Strategies for Preventing Compromised Devices:An introduction, for security professionals, to IoT protection and the current smart device landscape.

The rapid expansion of the Internet of Things (IoT) has given rise to an increasingly interconnected world, permeating both consumer and enterprise landscapes. The inherent complexity of IoT ecosystems from smart security systems and kitchen devices to medical sensors and fire alarms has spawned a plethora of new vulnerabilities and attack vectors, placing the security of these devices at the forefront of cybersecurity concerns.

In this post, we will look at the current IoT security landscape, provide real-world examples of IoT breaches, and discuss strategies to mitigate risks, including visibility into device relations, lateral movement protection, microsegmentation, and Zero Trust.

To understand the magnitude of IoT security challenges, consider the following notable incidents:

To effectively address IoT security risks, it is crucial first to comprehend the challenges they pose:

Mitigating IoT security risks

A comprehensive approach to IoT security should encompass the following strategies:

An in-depth understanding of the relationships between IoT devices and their associated networks is crucial for effective security. To achieve this:

Relevant Link: NISTs Guidelines for Managing IoT Cybersecurity and Privacy Risks

Restricting lateral movement within a network can significantly reduce the potential impact of a compromised IoT device. To achieve this:

Relevant Link: Lateral Movement Protection Best Practices

Segmentation provides granular control over network traffic, enabling the enforcement of security policies at the device level. To implement microsegmentation:

Relevant Link: Microsegmentation Made Easy

Adopting a Zero Trust security model requires the verification of all applications, users and devices attempting to access resources, regardless of their location. To implement zero trust for IoT:

Relevant Link: Zero Trust and Your Organization: What It Will Take to Put Theory into Practice?

The ever-increasing reliance on IoT devices brings an expanding attack surface and the potential for significant security breaches. Security professionals can effectively safeguard their organizations from IoT-related threats by implementing comprehensive strategies that include visibility into device relations, lateral movement protection, microsegmentation, and zero trust. As the IoT landscape evolves, cybersecurity professionals must remain vigilant and adaptable, ensuring that security measures keep pace with technological advancements.

Working towards securing IoT

At TrueFort, we specialize in lateral movement protection and have formed strategic alliance with Armis, major asset visibility and security provider. This joint effort enhances our customers ability to discover, comprehend, and implement security policies across IT, Internet of Things (IoT), and operational technology (OT) settings.

The post How can we Secure the Internet of Things (IoT)? appeared first on TrueFort.

*** This is a Security Bloggers Network syndicated blog from TrueFort authored by Nik Hewitt. Read the original post at: https://truefort.com/securing-the-internet-of-things/

More here:
How can we Secure the Internet of Things (IoT)? - Security Boulevard

Gartner projects that spending oninformation security and risk managementproducts and services will grow 11.3% to reach more than $188.3 billion this year. But despite those expenditures, there have already been at least 13 major data breaches, including at Apple, Meta and Twitter.

To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.

If you look at security from a purely technical perspective, its easy to get lost in, `I need to have this shiny object because everyone else has it, says David Christensen, VP and CISO at benefits administration software provider PlanSource. The reality is often the most popular or well-known new security solution can waste money and slow the business, especially if it doesnt align with business goals. And even if it helps secure one part of the business, it may not be the part of the business or business process that creates the most risk or is most important.

Don Pecha, CISO at managed services provider FNTS, agrees, adding: Each business unit of the company might have unique considerations, and unique compliance, regulatory, or privacy applications, and each business may have unique risks for the board or C-suite to consider.

Frank Kim, CISO-in-residence at venture capital firm YL Ventures, and fellow at the SANS Institute, cites the case of one CISO who was fired after suggesting costly endpoint detection, and response and incident response programs considered not stage appropriate for such a startup. Their focus was on survival and revenue growth, Kim says. He didnt realize his job was not just to suggest a bunch of new security capabilities, but business enablement.

Aligning security with the business goes beyond traditional methods of justifying security spend, such as warning of consequences from hacks or trying to prove ROI. For internal enterprise security teams, Kim says to accept that security is a cost center and demonstrate how the CISO manages total cost of ownership over time. This might include updating CFOs and CEOs on specific cost reduction, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski,SVP and CISO at financial services provider Oportun.

Christensen further suggests explaining how security can cut costs or increase productivity. For example, he says, web application firewalls dont only protect applications but cut networking costs by reducing spurious and malicious traffic. Also, adopting zero-trust architecture and secure access service edge technologies can help boost productivity by freeing users from manually deploying virtual private networks to access resources or interrupt meetings when their VPN fails.

Kopczynski adds that CISOs can uncover such improvements with questions such as whether their organization is using all the functions in a security tool, if those features overlap with other tools, and whether the organization is paying too much for licenses or for too many licenses. Ways to maximize value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high impact attacks, he says. For example, he uses the Titaniam encryption engine to support several data protection use cases, as well as security tools provided by cloud providers such as Amazon and Microsoft. We also look at generic cloud security solutions that provide multiple sets of protections, versus addressing one particular use case, he says.

At global marketing agency and consulting firm The Channel Company, security considerations are deeply embedded in business strategy and budgeting, says CIO Rik Wright. This ranges from the need to meet the European Unions GDPR to complying with security requirements from customers.

Averting threats is also part of the security value equation at the firm, which uses managed services provider GreenPages both for infrastructure and to help meet its security needs. Wright says hes seen some companies spend potentially business threatening amounts up to $20 million after a ransomware attack, so preventing such losses, he says, represents very real value.

Aligning security spend with business needs starts with understanding what is most important to business managers.

Kim recommends using a risk = impact x likelihood formula, and understanding on a scale of 1 to 10 what your most important processes and assets are. Your financial data might be a 10 but your HR data might be a seven as its not a business differentiator, he says. Just using a simple scoring rubric to your risk calculation helps to bubble up what the priorities are.

Besides business, Christensen says CISOs must also consult IT to understand the administrative burden a new security technology might impose, and all the areas in which a security tool could be used to maximize its value. He uses the Secure Web Gateway from dope.security to not only control access, but to understand what information and Web sites users are accessing, and the potential risks they expose the business to.

Industry standard frameworks can also provide a common language and structure for risk assessment, like the NIST (National Institute of Standards and Technology) cybersecurity framework. Its simple enough that its not necessary to be a security practitioner to understand it, but it models your maturity and helps to relate that to business stakeholders, says Christensen, adding its also based on industry standards rather than the CISOs opinions, and is continually updated to reflect new risks.

Different security frameworks are best for different industries, says Pecha. If Im in government, Im going to align with NIST, he says. If youre a global business, use the ISO/IEC27000 family of standards. Its not necessary to be certified, but be compliant and understand what the controls are in order to understand your partners security needs as well as your own.

Scott Reynolds, senior security and network engineering manager for manufacturer Johns Manville, uses the ISA/IEC 62443 standard to create a common understanding between business managers, security experts and suppliers about common terms such as the zones of assets that share common security needs. This process also shows we agree on the same level of risk for the entire zone, and not just each asset in the zone, he says. The weakest link in the zone will impact all the assets within it.

Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NISTs Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Securitys top security controls for specific tactical guidance,which, he says, highlight, low-hanging fruit that businesses can easily address in their infrastructure.

Several CISOs were skeptical about using benchmarks to compare their security spend with others. Thats because, they say, companies may define security spend differently or have different needs. They also say benchmarks often dont describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.

But Kim warns CISOs against refusing C-level requests for benchmarking. Its not unreasonable to ask for a benchmark, he says. A chief financial officer couldnt say, We cant compare our earnings-per-share with others in the industry. Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how youre reducing the total cost of ownership of security over time.

CISOs should describe current threats and attacks, says Pecha, and supply alternatives to remediate them. Its then up to the board and the C-suite to decide whats acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.

Insisting a business executive formally accept a business risk, even in writing, often convinces them to agree instead to the proposed security spend. When Sokolovskiy has insisted such signoff, Without fail, so far the business unit was actually driven to lower the risk themselves because they own it, he says.

A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates, he says.

Read more:
Why IT leaders are putting more business spin on security spend - CIO

Open source security provider Wazuh has launched the latest version of its unified extended detection and response (XDR) and security information and event management (SIEM) platform with a suite of upgraded capabilities.

