Article was inspired by Dan Lohrmann  How can we provide better security for IoT devices? Some researcher writes that cybersecurity can be improved solely with technology improvements.
After a few statements, speculations, facts investigation, we could answer the title question; while the right juristic basis, knowledge has organised. We have rights to partially disagree or agree with the first statement. As the developer of the new way technology and ADSC (Artificial Differentiated-Sophisticated Consciousness) I believe that full removing people from IoT security is ‘mission impossible’, need to involve people to evolve the security processes. I recently read an intriguing Harvard Business Review article by Yevgeny Dibrov, titled: The Internet of Things is Going to Change Everything About Cybersecurity This was the other inspiration for me to explicate my personal opinion. This well-written and thought-provoking opinion piece begins with the reality that cyber threats are exploding globally and data breaches have led mainstream businesses to spend over $93 billion (worldwide) in past year (2017) on stopping cybercrime. But all we know that this mission was unsuccessful. While these mainstream businesses spent millions to stop cybercrime, the hackers did as usually, hackers do. For example at the end of the first quarter of 2017. Do you remember? ..... Hackers globally have attacked social institutions, other important/non-important databases, etc. The whole world has frightened - maybe this was the basis of $ millions spending? Thence, the cyber attacks against IoT devices are more frequent as before, because the hackers recognised the weak points in systems, of IoT devices. They got cheap big data and information sets. The companies, institutions anticipate that a third of hacker attacks will be targeting shadow IT and IoT by 2020 and all weak endpoints. Every non (weak) -secured connected/ non-connected device, information, data remain as a potential victim in the closest future, until the moral or the attitude, behaviour does not change. Fact: “Executives who are preparing to handle future cybersecurity challenges with the same mindset and tools, that they have been using all along are setting themselves up for continued failure.” No doubt, old methods, solutions of defending enterprises from cyber attacks are time to time unsuccessful, nevertheless, new security solutions are certainly needed to defend the sensitive data and IoT devices. Fact: Hackers could reach the endpoint hardware/software tool by careless, untrained users' negligence or an unmanageable, defective hardware key, wrong settings or inadequate secure policy/protocol. How should avoid? Never will enough to use some firewall, antivirus, malware removal tool, necessarily enlist new generation hardware and intelligent software methodologies.
Some researcher opinion: “It can’t be denied, however, that in the age of increased social-engineering attacks and unmanaged device usage, reliance on a human-based strategy is questionable at best… A virus or an infected code is susceptible to airborne attacks, although hacker certainly not require standing close to the attacked device, enough a user may have productivity goals in mind do as usual, but there is simply no way you can rely on employees to use them within acceptable security guidelines. Users forget the proper settings, a system damage occur, etc. IoT training and awareness programs certainly will not do anything serious to help support the evolved problems and will not take the proper solution to solve the infections, hardware, software weaknesses or policy/protocol defects. "It is time to relieve your staff (partners, customers, etc.) of the cybersecurity burden.” Fact: I certainly agree that human is generally the weakest link in online security, while some industrial policy/protocol has the human base. All we must do better-equipping users, relieving them from the cybersecurity burden. This process is going in the wrong direction. People use the technology, and their functions, the processes that are followed. This will always be the essential components of effective security strategies and policies/protocols with the myriad new IoT devices. The conventional and effective business wisdom remains true that the appropriate solutions must involve people, process and technology answers, IMPORTANT surplus instruction: by the best intelligent protocol, coordination. Thus the complete statement: The appropriate solutions must involve people, process and technology answers, by the best intelligent protocol-, and coordination. That is true, the largest percentage of security challenges involve user actions (or interactions). Nevertheless, I am willing to concede that the percentage breakdown assigned to each category is open to debate and may be different for various products, services, companies and/or IoT devices. “I want to say that I certainly agree that we need much better security built into IoT devices. I certainly think IoT security is at the cutting edge of cyber-issues, and I share Dibrov’s sceptical view that we can keep doing the same things and get different results — in all three categories.” Totally agree. Take a look at a new dimensional approach security protocol system:
Fact: Almost everyone - except criminal hackers - would like to have IoT devices shipped most secure by default or secure by design with a hack-proof seal of approval on every IoT device. Which brand promise that builds/ships their device with a hack-proof mark or create a software which is unbreakable? No doubts that much more needs to be done with the security built into all technology, and it would be great if we could dramatically reduce IoT security flaws and the potential number of mistakes that can be made by end users. Here want to note again, the user authentication is the first step to improve the security of IoT devices, while the second is the safety policy/protocol system evolving. However, bring to the fore effective security consciousness training (because not enough to experience the security, need to eternally feel that) and/or a comprehensive security culture - that I call policy/protocol - against better technology is a serious mistake and ultimately leads down on a path to dismal failure, therefore the importance to entail both. Security consciousness training without technology evolution is a conventional "mule". History of IT has shown us that lasting security answers must include both of the above, with people, process and technology, they are working together well. A Short History Lesson Regarding Cybersecurity As user wants, the promise of “secure by default” has not a patch on reality across the technology industry software, hardware and even cloud-hosted services. This is what could change. Almost every company has the same/similar issues with technology bugs and security defects that hackers eventually find and parlay. It may occur when technology hardware/software products have default cyber protection settings