Internet of Things OWASP Top 10

The Open Web Application Security Project (OWASP) is focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks and their OWASP Top 10 provides a list of the 10 Most Critical Security Risks. For each risk it provides a description, example vulnerabilities, example attacks, guidance on how to avoid and references to OWASP and other related resources. Many of you are familiar with their Top 10 Most Critical Web Application Security Risks. They provide the list for awareness and guidance on some of the critical web applications security areas to address. It is a great list and many security vendors point to it to show the types of attacks that can be mitigated.

Now the Internet of Things (IoT) has its own OWASP Top 10.

If you've lived under a rock for the past year, IoT or as I like to call it, the Internet of Nouns, is this era where everyday objects - refrigerators, toasters, thermostats, cars, sensors, etc - are connected to the internet and can send and receive data. There have been tons of articles covering IoT over the last 6 months or so, including some of my own.

The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them.

The OWASP Internet of Things Top 10 - 2014 is as follows:

• 1 Insecure Web Interface
• 2 Insufficient Authentication/Authorization
• 3 Insecure Network Services
• 4 Lack of Transport Encryption
• 5 Privacy Concerns
• 6 Insecure Cloud Interface
• 7 Insecure Mobile Interface
• 8 Insufficient Security Configurability
• 9 Insecure Software/Firmware
• 10 Poor Physical Security

You can click on each to get a detailed view on the threat agents, attack vectors, security weaknesses, along with the technical and business impacts. They also list any privacy concerns along with example attack scenarios. Good stuff!

ps

Related:

• The Icebox Cometh
• The Applications of Our Lives
• Standards for 'Things'
• Securing the Internet of Things: is the web already breaking up?
• 4 things that will happen in the Internet of Things space in 2014
• Tech's brightest unconvinced by internet of things
• OWASP Internet of Things Top 10

 

Technorati Tags: iot,things,owasp,security,top10,privacy,silva,f5,nouns

 

Connect with Peter:	Connect with F5:

The Cloud is Still a Datacenter Somewhere

Application delivery is always evolving. Initially, applications were delivered out of a physical data center, either dedicated raised floor at the corporate headquarters or from some leased space rented from one of the web hosting vendors during the late 1990’s to early 2000’s or some combination of both. Soon global organizations and ecommerce sites alike, started to distribute their applications and deploy them at multiple physical data centers to address geo-location, redundancy and disaster recovery challenges. This was an expensive endeavor back then even without adding the networking, bandwidth and leased line costs.

When server virtualization emerged and organizations had the ability to divide resources for different applications, content delivery was no longer tethered 1:1 with a physical device. It could live anywhere. With virtualization technology as the driving force, the cloud computing industry was formed and offered yet another avenue to deliver applications.

Application delivery evolved again.

As cloud adoption grew, along with the Softwares, Platforms and Infrastructures enabling it, organizations were able to quickly, easily and cost effectively distribute their resources around the globe. This allows organizations to place content closer the user depending on location, and provides some fault tolerance in case of a data outage.

Today, there is a mixture of options available to deliver critical applications. Many organizations have on-premises private, owned data center facilities, some leased resources at a dedicated location and maybe even some cloud services. In order to achieve or even maintain continuous application availability and keep up with the pace of new application rollouts, many organizations are looking to expand their data center options, including cloud, to ensure application availability. This is important since 84% of datacenters had issues with power, space and cooling capacity, assets, and uptime that negatively impacted business operations according to IDC. This leads to delays in application rollouts, disrupted customer service or even unplanned expenses to remedy the situation.

Operating in multiple data centers is no easy task, however, and new data center deployments or even integrating existing data centers can cause havoc for visitors, employees and IT staff alike. Critical areas of attention include public web properties, employee access to corporate resources and communication tools like email along with the security and required back end data replication for content consistency. On top of that, maintaining control over critical systems spread around the globe is always a major concern.

A combination of BIG-IP technologies provides organizations the global application services for DNS, federated identity, security, SSL offload, optimization & application health/availability to create an intelligent cost effective, resilient global application delivery infrastructure across a hybrid mix of data centers. Organizations can minimize downtime, ensure continuous availability and have on demand scalability when needed.

Simplify, secure and consolidate across multiple data centers while mitigating impact to users or applications.

ps

Related:

• Datacenter Transformation and Cloud
• The Event-Driven Data Center
• Hybrid Architectures Do Not Require Private Cloud
• The Dynamic Data Center: Cloud's Overlooked Little Brother
• Decade old Data Centers

Technorati Tags: datacenter,f5,big-ip,hybrid,cloud,private,multi,applications,silva,high availability

 

Connect with Peter:	Connect with F5:

Fear and Loathing ID Theft

Do you avoid stores that have had a credit card breach?