Wazuh 4.4 adds a string of new features to Wazuh agents and managers, which users deploy on endpoints and servers respectively. These features include support for IPv6 for agent-manager connections, search upgrade to OpenSearch v2.4.1, vulnerability detection for Suse Linux, updates to Linux software composition analysis (SCA) policies, and Azure integrations in Linux agents.

The 4.4 launch implies that all the packages and images for the version such as the AMI, OVA, and Docker images for the Wazuh central components, and the Windows, macOS, Linux, and other operating systems packages for the Wazuh agent are immediate and publicly available, said Santiago Bassett, CEO of Wazuh.

Amazon Machine Images, Open Virtualization Appliance, and Docker images are all pre-configured virtual machine images made available by AWS, VMware, and public docker registries to help users download and deploy across various virtualization platforms.

Wazuhs free and open source managed security platform can be accessed both as an on-premises as well as SaaS-based offering providing detection, incident response, and compliance management capabilities to its customers. The SaaS-based offering is called the Wazuh Cloud.

In order to keep up with the networking standards, Wazuh has updated its platform to add the latest internet protocol version 6 (IPv6) supportto allow agents to register and connect to managers through an Ipv6 address.

It means customers can leverage the benefits of the IPv6 protocol with better security and performance in the agent-server communication, Bassett said. Connecting through IPv4 is still possible, but now its users can opt to set IPv6 parameters for the connections.

Wazuh indexer and dashboard have been reworked to run the latest version of OpenSearch, Amazons open source search and analytics engine. Wazuh now integrates with OpenSearch 2.4.1 to provide a scalable and centralized solution for indexing and analyzing security events and logs collected by its endpoint agents.

Wazuh has also updated the SCA policies for Ubuntu Linux 20.04 and 22.04 because the existing version had some errors, the company said. As part of this task, it has used the Center for Internet Securityguidelines for Ubuntu Linux 22.04 LTS systems.

Previously, the SCA policy for Ubuntu 20.04 systems didnt work as expected. In particular cases, the Wazuh agent didnt report the actual system state correctly using the SCA policy file for this operating system. Wazuh would report some particular configuration test results as failed when they should have actually been reported as passed, Bassett added.

Wazuh 4.4 now supports vulnerability detection in the Suse Linux systems. This was previously available for select Linux systems and other operating systems including Windows, macOS, and FreeBSD.

The company has also added support for Azure integration on its Linux-based agents. This is done by modifying the package generation process to add Azure support on agents installed using Windows Packaging Project (WPK) packages, a distribution format for Windows applications.

Each new WPK package will contain all the updated binaries and source code, and the installer will update all files and binaries to support Azure integration.

Previously, users needed to set up the Azure integration in the Wazuh server but now its possible to configure the very Linux agents to set up the Azure integration, Bassett added.

See the article here:
Wazuh launches version 4.4 with a suite of new capabilities - CSO Online

Who are you? is one of the first questions when we meet strangers.

Its also the first question a security system asks when anyone tries to access a network. Without verified identity, access is denied.

Yet identity management and its twin, access management is still a huge problem. According to the 2022 Verizon Data Breach Investigations Report, 40 per cent of the 3,875 incidents it looked at involved the use of stolen credentials.

According to a survey of 100 IT and security pros done last year for identity provider Radiant Logic, 61 per cent reported that their business views identity management as too time-intensive and costly to manage effectively on an ongoing basis (although almost the same number agreed it is of vital importance).

These numbers should be kept in mind because today is the annual Identity Management Day, observed on the second Tuesday in April. Its a day when IT leaders should think about their identity and access management strategy or lack of one.

As part of the event today, the U.S.-based Identity Defined Security Alliance is holding a day-long webinar, while Canadas IdentityNorth starts a two-day online symposium on Wednesday.

As we celebrate Identity Management Day, IdentityNorth wants to emphasize the importance of advancing trust in all aspects of identity management, said Krista Pawley, digital transformation and inclusion leader and event co-chair of Identity North. This includes trust in data, building trust with users, and future-proofing IT systems. With sensitive information at risk, building digital trust must be a top priority for IT managers.

