Weak passwords can hurt any organizations security efforts and make any device easily hackable, but could they also be the greatest point of failure for internet of things (IoT) security? Weak passwords certainly put companies deploying IoT devices at greater risk of falling victim to a cyberattack.

We have already begun to see attacks targeting IoT devices, and they are using weak passwords as their way in. In 2019, threat actors took advantage of poor password management to go after popular office IoT devices like printers and phones. Already in 2020, weve seen an IoT attack target routers and result in a password data dump on a hacker forum.

Included among the vulnerable (and hacked) passwords are default passwords used by manufacturers that give the appearance of IoT security layers. In reality, all these passwords do is create an illusion of safety for users who assume that because there is a password attached to the device when it comes out of the box, that is all that is needed. The actual outcome in these situations is a larger attack surface of poorly defended endpoints for malicious actors to penetrate with ease.

Without better password management, IoT security could quickly become unsustainable.

The IoT is a hot commodity. At the Consumer Electronics Show (CES) in January, IoT devices were everywhere, in every conceivable form. We are close to reaching a point where every item we can imagine has smart technology built in, which means there is a rush to get those devices to consumers before someone else does.

Manufacturers are focused on getting smart devices into the market as quickly as possible, but in this race to capitalize on the IoTs potential, security is often woefully neglected, explained Michael Greene, CEO of Enzoic, in an email conversation.

How far down the priority list is password security or any kind of security for these manufacturers?

Numerous connected devices ship with default passwords as standard, as was the case with 600,000 GPS trackers manufactured in China that had a default password of 123456, said Greene. Government doesnt see IoT security as a high-priority issue either, so regulations around default passwords and the need to build security into IoT devices at all are currently minimal. This means the responsibility of securing these devices lands on the shoulders of users and IT departments.

But users and IT departments arent keeping up. The work here isnt limited to simply replacing default passwords, according to Greene. Rather, it must include growing smarter about overall password management. To illustrate why this is necessary, consider the fact that nearly 60 percent of users employ the same password across multiple devices, websites and other access points, according to a survey from LogMeIn.

In this environment, a hacker can easily obtain a password that was previously exposed in a breach and use it to gain access to other systems and devices, Greene added. Because of poor password management and weak passwords overall, he believes well see more attacks directed at smart devices, especially if matters of IoT security arent viewed as pressing concerns from the start and addressed across the entire development and sales ecosystem.

Change wont come easily. Users are set in their ways regarding passwords, and IT departments often have more immediate issues than the need to monitor IoT passwords, especially if they are responsible for dozens or hundreds of devices across their organizations.

Yet the IoT is becoming a major player in the overall threat landscape, said Yaniv Balmas, head of cyber research at Check Point Software Technologies, during a conversation at CPX360 in New Orleans. The security level of these devices is already relatively low, but any change that improves device security costs money, either on the development side in which case the cost is typically passed on to the consumer or on the user side.

Cost tends to win, said Balmas, and we want cheaper products.

But all is not lost when it comes to securing IoT devices. Companies are turning to solutions beyond passwords for authentication. For example, Amazon is looking at connecting its payment kiosks in brick-and-mortar stores to biometric identification methods that would prompt the customer to use the palm of their hand to verify their identity, which would be linked to a credit or debit card. Another positive step is the IoT Security Rating Program instituted by UL, formerly Underwriters Laboratories. The UL Verified Mark will alert consumers to the security risks and standards associated with a wide array of IoT devices.

Manufacturers must take security more seriously in the development stage, and companies must leverage advanced authentication options as they become available. Until then, it will be up to users and company security policies to ensure IoT devices are secure. This will require a simple first step: immediately changing default passwords to something strong and unique. As long as we continue to use weak passwords on IoT devices, we will be putting our organizations networks and data at risk unnecessarily.

Read the original:
Will Weak Passwords Doom the Internet of Things (IoT)? - Security Intelligence

Published: Tuesday, February 11, 2020 @ 6:00 PMUpdated: Wednesday, February 12, 2020 @ 5:52 AMBy: Jim Otte

MIAMI VALLEY As Ohio voters go to the polls this year the state says security is in place to make sure every vote counts.

Your voice will be heard, said Ohio Secretary of State Frank LaRose.Your ballot will be accurately counted.

With about a month until Ohios March 17 primary election, security experts are still concerned about election security and foreign election interference.

