,

Toreon teams up with AIOTI to improve security awareness in the IoT space

We at Toreon have a strong focus on the security of Internet of Things (IoT). During our technical assessments, it became clear that a lot of IoT devices are built without basic security in mind. The principle of security by design seems farfetched. That is why we decided to join AIOTI and become actively involved in their workgroup focussing on IoT standards and security.

AIOTI is the European Alliance of Internet of Things Innovation, initiated by the European Commission in 2015. The members of the alliance are commercial organisations and institutions, both large and small companies. Its goal is to foster the collaboration between its members and external organisations to build an ecosystem that promotes innovations in the domain of IoT.

It’s been repeatedly demonstrated that IoT devices provide an easy access to hackers. Just think about the Meraki DDOS attack which involved 1,5 million IoT devices, mostly IP cameras, which generated 665Gbs of traffic. Yet, there is no safety label or certification to distinguish a safe from an unsafe device so consumers have no guidance when buying a WiFi router or smart TV. They just assume that their devices are safe. The AIOTI workgroup we joined has as goal to change that.

It’s our ambition to make recommendations to the EC on how to:

  • evaluate existing IoT security standards
  • create new security standards
  • create certifications or safety labels to indicate the safety/security level – usable for the public
  • analyse gaps in standardisation
  • consolidate the architectural frameworks and reference architectures in the IoT space
  • Securely integrate devices and their cloud platforms
  • Protect the personal data of the various categories of stakeholders in the IoT space.

These recommendations will form the foundation for IoT standards and policies imposed by the EC upon manufacturers. Security certification can help consumers make an informed decision on what to buy. There is still a lot of work to be done, but at Toreon we are committed to contribute to the realisation of a safer IoT, as it will determine our future and that of our children.

To be continued!

,

Three recommendations to protect your data

In a previous blog we shared 7 common recommendations to protect your systems. Now, let’s look at 3 recommendations to protect your data.

  1. Make backups and be able to restore systems and data

Can you ever be 100% sure you have completely cleaned up a compromised system after a breach? The only answer is no. You have to be able to completely rebuild any system to a known and trusted state before the incident. Therefore, it’s important to have good data backup and system reinstallation procedures.

  1. Be able to quickly and efficiently respond to security incidents

Suppose that someone lets you know you have been breached. Do you know what to do? You should have a plan rehearsed and ready so you can react to incidents accordingly. Because ‘failing to plan is planning to fail’. Decide who is in charge and what needs to be done. Determine who can make the tough decisions, such as unplugging a business critical server. You also need to know whom you can call for help. You should rehearse your plan regularly. Compare it to a fire drill.

  1. Data encryption

You have a lot of security measures deployed in several locations of your IT environment. But the local environment surrounding your data is sometimes overlooked. If you have data in a less secure environment, you should consider data encryption. That is especially important on laptops, because they have a tendency to get lost or stolen. You don’t want any sensitive data ending up in the wrong hands, or in the wild. Can you easily identify sensitive data thanks to security classification labels on your documents or other characteristics? Then it’s worth considering Data Loss Prevention (DLP) or Digital Rights Management (DRM) to prevent your data from leaking.

,

Seven advantages of penetration testing

In a previous blogpost we explained what penetration testing is and how it can help improve your security. Time to take a closer look at the 7 benefits pentests have for your company.

  1. Reveal vulnerabilities

Penetration testing explores existing weaknesses in your system or application configurations and network infrastructure. Even actions and habits of your staff that could lead to data breaches and malicious infiltration are being researched during penetration tests. A report informs you on your security vulnerabilities so you know what software and hardware improvements you have to consider or what recommendations and policies would improve the overall security.

  1. Show real risks

Penetration testers try to exploit identified vulnerabilities. That means you see what an attacker could do in the ‘real world’. They might access sensitive data and execute operating system commands. But they might also tell you that a vulnerability that is theoretically high risk isn’t that risky at all because of the difficulty of exploitation. Only a specialist can perform that type of analysis.

  1. Test your cyber-defence capability

You should be able to detect attacks and respond adequately and on time. Once you detect an intrusion, you should start investigations, discover the intruders and block them. Whether they are malicious, or experts testing the effectiveness of your protection strategy. The feedback from the test will tell you if – but more likely what – actions can be taken to improve your defence.

  1. Ensure business continuity

To make sure your business operations are up-and-running all the time, you need network availability, 24/7 communications and access to resources. Each disruption will have a negative impact on your business. Penetration tests reveal potential threats and help to ensure that your operations don’t suffer from unexpected downtime or a loss of accessibility. In this respect, a penetration test is quite like a business continuity audit.

  1. Have a third party expert opinion

When an issue is identified by someone within your organisation, your management may not be inclined to react or act. A report from a third-party expert often has a bigger impact on your management, and it may lead to allocation of additional funds.

  1. Follow regulations and certifications

Your industry and legal compliance requirements may dictate a certain level of penetration testing. Think about the ISO 27001 standard or PCI regulations, which requires all managers and system owners to conduct regular penetration tests and security reviews, with skilled testers. That is because penetration testing focuses on real-life consequences.

