the Government to monitor IoT device manufacturers.  Indeed, the Congressional Internet of Things Working Group white paper states that participants, “grappled with whether or not a solution should rely on industry established standards, agency recommendations, legislation, or a combination of all the above.”</p>
<p>TELEGRID is a designer of <a href="http://telegrid.com/embedded-software-security/">secure embedded systems</a> for the US Military and has developed a <a href="http://telegrid.com/embedded-software-security/">framework</a> to design systems in line with DISA’s Security Technical Implementation Guides (DISA STIGs).  While some commercial manufacturers follow NIST guidelines, others ignore security completely.  As Senator Mark Warner, co-founder of the Senate Cybersecurity Caucus, <a href="http://www.warner.senate.gov/public/index.cfm/pressreleases?ContentRecord_id=CD1BBB25-83E0-494D-B7E1-1C350A7CFCCA">stated</a>, “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”</p>
<p>Is the Government going to “incentivize” commercial manufacturers to bake in security?  Will the Government shut certain companies out of the market for selling unsecure IoT devices?  What will be the cost impact to consumers?</p>
<p>These are all very tough questions and it seems the Government is moving quickly to try to answer them.  Are IoT manufacturers paying attention?</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com/">TELEGRID</a>.  TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, Multi-Factor Authentication (MFA).</p>
<p>Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Should I protect my possessions or my identity?</title>
		<link>https://telegrid.com/protect-my-possessions-or-my-identity?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protect-my-possessions-or-my-identity</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Tue, 20 Dec 2016 22:09:10 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[identity and access management]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=969</guid>

					<description><![CDATA[<p>Last week, while driving, an advertisement came on the radio for a home security system.  I already have a home security system but the ad still caught my attention.  As I listened I started to &#8230;</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/protect-my-possessions-or-my-identity">Should I protect my possessions or my identity?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Last week, while driving, an advertisement came on the radio for a home security system.  I already have a home security system but the ad still caught my attention.  As I listened I started to think about how much I pay each month to protect my physical possessions.  Then I wondered why I am willing to pay so much to protect a $500 TV but nothing to protect my digital identity.  This begged the question, if I had to choose, should I protect my possessions or my identity?</p>
<p>I believe that in order to answer this question properly we must make three comparisons:</p>
<ol>
<li>The average loss for a home burglary versus the average loss for an identity theft</li>
<li>The probability of a home burglary versus the probability of an identity theft</li>
<li>The cost of a home security system versus the cost of identity theft protection</li>
</ol>
<p>In its report on <a href="https://ucr.fbi.gov/crime-in-the-u.s/2014/crime-in-the-u.s.-2014/offenses-known-to-law-enforcement/burglary">Crime in the United States</a>, the FBI found that in 2014 the average dollar loss per burglary offense was $2,251.  This is higher than the average dollar loss for identity theft over the same time frame which was $1,343 according to the <a href="http://www.bjs.gov/content/pub/pdf/vit14.pdf">Department of Justice</a>.</p>
<p>However, when considering the number of occurrences, identity theft is far more likely than a burglary.  The DoJ reported 17.6 million cases of identity theft, or 7% of all US residents above the age of 16, in 2014.  This was 10 times more than the 1.7 million burglaries that were reported over the same time period by the FBI.</p>
<p>In terms of cost it is difficult to gauge exact figures based on the multitude of offerings for both home security systems and identity theft protection.  However, it seems that identity theft protection is the same or less per month than a home security system.</p>
<p>I understand that a home security system also provides the intangible value of personal protection and that there is no value that you can put on peace of mind.  However, I could counter that the majority of burglaries happen between the hours of 10AM and 3PM, when the homeowner is not home, and therefore personal protection has no inherent value.</p>