After more than 6,000 ballots werent counted in Miami County in 2018,News Center 7s I-Team took a look at what has changed since 2018 and how people can be sure that their vote will count.

>> RELATED:I-Team: Are votes, voting equipment secure?

As a child, Inge Voisard immigrated from Germany to Ohio.

That perspective, as a proud naturalized citizen who now calls Troy home, means shes always taken voting seriously.

I dont think Ive ever missed an election, she said.

But in November 2018, when Ohio governor race was hot, her early absent vote was one of the 6,288 in Miami County that was initially tabulated as zero.

Records obtained by the I-Team indicate after the Nov. 6, 2018, election the problem went undetected until Dec. 20, 2018.

Thats when the Ohio Secretary of of States Office alerted county leaders of a discrepancy.

It was not until Jan. 22, 2019, when the lost ballots were finally counted and included in the amended vote count.

Miami Countys elections director was fired.

But what is the county doing to make sure this doesnt happen again?

>> RELATED:Miami County leaders meet to discuss the 6,200 votes that went uncounted this past election

We had to re-write a policy manual, said Laura Bruns, Miami Countys current board of elections director. We had to re-write out procedures.

Bruns came here after the 2018 incident. She said an employee missed a step in the process of loading early votes into the the counting system.

If the staff had been looking, she confirmed they would have found this a zero in the initial vote count showing no early votes were counted.

I laid out in front of them a year ago, said LaRose.Right now you have a trust deficit with the voters of your county.

LaRose put Miami County on state oversight.

The errors also led the state to spend $114 million on new voting machines to increase security.

The new Miami County machines start with a paper ballot. You darken a circle by the candidates name and then put it into a scanner to be counted.

>> RELATED:State investigation begins into uncounted ballots in Miami County

The paper ballot can always be recounted again if needed.

The machines are not hooked up to the internet.

So there's no possible way for the machine to be hacked, said Bruns. We keep it in a room that has double locks on the door.

While the machines are under lock and key, there are still national election security concerns.

Adam Levin runs the internet security firm CyberScout.

He said foreign governments are still trying to hack election computer systems and are trying to undermine out faith in the election system.

We're living in a dangerous world, said Levin. There are more vulnerabilities that we've ever thought about before. Disinformation has become mainstream.

>> RELATED:Election board fires director after 6,200 ballots werent counted

The Department of Homeland Defense is not providing technical help to get all states and local boards of elections.

There's no such thing as 100% secure, said Matt Masterson, election security adviser for the Department of Homeland Security. There's always areas for improvement. That's why this is an ongoing, evolving process.

University of Dayton professor David Salisbury is the regions top cyber security expert.

He said it appears Ohios election system is on the right track.

Still, like any organization, emails to election workers remain one of the biggest threats.

What keeps me up at night is a person who is well-intentioned, a hard worker, at their job, busy as all get out, one of the messages come by and before they can think it through they click, he said.

>> RELATED:8 Ohio counties fail to meet election security deadline

LaRose said they have recently detected and defeated an Iranian malware attack.

They bad guys lost and the good guys won, he said.

For added protection, LaRose sent a 34-point preventative measure checklist to every Ohio election board.

Just recently Miami County was released from state supervision.

With extra cyber security provisions, like paper ballots and new voting machines, local boards of elections are promising your vote will be counted.

We will be ready, said Bruns. I have a good staff. We have a good board. We're all going to work together to make it happen.

However, there are a few legitimate cases where a vote you cast will not be counted.

The first case is if you vote for a write-in candidate who has not registered with the state in advanced.

>> RELATED:Report: DHS 2020 election security plan not finalized before voting started

And if you forget to sign your absentee ballot and send it in at the very last minute, its too late to correct it.

Also, if you are not registered to vote you cannot cast a ballot. So make sure to check your registration with the board of elections long before Election Day.

Continued here:
Will your vote count? Ohio working to increase election security - WHIO

Last summer, NHS Digital announced the NHS Secure Boundary, which aims to strengthen cyber resilience across health and care. Alfie Harvey, strategic delivery lead at NHS Digitals Data Security Centre, talks about how the project is going.

NHS Digitals plan to provide world-class next generation firewalls to help protect the increasing digital perimeter of the NHS has reached a significant milestone, York Teaching Hospitals NHS Foundation Trust is the first organisation to be fully integrated into NHS Secure Boundary and will lead the way for other organisations to get on board.