  1. Maintain trust

A cyber assault or data breach negatively affects the confidence and loyalty of your customers, suppliers and partners. However, if your company is known for its strict and systematic security reviews and penetration tests, you will reassure all your stakeholders.

Interested to learn how we can help? Just let us know!

,

Why every company should get hacked

Did you know that, in traditional western movies, the heroic cowboy wears a white hat, while his enemy wears a black one? That’s where the expression ‘white hat hacking’ comes from. White hat hackers are the good guys. They specialise in penetration testing with the intention of alerting companies to vulnerabilities in their systems, software and networks, to pre-empt hacking attempts by an ill-intentioned individual.

Penetration tests
Penetration tests combine manual and automated methods and technologies. Their objective is to methodically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once the vulnerabilities have been successfully exploited, the testers use the compromised system to launch further exploits and go deeper and deeper from one vulnerability to the next.

White hat hackers evaluate the ability of organisations to protect their networks, applications, endpoints and users. The hackers use external and internal attempts to by-pass security controls with a view to gain unauthorized access to protected assets. Afterwards, full test results and recommendations are sent to help prioritise remediation efforts. Consequently, the company is in a better position to anticipate emerging security risks and protect its critical systems and most valuable information.

There are two main reasons to hire external penetration testers:

  1. Security breaches and interruptions in the performances of your services or applications can have long-term consequences. In addition to the financial aspect, it has an impact on your business’ reputation, with decreased customer loyalty, negative press, fines and penalties.
  1. Defensive security mechanisms such as user access controls, cryptography and firewalls are useful, but don’t offer a full protection against potential security risks. New vulnerabilities are discovered each day, and attacks become more and more sophisticated. White hat hackers eat, sleep and breathe this, so they are in the best position to show companies where they need to improve their defenses.

Hackers come in different shapes and sizes, and may wear different hats. We only wear white ones. Interested in finding out how we work? Let us know and send us an email.

,

7 recommendations to protect your systems

Cybersecurity is an issue for all of us. We need to improve cybersecurity risk management and better identify threats, vulnerabilities and risks. From the Centre for Internet Security (CIS), the Australian Signals Directorate (ASD), the American National Institute of Standards and Technology (NIST) to the British Government’s Communications Headquarters (GCHQ), they all have recommendations. But how do you see the forest through the trees? In this blog post, we provide you with our selection of 7 recommendations to protect your systems.

  1. Maintain an inventory of devices and software
    Do you know the systems that are active in your environment? And do you know which systems are authorised to be there? You need to know your IT environment like the back of your hand to ensure you know what you should be protecting.
  2. Maintain and apply secure configurations
    Default settings and out of the box configurations are a no go. They are often way too permissive, so they can easily be abused. Use the good practices you find online to create and apply security configurations for all devices and software you manage.
  3. Patch systems and software and manage vulnerabilities
    Security patches are made continuously available for nearly all software used in a business environment. Hackers know about a security problem if there is a patch for it. So you need to patch your systems before anyone abuses the holes you leave in your system.
  4. Monitor security logs
    Don’t wait for someone from the outside to let you know that you are breached. Be proactive and read the signs. Where? In your security logs. Allocate time for people to monitor the security logs and prioritise this task. Only then will you be able to notice suspicious activity and investigate.
  5. Use active and heuristic malware protection
    A lot of new techniques to fight malware are excellent additions to traditional measures. Use those new features in browsers, email clients, office suites and operating systems among others. Test new types of tools for fighting malware. But don’t let vendors fool you into believing that they have the silver bullet. Effectively fighting malware means betting on more than one horse.
  6. Use signature, known-bad and reputation based malware protection
    Do not write off your ‘old’ antivirus, because it still has a place in your defense strategy. Make use of the variety of complementing services that can feed you information that help to block dangerous network traffic, files, emails, websites etc. Don’t just do this using the protection software on your endpoints, but also filter and block on your gateways to the Internet.
  7. Restrict network communications
    Hackers don’t want anything more than to move around freely on your network. You have to make this as hard as possible for them. Move away from a network design that allows every system to communicate with every other system, no matter how convenient that may be. Use network segmentation and filter network traffic between systems and segments so you can block communications you don’t like. Segmentation also makes it possible to lock down segments if there is a localised breach.
    Introduce security levels in your network zones, so that you’re able to deploy security measures in the security zones that need them. That makes your measures more cost effective.
, ,

The youth is out there…

Have you read the research from Kaspersky Lab, on how a lack of guidance for youth results in their temptation to exacerbate cyber-crime instead of preventing it? At Toreon, we didn’t need an extensive and expensive study to realise that youth is the future and that the interest for IT and cybersecurity can’t be sparked young enough. That is why, at the end of the Cyber Security Awareness Month and in collaboration with BruCON, we met up with kids and students to teach them about IT, hacking and cybersecurity.

Hak4Kidz
During the second Hak4Kidz Belgium event, BruCON invited children and youngsters between 7 and 15 for Hak4Kidz Belgium. Six Toreon volunteers assisted in teaching how much fun IT and science are. The event was fully booked in no time.

