Two-Factor authentication solutions are based on the premise that the combined verification of (i) a thing possessed (a card) and (ii) a piece of information known to the user (a pin or password) provides a high degree of assurance to authenticate users. For financial and enterprise transactions it gives a high level of security. But 2FA is not a seamless solution – as the number and variety of services and devices for a user increases – it requires the user to carry a number of cards/tokens/devices and remember several passwords (that are unique, complex, updated). It is also not a foolproof solution as the identity theft continues to be a problem.

With the large number of IOT applications and devices appearing, the problem will become worse. Consider a health monitoring device that needs to periodically share information of a patient with her family members and doctor, while keeping the information safe from cloud attacks. Or consider keyless entry to vehicles or homes. For such common use cases entering complex passwords would be cumbersome.

With biometric authentication methods, as present with fingerprint based authentication on Apple and Samsung phones, there is a more direct identification of the user. But the way this is commonly used is not to eliminate passwords completely – it is typically used to

1. store existing passwords securely,
2. reduce repeated password entry by extending session created by an existing password
3. combined with a user identifier such as a phone number or email address
4. combined with a password (e.g. for byod deployments where multiple users can register fingerprints)

One can imagine a two factor auth where both factors are biometric, such as multiple fingerprints, or fingerprint and iris authentication. Such a two factor biometric approach could eliminate the need to remember passwords and reduce friction in accessing services securely. An example is the combination of facial recognition and fingerprint recognition.

Biometric authentication methods being worked on include gait recognition and voice biometrics. These can be included in a continuous authentication method.

IDC gave a good security landscape overview at the SecureAuth executive luncheon today in Palo Alto.

SecureAuth provides a flexible adaptive authentication system that balances security with user experience.

BehavioSec does biometric authentication based on user behavior such as the pattern of keystrokes when entering a password. It builds a statistical profile and them determines if the password is entered anomalously. It provides collector SDKs to collect this information from mobile apps and websites.

In case of a large difference between the expected pattern and the current pattern, the SecureAuth integration forces a step up auth to a second factor.

There is adoption of this kind of technology in banking, retail and other verticals.

Lancope, Viewfinity, Vormetric, LogEntries, Boxer, Secure Islands, Silanis

http://www.infoworld.com/article/3000479/security/security-acquisitions-reach-a-fever-pitch.html

Lancope – StealthWatch provides a visual representation of the network to detect anomalies that could signify an attack. In the event of an infection, StealthWatch analyzes traffic between servers to determine which hosts were affected. Acquired by Cisco, $453m.

Viewfinity – Endpoint security for windows. App control features and administrative privilege capabilities to protect against zero-day attacks, malware and threats.

Vormetric – Filesystem encryption, keeping metadata in clear and enterprise key-management for third party encryption keys. Acquired by Thales Security for $400m

LogEntries – machine data search technology to help security teams  investigate security incidents deeply. Spun out of University College Dublin (UCD). Acquired by Rapid7, $68m. 3k customers.

Boxer – Android email app, acquired by VMWare

Secure Islands –  IQProtector looks at content and wraps/protects it based with policy based DRM automatically. “Secure Islands’ Data Immunization uniquely embeds protection within information itself at the moment of creation or initial organizational access. This process is automatic and accompanies sensitive information throughout its lifecycle from creation, through usage and collaboration to storage.” Acquired by Microsoft.

Silanis – e-Signatures with strong crypto algorithmic and keys

Cloud processing of information affects existing information processing flows, controls and compliance standards. Cloud service providers show the level to which they support diverse compliance standards that are specific to verticals such as payments, health, finance, enterprise. A reference is https://aws.amazon.com/compliance/ .

CSA-CCM Cloud Security Alliance Cloud-Controls Matrix. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. Part of Governance, Risk Management and Compliance (GRC) stack – CloudAudit, CCM, CAIQ, CTP.

PCI-DSS Payments Card Industry-Data Security Standards released guidelines for storing credit card data in the cloud. See https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

SSAE16 Statement on Standards for Attestation Engagements (SSAE) 16. SSAE 16 reporting can help service organizations comply with Sarbanes Oxley‘s requirement. It is not limited to financial reporting; it can also be applied to other sectors, and is useful for datacentres. SSAE 16 is one of the most widely known tools for providing assurances to data center customers. See discussion at http://www.datacenterknowledge.com/archives/2012/01/19/aicpa-fumbles-audit-standards-at-the-5-yard-line/ and related SOC1, SOC2.

ISO27001 Specification for an information security management system, released 2013.

FedRAMP U.S. federal agencies have been directed use a process called FedRAMP (Federal Risk and Authorization Management Program) to assess and authorize federal cloud computing products and services. See https://aws.amazon.com/compliance/fedramp/

UK G-Cloud Framework for faster procurement of IT Services over the cloud. See also CESG Communications-Electronics Security Group

IRAP Information Security Registered Assessors Program is an Australian Signals Directorate initiative to provide high-quality information and communications technology services to government in support of Australia’s security. A list of certified clouds – http://www.asd.gov.au/infosec/irap/certified_clouds.htm

HIPAA Health Insurance Portability and Accountability Act. The privacy rule ensures patients access to their health information and Protected Heath Information data (PHI) and de-identification of such data before health information being shared publicly. The security rule covers physical and technical safeguards such as control and monitoring of information against intrusions, encryption over networks etc.

