Internet of Things jpeg

By Wilgengebroed on Flickr [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons

Last week, as part of NCSAM, there was a Twitter Chat on the widely-used term and concept of the “Internet of Things.”

So what does the “internet of things” really mean? There are a lot of different perspectives one could answer this questions from. The term or concept came up, it seems at least, as a way to label the proliferation of devices that were being developed and introduced into the market that connect, in one way or another, to the internet. More succinctly, it can be used to refer to all our interconnected devices. These devices range from refrigerators that can see when you are low on milk and send you an email, to lightbulbs that are connected to your smartphone through an app to help you conserve energy.

So why would this be something to talk about as part of a cybersecurity awareness discussion? Simply to increase awareness. As covered in the chat, “[a]ccording to Cisco, there will be 50 billion Internet-connected devices by 2020.” If this prediction comes true, that would be 3 times the devices today. The more devices that connect to the Internet, the more devices that need to be kept up-to-date and protected against the threats we face on the web.

Here are a few things to consider to better secure all your “Internet of Things” devices:

  1. Understand what your device is capturing and what it shares. Many devices collect information and then upload it to a service that your associated app then connects with. Read and make sure you are looking out for what information is captured, what if any is shared with a third party, and how securely is the information transferred/stored between the device(s) and the service provider.
  2. Keep your device software up to date. Like all your “smart” devices, make sure that the application it runs on is kept up to date with patches, fixes, updates, and upgrades from the manufacturer or trusted application provider. The more devices out there, the more vulnerabilities that will eventually be found, so keep them current.
  3. Use separate networks at home. If you have multiple devices at home that are interconnected through your wireless router or access points, consider running a separate, dedicated network for those devices. This way, a compromised lightbulb or treadmill will not propagate malware or otherwise compromise devices on your other network where you would connect your laptop, smartphone, or tablet. Reasoning is that the devices you may store sensitive data on, smartphone or laptop. These “smart” devices are made with the main focuses being interconnectivity and ease of use, which means there may be some security tradeoffs.

Feel free to comment with any of your suggestions.

As part of National Cyber Security Awareness Month, there are Twitter chats taking place throughout the month of October on various topics. The topic of yesterday’s chat, was on the #ClickSmart awareness effort spearheaded by Intel.

#ClickSmart aims to promote best practices when faced with links, whether in an email, on a blog, or sent to you via text messaging. Understanding what these best practices are crucial to avoiding attacks against your system and will help you to protect your data. A great resource available from Intel is their  “Should I click this link?” flowchart. While you’re there, take the #ClickSmart Challenge and tweet your score.

For a transcript of yesterday’s chat, check out this blog on staysafeonline.org. To learn more about this month’s NCSAM Twitter Chat series, visit http://stopthinkconnect.org/get-involved/twitter-chats/. To join the next chat, use #ChatSTC on Twitter.

Recently, there’s been some news coverage regarding a vulnerability found on USB devices. The vulnerability involves the small computer chip on USB devices that allows the attached device, usually a computer, to detect the type of USB device that was attached and then connect it for use. This is done rather quietly and in the background on your computer. The small embedded computer ship onboard these USB devices has an operating system (a small version that has a set of information and instructions to facilitate the detection and connection) that is referred to as its firmware. The vulnerability involves this firmware, more specifically that this firmware can be changed or updated on some USB devices.

What does this mean for you? Well, this means that the firmware on USB devices can be altered with potentially malicious software that can harm your computer or expose sensitive information. This malware, using the fact that USB devices are allowed to automatically run the onboard firmware on your computer, can infect a vulnerable machine without needing any additional interaction from the user (plug-in and auto-execute malware).

There is a silver lining to this vulnerability. It takes a vulnerable machine to be infected by a compromised USB device. So make sure you keep up with operating system and application patches and updates for all your devices. (See yesterday’s blog for more on the importance of keeping your machine up-to-date with patches.)

In addition, we would like to share some good advice from Symantec and McAfee (security software providers) as covered in an article posted on Mashable.com on how you can avoid being a victim of a BadUSB attack.

