Archive for January, 2019

Nearly Half of Organisations Can’t Tell If Their IoT Devices Were Breached, Finds Study

Wednesday, January 16th, 2019


The Internet of Things (IoT) is on the rise. According to Statista, the number of IoT devices is expected to increase from 23.14 billion to 30.73 billion in 2020. By 2025, that number is expected to more than double to 75.44 billion.

Such projected growth highlights the need for organizations to harden their IoT devices. But are companies adequately prepared to meet the challenges of IoT security?

To answer that question, Gemalto surveyed 950 IT and business decision makers globally for its report, The State of IoT Security.

On the one hand, we found that many organizations consider IoT security to be a priority. Nearly a quarter of survey respondents said they think IoT security constitutes a secure foundation for offering new services, for example. That figure was down from 32% a year earlier. At the same time, nearly two-thirds (57 percent) of survey participants said that their organizations had adopted a security by design approach for creating their own IoT devices, while slightly less than that (46%) said they thought that security is the main consideration for their customers when choosing an IoT product or offering.

On the other hand, the international digital security company discovered that many companies are struggling against several challenges to adequately secure their IoT devices. Thirty-eight percent of companies admitted that they struggled to ensure data privacy when trying to secure their IoT products and services, for instance. Approximately a third (34%) of IT and business decision makers said that their employer struggles under the large amounts of data collected by IoT devices, while slightly less than that (31%) revealed that they struggle to balance security with the user experience.

These challenges have subsequently shaped organizations’ IoT security posture. With less than 14% of IoT budgets currently going towards security, it’s no surprise that less than two-thirds (59%) of respondents said their organization encrypts all of the data they capture or store via IoT. It’s also no wonder that companies have a difficult time detecting a security incident with respect to their IoT assets. Indeed, just forty-eight percent of survey respondents said that their organizations could detect when an IoT device had been breached.

Reflecting on the security gaps identified above, many IT and business decision makers do see a way forward for IoT security. A majority of respondents (59%) specifically said it’s “very important” that there be regulations in place regarding IoT security. The same percentage of survey participants said that those regulations should make clear who is responsible for securing data at each stage of its journey as well as identify what methods should be used for data storage. Sixty percent of individuals also noted that IoT security providers and cloud service providers should be responsible for abiding by IoT security regulations when implemented, with nearly 80% of respondents vocalizing support for government intervention.

Interested in learning more about the state of IoT security? Download Gemalto’s report today.

View the original post from Gemalto.

Johnson Controls latest CEM Systems AC2000 release goes beyond security to help mitigate H&S risks

Tuesday, January 15th, 2019

Johnson Controls announces the release of CEM Systems AC2000 v10.1, which contains a number of new features that improve functionality and the user experience, and help to mitigate health and safety risks. Support for a range of new third-party products that increase the performance and scope of the CEM Systems AC2000 access control system has also been added.

The Health and Safety (H&S) Induction Check application for CEM Systems emerald intelligent access terminals allows cardholders to self-certify with a card swipe on the emerald terminal once they have completed H&S induction training and before they are provided access to a site. The application automatically records the induction completed date on the CEM Systems AC2000 system, helping to mitigate the risk of health and safety incidents and to report on who has and hasn’t completed training.

Another H&S feature now available with AC2000 v10.1 is the Emergency Responder Remote application, which helps improve emergency response times during incidents. This application allows system users to quickly find emergency responders (Fire Marshals, First Aiders and/or First Responders) via CEM Systems emerald terminals.

Functionality at the edge has been improved with enhancements to the Local Access Remote application on the CEM Systems emerald terminal. This allows ‘Extra Access’ to be added, amended and removed via the app on the CEM Systems emerald terminal and provides potential cost savings for remote sites where a workstation client may not be feasible.

Support has been added for the MorphoWave™ Compact frictionless biometric access reader, SimonsVoss SmartIntego wireless locking solutions and STid Architect® range of RFID readers. This builds on the range of biometric, wireless lock and RFID reader options that are available to CEM Systems AC2000 system users.

View the original press release by CEM.

Phishing at the confluence of digital identity and Wi-Fi access

Friday, January 11th, 2019

When we think of phishing, most of us imagine a conventional phishing attack that begins with a legitimate-looking email. It might appear to come from an e-commerce site with which you happen to do business. “We’ve lost your credit card number. Please follow the link to re-enter it,” the email says. But the link leads to a malicious site where you enter your credit card number, press submit, and you have just been phished by hoody-clad hackers.

Even more likely in modern phishing attacks, the email may trick you into giving up your digital identity—for example, your Gmail account. Many legitimate sites give you the option to log in using social login. What’s to stop a criminal site from asking for your credentials in the same way? The answer: nothing. (Best to be sure that you only use social login on sites that you’re sure you can trust.)

Not every phishing attack starts with a spam email, though. Wi-Fi phishing is analogous to conventional phishing, and the stakes are just as high—or even higher. To understand how this works, let’s begin at the beginning.

Rogue Access Points and Evil Twins

A rogue access point is an AP that someone has installed on the network without the approval of IT. It could represent something innocently misguided, like a user trying to extend Wi-Fi range. (Users should contact IT teams for that.) Or a rogue AP could be set up with malicious intent.

An “evil twin” access point is a special variety of rogue access point that attackers can use for nefarious purposes. Every evil twin is a rogue, but not every rogue is an evil twin. The evil twin impersonates a legitimate access point and helps attackers compromise your network. As with many cyber-attacks, user behaviour makes this possible.

Attackers can force users off the access point and trick them into associating with the evil twin. This is how a Wi-Fi phishing attack starts. The evil twin can ask them to enter the pre-shared key into a fake login portal. To be clear, the user enters the actual credential into a fake portal. This does not seem unusual to users, because they have probably experienced having to re-enter credentials for network access before. In this scenario, doing so means handing over the Wi-Fi password or user credentials to the attacker, who can then use them to gain access to your network.

Where Wi-Fi Phishing Meets Digital Identity

Attackers can easily use the same technique to compromise digital identity within any IT environment. Suppose that the attacker asks your end users to enter their enterprise single sign-on credentials to regain access to the network. As an IT professional, you probably wouldn’t fall for that, but some of your users might. The more users you have, the more likely someone will fall victim.

Once the user has handed over his or her credentials, a world of opportunities opens for the hackers. Organizations typically leverage cloud-based file sync and share services. Customer relationship management (CRM) systems live in the cloud. Enterprise SSO platforms allow users—or hackers that have compromised their credentials—to access both. So, what began with a Wi-Fi hack can easily end in a massive data breach.

This scenario can play out even with a garden-variety rogue that is not an evil twin. The AP doesn’t have to be impersonating a legitimate access point to get a user to compromise his or her digital identity. Have you ever wondered whether Wi-Fi sources in public locations are legitimate? This vendor video shows how attackers can compromise digital identities when they target unsuspecting users (in this case, members of the U.K. Parliament; incidentally, using a VPN service when accessing unsecured public Wi-Fi is a good tip). The same thing can happen in an enterprise environment when users connect to a malicious rogue AP, only the identity compromised might imperil your confidential data.

How Can You Combat Wi-Fi Phishing, Evil Twins and Other Rogue APs?

Fortunately, you can take steps to protect your users and data from these scenarios. Your first line of defence against rogue access points is the wireless intrusion detection and prevention capability provided as part of your wireless LAN.

You can also take steps to avoid SSID proliferation, which will make it easier to spot rogues in your environment. Many IT environments become cluttered with SSIDs as IT teams use this as a mechanism to provide differential levels of access to different users and groups of users. Best practice: don’t do this. Employ a system for centrally defining and managing policies for network access.
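As an added example (not part of the original post and not Ruckus code), the sketch below shows the kind of over-the-air comparison a wireless intrusion detection system performs: each scan result is checked against the short list of SSIDs and radios that IT manages. The inventory, BSSIDs, scan records and verdict names are all constructed for illustration.

```python
import re

# Constructed inventory: each managed SSID, its authorized radios (BSSIDs)
# and the security mode it is expected to advertise. Fewer SSIDs = shorter list.
MANAGED = {
    "Corp-WiFi": {"bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
                  "security": "WPA2-Enterprise"},
    "Corp-Guest": {"bssids": {"02:00:00:aa:00:11"}, "security": "WPA2-PSK"},
}

# Constructed scan results, as a sensor or survey tool might report them.
SCAN = [
    {"ssid": "Corp-WiFi", "bssid": "02:00:00:AA:00:01", "security": "WPA2-Enterprise", "signal_dbm": -48},
    {"ssid": "Corp-WiFi", "bssid": "02:00:00:bb:00:99", "security": "Open", "signal_dbm": -35},
    {"ssid": "Corp-WiFi", "bssid": "02:00:00:aa:00:02", "security": "Open", "signal_dbm": -60},
    {"ssid": "corp wifi", "bssid": "02:00:00:cc:00:05", "security": "Open", "signal_dbm": -52},
    {"ssid": "Corp-Guest", "bssid": "02:00:00:aa:00:11", "security": "WPA2-PSK", "signal_dbm": -55},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:dd:00:07", "security": "WPA2-PSK", "signal_dbm": -70},
]

# Most urgent first. "unmanaged" may be a neighbour's AP: deciding whether it is
# a rogue on *your* network needs wired-side correlation, which a scan cannot give.
SEVERITY = ["evil-twin-candidate", "security-mismatch", "lookalike-ssid", "unmanaged"]


def _norm(ssid):
    """Fold case and drop punctuation/whitespace so 'corp wifi' matches 'Corp-WiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def classify(obs, managed=MANAGED):
    """Return a verdict for one scan observation."""
    policy = managed.get(obs["ssid"])
    if policy:
        # Managed SSID heard from a radio that is not in the inventory.
        if obs["bssid"].lower() not in policy["bssids"]:
            return "evil-twin-candidate"
        # Known BSSID advertising the wrong security mode: misconfiguration
        # or a spoofed BSSID; either way it needs a look.
        if obs["security"] != policy["security"]:
            return "security-mismatch"
        return "authorized"
    n = _norm(obs["ssid"])
    for name in managed:
        m = _norm(name)
        # Same name after normalisation, or a managed name with a suffix added.
        if n == m or n.startswith(m):
            return "lookalike-ssid"
    return "unmanaged"


def triage(scan, managed=MANAGED):
    """Return (verdict, observation) pairs needing attention, most urgent first."""
    findings = [(classify(o, managed), o) for o in scan]
    findings = [f for f in findings if f[0] != "authorized"]
    # Within one severity level, the strongest signal (closest AP) comes first.
    return sorted(findings, key=lambda f: (SEVERITY.index(f[0]), -f[1]["signal_dbm"]))


if __name__ == "__main__":
    for verdict, obs in triage(SCAN):
        print(f"{verdict:20} {obs['ssid']!r:14} {obs['bssid']} {obs['security']}")
```

Every managed SSID adds entries to the inventory, which is why a short SSID list keeps this comparison easy to maintain and its alerts easy to read.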

By taking steps to make sure that users can authenticate reliably and seamlessly to a legitimate source of connectivity, you can also make it less likely that they will seek out a malicious access point, should one be within range. Digital certificates as the basis for network authentication can help here. A certificate on the device can also protect against devices connecting to evil twin APs, should a sophisticated attacker try to spoof a legitimate AP. Ruckus Cloudpath Enrollment System is a great way to roll out digital certificates for your users. It also addresses the security shortcomings of default methods of authentication that you may be using now.

If there is no PSK to divulge, there is also no risk that your users will divulge it. A secure onboarding and authentication approach based upon digital certificates obviates the need for conventional PSKs as a mechanism for network access. You can also use dynamic pre-shared keys, which are unique to each user, for guest access. Guests typically get internet access only, with no access to sensitive internal resources.

Last, but not least, user education is always a key to avoiding any kind of attack on your network, users and data. Take measures to educate stakeholders to be careful about what Wi-Fi sources they connect to and what information they enter when they do.

View the original post by Vernon Shure at Ruckus Networks.

Palo Alto Networks Joins Net-Ctrl on Stand C61

Thursday, January 10th, 2019

Net-Ctrl will be able to demo a range of Palo Alto Networks solutions on our BETT stand (C61).

Cyberattacks in the education sector are increasing year on year. Cybercriminals feel they can exploit this area more successfully because they know that IT teams are stretched. They know that, due to tight budgets, equipment is likely to be ageing, and with the introduction of BYOD the attack surface is only increasing, which has a knock-on effect of adding even more pressure on schools to keep their students and their data secure.

Palo Alto Networks aims to help schools with this by putting in an Automated Security Platform that works without the need for human intervention. With their Threat Intelligence cloud, they ensure that the system is constantly updated with the latest threats in the industry, and with their TRAPS endpoint protection they can extend this protection out to endpoints and BYOD devices.

Outside of core security, Palo Alto Networks is also able to assist schools with safeguarding through the following:

  • URL Filtering: categorisation and control of websites
  • Application Control: ensure that only authorised applications are in use on the school network
  • Search Engine Alerts: real-time awareness of search queries
  • Visibility Reports: show granular visibility of network and web-based activity by user

Come and visit Net-Ctrl and Palo Alto Networks on stand C61 at BETT 2019 to learn more about how Palo Alto Networks can fit into your school’s infrastructure. We will have a dedicated team able to answer your questions and provide solution demonstrations.

BETT 2019 is going to be held at the Excel in London from the 23rd – 26th January. Book your free ticket now.

If you would like to book a meeting slot in advance email marketing@net-ctrl.com.

Ruckus join Net-Ctrl at BETT 2019

Wednesday, January 9th, 2019

Ruckus will be joining Net-Ctrl at BETT 2019 on stand C61 with their range of smart wired and wireless technology.

Ruckus – Wireless Technology

Ruckus has never relied on off-the-shelf, reference design radio technology—it doesn’t deliver the capacity, range or interference mitigation necessary to make real the dream of wireless that works everywhere, all the time. Ruckus delivered the industry’s first adaptive antenna technology to overcome RF interference on Wi-Fi networks.

Ruckus Wired Technology

The Ruckus ICX Family of fixed form-factor switches works together to simplify network set-up and management, enhance security, minimise troubleshooting and make upgrades easy. ICX switches work seamlessly with Ruckus Wi-Fi access points and Ruckus SmartZone network controllers to deliver the most performance and cost-effective unified wired & wireless access solutions on the market today.

What makes Ruckus, well, Ruckus...

  • Performance – Ruckus’ deep history of technical innovation means superior, dependable wired and wireless performance. Everywhere, all the time.
  • Simplicity – Ease of install and management for IT? Ease of use for end users? These are just a given.
  • Flexibility – Ruckus provides the utmost flexibility for all the wired and wireless networking scenarios a school or college might have.

Moving Beyond Wi-Fi

Ruckus Wi-Fi itself is now much more than super-fast connections, it’s a platform for a host of capabilities—like location analytics and engagement technology.

Visit Net-Ctrl and Ruckus on stand C61 to find out more about Ruckus’ portfolio of smart wired and wireless solutions.

BETT 2019 is going to be held at the Excel in London from the 23rd – 26th January. Book your free ticket now.

If you would like to book a meeting slot in advance please email marketing@net-ctrl.com.

Join Net-Ctrl and Partners at BETT 2019

Wednesday, January 9th, 2019

Net-Ctrl will be exhibiting at BETT 2019 on stand C61. Each year we bring a small selection of solutions from manufacturers in our portfolio. At BETT 2019 we have our best line-up yet.

Our Approach for BETT 2019

We have noticed a requirement for better access control and lockdown technologies in schools and colleges, to protect staff and students and comply with some of the latest standards.

The trouble with a lot of access control and lockdown technologies is a lack of integration. The end result is schools and colleges managing a number of different solutions individually.

At Net-Ctrl our focus is on integration. We want to make it as easy as possible for you to protect those on your site(s) and that is why this year we are expanding our access control and lockdown integration partners that will be on show. We will be demonstrating integration between access control, intruder alarms, fire detection, wireless door handles and IP speaker solutions, and also IP-CCTV.

In addition, we will be extending our security message to the network and endpoint with Palo Alto Networks. They have a highly advanced and secure portfolio to keep your users, and your site, protected for a more secure everywhere.

We also have Ruckus on our stand. Ruckus is leading the way in wired and wireless technology to keep your users connected even in the most challenging environments. Ruckus Smart Wi-Fi and wired technology redefines what’s possible in network performance with flexibility, reliability and affordability.

We invite you all to come and see us at BETT 2019; we will have a number of demonstrations running and product experts on hand. We’re really excited for BETT 2019. Make sure you pay us a visit and stop by the Net-Ctrl stand – C61.

Over the next few weeks, we will be sending some additional emails with more information about each of our stand partners.

Partners at BETT 2019:

  • CEM: Powerful Access Control and Integrated Security Management Systems with Fire Detection and Intruder Solutions
  • Mobotix: High-Resolution IP-CCTV Camera and Video Door Entry Systems
  • Netgenium: IP PoE Intelligent Audio and Lockdown Solutions
  • NEXUS: Rapidly Deployable, Battery Powered and RF-based, School Lockdown Solutions
  • Palo Alto Networks: Next-Generation Firewalls and Endpoint Protection for Safeguarding
  • Ruckus: Smart Wired and Wireless Solutions

BETT 2019 is going to be held at the Excel in London from the 23rd – 26th January. Book your free ticket now.

If you would like to book a meeting slot in advance email marketing@net-ctrl.com.

The Future of Cybersecurity – A 2019 Outlook

Friday, January 4th, 2019

From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.

Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner’s Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160% increase over the same period in 2017. When GDPR came into force, there were questions raised about its true power to hold companies to account – with the regulation saying fines could be implemented up to £16.5 million or 4% of worldwide turnover. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown is that the authorities have the power and they’re prepared to use it.

In fact, the role of GDPR was to give more power back to the end user about who ultimately has their data, but it was also ensuring companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue around protecting data has grown more prominent, the methods for achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection. This means protecting the data at its core through encryption, key management and controlling access. In our latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. The use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused. Another reason to implement this is that it is actually part of the regulation and will help businesses avoid fines as well. With such a large percentage still unprotected, businesses are clearly not learning their lessons.

So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence, and quantum and crypto-agility start to make themselves known.

2019 Predictions

1. Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example here is encryption, the static algorithms of which could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

2. Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as the computing power grows, so too do the capabilities of AI itself. In turn, this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation’s system using the malware and sit undetected, gathering information about users’ behaviours and organisations’ systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

3. Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across, there is an assumption that they’re automatically protected as they transition workloads to the cloud. The channel has a role to play in educating companies that this isn’t necessarily the case and they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.

A Boardroom Issue That Needs to Yield Results

With 2018 fast disappearing, the next year is going to be another big one no matter what happens, as companies still struggle to come to terms with regulations like GDPR. With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are just as vital, if not more, to focus on. So, while 2018 has been the year where cybersecurity finally became a boardroom issue, 2019 needs to be the year where its importance filters down throughout the entire company. For an issue like cybersecurity, the company attitude towards it needs to be led from the top down, so everyone buys into it. If that happens, could next year see no breaches take place? Extremely unlikely. But maybe it could be the year the industry starts to turn the tide against the hacking community.

View the original post at gemalto.com.