You are not alone. About 52% of people avoid merchants who have had a data breach according to a recent Lowcards survey. They surveyed over 400 random consumers to better understand the impact of identity theft on consumer behavior. 17% said they or a family member was a victim of identity theft over the last year with half the cases being credit card theft. 94% said they are more concerned or equally concerned about ID theft. They estimate that there were 13.5 million cases of credit card identity theft in the United States over the last 12 months.

These concerns are also changing the way some people shop.

Over half (56%) are taking extra measures to protect themselves from identity theft. Some of these behaviors include using a debit card less (28%), using cash more (25%), ordering online less (26%) and checking their credit report more (38%). These are all reasonable responses to the ever challenging game of protecting your identity and is important since 89% of security breaches and data loss incidents could have been prevented last year, according to the Online Trust Alliance's 2014 Data and Breach Protection Readiness Guide.

The game is changing however, and mobile is the new stadium. Let's check that scoreboard.

Most of the security reports released thus far in 2014, like the Cisco 2014 Annual Security Report and the Kaspersky Security Bulletin 2013 show that threats to mobile devices are increasing. We are using them more and using them for sensitive activities like shopping, banking and storing personally identifiable information. It is no wonder that the thieves are targeting mobile and getting very good at it. Kaspersky's report talks about the rise of mobile botnets and the effectiveness since we never shut off our phones. They are always ready to accept new tasks either from us or, a foreign remotely controlled server with SMS trojans leading the pack. Mobile trojans can even check on the victim's bank balance to ensure the heist is profitable and some will even infect your PC when you USB the phone to it.

Distribution of exploits in cyber-attacks by type of attacked application

I guess the good news is that people are becoming much more aware of the overall risks surrounding identity theft and breaches but will the convenience and availability of mobile put us right back in that dark alley? Mobile threats are starting to reach PC proportions with online banking being a major target and many of the potential infections are delivered via SMS messages. Sound familiar?

Maybe we can simply cut and replace 'PC' with 'Mobile' on all those decade old warnings of:

Watch what you click!

ps

Related

• Some consumers changing habits because of data breach, ID theft worries, report finds
• LowCards Exclusive Study: Identity Theft Concerns Shifting Shopping Habits of Americans
• Kaspersky Security Bulletin 2013. Overall Statistics for 2013
• Mobile Payments and Devices Under Attack
• An SMS Trojan with Global Ambitions
• Mobile Malware Milestone
• Mobile Threats Rise 261% in Perspective
• Nine Security Best Practices You Should Enforce

 

Technorati Tags: mobile,shopping,breach,malware,idtheft,behavior,silva,trojan,security

 

Connect with Peter:	Connect with F5:

Apps Driving Attention

The mobile platform, meaning tablets and smartphones, now account for 60% of total digital media time spent according to comScore. This is a 10 point jump from 50% just a year ago. On top of that, mobile apps accounted for 51% of all digital media time spent in May 2014. Many of the content categories like radio, photos and maps are becoming almost exclusively mobile. Digital radio and photos both generate 96% of their engagement from mobile while maps and instant messaging get 90% of interaction from mobile devices.

You might be wondering, like I did, where do social networks come in since it seem like almost everyone updates their social feeds through mobile. Social is actually the #1 category for overall digital engagement taking about 20% of overall digital time spent and gets 71% of it's activity from mobile. It, social media engagement on mobile, has grown 55% over the last year and has accounted for 31% of all growth of internet engagements.

So who is driving the mobile app explosion? Teenagers. About 60% of 12 to 17 year olds had a smartphone in 2013, topping even the 45+ crowd for smartphone ownership, according to Arbitron and Edison Research. The app money makers are not the initial charge for the program but all the in-app purchases along with the ads attached to the app.

Mobile is clearly the new way we consume digital content and continues to grow. We are also interacting with specific apps rather than browsing and those apps are growing at an amazing pace. Today's infrastructure needs to be even more flexible, intelligent and resilient to handle the surge. And ultimately, the apps and the content/experience they provide need to be highly available and delivered quickly and securely to the person...just like any other typical application.

ps

Related:

• Major Mobile Milestones in May: Apps Now Drive Half of All Time Spent on Digital
• Who's driving the mobile app economy? Our kids
• Invasion of Privacy - Mobile App Infographic Style
• The Applications of Our Lives
• What's in Your Smartphone?

Technorati Tags: mobile,apps,tablet,smartphone,social media,humans,society,silva,security

 

Connect with Peter:	Connect with F5:

Will the Cloud Soak Your Fireworks?

This week in the States, the Nation celebrates it's Independence and many people will be attending or setting off their own fireworks show. In Hawaii, fireworks are shot off more during New Year's Eve than on July 4th and there is even Daytime Fireworks now.