Last summer, we announced the delivery of NHS Secure Boundary and our partnership with Accenture, and we now hope that more NHS organisations will take up this centrally funded service, which will enable us to strengthen cyber resilience across health and care.

Over the past four months, we have been working with organisations across the NHS to develop NHS Secure Boundary as a pilot. This has involved gathering their vital feedback so we can learn the best way to extend this solution across the wider NHS.

One of the key things to come out of the feedback is a clear message that organisations need us to vary our approach to onboarding onto the solution. This allows us to walk them through each step of the process, providing support with a dedicated set of expert resources, tailored to their needs.

Organisations can manage how they go through the onboarding process. If local IT teams want to be more hands on in how they manage their set up, then that is fine and we will take a step back, offering support if and when they need it. We have produced an onboarding manual which details every step from inception through to implementation

So why Secure Boundary?

NHS Secure Boundary is a powerful cyber security tool that gives NHS organisations the chance to control what passes in and out of their digital estate. IT teams can benefit from secure filtering for web content, next generation firewalls, secure DNS services and data loss prevention, among other things.

It also gives us a chance to see a broader picture centrally of what is happening with internet traffic. The more we can see across the NHS system, the better we can scan for potential threats in real time, detecting and neutralising them to help NHS organisations to protect themselves.

The NHS Secure Boundary also supports essential programs, such as HSCN and Internet First, by helping to modernise security for organisations access to the internet. This will give front-line clinicians across organisations the ability to access more timely information and therefore make more informed decisions on patient care.

There are the longer-term strategic objectives to keep in mind, as well. NHS Secure Boundary supports both the NHS Long Term Plan and the Secretary of States Tech Vision. It does this by providing additional protection for accessing the internet, leveraging the cloud, and taking advantage of innovative technologies and services which, in turn, will deliver greater operational efficiencies and better clinical outcomes.

Over the last couple of years, we have been analysing, identifying, neutralising and responding to cyber security risks in the NHS, using data from the Data Security and Protection Toolkit, our on-site cyber assessments, our Security Operations Centre and our Cyber Security Support Model.

Organisations without specialist cyber security expertise will benefit hugely from the central support delivered by NHS Secure Boundary. NHS Digital and our supporting partners, Accenture, Imperva and Palo Alto Networks, can provide a helping hand, supporting organisations to manage their firewalls and protect internet traffic, though the option is still there to locally manage firewalls.

It also protects HSCN or National Gateway connections as well as local internet breakouts, to a national standard. Internet-facing applications, like appointment booking systems, are often vulnerable to a range of potential threats like Distributed Denial of Service (DDOS) attacks. The NHS Secure Boundary not only protects these systems, but the patients using them as well.

Next steps

The more NHS organisations that sign up to NHS Secure Boundary, the better for the whole system as it will build an even stronger network to fight against cyber threats and manage attempts to infiltrate the system.

Working with Accenture, Imperva and Palo Alto Networks, we will be focussed on supporting NHS organisations and central network service providers to get them onboard over the next two years with managed support from our partners over the next five years.

There is a centrally funded two-year programme to onboard organisations with a dedicated team on hand to manage and support them, which started in January 2020.

NHS Secure Boundary complements and supports the other services provided by NHS Digitals Data Security Centre to help mitigate the risks we identified in our analysis of the wider system. These include Microsoft Advanced Threat Protection, our email filtering service, the Cyber Security Support Model, our workforce simulated phishing campaigns and our board level-training, providing both physical protection from threats and better awareness of cyber issues for staff.

Feedback from our early adopter

Shane Martin, Network Manager at York Teaching Hospital NHS Foundation Trust said: NHS Secure Boundary has given us an extra layer of security for our internet access at almost zero cost for our trust, saving potentially hundreds of thousands on a similar product if wed had to buy it in ourselves.

Its next-generation firewall, which identifies potential threats early on and reduces our risk of exposure to hackers, was really appealing to us and the fact that NHS Secure Boundary helps to fulfil the Cyber Essentials+ and Data Security and Protection Toolkit requirements was also a big bonus.

Well be using NHS Secure Boundarys Web Application Firewall, which will protect all of our external-facing web services from potentially malicious inbound access requests.