  1. Only use USB devices from reputable retailers. Make sure you are purchasing new, sealed devices.
  2. Avoid using “pre-owned” or used USB devices.
  3. Do not leave USB devices, and computers, unlocked and unattended in public places. It is always a good practice, regardless of whether a usb storage is vulnerable to this attack or not, to  keep external storage in a secure location.

Learn more about BadUSB at the linked articles below.

“BadUSB” – what if you could never trust a USB device again?: https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

BadUSB – now with Do-It-Yourself instructions: https://nakedsecurity.sophos.com/2014/10/06/badusb-now-with-do-it-yourself-instructions/

How You Can Avoid a BadUSB Attack: http://mashable.com/2014/10/03/how-can-you-avoid-badusb/

It is week two of National Cyber Security Awareness Month (NCSAM). This week’s topic is “Secure Development of IT Products.”

So, what is involved in the secure development of IT products? Security is not something to be considered after a product has been engineered or software has been written. In fact, adding security after development can be costly. Despite all efforts to educate developers and product engineers, security is still not considered during the development phase. There have been studies conducted to determine the benefits of incorporating security in the development over bolting on security after development.  (See below for reference article.)

Screen Shot - BrowserCheck Results

Truth is, sometimes even with the best efforts to incorporate security in the development of hardware and software, there are occasional flaws found and exploited. Therefore, it is our advise that you make sure to keep software up-to-date with the latest patches, fixes, and versions, whenever possible. To make sure you are surfing safely, utilize tools to quickly analyze your computing device to make sure you’re running the latest browser and plug-ins. One such tool is BrowserCheck from Qualys. (Image to the right shows results from a quick scan.) This tool checks for most common plug-ins, office suites, OS versions, and browser versions to ensure you are running the latest software. Give it a try  – it’s free – at: https://browsercheck.qualys.com.

 

Note for Java users: Although we would prefer that everyone run the latest version of Java, some software does not work with the newest releases of Java. If you need to use Java-based software, try using a different, dedicated, browser for applications that require Java. This way, you can disable Java on the browser you use for browsing the web and another, dedicated, browser that has Java enabled for use with the application(s). Just make sure that the separate, Java-dedicated browser is only used for the application that requires it to limit your exposure to potentially malicious Java software.

Reference: “Estimating Benefits from Investing in Secure Software Development”, from https://buildsecurityin.us-cert.gov/articles/knowledge/business-case-models/estimating-benefits-from-investing-in-secure-software-development.

ncsam

Celebrated every October, National Cyber Security Awareness Month was created as a collaborative effort between government and industry to ensure everyone has the resources needed to stay safer and more secure online. As an official Champion, Wentworth Institute of Technology recognizes its commitment to cybersecurity and online safety.

Throughout the month, we will be sharing cybersecurity tips and best practices that you can use at home and at work. We encourage you to follow us by subscribing to our Information Security Newsletter, on Twitter @InfoSec_WIT, and visiting us on the web at http://www.wit.edu/dts/security.

For Wentworth faculty and staff, we are proud to announce the launch of our Information Security and Compliance Training program. For more information on this new service, visit us on the web at http://www.wit.edu/dts/security/training-awareness/training/index.html, where you can sign in through the link provided with your Wentworth credentials (username and password used for LConnect and email).

For more information on NCSAM, visit http://www.staysafeonline.org/ncsam.

Join us this month and be a Wentworth Cybersecurity Champion!

NCSAM-Champion Icon

What is “Shellshock”?

Shellshock is the name given to a collection of vulnerabilities present in a widely distributed component of Unix-based operating systems, called Bash. The vulnerable component is present in all Linux and Mac OS distributions as well as they use the same component to process commands within the operating system. It does not appear to, in general, affect Windows-based systems as they use a different program.

These vulnerabilities allow someone to inject commands on the specified platforms. This can be exploited in a variety of ways and can led to fairly significant compromises to the confidentiality, integrity, and even availability of data.

Who is affected?

As stated, these vulnerabilities are present on systems that use a Mac OS X, Linux and Unix system platform. For the small segment of Wentworth systems that had the vulnerable component, these vulnerable components were not necessarily exposed to the public in an exploitable fashion. To be safe and sure we mitigated the risks further, we have done the following:

  1. Updated our firewall threat detection capabilities. Before patches were available for the individual systems, we were able to successfully detect and block attempts made to exploit these vulnerabilities on our internet-facing systems.
  2. Applied all available patches and updates to the affected systems to fix the vulnerable component.

