Internet of “Bad” Things?

The IoT industry expansion has been innovative, immersive, and impressive. The direct-to-consumer IoT device market has also faced incredible growth, however with increased access and cheaper solutions, device security is not always prioritized.

IoT products aren’t limited to just one consumer audience- in fact, you can find products directed towards any demographic. Not only are the devices sold as a singular solution, but they can also be incorporated into existing technology. Often, they are fairly inexpensive and this is what makes unsecured IoT devices a goldmine to hackers; as they are now able to infiltrate and disrupt any consumer industry. From children’s toys, home assistants, connected cars, etc; IoT devices have begun to incorporate themselves within our everyday lives.

Protecting consumer data isn’t difficult, but it is a step that many overlook in a quest for convenience or excitement in adopting the new technology.

IoT specific security standards haven’t been ratified, which means that it is up to the consumer in most cases to ensure that they are taking every precaution in securing their devices.

Here is your basic IoT Device Securing Checklist:

1. Identify which of your devices have communication abilities, and ensure that the hardware/software/firmware is up to date on both the IoT device and whatever device you are establishing a connection with.
2. Upon your first use of the IoT device, update your user credentials. Do not just keep the credentials on the factory/default setting.
3. Disable any Universal Plug and Play (UPnP) option, and disable any automatic connections to the device.
4. Check to see if there is a competing product that has gone through the security certification process. A FIPS 140-2 certification shows that the product has undergone extensive testing and that the crypto functionality of the solution is up to NIST/government standard.

If you are unsure of whether or not your IoT solution could benefit from obtaining a security certification like: FIPS 140-2, Common Criteria, or DoDIN APL; contact Corsec to discuss your options.

Subscribe to Corsec emails!

The post IoT Device Security – What You Need To Know appeared first on Corsec Security, Inc.®.

World class security companies make strategic investments in tools, people, processes, and infrastructure to ensure that IP is protected. When it comes to selecting a security partner, it’s imperative that you know exactly what to look for and ensure security standards and requirements meet the highest criteria for IP protection. Asking the right questions around physical security, access control, environmental controls, and supply chain are essential. Without taking proper precautions, you could be leaving your IP vulnerable to risks that could dismantle your organization from within.

Not sure what type of security measures to require of your partner? Here are a few good questions to start with:

• Does the security certification firm use two-factor authentication to mitigate the risk of any individual accessing sensitive account information?
• Does the partner perform background checks on project team members?
• What kind of information control does the partner employ (i.e., is information only shared on a “need to know” bases, keeping your IP and sensitive information within a limited pool of personnel?
• Where is the lab located and who has access to the building?

Here are the areas Corsec discusses with our partners to ensure we are completely protecting their IP through Infrastructure Support:

Security Questionnaire

Is your partner covering your assets?

We are happy to help you answer any questions and assist you as you look towards product hardening and security certification – mitigate the costly risks associated with the process for FIPS 140-2, Common Criteria, and listing on the DoDIN APL.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

The post IP Protection: Are You Asking The Right Questions? appeared first on Corsec Security, Inc.®.

Avoiding these scenarios with proper product certifications is fundamental. For software, hardware, and firmware solutions, a FIPS 140-2 validation, Common Criteria evaluation, or listing on the DoDIN APL helps harden product security, BUT cutting corners on your certifications could still cost you.

When you work with a partner or lab, you’re extending your workforce, augmenting your engineering, and entrusting your development to others during each phase of your certification effort. This partner will play a large role in the security of your brand – asking the right questions upfront ensures protection of your product and your company:

• Are you in a secured facility and how do you enforce controlled access?
• Is your staff properly trained, including cleared background checks?
• What is your supply chain policy for IP protection and qualify assurance?

These are just three of the larger issues that could put your brand at risk. Remember, you get what you pay for.

Corsec offers all of our partners the highest level of IP protection. Our Turnkey Solution to certifications and state of the art Infrastructure Support ensures your certification is done once, and done right.

Connect With Us:

Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements – Subscribe

The post Your Security Strategy – Are You At Risk? appeared first on Corsec Security, Inc.®.

Corporate exposure occurs when partners don’t properly protect assets they have been trusted to keep safe. Would you pursue a partnership with a company without knowing their policies and practices on protecting your IP?

Vet the firms that hold your company’s assets in their hands, learn from the experience a colleague of ours recently detailed:

—

“All it took to jeopardize my entire company—all my hard work and investments- was a selfie. A selfie!”

When an old colleague of mine said that, I was probably as confused as you are right now. He wasn’t much for social media, aside from an obligatory LinkedIn account. Honestly, as he sat at the helm of a multi-million dollar entity, I couldn’t see him taking a selfie.

As it turns out, it wasn’t his selfie that left his company in ruins, it was one captured by an “employee” for a vendor he had recently hired to do some security testing on a new and unreleased product. Under the stress of budget limitations and time constraints, his product engineer contracted with a poorly vetted vendor that didn’t have a proper facility or office space- he worked out of his basement.

As one could imagine, the security consisted of little more than a standard locking door, and background checks for those coming and going were non-existent. In retrospect, his legal team should have been more involved, but “who would have thought that a security ‘firm’ could operate like that?”

All it took was an innocent, “Friday is finally here!” photo that was shared on Facebook, Twitter, and of course Instagram, and BOOM. The supply chain was breached, and his company’s IP was globally available in a poorly captured photo.

The IP, along with any potential revenue amassed from their product, was compromised, and here he was left grappling with his board of directors, who now wanted him to fire one of his many respected employees, and ultimately left to pick up the pieces created by the vendor’s poor security. Poor security that, if he or his legal teams took the time to educate those making the decision, could have been completely avoided.

As it turns out, he came to ask me if our company provided any unlimited liability in the case of a security breach.

The truth is, I knew we could offer him completely vetted employees and unparalleled IP security. Knowing how vulnerable the supply chain is, we take every precaution to create and maintain a supply chain security policy. We limit portal access, have dedicated laboratory staff, and employ a FIPS 140-2 and CC evaluated Unified Threat management system including VPN, firewall, and intrusion prevention.

No one is gaining access to our client’s IP.

Unfortunately, it may be too late to really salvage his product. He may never know the full extent of the breach or how it could aid his competitors or jeopardized his customer base. The only thing he can do is work with his internal decision makers to create, disseminate, and enforce policy and procedures to ensure that all future vendors are vetted.

Learn How To Protect Your IP

The post Are Your Partners Putting Your IP at Risk? appeared first on Corsec Security, Inc.®.