DIACAP DoD Information Assurance Certification and Accreditation Process.  United States Department of Defense (DoD) process to ensure that companies and organizations apply risk management to information systems. Aligns with NIST Risk Management Framework (RMF).

GLBA Financial Services Modernization act of 1999. Removed barriers in the market among banking companies, securities companies and insurance companies acting as one,  allowing them consolidate. GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.

NIST-SP800 30 NIST Risk Management Guide for Information Technology Systems

FISMA Federal Information Security Management Act of 2002. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.^[

UK Data Protection Act Governs the protection of personal data in the UK

EU Data Privacy Directive Officially officially Directive 95/46/EC. European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.

FIPS 140-2  Federal Information Processing Standard  Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.

Amazon proposes the following data flow for IOT. It is built with AWS and the recently acquired 2lemetry and its ThingFabric platform.

https://aws.amazon.com/iot/how-it-works/

https://www.linkedin.com/pulse/iot-aws-reinvent-quick-hits-matt-trevathan

Components: Rules Engine, Registry, Shadows (state tracking), Data based decisions, Integrations with AWS (Redshift, Lambda, S3, Kinesis, DynamoDB)

This conference has a focus on integration between technologies and is held with API World. A dominant theme was connected cars.

ActiveScaler demonstrated its Connected Car platform and API that delivers five types of information. It had a great session with visits from a number of car companies, partners, vendors advisors, investors and interested public.

The highlight was a visit by Maria Roat, CTO, US Department of Transportation where she and her colleague shared their views on the evolution of transportation technologies with ActiveScaler team.

ActiveScaler demonstrated an app that connects the car to the cloud to provide rich vehicle and driver analytics in real time.

At the Salesforce conference were several interesting IOT demonstrations.

One of them could Docker to be run inside a Raspberry Pi. This can be used for seamless OTA upgrade of IOT software. Another allowed instant analysis of the chemical composition of a drug and the information is connected to an app.

Another interesting demo was Built.io, which is like an IFTTT for different apis and IOT flows – a virtual circuit diagram allows inputs to be cascaded together in a flexible manner to achieve a variety of outcomes.

Salesforce made the announcement of the IOT Cloud which is built on Salesforce Thunder, a massively scalable real-time event-processing engine. Business can create alerts or filters to identity important data from event streams. This can be used to send alerts from manufacturers to customers or customers to manufacturers, for instance for a malfunctioning device or for a car recall.

Marc Benioff – “The Salesforce IOT Cloud will empower businesses to build proactive 1:1 relationships with their customers to deliver a new kind of customer success”.

Here’s a review of this announcement with the opinion that it is currently more of a positioning statement than a real capability – http://www.zdnet.com/article/dreamforce-2015-salesforce-thunder-unavailable-2016/

A CAN is a Controller Area Network. Electronic Control Units (ECUs) are networked together in a car using a bus based on the CAN standard. A car will have one more CAN buses which are typically accessible via the Onboard Diagnostics (OBD II) port.

The CAN allows a distributed network of micro-controllers and devices to do real time messaging with each other with CAN packets, to exercise real time control. It is used in industrial control systems, vechicles such as airplanes and ships, and automotive systems.

ECU examples are Airbag, HVAC, ABS and Engine Control Unit.

Some CAN related security resources –

1. Hopping on the CAN bus. https://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
2. Charlie Miller, Chris Valasek.  http://illmatics.com/car_hacking.pdf
3. Craig Smith, opengarages. http://opengarages.org/handbook/
4. Original Spec by Bosch. http://www.bosch-semiconductors.de/media/pdf_1/canliteratur/can2spec.pdf
5. http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS
6. http://tucrrc.utulsa.edu/DodgeCAN.html

A podcast interview with Chris Valasek: https://securityledger.com/2015/07/podcast-interview-with-car-hacker-chris-valasek-of-ioactive/

Most cars do allow CAN access via OBD. Tesla does not, but the CAN information is still accessible via another port.

It may sound unusual that the OBD port meant for diagnostics should allow sending commands to the CAN bus, but this is in fact possible, in part because there is no source identifier or authentication build into CAN packets.

What if an ECU itself has some kind of problem or degradation ? This can increase vulnerability when combined with open CAN bus access.

For example, there were two independent recalls in early 2015 related to defective airbag deployments. The Jeep recall was due to software that detected rollover aggressively and deployed the airbags. The NHTSA recall was due to Takata airbags with faulty inflators.

As we bravely head to an IOT world where various devices and controllers are networked to external entities, such concerns will increase.

There are attacks on other car interfaces such as bluetooth, telematics unit and remote key. Recently (July) there was an attack on Jeep which caused an update to fix the bug. The Israeli media reported a couple startups, Argus and TowerSec could have prevented this attack.   Update Jan 2016: TowerSec is acquired by Harman – CES 2016 announcement.