We will continue to apply any additional patches and updates as new vulnerabilities are reported.

What do I need to do?

If you use a Mac, there is a potential that your operating system may be vulnerable. To fix this vulnerability, we advise that you visit the Apple Support page, located at http://support.apple.com/downloads/. Download and install the OS X bash Update that matches your operating system (OS X Mavericks for 10.9, OS X Mountain Lion for 10.8, and OS X Lion for 10.7).

 

 

 

This year marks the 11th anniversary of National Cyber Security Awareness Month (NCSAM). NCSAM is observed throughout the month of October to increase the awareness of cyber security threats and techniques to safeguard against them.

As a NCSAM Champion, Wentworth will be providing frequent tips and articles throughout October on how you can better protect your data and computing devices from security threats such as malware, phishing emails, and identity theft. Throughout October, the Information Security Office we will share an article that is relevant to you. Topics will range from recognizing a “phishing” email to best practices for protecting your privacy on social networking sites. In addition, we will be launching the Information Security & Compliance Training Program available to all staff and faculty. Finally, we would like to take this show on the road with presentations on cyber security threats, data privacy, and information security best practices. If you would like to have Wentworth’s Information Security Officer come to your department or group, please email infosecurity@wit.edu to schedule a presentation.

Follow us on Twitter @InfoSec_WIT for more on NCSAM, security news, and resources for improving your information security practices.

ncsam

Fall Projects – 2014

John Knights —  September 5, 2014 — Leave a comment

The Information Security Office (ISO) will be working with others within Technology Services and across Wentworth to continue our efforts to improve the information security posture. Below are a couple of initiatives and projects we will be working on this Fall.

National Cyber Security Awareness Month

October is the 11th Annual NCSAM. As a NCSAM Champion, we will be providing cyber security awareness materials throughout the month to our entire community via Twitter, the Information Security Blog, and ISO website.

In conjunction with NCSAM, we will be launching the Information Security & Compliance Training Program for staff and faculty.

Identity & Access Management

This fall, we will launch a multi-year project to improve the overall approach to identity and access management. The IAM project will both increase the protection of institutional data and information systems and improve the overall end-user experience when logging into the various systems and services available to the Wentworth community.

For more information on these and other initiatives, make sure to visit our ISO website.

Summer Projects – 2014

John Knights —  September 5, 2014 — Leave a comment

Along with the rest of Technology Services, the Information Security Office (ISO) has been busy working on projects to improve the overall information security posture at Wentworth. As we start the new academic year, we want to share some of what we have been working on.

Data Management

Over the course of the summer, members of the Information Security Compliance Committee (ISCC) have worked to put together a set of policy documents to set the requirements for improving data governance and security. Once approved these policies we will send out a notice as well as publish them on the Technology Services Policy Page.

In addition to the policies, the ISO has worked with other members from Technology Services to provide all staff and faculty with a data loss prevention tool, Identity Finder. This tool is available to all staff and faculty for use on their institutional Windows or Mac-based desktops and laptops. For more information, please visit our Data Loss Prevention “Top Topics” page or go straight to the Identity Finder Tool page for instructions on obtaining, installing and using Identity Finder.

Information Security Awareness & Compliance Training Program

In an effort to improve awareness of information security and regulatory compliance requirements, we have worked with the ISCC and our training video service provider WeComply to provide our staff and faculty with a set of comprehensive educational videos on various topics (Information Security, Data Privacy, FERPA, and others). Visit the ISO’s Training page for more information on the program launching this October.

 

Over the last few months, a frequently referenced site caught the attention of many security professionals as it provides an interesting visualization of the cyber attacks that traverse the globe every second of every day. The site is a map put together by Nosre Corp.

Norse Corp provides cyber security appliances and services that aim help organizations block attacks. One interesting use of all the intelligence they collect from their devices is the Norse live attack map, which they state is “a visualization of a tiny portion (<1%) of the data” they process every day. Take a look at the Norse Live Threat Map.

Norse's Live Threat Map - 10:40a on 9-5-14

WARNING: The Live Threat Map is an interesting application and can quite entrancing!