
Feb 1, 2018

The Internet of Unsecured Things


Finding Security in the Smart Devices World

The internet of things (IoT) refers to the network of physical objects embedded with network connectivity.

This technology allows devices that were previously silent to communicate and share data. For instance, objects as complex as automobiles, public transportation and heart monitors can now share data with appliances like washing machines or refrigerators. The result is an explosion of both data creators and data collectors.

However, as the initial excitement about IoT's possibilities has subsided, serious concerns have emerged about the functionality and security of connecting everyday devices. With experts forecasting that as many as 50 billion IoT devices could be connected by 2020, IT professionals are grappling with the problem of securing so many devices.

The Trouble Securing So Many Devices

One of the fundamental issues of IoT security is the sheer number of gadgets for which to account. Securing that many devices behind a single security firewall can be difficult. Just a few years ago we only had to worry about digitally securing our computers. Now we have to consider protecting our cell phones, wearable devices, home appliances and more.

Properly securing IoT could require an enormous investment of resources. Businesses already worry about the security of networks accessed through computers and smartphones, but as IoT grows, businesses may also have to secure ordinary objects, such as the motion detector that monitors how many people are in the conference room.

To make matters worse, HP has estimated that as many as 70 percent of IoT devices could be vulnerable to attack. With smart devices such as watches, baby monitors and garage doors taking in thousands of data points daily, even small breaches could compromise millions.

Proactive Solutions for the Future

IoT brings a wealth of benefits and advantages to both businesses and consumers.

People who utilize smart devices can count on a treasure trove of relevant and targeted data. This can help companies manage everything from inventory tracking to remote workers. But managing our new smart gadget-driven world is not without potential pitfalls and security headaches.

Here are a few ways developers can protect devices and networks from unwanted and malicious intrusions and keep consumers safe.

1. Patches

Developers need to ensure their devices are patchable, and then keep them current with available security updates. A problem remains when patches are released but users fail to take the necessary steps to update their devices, leaving hundreds of millions of unpatched and unsecured devices on the internet.

There is only so much that manufacturers and developers can do to remedy this problem, but two suggestions are to send alerts to users when a patch is available or allow users to opt in for automatic updates.

2. Consider Multiple OSes

Even when developers are proactive with patches, they need to understand these security updates will impact every user differently due to the variety of operating systems in use on individual devices. For instance, Apple, Samsung, Google and Microsoft all have their own IoT platforms, which don’t always communicate well with each other.

Developers need to consider a multi-layered security approach which will effectively function throughout the lifecycle of an IoT device, regardless of the operating system it’s running.

3. Password Requirements or Two-Step Verification

The next time you scan for nearby Bluetooth connections on your cell phone in a crowded place, you’ll probably see a few smart devices pop up.

Most devices already require passwords or two-step verification to connect, but developers should consider adding this security measure to all IoT products. Users will want their devices to automatically connect, but this should only be an option after security and authenticity are initially verified.

The simple fact is that most people who use IoT devices do not understand how they work and may wrongly assume that their devices are secure, which may not be the case if the product is discoverable by default.

Living in an Internet of Secured Things

Unfortunately, until there is a massive IoT security breach (and it’s likely not a matter of if, but when), we really won’t understand the risks associated with all of our interconnected devices. This is not to say we should abandon an IoT world because the security threat level is too great; the benefits far outweigh the risks.

While developers and manufacturers do hold some of the responsibility for mitigating these risks, the onus is also on users to understand how devices will share their data and to take proactive steps – like downloading those security patches and frequently updating passwords – to protect their personal information.

Does your business have network security or IT infrastructure needs? Contact us today to learn more about INAP’s high-performance network services that will keep your applications running as fast as your business.

Dec 17, 2013

2014 IT security priority: Business continuity/disaster recovery


Security is a central topic and concern in the digital economy. IT security attracts a significant amount of attention because of its business risk and far-reaching consequences, including significant revenue loss, customer loss and legal ramifications. Recent surveys completed in 2013 by accounting firms PwC and EY provide interesting insight into security priorities and future funding plans by corporate America.

