
Government Security News February 2017 Digital Edition


Federal experts agree that ‘Internet of Things’ demands simple baked-in security

By Tom O’Keefe

As the federal government begins to incorporate mobile devices and the Internet of Things (IoT), security must be “baked in,” not “sprinkled on” as an afterthought to avoid hacking. That’s the verdict from experts in government and the contractor community, who recently met for a panel discussion on “Uniting Cybersecurity, Mobility and the Internet of Things” at immixGroup’s annual government summit on federal budgeting.

The risk of cyber attack through IoT-enabled devices made headlines late last year when a high-profile internet-monitoring and traffic-routing company was hacked in a distributed denial of service (DDoS) attack. A simple malware called Mirai infected consumer DVRs, flooding the company with millions of bogus information requests. The company’s servers were overwhelmed, temporarily knocking out some of the nation’s most visited websites.

Old security precautions don’t fit IoT

Among federal agencies, current security requirements don’t necessarily fit in the new IoT environment. According to Jose Padin, sales engineering director, Federal Civilian & SI for Citrix, the fed’s approach to security “doesn’t always translate into consumer-based electronics.”

The answer is for government organizations to develop or purchase new mobile and IoT solutions with security built in, said Michael Theis, with the CERT Insider Threat Center Software Engineering Institute. “I don’t think anyone’s really widely codified how you go about making sure that things are secure from the beginning,” said Theis.

Padin noted that hardware, firmware and software for IoT-enabled products are “the wild west.” He said government must add security controls into procurement processes for these devices. He also acknowledged that industry must make investments in applying these requirements to all devices, rather than creating government versions.
Bad actors, Padin said, “realize that the weakest link is the consumer.” By building security provisions into products from the start, consumers will no longer be a vulnerability when they buy IoT-enabled appliances.

At a more technical level, the challenge for government is to have the appropriate identity management requirements for mobility and IoT, according to Donna Dodson, director of the IT laboratory and chief cybersecurity advisor for NIST. A personal identity verification card, for example, “works nicely in a laptop or desktop but in a mobile device, not so much.”

“The end users really matter here,” Dodson said. “We need to give them answers that are easy for them to do the right thing, hard to do the wrong thing and easy to back up if the wrong thing is done.”

It’s important to think about identity management in the IoT space, she added. In many cases that may start “at the silicon level,” said Ashish Parikh, vice president of software and solutions at Arrow’s systems integration business. Silicon vendors are

Farpointe warns access control channel to suggest customers add anti-hacking measures, as Federal Trade Commission is now insisting on cyber security protection

SUNNYVALE, CA – February 14, 2017 – Farpointe Data, the access control industry’s trusted global partner for RFID solutions, is notifying its access control manufacturers, distributors, integrators and dealers that hacking of access control systems has become a threat far bigger than most think. Protecting their end-users from hackers is imperative for channel partners.

“The U.S. federal government suffered a staggering 61,000 cybersecurity breaches, that it knows of, last year alone,” reports Farpointe Data President Scott Lindley. “Several recent events highlight the importance of why the access control channel must work with their customers to deal with accelerating hacking attacks.”

According to Lindley, the most important is that the U.S. Federal Trade Commission (FTC) has decided that it will hold the business community responsible for failing to implement good cyber security practices and is now filing lawsuits against those that don’t. An appeals court has backed its lawsuit against the hotel chain operator Wyndham Worldwide for not protecting consumers’ information and, just recently, the FTC filed a lawsuit against D-Link and its U.S. subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

“Prospective penalties go beyond FTC threats, though,” Lindley warns. “A luxury hotel in Austria, the Romantik Seehotel Jaegerwirt, recently had to pay hackers a ransom after they managed to access its electronic key system and lock all the hotel guests in their rooms. Approximately 180 people were staying at the hotel on that day. Many were locked in their rooms, while others were locked out of theirs. The hackers demanded €1,500, about $1,600. The hotel decided to pay, explaining that they felt that they had no other choice, especially because neither police nor insurance could help them.”

Adding to the problem, states Lindley, is that Wiegand, the industry standard over-the-air protocol commonly used to communicate credential data from a card to an electronic access reader, is no longer inherently secure due to its original obscure and non-standard nature. For this reason, Farpointe has introduced features such as potting all readers and options that can be added to the readers.

The first is MAX-Secure, which provides a higher-security handshake, or code, between the proximity or smart card, tag and reader to help ensure that readers will only accept information from specially coded credentials.

The second is Valid ID, a new anti-tamper feature available with contactless smartcard readers, cards and tags. It can add an additional layer of authentication assurance to NXP’s MIFARE DESFire EV1 smartcard platform, operating independently, in addition to, and above the significant standard level of security that DESFire EV1 delivers. Valid ID lets