This means that we will be able to host our patient administration systems on our own network, and both community workers and sanctioned external organisations will be able to securely access them from wherever they are. So, this will enable a much more mobile and connected workforce, allowing clinical information to be available securely at the point of care, be that on our premises or at a patients home.

So, NHS Secure Boundary will not only save the trust money, it will ensure that the best possible protection surrounds our most critical systems and allow us to provide an even better level of care to our patients.

We want more organisations to start sharing in the benefits of NHS Secure Boundary, to help better protect themselves and each other. To find out more about the potential benefits that NHS Secure Boundary can give your organisation and sign up, contact the mailbox nhssecureboundary@nhs.net

More here:
NHS Secure Boundary the next layer of cyber protection for the NHS - Digital Health

Globalinternet of things (IoT) security marketis set to witness ahealthy CAGR of 34.10% in the forecast period of 2019 to 2026. Internet of Things (IoT) connects devices including industrial machinery and consumer items to a network, allowing data gathering and software management of these systems to boost effectiveness and allow new services. IoT helps build smart communications environments including smart shopping, smart housing, smart healthcare, as well as smart transport. WSN, RFID, cloud services, NFC, gateways, data storaage & analytics, and visualization elements are the main components of IoT. Few of the major competitors currently working in theInternet Of Things (Iot) Security marketareCisco Systems, Inc., IBM Corporation, Intel Corporation, Infineon Technologies AG, Symantec Corporation, Gemalto NV, Allot, Fortinet, Inc., Zingbox, Mocana, SecuriThings, CENTRI Technology, Armis, Inc., ForgeRock, NewSky Security, McAfee, LLC, AT&T Intellectual Property, Check Point Software Technologies Ltd., Trustwave Holdings, Inc., Verizon, PTC among others

Avail 20% Discount on Buying This Report: Click Here to Get Free Internet Of Things (Iot) Security Market Research Sample PDF Copy @https://www.databridgemarketresearch.com/request-a-sample/?dbmr=global-internet-of-things-iot-security-market&yog

The key players of the Internet Of Things (Iot) Security market are making moves like product launches, joint ventures, developments, merges and accusations which is affecting the market and Industry as a whole and also affecting the sales, import, export, revenue and CAGR values. The readers will find this report very helpful in understanding the Internet Of Things (Iot) Security market in depth. Analysis and discussion of important industry trends, market size, market share estimates are mentioned in the report. The data and the information regarding the Internet Of Things (Iot) Security industry are taken from reliable sources such as websites, annual reports of the companies, journals, and others and were checked and validated by the market experts.

Global Internet Of Things (Iot) Security Research Methodology

Data collection and base year analysis is done using data collection modules with large sample sizes. The market data is analyzed and forecasted using market statistical and coherent models. Also market share analysis and key trend analysis are the major success factors in the market report. To know more pleaserequest an analyst callor can drop down your enquiry.

Key Insights in the report:

The titled segments and sub-section of the market are illuminated below:

Region Included are:United States, Europe, China, Japan, Southeast Asia, India & Central & South America

By Component

By Type

By Application Area

Top Players in the Market are: Cisco Systems, Inc., IBM Corporation, Intel Corporation, Infineon Technologies AG, Symantec Corporation, Gemalto NV, Allot, Fortinet, Inc., Zingbox, Mocana, SecuriThings, CENTRI Technology, Armis, Inc., ForgeRock, NewSky Security, McAfee, LLC, AT&T Intellectual Property, Check Point Software Technologies Ltd., Trustwave Holdings, Inc., Verizon, PTC among others

Unlock new opportunities in Market the newest release from Data Bridge marketing research highlights the key market trends significant to the expansion prospects, allow us to know if any specific players or list of players must consider gaining better insights.

TOC of Internet Of Things (Iot) Security Market Report Includes:

Download table of Contents with Figures & Tables @https://www.databridgemarketresearch.com/toc/?dbmr=global-internet-of-things-iot-security-market&yog

Thanks for reading this article, you can also get individual chapter wise section or region wise report version like North America, Europe or Asia.

Key questions answered in the Global Internet Of Things (Iot) Security Market report include:

Company profile analysis covers in-depth analysis of the players business and key financial metric such as net revenue, revenue breakup by segment and by region, SWOT Analysis, risk analysis, key facts, key business strategy, major products and services, and recent news and other market activities.

About Data Bridge Market Research:

An absolute way to forecast what future holds is to comprehend the trend today!