A few of the things that the children learned:

  • Issues as a fun puzzle waiting to be solved
  • Failure means you get to try again
  • By sharing knowledge, you can focus on solving new problems instead of solving resolved issues over and over again.

slack-for-ios-upload-2 slack-for-ios-upload-1 14917096_10154698227818734_110096449645637643_o 14917084_10154698227018734_4754124548059580092_o 14883569_10154698226353734_5182076026402427068_o14714871_10154698227433734_6605774733114813769_o

Student CTF
During the Student CTF, we took it to the next level. For most CTF’s the gap between the skillsets needed and those taught in school is too large, making it impossible for students to participate. That’s why we created 39 challenges for some hundred students of both specialised and less specialised fields of study, from the University of Ghent and HOWEST. We didn’t expect them to just solve the challenges, but started with introductions on SQL Injection, Traffic analysis, Android reverse engineering and gave lots of tips and tricks.

brucon_ctf3 brucon_ctf

We learned a lot too!
The children and students were not the only ones who learned a lot during these days. We were able to reaffirm how important it is to reach and guide youth in time, but most of all: what an incredible amount of talent is getting ready to enter the real world. The winning team of the Student CTF was even able to solve 36 of the 39 challenges!

What do you think? Did we teach the right things? Would you handle it differently? Or are you interested in a next edition of one of these events? You can let us know in the comments!

,

7 steps to set up a cybersecurity program

To set up a good cybersecurity program, there are 7 steps you should take. They will make sure the cybersecurity activities that you define fit your business context, the particular risks your business faces and your level of risk-tolerance (how much risk you are willing to allow).

  1. Prioritise and scope

Identify overall business objectives and organisational priorities. This information helps you to make strategic decisions regarding cybersecurity implementations. It will help you to identify your most important processes and assets, so you know what you are protecting. And your attention can go to the most critical ones. Then, in further iterations of this 7 step approach, you continue including lower priority assets. In the long run, you should have all assets covered.

  1. Orientation

Once the scope of your cybersecurity program has been determined, the next step is to identify systems and information you want to target and find the relevant regulatory requirements. Identify threats and vulnerabilities related to those systems and information. Finally, define an overall risk assessment approach.

  1. Create a current profile

Now you can develop a current profile. Write down the outcomes you currently achieve compared to the list of NIST recommended controls. The current profile is basically an evaluation of your current security status.

  1. Conduct a risk assessment

Assess the current risk level. How do you determine risk? Keep it simple and start with a basic risk assessment process, which focuses on business impact rather than just highlighting IT security problems. Also, include an overview of existing security controls and the way they may already reduce risk.

  1. Create a target profile

Select the risks you want to deal with. Based on this selection, you determine your target profile. Down to what level of risk do you want to get your organisation? When you create a target profile, use the same techniques that you used for the current profile. The target profile will help you decide which additional controls you may want to implement.

  1. Determine, analyse and prioritise gaps

The difference between your current profile and the target profile indicates the gaps in security that you want to fill. Determine the actions that are needed to apply the security program. Prioritise these actions based on criticality or other more practical measures in order to determine which controls need to be addressed first.

  1. Implement your action plan

While the previous steps facilitate the implementation, in this last step you finally roll up your sleeves. The gap analysis provides you with a clear goal. You know what has to be done, and how. Now go get it done!

Do you want help setting up your cybersecurity program? Drop us an email. We would love to help you.

,

The NIST Cybersecurity Framework: what it is and why you should use it

The latest ‘RSA Cybersecurity Poverty Index’ – an annual maturity self-assessment completed by a variety of organisations all over the world – shows that 67% of organisations had incidents that negatively impacted their business in the last 12 months. Only 24% of those businesses were considered mature in their security strategy. That means that the chances of having incidents are very real, while companies are not able to improve maturity to reduce risks.

It’s high time for improvement. Companies need to get the basics right, but that is not sufficient. One of the most recent and pragmatic initiatives to support further improvement is the NIST Cybersecurity Framework (more on this in one of the next blog posts). It identifies and gives advise about different phases of cybersecurity: Identify, Protect, Detect, Respond and Recover.

A made-to-measure solution

The NIST Framework is based upon various standards that have proven to be successful. While it targets organisations with critical infrastructure, businesses across nearly all industries can benefit from adoption.

The NIST Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk. Organisations will continue to have unique risks: different threats, vulnerabilities and risk tolerances. How they implement the practices laid out in the Framework will vary as well. Organisations can determine activities that are important to critical service delivery and prioritise investments to maximise the impact of every cent they spend. Ultimately, the Framework is aimed at managing and reducing cybersecurity risks.

A common taxonomy

Building from standards, guidelines and practices, the Framework provides a common mechanism for an organisation to:

  1. Describe the current cybersecurity posture;
  2. Describe the target state for cybersecurity;
  3. Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.

You see, the Framework provides you with risk-based guidelines. They are designed tot help you evaluate current capabilities and to create a plan toward improved cybersecurity practices.

Interested in more detailed information? Read more in our next blog, on the different steps of the NIST Cybersecurity Framework.