In its 2013 survey, “Under cyber attack”, EY interviewed 1900 respondents, primarily C-suite professionals and executives from finance, IT and security. Rated by respondents as a number 1 or 2 priority, the top 3 security concerns include:

  1. Business continuity/disaster recovery – 68%
  2. Cyber risks/threats – 62%
  3. Data leakage/data loss prevention – 56%

Indeed, business continuity/disaster recovery requires considerable foresight and planning. It is essential to understand the business impact in the unfortunate case that disaster strikes. This is more than a theoretical argument as evidenced in the EY survey; 10% of the respondents claimed that the threat of natural disasters has increased risk exposure for their business in the past 12 months. Organizations should set acceptable downtime limits for restoring critical business functions and plan accordingly. Consider the ramifications not only for your business, but for your customers as well, should a worst case scenario occur.

Part of business continuity planning involves the data center. What plans will you have in place for data center recovery? Shortest recovery times may be achieved by establishing a hotsite, an alternate secure facility fully equipped and on stand-by to take over operations. If this level of response is unnecessary, warm or cold sites are possible options. Alternatively, the cloud, public or private, may provide the best solution for your requirements. “PwC’s 5th Annual Digital IQ Survey” shows that 2013 investment in the private and public cloud was expected to increase significantly; we will need to wait and see if this prediction came true, and the extent to which this investment was targeted for business recovery purposes.

Clearly, selecting the appropriate data center recovery option is critical to the success of the overall business continuity plan. To what extent will your corporation develop contingencies for 2014 and beyond?

Aug 27, 2013

IT security audit 101: Four rules you need to know


By Clinton Henry, CISM, CISSP, Senior Director, Datacenter Infrastructure & Security for Worldnow

From time to time, it’s common to undergo an IT security audit. Having participated in more than 30 audits across multiple standards (SAS 70, SSAE 16, HIPAA, PCI, SOC 1 and SOC 2), I’ve gained some insights that may assist others embarking on the experience for the first time. Below are four rules to help you get through an audit quickly and efficiently – especially when the auditor is on site.

1. Ducks in a Row
Mike Tyson, the infamous boxer, was once asked how he handles boxing unknown opponents who’ve spent months studying everything about him and have developed elaborate strategies to defeat him. His response: “Everyone has a plan until they get punched in the face.”

Amusing quotes aside, planning ahead is essential for a successful audit. If you have a well-run team with clear policies, controls and enforcement, then you’re halfway there. Audits are about controls – you need to demonstrate that those controls are in place, documented, enforced, reevaluated and tested against regularly. Preparing and organizing documentation for an auditor prior to the audit is a key process, and allows you to respond to their requests quickly when they arise. It also forces you to re-evaluate policies that you may not have looked at in a while, and gives you a chance to document policies that may already be in place, but haven’t been officially documented or disseminated yet.

If your organization deals with third-party providers, it’s important to show an auditor that these vendors have been thoroughly vetted and held to stringent controls. At Worldnow, we leverage several vendors, including Internap and Salesforce. Internap provides colocation services and managed hosting for some of our critical equipment. Having their SOC 2 reports on hand is incredibly helpful to us and our auditor. Never leverage a provider who is not subject to standard industry controls such as SOC, HIPAA, or ISO 27002/17799 – you’re only asking for a headache when undergoing an audit.

2. Chinese Wall
In large firms when a single organization is representing interests of opposing parties, a “Chinese Wall” must be established to avoid conflicts. In financial firms, the trading desks are not allowed to know what analysts at the firm are going to say about a stock or company prior to it being released to the general public. During the security audit, a different kind of Chinese Wall should be established between the auditor and the company it audits. When the auditor is on site, be extremely mindful of “hallway meetings” because an overheard or misunderstood statement can lead to additional questions, which can bog down an audit for weeks or months. This is an adversarial relationship – it’s cordial, but please remember not to “speak out of school.”

It’s usually best to have a single point of contact with the auditor. This person interfaces with the auditor, collects and provides all documentation and is effectively a gatekeeper. This creates a streamlined process, prevents confusing email chains and will be appreciated by the auditor as it’s much easier to go through a single person for all information than coordinate with multiple people.