enabled. Yes, the default security settings not means that the IoT gadget has the best or personalised security options enabled, in several cases administrators set up the security level as default for companies (this policy/protocol has not match with company mission or users often turn off security features or fail to download critical security updates, maybe do not follow recommended practices such as changing default passwords). It may also happen that the administrator, not even enough knowledge to evolve, manage company security policy/protocol. Some researcher is not alone who suggested that technology can be made secure regardless of people’s actions. However, considering the present situations could see that this viewpoint remains popular in turn we head into 2018. Why could it occur? Beyond software development flaws, we have experienced decades of insider threats caused by hackers, who were able to use processes and weaknesses in people to overcome sophisticated data protection, to acquire bank accounts (money), sell user information to researchers, advertisers or just for fun (deliberate/intentional cause damage). Until this time was no way that IoT manufacturers create and then spend the kind of amount on security like the National Security Agency (NSA) spends on technology to protect national secrets. And yet, even those technology defences would able to be strengthening by new way protocols, security policies and AI improvements. External hackers use those techniques and these techniques weaknesses, as demonstrated at security conferences, like RSA. Recent cyber attacks against bitcoin exchanges represent another example of how attacks will go after weaknesses in people and process, despite solid technology which is supposedly "hack-proof." Just as a South Korean bitcoin exchange declared bankruptcy after the second attack in less than a year. This situation developed after commentators still maintain that the bitcoin currency cannot be hacked. Perhaps this statement is true, but the bitcoin wallet can still be raided. Similar problems may continue to occur with IoT devices in the future, this is what we should change. “It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success. …” As again, from some researcher state that: “It’s time to remove people from the discussion and move towards a more intelligent, secure future.” It is not the reality. Not necessary to take staff out of the security policies/protocols formation. Inversely. Need to involve them to evolve these policies/protocols by their viewpoint, habits, practice (what they do, where they do, where could find the potential bugs, gaps in the system). Audience echo confirmed that. Side note: After the article (with the viewpoint of taking off staff from security discussions) was posted on LinkedIn and Twitter, these comments reject and disavow this viewpoint. Everyone certainly agrees with the goal to build more-secure IoT devices. Humans certainly make mistakes, and we should aim to automate as much security as possible - just as we safely fly planes on autopilot, should we strive to build secure, smart devices. Of course. And ... I am all for more-secure IoT devices that remove the potential for most end-user errors or security mistakes. Nevertheless, training and working with people and processes to protect data will never be an optional extra for secure enterprises, this should be the default, it confirms the raison d'être of ADSC (Artificial Differentiated-Sophisticated Consciousness). So, the HBR article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard enterprise security culture change, while alternatively, all manager has to accept the change without compromises and without to accept the false offered hope by eliminating “reliance on a human-based strategy”. While necessary to recognise a consensus that offering better security with a perfect technology-driven, or bolt-on tech solution, for all IoT devices with human lead security protocol/policy combo. Do not fall to trap and do not imagine that saving significant money by reducing the time required for staff to be trained and/or understand and implement appropriate (and secure) business processes with innovative technology as Managers usually imagine. This invented conflict is similar to another security paradox from a few years back that asked the question: "Are data breaches inevitable? The same holistic approach is required for IoT security. If we need to pick technology protections over enabling people with better awareness training and engaging in cyber-exercises, choose the AI-based technology (ADSC). The NIST guidance encourages an assessment of all cyber-risks with prioritisation based upon your specific situation. It recommends that solutions contain end-user training, technical training for developers and system administrators, cybersecurity exercises, management briefings, repeatable technology upgrade processes and much more. Final Thoughts Better cybersecurity protections for IoT requires improvements in:
So let’s not pit people issues against technology protections in a fight for dollars — let people think with AI, let them to jointly working with a cyber policy/protocol which leads by AI. Pretend that a perfect black cylinder is coming that will enable IoT nirvana while keeping people and process in the security equation. The security message is more central like this: People and their actions will always matter in cybersecurity while letting them improve their actions by new way technology by ADSC and a new IoT device. A new solution IoT device has hatched out from the marriage of AI and IT What is the solution? A separated high encrypted network... bring beyond NSA technology for your company Create a cyber policy/protocol following these rules User log in policy:
Security protocol:
Forget passwords. The future for bio-authentication. What use for log in policy? The future is for the biology-authentication. What is biology (bio) authentication? Similar RFID (Radio-Frequency IDentification) technology, while it does not use any other implants, it does simple (face, motion, voice) scans. Some brand implemented their authentication processes to identify user like a fingerprint, face recognition. Are these solutions enough? Sometimes, in some situation, yes. Are these safe? No doubt. All we are thought is small or larger group, team, not globally, just do it with AI.
Resources:
www.govtech.com/blogs/lohrmann-on-cybersecurity/how-to-transform-the-business-using-technology.html www.iotjournal.com/articles/view?13249/3 www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html www.govtech.com/blogs/lohrmann-on-cybersecurity/seven-keys-to-create-a-positive-culture-for-cybersecurity.html https://www.brighttalk.com/webcast/14977/241539/securing-iot-what-did-we-learn-from-rsa-2017 www.telegraph.co.uk/technology/2017/12/19/bitcoin-exchange-collapses-second-cyber-attack-year/ www.marketoracle.co.uk/Article60986.htm
Jack McRoy
1/20/2018 08:40:59 am
Nice write. Comments are closed.
|