<p>So, should I protect my possessions or my identity? Based on this very simple statistical comparison it seems that, if I had to choose, I should protect my digital identity before I protect my physical possessions.  What would you pay to protect?</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).</p>
<p>Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why is Cybersecurity So Slow?</title>
		<link>https://telegrid.com/why-is-cybersecurity-so-slow?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=why-is-cybersecurity-so-slow</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Fri, 19 Aug 2016 14:16:09 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[multi-factor authentication]]></category>
		<category><![CDATA[network performance]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=536</guid>

					<description><![CDATA[<p>Do cybersecurity vendors consider user experience?  We need to start designing solutions based on both network protection AND network performance.</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/why-is-cybersecurity-so-slow">Why is Cybersecurity So Slow?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Two weeks ago I attended a US Military tradeshow that showcased the latest and greatest cybersecurity technologies.  As I sat and listened to the presenters the same question kept popping into my head.   It is a question that has bothered me for some time and no vendor has been able to answer appropriately.  I hit my breaking point when I heard a presenter discuss his company’s ability to put every packet in its own tunnel as part of something they call the Romulan cloaking technique (example of a bad analogy).  So, after the presenter finished I raised my hand and asked my question, looking for King Arthur to extract the proverbial Excalibur from my brain (example of a good analogy).</p>
<p><span style="color: #ff6600;"><strong>“WHAT ABOUT LATENCY?”</strong></span></p>
<p>Three simple but powerful words that show where cybersecurity has started to go wrong.  How can you put every packet in its own tunnel without massively affecting network performance?  Does user experience even matter anymore?</p>
<p>Is it just me or are new cybersecurity products just rehashes of old cybersecurity products?  We have gone from 128 bit encryption to 256 bit encryption.  We have gone from endpoint protection to advanced endpoint encryption.  We have gone from firewalls to next generation firewalls.  We have gone from deep packet inspection to deeper packet inspection to deepest packet inspection.  It is the same thing Hollywood did when they remade the greatest films of our generation like Ghostbusters and Vacation.</p>
<p>Do vendors stop and think about the effect they are having on network performance?  Indeed a Cisco survey found that <u>71% of Chief Executives think that cybersecurity slows down the pace of commerce</u>.  So how are vendors improving cybersecurity without affecting latency?  The answer seems to be more blade servers, faster processors, and ASICs.  This may work but it also translates into higher costs for the customer.  Are cybersecurity vendors starting to price themselves out of the market?</p>
<p>We need to rethink cybersecurity.  We need to start designing solutions based on both network protection AND network performance.  We need to look at our network from a holistic standpoint and identify existing tools that we can use for cybersecurity.  Let’s call it Cybersecurity 3.0!  (I know we skipped 2.0 but I was at a social media talk last week and the speaker used the term Web 3.0 so cybersecurity needs to catch up.)</p>
<p>In the next few weeks TELEGRID will be launching the first Cybersecurity 3.0 product which promises to turn the field of authentication on its head.  If you are not on it already then<strong> <span style="color: #ff6600;"><a style="color: #ff6600;" href="http://telegrid.com/join-mailing-list/">Join Our Mailing List</a> </span></strong>so you do not miss the release.  In the meantime if you are looking for a secure authentication tool give me a call at 973-994-4440 and I will give you a sneak peek.</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.</p>
<p>Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Does the death of the CAC mean the death of PKI?</title>
		<link>https://telegrid.com/does-the-death-of-the-cac-mean-the-death-of-pki?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=does-the-death-of-the-cac-mean-the-death-of-pki</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Mon, 18 Jul 2016 20:08:30 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[common access card]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[public key infrastructure]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=516</guid>