3. Don’t volunteer, elaborate, distort (lie) or speculate.
If you do interact directly with the auditor, and they ask you a “yes” or “no” question and you know the answer, say “yes” or “no”. If you elaborate, it could lead to multiple follow ups that wouldn’t have been asked otherwise – this should be avoided. Remember; don’t answer a question that isn’t asked. If you’ve ever been deposed, it’s the exact same process. Providing a history of the company, your architecture or anything else can only hurt you – this is a “point in time” audit, and discussing what was or what will be is counterproductive.

What happens when you are asked a question that you don’t understand, don’t know the answer to, or know the answer but don’t think the auditor will like it? Don’t feel pressure to respond right away. The correct answer is, “I need to confirm that” or “I’m not sure” and offer to provide the information as soon as you can. This will prevent a lot of headaches — please trust me on this.

The auditor usually has an assistant who takes detailed notes of all your responses; these will be reviewed off site and will generate more follow-ups. This is where most people get burned – follow these steps to minimize the number of follow ups.

4. Keep your team in the loop
As with anything else, communication is key. Before, during, and after an audit, keep your team apprised of the situation. They should be just as prepared as you for the audit and kept updated with any significant developments. Keep your third-party partners in the loop as well. They are there to help you succeed and will usually provide a resource if questions arise from the auditor that pertain directly to them. Internap gave my auditor a guided tour of one of their data center facilities. This sort of service from your partners goes a long way with the auditor – it makes their job easier, which only helps you.

Audits can be a stressful thing, with a lot riding on successful completion. Each audit presents its own puzzles and challenges, but they do get easier over time. Those who surround themselves with smart people, communicate effectively, and prepare accordingly are usually rewarded with a passing grade. At least that’s the plan – just ask Mike Tyson.

Jun 25, 2013

Shadow IT: Confessions of a rogue marketer


An Open Letter to IT Departments:
I have a confession to make: in the past*, I’ve procured cloud services without your approval. I’ve used the cloud for file sharing, storage, project management and collaboration services and, at any given moment, I had at least four active subscriptions to cloud services that I used for business purposes. More often than not, you didn’t even know about any of them.

Was I purposely circumventing you as a peculiar act of defiance or intentionally compromising enterprise security? Of course not. I was just trying to get my job done as efficiently as possible. With tight deadlines, high project volume and lofty campaign goals, I needed the agility that the cloud provides. To be honest, I didn’t have the time to create a business case for these services and wait for your approval – especially when you’re so busy running day-to-day infrastructure operations and handling high-priority requests from other areas of the business.

I was unknowingly a part of the phenomenon known as Shadow IT – using hardware or software not supported by an organization’s IT department. And I’m not alone; Gartner predicts that 35% of enterprise IT expenditures will happen outside of the corporate IT budget by 2015 and the CMO will spend more on IT than the CIO by 2017.

At this point, you may be wondering what prompted me to confess these transgressions (on my current employer’s website, no less). On our recent webinar Hybridization: Shattering Silos Between Cloud and Colocation, my colleague Adam Weissmuller spoke about Shadow IT and how cloud’s accessibility and immediacy to the end user can often come at the expense of IT security and control. So, beyond letting you know that (a) the concept of Shadow IT is real, (b) it’s likely happening in your organization more than you realize and (c) I’m sorry for putting your control measures and security at risk, I wanted to share with you Adam’s suggestion for bringing Shadow IT back into the fold.

After identifying Marketing as one of the most notorious Shadow IT offenders, Adam illustrated how a cloud and colocation hybridized environment could enable quick, on-demand provisioning of additional server capacity for an upcoming marketing campaign. This type of infrastructure would enable IT to provide assets on demand, without capital outlay, and under its controls, while marketing can run their campaign on time without compromising enterprise security. You can listen to the full webinar recording here for more details, as well as other hybridization use cases: Hybridization: Shattering Silos Between Cloud and Colocation.

Thanks for reading and letting me shine the light on Shadow IT.

*Note that I have never and will never engage in such reckless behavior at Internap.