Cloud computing is exploding like fireworks with all the Oooooooo's and Ahhhhhhh's of what it offers but the same groan, like the traffic jam home, might be coming to an office near you.

Recently, Ponemon Institute and cloud firm Netskope released a study Data Breach: The Cloud Multiplier Effect, indicating that 613 IT and security professionals felt that deploying resources in the cloud triples the probability of a major breach. Specifically, a data breach with 100,000+ customer records compromised, the cost would be just over $20 million, based on Ponemon Institute’s May 2014 'Cost of a Data Breach'. With a breach of that scale, using cloud services may triple the risk of a data breach. It's called the 'cloud multiplier effect' and it translates to a 3% higher risk of a data breach for every 1% increase in the use of cloud services. So if you had 100 cloud services, you would only need to add 25 more to increase the possibility of a data breach by 75%, according to the study.

69% of the respondents felt that their organizations are not proactive in assessing what data is too sensitive to be stored in the cloud and 62% said that the cloud services their companies are using are not fully tested to make sure they are secure. Most, almost three-quarters, believed they would not even be notified of a breach that involved lost or stolen intellectual property/business confidential or even customer data. Not a lot of confidence there. The security respondents felt around 45% of all software applications used by the company were cloud based yet half of those had no IT visibility.

This comes at a time when many organizations are looking to the cloud to solve a bunch of challenges. At the same time, this sounds a lot like the cloud concerns of year's past - security and risk - plus this is the perception of...not necessarily the reality of what's actually occurring. It very well could be the case - with all the parts, loss of control, out in the wild, etc - that the risk is greater.

And I think that's the point. The risk.

While cloud does offer organizations amazing opportunities, what these people are saying is that companies need to do a better job at the onset, in the beginning and during the evaluations, to understand the risk of the type(s) of data getting sent to the cloud along with the specific cloud service that holds it. It has only been a few years that the cloud has been taken seriously and from the beginning there have been grumblings about the security risks and loss of control. Some cloud providers have addressed many of those concerns and organizations are subscribing to services or building their own cloud infrastructure. It is where IT is going.

But still,as with any new technology bursting with light, color and noise, take good care where and when you light the fuse.

ps

Related

• Cloud computing triples probability of major data breach: survey
• Cloud Could Triple Odds of $20M Data Breach
• Cloud Triples A Firm’s Probability of Data Breach
• The future of cloud is hybrid ... and seamless
• CloudExpo 2014: Future of the Cloud
• Surfing the Surveys: Cloud, Security and those Pesky Breaches
• Cloud Bursting Reference Architecture

Technorati Tags: f5,cloud,security,risk,silva,survey,breach,fireworks,july 4

 

Connect with Peter:	Connect with F5:

Velocity 2014 – That’s a Wrap!

I wrap it up from Velocity Conference 2014. Special thanks to Dawn Parzych, Robert Haynes, Cyrus Rafii and John Giacomoni for joining us on camera along with Robert, Courtney, and Natasha behind the lens. Also learn what the top questions were this week at F5 booth 800. Reporting from the Santa Clara Convention Center, thanks for watching!

ps

Related

• Velocity 2014 - Find F5
• Velocity 2014 - Acceleration Reference Architecture (feat Haynes)
• Velocity 2014 – LineRate Storefront (feat Rafii)
• Velocity 2014 – HTTP 2.0 Gateway (feat Parzych)
• Velocity 2014 – TMOS & LineRate: A Tale of Two Proxies (feat Giacomoni)
• Velocity 2014 – BIG-IP Image Optimization (feat Parzych)
• F5 YouTube Channel
• #velocityconf

Technorati Tags: f5,big-ip,velocity,optimization,performance,video,silva,trade show

 

Connect with Peter:	Connect with F5:

Velocity 2014 – BIG-IP Image Optimization (feat Parzych)

Dawn Parzych, F5 Sr. Product Manager, returns to demo BIG-IP’s Image Optimization solution. Web images can consume up to 60% of a site load and BIG-IP can significantly reduce the image file size and deliver those pictures much faster to the viewer.

 

ps

Related

• Velocity 2014 - Find F5
• Velocity 2014 - Acceleration Reference Architecture (feat Haynes)
• Velocity 2014 – LineRate Storefront (feat Rafii)
• Velocity 2014 – HTTP 2.0 Gateway (feat Parzych)
• Velocity 2014 – TMOS & LineRate: A Tale of Two Proxies (feat Giacomoni)
• The Image Format Wars
• F5 YouTube Channel
• #velocityconf

Technorati Tags: f5,big-ip,images,optimization,compression,aam,velocity,silva,video

 

Connect with Peter:	Connect with F5: