
Four Common IoT Security Holes

If you follow the Internet of Things space, not a day passes without an analyst report or news article talking about IoT security vulnerabilities across every sector: consumer, enterprise, industrial and government/Smart City.

I’ve been working with Internet-connected devices (medical devices, industrial actuators, sensors for environmental and security monitoring, even military systems) for many years. In my job, I am lucky enough to be able to work with industrial and enterprise devices daily. At home, I play with them both as a consumer and as a developer. Time and again, I see the following IoT security holes with alarming frequency:

Security Hole #1: Not Using Strong Encryption

It is amazing that in 2016 people are still not using strong encryption to protect important data. However, I frequently see IoT devices that use no encryption at all: they store and transmit data in the clear. Other devices use homegrown encryption techniques that are unproven by peer review and relatively easy to break.

Most of the arguments I have seen against encryption fall into three camps: 1) it is too computationally expensive for low-powered devices, 2) it is too hard to use for IoT protocols, and 3) the device data is too obscure to understand. Let’s look at each:

  1. Yes, encryption is computationally expensive. However, ongoing investment in the space is providing more efficient RSA, AES, and ECC implementations that work on smaller devices. In addition, Moore’s Law is allowing even penny-sized devices to have enough power to run them.
  2. IoT protocols are also getting better and better at providing strong encryption and secure connections (see Security Hole #2).
  3. Finally, the old “our-data-is-too-obscure-for-hackers-to-understand” argument was proven a fallacy years ago, first by the credit card industry’s Cardholder Information Security Program, and later by its replacement, PCI DSS. Any disgruntled employee (or hacker masquerading as a contractor) can bypass the “obscurity protection.”

Not using strong encryption is probably the most egregious security vulnerability. Any 14-year-old can use downloadable packet sniffing programs to capture your data. Solutions that mitigate this risk are readily available. There is no excuse for not encrypting your data.

Security Hole #2: Not Using Secured Sessions

A common error in information/cyber security is forgetting that secure communication consists of two components:

  1. Encryption of data and
  2. Establishment of secured sessions

Secured sessions use protocols to establish mutual authentication and to exchange a shared secret that only the transmitter and receiver have. If you do not establish a secured session, you are blindly guessing that the recipient of your data is the intended party. When you do not use a secured session, you invite a Man-In-The-Middle (MITM) attack in which the attacker can intercept and redirect your transmissions.

Many people think they are not likely targets of a MITM attack. Here is a simple scenario.

  • A disgruntled employee or hacker posing as a contractor first intercepts and copies traffic from your devices.
  • From this data, he learns which devices are attached to items of interest (a patient, your house, etc.). He can then also learn the normal pattern of communication from the device.
  • Next, he replaces the data from your device with his own. This can give the appearance that a patient who is sick is now healthy (or vice versa) or that your house is not being broken into (allowing his partners to break in). The hacker can even intercept your over-the-air commands and program downloads, or send commands to shut down devices.

This work is technically hard, but doable with software downloadable from the Internet. If communication between your IoT devices and your servers is secured (and encrypted), the hacker would have to gain enough permissions to get hold of your SSL certificates and hijack DNS (if he has this, you are in a lot of trouble already). However, if the communication between your IoT devices and servers is not secured, a hacker can conduct this MITM attack from anywhere. By the time you learn about it, the damage will be long done.

Thankfully, there are many solutions available in the IoT domain that provide both strong encryption and secured sessions (plugging Security Holes #1 and #2):

  • If you are using standard “Internet of Servers” protocols, simply installing a full complement of certificates will enable you to use SSL/TLS for HTTPS and FTPS (but not SFTP).
  • If you are using MQTT (one of my favorites), there are many brokers available that also provide SSL/TLS.
  • If you are using CoAP (which rides over UDP), you can use DTLS.
  • If your devices have edge constellations, you can turn on Bluetooth Security Mode 4 and get SSL with the same Elliptic Curve Diffie-Hellman secret key exchange used by the NSA.
  • You can even download and borrow the wonderful MTProto protocol designed by the folks over at Telegram (it is designed for low-powered, lossy, distributed communication).

None of these solutions is perfect. However, all reduce security risks significantly. Furthermore, all are evolving in the open source community as people find new vulnerabilities. Why more people do not use them is puzzling.

Security Hole #3: Not Protecting Against Buffer Overflow

When a hacker triggers a Buffer Overflow vulnerability, she typically causes a program to do two things: dump critical data and crash.

The first documented cases of Buffer Overflow exploits date back to 1972. As more and more computers were connected to the Internet, these attacks became more pervasive. Fifteen years ago, Code Red showed much of the general public what a Buffer Overflow exploit can do.

Over the past few years, application framework libraries and higher-level languages have added many defensive programming protections to make these vulnerabilities less prevalent than they were in the past. (As anyone who has encountered an awful error page that shows you a stack trace knows, these defenses are still far from perfect.) Nevertheless, they have plugged many holes.

However, IoT devices are bringing this vulnerability back into the mainstream. As most IoT devices operate with far less memory and CPU than expensive devices like your laptop or smartphone, their firmware and applications are primarily written in lower-level programming languages. It is much easier to trigger buffer overflows in these languages than in more forgiving higher-level languages. Exception handling libraries are less robust. More often than not, memory management is handled using good old-fashioned C/C++ programming (there is no Garbage Collector to save you). This significantly raises the risk of buffer overflows in devices.

When buffer overflow crashes occur in the data center, there is at least someone around to fix things. When they happen to a remote IoT device in the field, they can literally shut down a security or medical sensor. There is no IT or Ops department nearby to fix it. The device is shut down (at best) or bricked (at worst). Essentially, the device is dead to the world. Depending on what it was responsible for, a lot of real-world physical damage can ensue.

Devices that maintain continuously open Internet connections (like all those connected baby monitors) are especially prone to buffer overflow attacks, as remote hackers can discover them using port-scanning software. However, even industrial IoT devices that only pull commands and programs down over-the-air are vulnerable to MITM attacks that can shut them down by flooding the device with data (this reinforces the need to plug Security Holes #1 and #2 discussed above).

The fix to this problem is fairly clear: implement defensive programming and test it aggressively. Today’s automation technologies for continuous integration and delivery make this a much easier and more trustworthy process than it was even a decade ago.
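To make Security Hole #3 and its fix concrete, here is an added example in C (not code from the original post): the same over-the-air frame parser written the way that overflows and then the defensive way this section recommends, with every copy bounded and bad frames rejected rather than truncated. The “SET name=value” frame format, the buffer sizes and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not from the post): a sensor node receives over-the-air
 * frames of the form "SET <name>=<value>" and stores both parts in small fixed
 * buffers, as typical C firmware would. The frame format is assumed. */
#define NAME_MAX  16
#define VALUE_MAX 32

struct setting {
    char name[NAME_MAX];
    char value[VALUE_MAX];
};

/* BEFORE: nothing bounds the copies to the destination sizes, so a frame with a
 * long name or value overwrites the neighbouring buffer and whatever follows the
 * struct in memory. Kept only for contrast; never feed it untrusted input. */
int parse_setting_unsafe(const char *frame, struct setting *out)
{
    const char *body = frame + 4;
    const char *eq;
    if (strncmp(frame, "SET ", 4) != 0) return -1;
    eq = strchr(body, '=');
    if (eq == NULL) return -1;
    memcpy(out->name, body, (size_t)(eq - body)); /* overflows if name >= NAME_MAX */
    out->name[eq - body] = '\0';
    strcpy(out->value, eq + 1);                   /* overflows if value >= VALUE_MAX */
    return 0;
}

/* AFTER: defensive version. The caller passes the received length, every copy
 * is bounded by the destination size including its terminating NUL, and any
 * over-long or malformed frame is rejected (-1) so it can be logged and dropped
 * instead of silently truncated or, worse, turned into a crash. */
int parse_setting_safe(const char *frame, size_t frame_len, struct setting *out)
{
    const char *body, *end, *eq;
    size_t name_len, value_len;
    if (frame_len < 4 || memcmp(frame, "SET ", 4) != 0) return -1;
    body = frame + 4;
    end  = frame + frame_len;
    eq   = memchr(body, '=', (size_t)(end - body));
    if (eq == NULL) return -1;
    name_len  = (size_t)(eq - body);
    value_len = (size_t)(end - (eq + 1));
    if (name_len == 0 || name_len >= NAME_MAX) return -1;  /* would not fit with NUL */
    if (value_len >= VALUE_MAX) return -1;
    memcpy(out->name, body, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, eq + 1, value_len);
    out->value[value_len] = '\0';
    return 0;
}
```

The hardened parser is the kind of unit an aggressive CI test suite can hammer with over-long, empty and malformed frames; each rejected frame is a crash that never reaches the field.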

Security Hole #4: Weak Systems Engineering

The fourth big security hole I commonly see spans the intersection of technical design, system processes, and human behavior. It essentially boils down to this: if you use flawless technology in ways it was not intended to be used, you can create big vulnerabilities. If I design a perfectly secure medical device but put it on the wrong patient (accidentally or maliciously), I will prevent capture of data from that sensor. If the person who installs the security sensors in my house sets my account up to call their cell phone (and not mine), they can break in while I am gone and trick the company into thinking it is a false alarm.

The way around this is to design IoT devices that work when things (humans, the network, servers, etc.) fail.

  • Build in redundancy (devices, network paths and servers) to mitigate technical failures.
  • Build in positive and negative feedback loops to mitigate human failures. For example, I should not just be notified if my home security sensor goes off. I should also be notified if my smartphone and my security company’s servers both cannot communicate with my home security IoT devices.

Plugging this systems engineering IoT security hole takes a combination of technology engineering and business process design. This is a natural fit for the enterprise, where IoT can be used as a component of business transformation. In the consumer segment the answer is usually an ecosystem solution. Amazon’s and Google’s solutions stand out regarding robustness and security.

***

The Internet of Things offers great potential to transform how we work and live by removing many tedious tasks from our day-to-day activities. Making this a reality requires a secure Internet of Things. We will never make security perfect. However, we have the tools to make it trustworthy. What is needed is just the discipline to include them as we build new IoT devices, systems and processes.

Web 2.0 business service for ERP program implementation

Why social networking (a.k.a. Web 2.0) is positioned to help ERP implementation

Over the past decade, I have participated in (fully led, partially led or directly supported) five different Enterprise Resource Planning (ERP) programs. These programs have used both of the leading vendors’ technology platforms – SAP and Oracle. Some have been small (budgets of less than $10-million), some large (budgets exceeding $250-million). Regardless of size or vendor, I have often seen that the largest problems these programs have to overcome are not technological, they are social:

  1. Getting people in the organization to agree on the need to move the enterprise onto a single, integrated platform
  2. Eliciting people to share input on how their organizations, processes and technology work (so you can map their business onto the platform)
  3. Vetting what you produced with enough of the organization to ensure it will enable the organization to work more efficiently (i.e., conducting Red Team reviews)
  4. Finding the points of resistance in the organization to using the new system and processes
  5. Enabling the organization to ask questions, share insights and gain understanding of how to use the new system after it “goes live”

If an ERP program fails to address any one of these problems, the organization will not realize the intended ROI from its program investment. If the program fails to address several of these, the program may very well fail (this leads to those many metrics on the failure rate of large-scale ERP programs).

As these problems are social in nature, Social Networking (a.k.a. Web 2.0 or — truly in this case — Enterprise 2.0) is well-positioned to help address them in a cost-effective manner.

Social Networking solution position for ERP implementations

(You will note that I started this discussion by stating an ERP implementation problem that social networking can address. This follows the business service concept I wrote about last month: that the purpose of technology is not to create widgets but to enable people to be more effective in what they do for a living – or do every day to live. Along this line, the first step after identifying a problem is to establish a position for the solution…)

For: Organizations enacting large-impact ERP programs

Who: Want to increase the probability of realizing the promised ROI of large-scale ERP efforts (a 1% increase in probability can generate a $x million value on large-scale ERP programs)

ERP Social Collaboration is a transformational social networking business service

That pairs social networking with ERP Blueprinting, Change Management and Hyper-care efforts to elicit employee concerns, ideas and feedback in response to changes driven by the ERP program

Providing more effective business process reengineering (by exposing process gaps before they are enacted) and increased process adoption (by letting employees voice questions and concerns that can be addressed through communications and training)—ultimately leading to faster realization of ERP program ROI

Unlike traditional change management solutions that do not tap into wide-scale employee “ground truth” and traditional hyper-care solutions that react to employee feedback after ERP roll-out rather than during ERP blueprinting or realization

Social networking solution perspective for ERP implementations

The best way to explain how this ERP Social Collaboration Business Service would work is to outline a sample perspective of how it would fit into a real-world scenario:

XYZ is a global, large-scale corporation enacting a multi-million-dollar ERP program. The ERP program does not simply deliver a new software application but also requires the entire corporation to realign itself around new global processes for management of human capital, order-to-cash, supply chain, accounts receivable, general ledger, etc. In order for XYZ to fully realize the promised ROI of the ERP program, these new processes must not only improve how resources are managed but also be fully adopted by all staff.

XYZ’s ERP Program Office sets up a social network that mirrors the large-scale processes of the program. Each business process work stream (e.g., Order-to-Cash, Supply Chain, Human Capital Management) will have its own community area with the following: the Business Process Owner’s Journal, a Virtual Business Process Workshop, and the Virtual Business Process Town Hall.

The Business Process Owner’s (BPO’s) Journal serves as a platform to communicate key messages to employees. Here, the BPO can share the goals of the work stream along with its timeline and status. After the program has launched (i.e., achieved go-live), the BPO can post success stories and metrics from his or her journal.

The Virtual Business Process Workshop uses social networking to improve process design. From here, the BPO can issue calls-to-action requesting all employees affected by the process change to share knowledge about existing processes, systems, and organizations. This will reduce the risk of missing key activities, interfaces, or standards during the blueprinting phase of the program. It will enable employees to comment on each other’s ideas and additions, using network behaviors to correct mistakes and drive consensus, making future roll-out and adoption more successful. Finally, when blueprinting nears completion, the BPO can issue a second call-to-action to key opinion leaders to offer comments on the process design, essentially driving a Virtual Red Team exercise across the whole company. Again, this will leverage network behaviors to expose process weaknesses and prioritize risks and other areas of concern, making future roll-out and adoption more successful.

The Virtual Business Process Town Hall will become important as the ERP Program Office prepares XYZ for deployment of the new system and program. From here the BPO and Change Management Team can share inspirational and instructional videos and elicit questions, comments and concerns from affected employees. Again, network behaviors will drive the most critical points of resistance to the forefront, allowing the Change Management Team to concentrate resources on the areas of highest need. This will also enable the Go-Live Help Desk to pre-populate their knowledge base with answers to the most commonly expected questions.

Integrating this solution with existing enterprise infrastructure allows XYZ to balance targeted outreach with elicitation of candid responses. By integrating with existing company directories, it can enable BPOs to target calls-to-action to the correct audiences and drive response. However, by anonymizing comments and responses during Red Team and Town Hall activities, it can expose true risks that employees may otherwise be reluctant to raise.

The use of social networking allows XYZ to move essential change management activities forward from launch to blueprinting in a highly visible, yet controlled manner. This not only elicits information critical to success, it also facilitates greater ownership and adoption by employees throughout the company. Ultimately, this significantly increases the speed and probability of realizing the promised ROI from these large-scale, capital-intensive programs.

How far away is this?

This is not very far away. I know of a few different technologies (from several companies) that could be coupled together in short order (8-12 weeks) to provide this service. Once this is complete, it can be easily integrated into the standard ERP process implementation approaches (e.g., SAP’s ASAP or Oracle Accelerate) or offered on an a la carte basis (as a competitive advantage by ASAP- or Accelerate-certified Implementation Partners).