					<description><![CDATA[<p>The DoD CIO Terry Halvorsen made a bold call for the replacement of the CAC within the next two years.  If there is no more CAC how can the DoD maintain its PKI?</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/does-the-death-of-the-cac-mean-the-death-of-pki">Does the death of the CAC mean the death of PKI?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Last month the Department of Defense Chief Information Officer Terry Halvorsen made a bold call for the <a href="http://federalnewsradio.com/defense/2016/06/dod-plans-bring-cac-cards-end/">replacement of Common Access Cards</a> within the next two years.  Common Access Cards, or CACs, are credit-card-sized smartcards used to provide Two-Factor Authentication (2FA) to DoD networks.  This method of access requires two out of three of the following items:</p>
<ul>
<li>Something the user knows</li>
<li>Something the user has</li>
<li>Something the user is</li>
</ul>
<p>A CAC – “something a user has” &#8211; in conjunction with a PIN – “something a user knows” – provides the required 2FA.  The issue Mr. Halvorsen has with CACs is that they do not work well in a tactical environment.  As he said, “It’s really hard to issue CAC cards &#8230; when people are dropping mortar shells on you and you need to get in your systems.”</p>
<p>So what will we use instead of CACs?  Mr. Halvorsen mentions Biometrics as part of the solution.  Biometrics, or “something the user is”, includes physical characteristics like fingerprints or behavioral characteristics like how many times a user misspells Halvorsen in a blog post (purely hypothetical).  I discussed some of the security concerns surrounding Biometrics in a <a href="http://telegrid.com/2016/05/assured-identity-giving-apps-the-finger/">previous post</a> but the biggest issue seems to be with public key cryptography.  In public key cryptography the user maintains a secured private key and shares a public key with the world.  The private key is stored on the CAC and is unlocked with a PIN as part of the DoD Public Key Infrastructure (PKI).</p>
<p>If there is no more CAC, does that mean there is no more private key?  We can derive passwords from Biometrics (for instance, fingerprints have enough entropy for the equivalent strength of a <a href="http://lukenotricks.blogspot.com/2009/04/on-entropy-of-fingerprints.html">13 character password</a>), but that is not public key cryptography.  If there is no more public key cryptography, how can the DoD maintain its PKI?</p>
<p>I believe this highlights a very interesting debate on the difference between authentication and encryption.  If we look back at the earliest days of authentication, passwords were often sent in the clear (e.g., Password Authentication Protocol (PAP)).  It was assumed that the channel would be encrypted and all information, including passwords, would be encrypted by the channel.  Authentication was merely used for authorization and accounting.  It was not until we moved from point-to-point networks to the Internet that we combined authentication and encryption in PKI.  Is Mr. Halvorsen telling us that we no longer need PKI?</p>
<p>I do not believe this is the case because at a <a href="http://federalnewsradio.com/reporters-notebook-jason-miller/2016/06/halvorsen-firing-effect-calling-end-cac/">luncheon</a> following the CAC elimination comment Mr. Halvorsen made a point of recognizing the need for PKI.  As he said, “I want to make it clear, when we replace the CAC card, it will be public-key infrastructure.”   Mr. Halvorsen suggested using Derived Credentials in conjunction with Biometrics to simplify authentication and maintain PKI.  Derived Credentials is a software-based version of the CAC contained in an electronic device such as a smartphone.  In that architecture Biometrics would unlock the electronic device while a user’s certificate and associated private key would be stored in the Derived Credentials.</p>
<p>Derived Credentials is intriguing because it heralds the ability to Bring Your Own Device (BYOD).  The only issue is current policy (i.e., NIST 800-157), which requires that credentials issued at Level of Assurance (LOA) 4 be kept in a hardware cryptographic module that has been validated to FIPS 140-2 Level 2.  This means you may need a special hardware solution, which is an issue for BYOD.</p>
<p>The moral of the story is that the DoD is now committed to changing how users authenticate themselves and that we should expect to see big changes in the next few years.  This will make it difficult for the Government to purchase devices or applications that have a fixed authentication mechanism.  Perhaps this is the reason we are seeing so much interest in applications that allow a flexible authentication mechanism, like TELEGRID’s <a href="http://telegrid.com/authentication-authorization/">SMRTe</a>.</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.</p>
<p>Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