Data Bridge set forth itself as an unconventional and neoteric Market research and consulting firm with unparalleled level of resilience and integrated approaches. We are determined to unearth the best market opportunities and foster efficient information for your business to thrive in the market. Data Bridge endeavors to provide appropriate solutions to the complex business challenges and initiates an effortless decision-making process.

Data Bridge adepts in creating satisfied clients who reckon upon our services and rely on our hard work with certitude. We are content with our glorious 99.9 % client satisfying rate.

Contact:

Data Bridge Market ResearchUS: +1 888 387 2818UK: +44 208 089 1725Hong Kong: +852 8192 7475Email:[emailprotected]

Read more:
Global Internet of Things (IoT) Security Market Segmentation along with Regional Outlook, Competitive Strategies, Factors Contributing to Growth and...

Many security professionals in developing their strategy still fall back on the old punch list approach to security configurations. They believe that if they check the box on tried and true methods such as password managers, creating strong device passcodes, using two-factor authentication, encrypting devices and using VPNs, their companies will be secure against cyberattacks.

But by simply going through the suggested methods to safeguard your organization, security professionals arent considering the actual risks or impact on workflows. Every organization requires a tailored approach to cybersecurity, which simply cant be achieved by checking off boxes on a standard list.

The National Institute of Standards and Technology (NIST) has been pushing for the abandonment of security checklists for yearsever since the dawn of the Cybersecurity Framework and integration of the Risk Management Framework into the security life cycle.

The problem with security baselines and the hundreds of registry keys, file and folder permissions and Windows Group Policy settings is that they limit the idea of what achieving sound security is. Sound security is a constant cycle of changes and the balance of risk, cost and liability while maintaining confidentiality, integrity and availability of cyber resources.

Checklists are also never complete and never current. In the bring your own device (BYOD) and IoT world, the variety of operating systems, versions and capabilities make it impossible to have a hard-coded punch list. These static lists also provide a road map for hackers to know what not to try, thus making detection harder.

Another issue is that checklists create a false sense of security. Organizations are vulnerable when their security leaders have the viewpoint that if we do X, Y, Z, then were good. That couldnt be further from the truth. Security is not absolute and is different for everyone. The specific needs of one industry vary greatly from the needs of another. In developing your security strategy, once you identify whats required for your industry and organization, you will be able to better limit the potential of a cyberattack and mitigate the damages.

So, how do you successfully get rid of the checklist approach? What is an alternative way to develop a security strategy that maximizes your defenses?

Start by taking the structures provided in the NIST Core Controls or Center for Internet Security 20 and apply the areas of concern from each group/family to every class of tech in your network. This includes PCs, servers, switches, firewalls, IP phones, peripherals (printers, cameras, UPS, video boards), mobility (smartphones, tablets, IoT), software and any other outliers.

Once you have everything categorized, take a long look at the risks and figure out how you can best mitigate and manage them.

Now that risk is understood and the methods to mitigate them are in place, its time to write them down. There are multiple parts to this:

Your security plan and procedures are in place. Everything has been implemented and maintenance is fully automated. Youre secure, right? Wrong. Theres an old idiom I like to keep in mind: Trust but verify. Look at the procedures and plans and ask, How do I test this? Having the procedures available to test enables you to develop plans about when to test. Do you audit everything or just a sample? How is the sample selected? Are there event-based triggers?

In college, my English professor embedded the mantra, Writing is a recursive process, into my brain. Ive learned that this also applies to security plans, policies and procedures. Annual reviews of these materials are critical to ensure completeness and to make necessary updates to any changes over the previous year.

If you encounter a cyberattack, its important to have post-event reviews based on forensic details to reformulate your strategy. Ask yourself, How and why did this happen? What can be done to prevent or mitigate?

There are certain significant changes that should always trigger a risk assessment and documentation, plan, policy and procedure update. These changes include migration to cloud SSO platforms, OS major revision upgrades, change of security solution vendor, etc.

As Ive mentioned, security is not absolute. A checklist thats not frequently revised and updated will not provide proper value and protection. As new threats emerge, and as every organization has different requirements for cyber protection, its crucial to introduce a security strategy and cybersecurity framework that will keep up with constant changes, limit the occurrence of cyberattacks and mitigate the damages if an attack does occur.

Read the rest here:
Security Strategy: Moving Away From Tried and True - Security Boulevard