According to the Identity Defined Security Alliance, this is a day to raise awareness about the dangers of casually or improperly managing and securing digital identities.

Account management is important enough that it ranks Number Five in the Center for Internet Securitys Top 18 security controls and access control management is Number Six.

Treat identity management like a plan, not a one-time project, urges Geoff Cairns, a principal analyst in Forester Researchs security and risk practice.

Identity management starts, Cairns said, with having executive buy-in to having a plan that recognizes not everyone can access everything. Some employees will have access limited by their roles.

Briefly, experts say, this means management agreeing to a zero-trust approach to security: Dont trust everyone who can log into the network. There has to be regular authentication for accessing sensitive assets.

Access to data or an application can be through role-based access control (based on a users role) or attribute access control (everyone in the human resources department can access a project management tool), or both. The IT leader will have to find a solution that automates provisioning.

This is followed by security control Two: Inventory and rank your software assets because management cant decide what employees and customers can access if doesnt know the data it holds.

Then follow access control best practices and policies to limit access to data to only those who need it.

In some circumstances, notes access provider StrongDM, the principle of least privilege doesnt provide the necessary flexibility that certain situations require. For instance, a help desk associate may need a temporary elevation of privileges to troubleshoot a customers urgent ticket. One way to enforce identity and access management best practices, yet still support the principle of least privilege without compromising user experience, is by leveraging just-in-time access.

A vital step in identity management, Cairns said, is limiting identity sprawl making sure that identities are revised when staff changes roles and revoked when they leave the organization. Thats where identity governance regularly auditing usage and reducing unnecessary standing permissions can pay dividends, he said.

Password management is another step. Although passwordless solutions such as biometrics are increasingly being used by organizations, experts say passwords will be with us for some time. So a login password or passphrase policy is a good place to start. This is especially important if the organization uses single-sign-on tools. Adding multifactor authentication either biometric or sending a one-time code these days is vital. Look for phishing-resistant MFA.

Finally, dont forget that machines such as sensors, servers, PCs, smartphones or POS devices may need identity management as well as people.

Chris Hickman, chief security officer of Keyfactor, notes that Googles initiative to shorten digital certificate lifespans to 90 days from 398 days will complicate identity management. On the one hand, the shorter the window of opportunity to use a stolen certificate, the greater reliance a system can put on the authenticity of the device or workload presenting that digital credential. On the other, its a significant jump and would require a higher degree of automation to manage frequent updates, or significantly more manual labor to keep up, he said in an email.

The biggest mistake IT or identity leaders make is trying to do everything at once, Cairns said. Break down things into chunks that you can prioritize. Getting your arms around what you have your user base, user population, the different roles and attributes is at the top of the list.

Another big mistake is expecting a technical process to solve what is fundamentally a process problem, he added. Identity management depends on a solid strategy and plan that covers people, business processes and technology.

Identity Management Day underscores the importance of protecting our digital identities now that identity-related data breaches are becoming more frequent, said Stuart Wells, chief technology officer of Jumio. Organizations and the public alike must adjust to the current cyber threat landscape and take action by securing and responsibly managing their digital identities. After all, identity-related information remains one of the most coveted data by hackers, and commonplace security measures like passwords, two-factor authentication and knowledge-based authentication are no longer enough to keep data safe. Although cybersecurity is enhanced and developing daily to safeguard data, cybercriminals continue to find new and better ways to access it.

It is crucial for IT and security teams to effectively manage and regularly safeguard all digital identities in their environment, as most breaches today start with compromised identities, said Kevin Kirkwood, deputy chief information security officer of LogRhythm. The best chance of defending against fraudsters trying to access sensitive data is for organizations to deploy the requisite level of security that supports identity access management (IAM) solutions along with enabling consistent identity and single sign-on(SSO) through SIEM (security information and event management) integration.

Hackers dont break in; rather, they log in, said lmog Apirion, chief executive officer and co-founder of Cyolo. So, when we talk about enterprises, we need a shift into a robust zero-trust framework to protect all forms of user data. Identity-based access control enables businesses to strengthen their security posture while also gaining visibility and control over the access to their most critical systems.

More:
Identity Management Day advice: This is not a one-time project - IT World Canada