By Rob Boles, BLOKWORX
This is the third of a three-part cybersecurity series authored by Rob. Click here for part one and click here for part two.
As referenced in part two of this series, though hacks and data breach are daily news, rarely do we read or hear of any consequence to the company or leadership responsible. Adding insult to injury, after the Equifax breach — you know, the one which exposed over 145 million individual’s information — Equifax was providing identity theft monitoring and protection to affected users.
Ugh, ok, you couldn’t protect my data the first time, and now you are responsible for monitoring? There seems to be a lack of common sense around protecting user data, and perhaps that starts at the top? If the captain does not go down with the ship, is he as concerned in the quality and integrity of the ship and its crew? It’s a fair question.
With T&C’s frequently extending 4,000 words and some approaching 20,000 words, does anyone know anyone who’s read an entire T&C? Is there any sense of privacy, or have people merely given up and adopted the “everything is out there already anyway” mentality and given up?
Enter the EU General Data Protection Regulation, or GDPR. Initiated in 2012 and put into effect May of 2018, GDPR is a set of rules designed to provide EU citizens more control over their personal data. The legacy rules around data and privacy were grossly insufficient, and the reforms better reflect the world we live in today, providing law and obligation around personal data, privacy and consent, with real financial consequences.
With fines potentially in the tens of millions of euros, and a reach outside of the European Union, the regulation has some bite. In the states, there is a potential light at the end of the tunnel. With the elements of recent Facebook behavior, and Uber, Google, and others, people are beginning to pay attention. Though California may be on the fringe of the country in many ways, recent legislation around consumer privacy signed into effect by Governor Brown is potentially game changing.
The California Consumer Privacy Act has some provisions which will be interesting to see how all plays out. There are four basic rights within the CCPA: the right to know what personal information is being collected, the right to opt out of allowing a business to sell personal data, the right to have business delete personal data, and the right to equal service and pricing even if the individual opts out. In the state with Facebook, Google, Twitter, and Apple, grab your popcorn and prepare to watch this one play out.
The S In IoT
What does the S in IoT stand for? Security, and as you’ve already surely recognized there is no S in IoT. Security cameras, doorbells/door locks, thermostats, refrigerators, entertainment systems, home routers, all in a race for market share!
The opportunity in IoT is tremendous, and there are infinite benefits to streamlining, optimizing, and better managing our daily lives. The challenge is within this race for adoption most manufacturers and products have approached security as an afterthought.
What does this mean? It means the camera you have at your business, so you can remotely watch your shop, may also be providing access to those you seek to protect against. Example: Earlier this year I received a call from a client, concern in her voice, asking if I happened to be in the neighborhood and would stop by as something didn’t “look right” with a third-party video security system. “Absolutely,” I said, “Be by after lunch.”
Upon arrival, my client showed me the administrative interface of the workstation within the DVR used for administering the system. There were 11 admin sessions active, none of which my client recognized and each with all sorts of colorful activity taking place — websites including dating, travel, and cryptocurrency … you know, business stuff.
Anticipating some undesirable outcome based on the expertise and professionalism of the household name security monitoring service provider, we had fully segmented the DVR and cameras away from the business network. While the business owner was happy the core network was secure, the idea of someone else actively accessing the video feed of the business was an absolute concern. Trust me, this happens all the time with inappropriately secured DVR/Video Security Systems.
While this is an example of a specific vulnerability, the headlines for IoT attacks may be more familiar. The original IoT attack, and still brilliant in its execution and outcome, is Stuxnet. If you are not aware of its history, visit the Stuxnet Wikipedia page now.
The Marai botnet in 2016, having taken down a significant amount of internet resources including Netflix, Twitter, Reddit, and CNN, remains the largest DDoS attack to date. A casino was even hacked via vulnerability in an internet connected fish tank, all made possible by vulnerable IoT devices. Connecting and enabling these devices with 5G networks will provide a whole new level of challenges.
Technology is evolving so quickly with infinite opportunities and potential pitfalls. Blockchain, quantum computing, 5G, and self-driving cars — here we go, enjoy the ride!
About The Author
Rob Boles is a cybersecurity expert and privacy advocate. He created BLOKWORX in 2006 to further his passion for creating fast, secure networks. From day one BLOKWORX focused on security, reliability, and positive user experience by understanding how things work, extensive research and testing, alignment with vendors, partners, and clients, and the experience of thousands of nodes managed and monitored, all supported by a mature delivery model built from years of operational experience.