Probably everyone has by now at least heard about the ECJ ruling known as Schrems II, which basically rules out using the infamous Privacy Shield agreement to allow data transfers between the EU and the USA, on the grounds that the USA does not provide enough guarantees that EU data will be protected.
If you don’t know (but you should) here is my previous article:
After the ruling, one of the questions was: what now?
Will a grace period be offered to survive this? (A lot of companies were transferring data to the USA using Privacy Shield.)
And most of all, will SCCs be enough?
The answer, my friend, is blowing in the wind...
er, no, actually there have been some FAQs from the EDPB that should be a call to action for local authorities.
According to the new FAQs of the European Data Protection Board on the #SchremsII decision, if you want to transfer personal data to the US under the SCCs or other means, you will have to notify the data protection supervisory authority. This approach will oblige companies to perform a massive amount of work, since the notification will definitely have to be accompanied by an assessment of the adequacy of the data transfer mechanism. Are companies and SAs ready to handle this large amount of work?
While some authorities have not yet reacted (and this is not a surprise for Italians, I am afraid), some others (wonder who) have made a statement that clarifies the doubts that can arise and are not resolved by the EDPB’s FAQ.
The Conference of German Supervisory Authorities (DSK) issued its statement yesterday about the consequences of the #Schrems II judgment that, as we can imagine, is completely aligned with the EDPB position. There are some points that are critical on the matter:
This is a critical point, since I am quite sure there are companies that do not even know their data were delivered to the USA under Privacy Shield. I would like to remind you that if an audit from the authority knocks at your door, something like “I don’t know” or “I don’t remember” will not save you. GDPR requires that you, the company, prove you have done your duty in a concrete, effective way, so no paper compliance is allowed here. Just to make life easier, I would love to remind you also that this is not just the German way, and sooner or later the other authorities will align with such requirements.
And here we have the headache, since the assessment is not “optional”: it is mandatory. This comes as an obvious consequence of the fact that the EDPB FAQ says that, to be allowed, SCC transfers should be communicated to the authority. Now, for those of you so naive as to think “I can send a mail to the authority saying ‘hey chap, I use SCCs, do not worry’”: it does not work like this. For some reason they want you to prove you did your duty.
And of course, if you send your data to a country that does not guarantee the privacy of EU citizens and residents, well, your duty is kind of complex. And let’s be clear and brutally honest (while usually I am obscure but kind, rotfl): this will require the active cooperation of the vendors that offer you services, because you need solid proof and not just paper BS.
And this means you need to do this right fucking now.
And just for the sake of my Italian fellow countrymen, this means that even if our authority is under a sleeping spell and has not reacted yet, you have to act nevertheless, because again an audit will come knocking and you will have to show you’ve done the right thing. “But the Garante did not tell us anything” will not be an excuse for non-compliance (with the related consequences).
Time for DPOs to start working and earn their money 😂🤣 (It is a joke, I know many DPOs already do something)
I was recently interviewed on 5G issues, and this made me realize how confused the knowledge and understanding of 5G is.
Most of the time, when I hear comments about 5G in mainstream media, I find on one side apologetic wonder at how this or that vendor can solve all human problems with 5G, and on the other side fears strictly related to the fact that 5G today means Chinese or European vendors: for the first time in years the USA is not technologically leading a strategic sector.
Even less do I hear about the link between 5G and IoT and what this means.
Generally speaking, most discussions on IoT are focused on devices and not on IoT as a system, and in most cases I seldom find considerations related to 5G implementation and security. This is quite annoying from my point of view, since security in IoT (I wrote about that in The IoT files) is more than single-device security, and 5G security issues are not about Huawei spying on us.
And to tell the truth, from my point of view (Italian and European) it would not make much difference if the spy came from China, Russia, the USA, or the UK.
The first problem is to understand whether there is a relationship between IoT and 5G. Well, the relationship is kind of simple: with the current technologies, IoT is severely limited by connectivity, IP and bandwidth issues. 5G’s aim is to overcome those limitations by offering broadband connectivity that can support IoT needs. This will require investment, a change of business models and… wait, to read this go to my previous IoT articles; I called them the IoT files because there are so many things to say that one article cannot cover everything.
Turning back to the point: 5G is the technology that can glue IoT together in terms of connectivity, but what does that mean? Well, when we hear about 5G we hear about how we can create smart cities, how we can connect cars together so they drive better and safer with autonomous driving, and so on.
5G is exactly about this, allowing all this to happen.
All typos are because I never read slides back, lol forgive me
Almost everything you have heard about IoT requires 5G to become reality, because current mobile broadband is not suited to cover those needs: we are not talking about a test with a few cars that can communicate over 4G, but billions of devices, somehow interconnected, with different priority, bandwidth, security, and privacy needs.
Basically, anything recently referred to as “SMART something” and IoT will be bound to a technology that allows fast, secure and reliable data connections.
As of now, 5G is the answer, but there is a problem: the champions of 5G technology aren’t from the USA, and the biggest player is Chinese (Huawei holds the highest number of patents on 5G technology).
This, which could seem irrelevant, is actually the big issue at the moment, so big that all serious consideration of 5G is relegated to an afterthought.
Geopolitical, technological and economic issues are the rising stars at the moment, and they make enough noise to cloud judgment and to move attention away from the serious issues.
I am not saying that those are not problems, and I agree nations should try to defend themselves, but targeting the wrong point on 5G will not help to correctly address “ab initio” the complex problems that 5G will bring home. And the main reason behind this is that if you ask what 5G is, the answer is… just a faster mobile network.
If speed were the only reason behind 5G I would kindly agree that geopolitical issues are the obstacles, but 5G is not just “speed”, it is way more, and the 5G security issue goes beyond the specifics of the connectivity offered at the broadband level and into the core of what 5G has been designed for: services.
We are used to thinking that mobile broadband development was only about more speed, but actually speed has never been the only target: speed and services have always developed hand in hand.
From a mobile perspective, 1G offered 2.4 kbps and was designed to allow mobile phones; it was no less and no more than an extension of your home wired phone. Basic voice services and an analog protocol: low bandwidth was all we needed. The issues were more at the infrastructure level, so there was no time to bother with things that were not even in customers’ imagination at that time.
The real revolution arrived with 2G: it’s broadband, it’s digital (GSM, CDMA), it can carry data, it’s more stable… a revolution. We were able to send texts and see the caller’s number; who was not enjoying it? And some mobile phones started to offer even a graphic screen and games (like “Snake”). Who really cared about speed, which actually moved from 2.4 kbps to an astonishing 64 kbps?
The nice thing about 2G is the introduction of the idea that mobile phones can be so much more than a simple device for phoning, and text messaging was there to prove it.
You see, when the consumer space sees the opportunity for cool stuff that can make the market big, the vendors will follow. With the pressure of the internet and the new services, a new need for data rose up, and here you have 3G.
3G was not only tremendously faster than its predecessor but was designed around the need to transfer data. No more simple text messages: you can have the internet on your phone now.
Again, the real difference from 2G was not “speed” but the kind of services you were bringing on board. So, as a natural evolution, from the old internet we moved to the new one with video, streaming, chatting and so on. A new class of services was required, hence the need for something more, something new: 4G.
And as a matter of fact, besides the speed, the real need for 4G (or the not so cool but hey better than nothing 4.5G) was video capability.
The services drive the speed so the speed is just a consequence of the needs the technology has to address.
But if we limit ourselves to considering just the usual way we use the internet (Facebook, YouTube, YouPorn, LinkedIn, WeChat-Weixin, WhatsApp, Instagram, TikTok and so on) we could just add some more megabytes to our 4G (which is what 4.5G does, by the way), but here comes IoT.
IoT brings way more devices onto the internet, with their needs in terms of bandwidth, connectivity and quality of service. All of this requires new technology and, being ambitious, why not think of making this technology able to address even the LAN/WAN realm?
This is not so stupid: the telcos have always tried to gain space in the LAN/WAN market, and money can be a huge driver. Telco activity with the enterprise was related to offering internet connectivity and voice service. The revenues from analog voice services were high, but VoIP dramatically lowered the income since it was cheaper, putting telcos in a difficult position. And if internet broadband services for home users have been a good business, they require substantial infrastructure investments that are not always covered by the revenues, hence the digital divide.
But 5G can turn all this upside down, justifying the investment that was not so cool, because 5G means everything in the telcos’ hands!
If 5G is the backbone of IoT and Smart X, this means an incredibly big market for telcos, since telcos will provide 5G connectivity. This is why telco vendors are so interested in 5G. Alas, this is also a world where security has always been a secondary issue, if not a neglected one, so we cannot expect that security will be addressed correctly unless other players stick their noses in.
From this point of view, governments and regulators could play a key role in promoting security and privacy by design and by default in the design of the 5G world; alas, at the moment everything seems to be more focused on boring geopolitical issues than on the real stuff.
Among the 5G challenges, there are a few that are easy to spot once we understand that 5G is the IoT backbone. Without the lousy arrogance of thinking I am being exhaustive, here are some that should at least be taken into serious consideration:
1) Fast connectivity between devices, according to the device/service need. Not all IoT devices are born equal in terms of bandwidth, data processing, quality and sensitivity of data and so on, being able
2) Segregation of traffic: every group of devices under a specific service instance should have its traffic isolated and protected from the others. I would not enjoy my personal photos being shared everywhere if the IoT device is my home HDD storage where I put them. Segregation of traffic is the minimum level of security we have to think of when we plan a broadband multiservice environment.
3) Quality of service is a key factor here: even if the bandwidth is incredibly huge, this does not mean that there will be no latency or bandwidth bottlenecks, and some services have to be guaranteed no matter what; telemedicine and telesurgery, just to name a couple, should be prioritized over watching YouTube.
4) Authentication and authorization are no less important: in a heterogeneous environment we need to be able to authenticate and authorize, with the correct level of permission, every single device on every single service it needs to access, along with its user ownership. Failing on this point will mean access for anyone…
5) Multivendor environment: this can seem a minor issue, but in an ever-growing environment of connected devices, users and services, being able to ensure that everything will work seamlessly is not so easy. Maybe someone remembers the issues with a famous leading network gear vendor and the NIC auto speed detection protocol? Standard does not always mean standard, and this can open a serious breach in operations and security if not addressed correctly.
6) Not everything will be 5G at the beginning, and probably when the legacy world ends we will be on 6G (which will get rid of part of the infrastructure, leveraging peer-to-peer connections directly at the device level) or 7G, with 5G as the old stuff. So 5G will have to deal with Ethernet as well as 4G, as well as what will come in the future. A gateway between the different technologies is not so simple, since service definitions can differ.
7) In particular, the existing mobile environment and the LAN/WAN battlefield should be carefully considered: on one side we still have 3G, on the other side LAN/WAN vendors will fight back to keep their domains intact. So it will be an interesting battle where, again, standards and regulators could shine a little light at the end of the tunnel (hoping it is not the train).
And more could be mentioned, but if I want to continue, it is better to stop with this list.
If you have read this far, it means you are interested in the subject; I am impressed and thankful 🙂
So the backbone for IoT will be, at least at the beginning, the 5G network which, just to be clear, is still being implemented. If we think of the definition of IoT:
The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
we can then try to assume that internet connectivity will be more and more 5G,
which should now clarify why speed is just one of the many issues of 5G, and why 5G is not just bare connectivity but something that should manage services. So now we should understand what this word “service” means here.
Basically, a service is a mix of devices, connectivity, data, processes and users that can be grouped somehow. There can be thousands, millions, billions of services under this simple definition (I know it is mine, but it is worth it for everyone to understand the point).
The main point is that services are not all the same: HTTP browsing can be a service under 5G, and video broadcasting as well; the two are different in nature and in terms of requirements.
Different services have different needs and, for once, speed can be a good example to understand the point: what is speed?
The very concept of speed can vary from service to service, so consider the automotive and smart road ideas. In this scenario, we will have small pieces of critical data exchanged between one car and another and/or the infrastructure, which have to be processed and transmitted as fast as possible. It seems easy, but we should consider that the cars are moving and the traffic can be largely unpredictable (I don’t know when someone will decide to get into the car to go somewhere, and I cannot predict whether external issues will affect road conditions, such as pedestrians crossing outside the dedicated areas, problems with the state of the road, holes, weather, floods, earthquakes, Superman vs Batman and so on).
So here speed means, at least, very low latency, quick authentication and authorization, fast address resolution, and reliability. Probably I should add geolocation and other critical missing points, but I think we have the idea.
By the same token, if I have to move a big chunk of data, speed means mainly bandwidth, QoS and conflict resolution if more agents/objects/users are trying to move the same or nearby data. So if you are trying to align your data center with your new cloud one and you want to move some Coperbyte of data, and your neighbor wants to do the same, well, we have to manage the bandwidth somehow…
Of course, if the need is just to browse and watch movies, your needs are focused (remember we are in 5G) on DNS response and video-voice sync.
But since in a billion IoT devices there can be billions of services that at the moment do not exist, we need to create an environment able to define the need in advance (or wait for 6G for new services implementation).
So, broadening the argument, 5G for IoT should at least:
1) Segregate different services
Different classes of services should be independent of one another
Services should be arbitrary, and the required service set should be one of the service definition parameters
2) Allow QoS for critical ones
Not all services are the same: internet browsing is not a truck running on a highway, a surgical operation is not like watching porn on your phone
•Smart devices like smartphones use a double connection wifi internal/sim external
•…
We know that if we want to see what we have in our local storage we move data internally (at least we hope so); our gateway to the internet is our router, which (should) provide some basic security such as firewalling and minimal authentication, at least for internal wi-fi connectivity. We live in a private network where connectivity is basically Ethernet and wi-fi, and we go on the internet with a NATted address shared by all devices. Probably we have some devices that have no real internet exposure, others that go out just to look for updates, some that connect to a web service to allow you to check and configure things, and finally some that go to the internet by themselves for unknown reasons (Alexa-like, ROTFL). Ah, do not forget your smartphone, which has both wi-fi and your 4G/4.5G connection, with apps to manage both your internal LAN and the web interfaces of your LAN devices.
What will 5G change here? Everything, of course, absolutely everything.
Everything is already on the internet
•All devices are able to connect directly to the 5G network and have public addresses
•Providers of 5G connectivity can be different and bound to users and/or device
•Devices need to know their «internal» realm in order to understand which device can be trusted or not for internal communication
•Different 5G providers have to guarantee device interoperability, segregation and security as if devices were in a segregated LAN
•Internet communication should be controlled and monitored as if it were a single one
Autonomous driving and smart roads are actually as fun as home networks but for the opposite reason: here we are talking about something that does not exist yet, and the few tests and implementations are by no means a serious example of what interaction between IoT vehicles means.
The reality at the moment is simple:
•Cars do not talk to each other
•Cars do not talk to the road infrastructure
•Roads use sensors for limited scope (traffic light, street light)
•Limited information is provided by broadband connectivity (as Radio Traffic where available)
•Internet connectivity provided by car SIM or smartphone
•Some app can connect to the internet and provide indications as navigators do
•Some apps can provide autonomous analysis of traffic
•Different car services interact with road infrastructure
•Cars and car devices are equipped with 5G capabilities from different 5G providers
•They need to be bound with the owner\owners
•They need to recognize trustable information data source
•They need to interoperate independently from the 5G provider
•They need to cover the services even when crossing country borders
•…
With 5G, the need for fast, reliable, ubiquitous and vendor/provider-independent connectivity is clear.
Maybe we should expect virtual SIMs configured to meet the driver’s needs, but what if two or more people share the same car? And what kind of interaction with your smartphone and other smart devices?
Let’s explore some considerations on the most slippery of the three examples: trying to move from LAN/WAN to 5G (the telcos’ dream).
What we have today (more or less):
•There is an internal (LAN) and an outside
•internal services are protected by firewalls and other security technologies
•Connectivity is provided through NIC or WI-Fi using TCP/IP protocol leveraging usually private addressing and natting to reach outside resources
•Internal resources are accessible directly internally or through a web service\web interface externally
•Resources external to the LAN are accessible through router/firewall upon natting and authentication/authorization
•Users external to the LAN connect to the internet through mobile broadband or through Wifi
•To connect to internal resources users are identified and connected through VPN or other secure means to the LAN
•…
Do I really need to describe what the current situation is? lol 🙂
What would change with 5G?
•Almost all devices are 5G connected
•Connectivity is provided by different 5G providers and can be public (using public infrastructure) or private (5G infrastructure is local)
•Interoperability has to be guaranteed regardless of 5G provider or device manufacturer
•Interoperability has to be guaranteed with the previous LAN/Ethernet environment
•Segregation of the internal devices has to be guaranteed as in a LAN
•Security devices should be able to work seamlessly regardless of the hybrid LAN/5G environment
•Mobile users should be able to be part of the internal network for the services in use even if they are using their own device
•…
This scenario requires careful understanding, since we have all the security problems of a normal network implementation plus the fact that all devices can reach the internet directly and are directly exposed because of their addressing. Segmentation requires multiple levels, since some segments can be nested inside others (something like the way we use VLANs today), and all this has to communicate with the legacy world, since an immediate takeover of LAN/WAN by 5G is not credible. Moreover, the whole legacy security world should be able to interoperate with the new one.
This kind of scenario is compatible with full cloud adoption, and less agile with hybrid or fully local implementations.
Here security and privacy issues rise to the next level, since the disintegration of the concept of LAN, which started with the introduction of mobile users and BYOD, extends to almost every node but with less clear control of what is going on.
5G security, if we understand some of the implications I mentioned before, embraces a way larger concept than what people generally think. Here we are not just thinking about how to secure an encrypted communication channel, which is, by the way, a clear basic requirement, but extending to how to broker, manage and control the services that run on 5G.
I do not have an easy answer to this. I have seen different proposals to address such problems, for example a central security service broker that takes into account all the requests and, according to rules, AI, magic and tricks, solves everything.
OK, do you know those beautiful phishing emails claiming a bad guy hacked your email and took pictures or videos of you doing bad stuff?
I receive tons on my personal accounts, and usually I answer them asking to share the videos so I can publish them on my socials as well and become famous, rotfl; alas, the bad guys never react… (I know I am so childish)
So let me share the latest one with you:
Analyzing the headers, I saw my friends sent the email from a Chinese address (how nice to be renowned in such a distant place). Well, this means it is a not-so-advanced spoofing and they did not take over my account; disappointing, but, hey, we cannot be too picky, can we?
Source IP Address: 125.65.255.28
Source IP Hostname: 28.255.65.125.broad.ls.sc.dynamic.163data.com.cn
Country: China
State: Sichuan
City: Liangshan Yizu Zizhizhou
Zip Code: undefined
Latitude: 27.8816
Longitude: 102.267
ISP: Chinanet
Organization: Chinanet SC
Threat Level: high
And here is the email; sorry, my email client is in Italian, but the meaning should be clear, lol
08/08/2019 – on this day I hacked your OS and got full access to your account antonio.ierano@ierano.it
You can check it – I sent this message from your account.
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
This means that I have full access to your device and accounts. I’ve been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain.
Virus gives me full access and control your devices.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware? answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts.
If you want to prevent this, transfer the amount of $762 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).
My bitcoin address (BTC Wallet) is: 1Q2pVgd9YradB42risptr8tsydKrVDSD2A
After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
Now I want to be sure the guy understands I shared his email, so my videos will be shared as well and I will become famous, so please can you share it as well? LoL
NOTE: I suppose my phishing friend would be delighted if you sent bitcoin to his/her/its address lol
NOTE on NOTE
I was kidding
NOTE on NOTE on NOTE
Please do not let yourself be fooled by those stupid scam attempts.
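The header check described in this post can be scripted. The following is an added example, not part of the original post: it walks the Received chain from the newest hop down, trusts only lines written by the recipient's own mail hosts, and reports the external IP that handed the message over together with the SPF/DKIM/DMARC verdicts. The sample message is constructed; the example.org hosts, the 192.0.2.0/24 network and the trusted-host lists are assumptions, while the source IP and bitcoin address are the ones quoted above.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions: the recipient's own mail hosts and network (placeholders).
TRUSTED_HOSTS = {"mx.example.org", "store.example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample. The last Received line is one the sender could have
# written itself, so it must not influence the result.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by store.example.org with LMTP; Thu, 08 Aug 2019 10:00:05 +0200
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org;
 dkim=none; dmarc=fail header.from=example.org
Received: from [125.65.255.28] (unknown [125.65.255.28])
 by mx.example.org with ESMTP; Thu, 08 Aug 2019 10:00:03 +0200
Received: from mail.example.org (localhost [127.0.0.1])
 by forged.invalid with ESMTPSA; Thu, 08 Aug 2019 09:59:00 +0200
From: victim@example.org
To: victim@example.org
Subject: your account was hacked

I sent this message from your account.
My bitcoin address (BTC Wallet) is: 1Q2pVgd9YradB42risptr8tsydKrVDSD2A
"""

RECEIVED_RE = re.compile(r"from\s+\S+\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def handoff_ip(msg):
    """IP of the first external host that delivered to our infrastructure."""
    for value in msg.get_all("Received", []):  # newest hop first
        m = RECEIVED_RE.search(value)
        if not m or m.group(2).rstrip(";") not in TRUSTED_HOSTS:
            break  # line not written by our hosts: nothing below is reliable
        ip_m = IP_RE.search(m.group(1))
        if not ip_m:
            continue
        try:
            ip = ipaddress.ip_address(ip_m.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None


def auth_results(msg):
    """SPF/DKIM/DMARC verdicts, only from headers stamped by our own hosts."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip() in TRUSTED_HOSTS:
            for mech, verdict in AUTH_RE.findall(rest):
                results.setdefault(mech, verdict)
    return results


def triage(raw):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    ip = handoff_ip(msg)
    auth = auth_results(msg)
    self_addressed = bool(sender) and sender == rcpt
    return {
        "self_addressed": self_addressed,
        "handoff_ip": ip,
        "auth": auth,
        # Heuristic: "sent from your account" is refuted when the message
        # came from outside and DMARC did not pass for the From domain.
        "spoofed_from": self_addressed and ip is not None
                        and auth.get("dmarc") != "pass",
        "btc_addresses": sorted(set(BTC_RE.findall(body))),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
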
Firewall: Traditional, UTM and NGFW. Understanding the difference
One of the problems nowadays when we talk about firewalls is understanding what a firewall actually is and what the acronyms used to define the different types of firewalls mean. The common definition today recognizes 3 main types of firewalls:
• Firewalls
• UTM
• NGFW
But what are the differences (if any) between those things? Let’s start with the very basics: what a firewall is.
Firewall:
A firewall is software used to maintain the security of a private network. Firewalls block unauthorized access to or from private networks and are often employed to prevent unauthorized Web users or illicit software from gaining access to private networks connected to the Internet. A firewall may be implemented using hardware, software, or a combination of both. A firewall is recognized as the first line of defense in securing sensitive information. For better safety, the data can be encrypted. Firewalls generally use two or more of the following methods:
• Packet Filtering: Firewalls filter packets that attempt to enter or leave a network and either accept or reject them depending on the predefined set of filter rules.
• Application Gateway: The application gateway technique employs security methods applied to certain applications such as Telnet and File Transfer Protocol servers.
• Proxy Servers: Proxy servers can mask real network addresses and intercept every message that enters or leaves a network.
• Stateful Inspection or Dynamic Packet Filtering: This method compares not just the header information, but also a packet’s most important inbound and outbound data parts. These are then compared to a trusted information database for characteristic matches. This determines whether the information is authorized to cross the firewall into the network.
The limit of the firewall itself is that it works only at the protocol level (IP/TCP/UDP), without knowledge of the higher-level risks that can cross the network.
From viruses to content filtering, there are hundreds of thousands of different technologies that can complement the firewall’s work in order to protect our resources.
To address the more complex security environment, the firewall evolved into something new that covers different aspects beyond simple protocol inspection. These devices use different technologies to address different aspects of security in one single box: the so-called UTM (Unified Threat Management).
Unified Threat Management (UTM)
Unified threat management (UTM) refers to a specific kind of IT product that combines several key elements of network security to offer a comprehensive security package to buyers.
A unified threat management solution involves combining the utility of a firewall with other guards against unauthorized network traffic along with various filters and network maintenance tools, such as anti-virus programs.
The emergence of unified threat management is a relatively new phenomenon, because the various aspects that make up these products used to be sold separately. However, by selecting a UTM solution, businesses and organizations can deal with just one vendor, which may be more efficient. Unified threat management solutions may also promote easier installation and updates for security systems, although others contend that a single point of access and security can be a liability in some cases.
UTMs are gaining momentum but still lack an understanding of the context and the users, and therefore are not the best fit for the new environments. In order to close those gaps, security researchers moved to the upper layers, from protocols to applications, where user behavior and context are key.
This led from UTM to the so-called Next Generation Firewall, or NGFW.
Next-Generation Firewall (NGFW)
A next-generation firewall (NGFW) is a hardware- or software-based network security system that is able to detect and block sophisticated attacks by enforcing security policies at the application level, as well as at the port and protocol level. Next-generation firewalls integrate three key assets: enterprise firewall capabilities, an intrusion prevention system (IPS) and application control. Like the introduction of stateful inspection in first-generation firewalls, NGFWs bring additional context to the firewall’s decision-making process by providing it with the ability to understand the details of the Web application traffic passing through it and taking action to block traffic that might exploit vulnerabilities.
Next-generation firewalls combine the capabilities of traditional firewalls — including packet filtering, network address translation (NAT), URL blocking and virtual private networks (VPNs) — with Quality of Service (QoS) functionality and features not traditionally found in firewall products.
These include intrusion prevention, SSL and SSH inspection, deep-packet inspection and reputation-based malware detection as well as application awareness. The application-specific capabilities are meant to thwart the growing number of application attacks taking place on layers 4-7 of the OSI network stack.
The simple definition of application control is the ability to detect an application based on the application’s content rather than on the traditional layer 4 protocol. Since many application providers are moving to a Web-based delivery model, the ability to detect an application based on its content is important, while working only at the protocol level is almost worthless.
Yet in the market it is still not easy to understand what a UTM is and what an NGFW is.
UTM vs NGFW
Next-Generation Firewalls were defined by Gartner as a firewall with Application Control, User-Awareness and Intrusion Detection. So basically an NGFW is a firewall that moves from creating rules based on IP/port to creating rules based on User, Application and other parameters. The difference is, basically, the shift from the old TCP/IP protocol model to a new User/Application/Context one. On the other hand, UTMs are a mix of technologies that address different security aspects, from antivirus to content filtering, from web security to email security, all on top of a firewall. Some of those technologies may need to be configured to recognize users, while they seldom deal with applications. The problem in the market is that nowadays the traditional firewall no longer exists, even in personal/home/SOHO environments. Most of them are UTM based.
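The shift described above from IP/port rules to User/Application rules, as an added example (not from the original post or from any vendor's product): the same constructed flows are judged once by a port-only rule set and once by rules keyed on the user's group and the application detected from the payload. The `Flow` type, the rule tables, the user names and the `example.test` hosts are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str       # identity the firewall mapped to the source (assumed known)
    dst_port: int
    payload: bytes  # first bytes sent by the client

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def app_by_port(flow):
    """Layer-4 view: the destination port is assumed to name the application."""
    return {22: "ssh", 80: "web", 443: "web"}.get(flow.dst_port, "unknown")

def app_by_content(flow):
    """Content view: classify from what the client actually sent."""
    p = flow.payload
    if p.startswith(b"SSH-"):  # SSH identification string
        return "ssh"
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"  # TLS handshake record carrying a ClientHello
    if p.startswith(HTTP_METHODS):
        for line in p.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                return "http:" + value.strip().decode("ascii", "replace").lower()
        return "http"
    return "unknown"

# Port-based policy: the classic "allow outbound web" rule.
PORT_RULES = {80: "allow", 443: "allow"}

# User/application policy (hypothetical): first match wins, default deny.
GROUPS = {"alice": "admins", "bob": "staff"}
APP_RULES = [
    ("admins", "ssh", "allow"),
    ("*", "ssh", "deny"),
    ("*", "http:files.example.test", "deny"),  # one web app blocked by name
    ("*", "http", "allow"),
    ("*", "tls", "allow"),
]

def port_decision(flow):
    return PORT_RULES.get(flow.dst_port, "deny")

def ngfw_decision(flow):
    app = app_by_content(flow)
    group = GROUPS.get(flow.user, "unknown")
    for rule_group, rule_app, action in APP_RULES:
        if rule_group in ("*", group) and (app == rule_app or app.startswith(rule_app + ":")):
            return action
    return "deny"

# Constructed sample flows (not captured traffic).
FLOWS = {
    "bob, SSH on 443": Flow("bob", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "alice, SSH on 443": Flow("alice", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "bob, intranet": Flow("bob", 80, b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    "bob, file upload": Flow("bob", 80, b"POST /up HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    "bob, TLS": Flow("bob", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
}

def compare():
    """Return {flow name: (port-based verdict, user/application verdict)}."""
    return {name: (port_decision(f), ngfw_decision(f)) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} port={verdicts[0]:5} user/app={verdicts[1]}")
```

The port-only rule set allows all five flows; the user/application rule set denies the SSH session for the non-admin user and the upload to the blocked web application, although both arrive on ports 443 and 80.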
NGUTM
Most firewall vendors have moved from old firewalls to either UTM or NGFW offerings. In most cases NGFWs also offer UTM functions, while most UTMs have added NGFW application control functions, creating de facto a new generation of products and changing the landscape with the introduction of Next Generation UTM.
UTM vendors and NGFW vendors keep fighting over what the best solution for modern environments is, but this is more a marketing fight than a technically sound discussion.
The reality is that UTM and NGFW are becoming more and more the same thing.
NOTE: it’s all about rules.
Why have security devices become so comprehensive, and why do they try to unify so many services? Management is the last piece of the puzzle. In two separate studies, one by Gartner and one by Verizon Data’s Risk Analysis team, it was shown that an overwhelmingly large percentage of security breaches were caused by simple configuration errors. Gartner says “More than 95% of firewall breaches are caused by firewall misconfigurations, not firewall flaws.” Verizon’s estimate is even higher, at 96%. Both agree that the vast majority of our customers’ security problems are caused by implementing security products that are too difficult to use. The answer? Put it all in one place and make it easy to manage. The best security in the world is USELESS unless you can manage it effectively.
In the previous IoT files I tried to outline what are, from my point of view, some key factors that have to be taken into account when talking about IoT.
The last, but not least, point I would like to add some notes on is culture.
Since IoT is something that will shape our way of life in many respects, we have to agree that culture is a key element in order to embrace it positively and safely.
Culture refers to billions of things, from language structure to literature, from how we share information to how we get it. In all of those aspects IoT will have a great impact and relevance.
From a cultural point of view, embracing IoT means, first of all, awareness of what IoT is and of its implications.
This awareness and understanding will be shaped as IoT grows and becomes part of our life, but if we start to talk about the cultural impact of something when it is already there, it is too late.
If we weigh our experience today, we still have not coped, from a cultural point of view, with all the technological advances. Sometimes we simply refuse to accept them and label them as bad, or we use them without real comprehension.
The result is before everyone’s eyes: from the rise of cybercrime to the rise of internet dependency and the apparent shrinking of interpersonal relationships, the literature is full of examples of how badly we still cope with new technology.
Laws are also affected by this difficulty in comprehending the new environment, as is management culture.
IoT awareness is therefore far more important, since IoT is far more pervasive than our current technology.
IoT will be so pervasive that it will dramatically change our perception of privacy. As a matter of fact, in the IoT world there is nothing like privacy at all: somehow there is always a sensor monitoring you, and this could lead to unexpected behavioral reactions. But for sure a new approach to privacy will be necessary, as well as a new approach to privacy protection. In a world where everything is turned into data, those data become the paradigm of our reality, and so we will have to deal with that accordingly.
Communication Issues
But the changes are also related to the way we will communicate. New jargon comes out every moment; millennials have a different language from Generation X or baby boomers, and so IoT will develop its own language. How we will incorporate it and drive it is still to be defined, but in IoT the wide level of communication and data interchange will move all this to a worldwide scale. Language will no longer be a local issue, simply because exchanging data requires a common communication framework. As for privacy, without a common understanding of the rules this will soon turn into chaos.
Censorship and cultural constraints
One of the main issues IoT will bring with it is how to deal with communication restrictions, or in other words censorship. We have already mentioned censorship as one of the big issues that can affect IoT; to stress the idea further, it will be not only a business problem but also a cultural problem. A world of sensors that monitor everything (this is the downside of IoT) can heavily affect belief systems and force some cultures to close in on themselves. If we do not understand how to cope with it, all relationships could be pushed to the extreme.
We see today, with the rise of hate speech, bullying, urban legends and fake stories on social media, how difficult it is to cope with more open communication channels; can you imagine what IoT will bring? We have to assume that the amount of data will be far greater, and so will the ways people interact with those data.
Who is left behind?
And the cultural issues will affect the technology illiterate most, the ones who will be left behind, marking a wider distance between the citizens of the IoT world and those left behind. The digital divide is already a cultural problem; IoT will widen it. Without the proper tools to understand this world, the level of incomprehension will rise dramatically, widening tensions.
And this is not just a problem of rich and poor countries: even inside rich countries the level of familiarity with technology varies dramatically across social groups and areas.
Illiteracy today does not refer just to being unable to write or do math, but also to being unable to use the internet and technology such as a computer or smartphone. The introduction of new technologies just widens the gap…
How to teach all this
The root of the problem will become: how to teach all this?
Today the school system does not, generally speaking, address the current technology environment. School is, roughly, a century behind the modern world. Access to technology, and how to deal with technology, is not common in most school systems worldwide. It is not just a problem of having technology in place (giving a computer to every student) but also of how to teach with the new tools, and what to teach.
Cyber security basics, as an example, should be a mandatory introduction in any school of any grade, considering the age at which our children approach technology without the proper mindset. But schools are slow to cope with the new world.
But at the corporate level too, illiteracy about cyber security, technology use and the implications between technology and communication is the common reality, and this lack of knowledge spreads to every level, from the lowest to the highest. Very few exceptions can be made here.
This issue should cover all aspects of education, from first grade to university to corporate training. We can no longer afford children who do not know how to protect themselves from the cyber world, university graduates who face the real world completely illiterate about what they will find in the real corporate environment, developers who do not have the slightest idea what privacy and security mean, management that is not able to evaluate the impact of technology on their business, and so on.
Not being able to deal with this will mean being overwhelmed by the impact of those technologies and, in the last analysis, being ruled out as dinosaurs.
And the list could go on and on. We can make predictions but we can’t see the future clearly (unless using a crystal ball). We need new cultural, linguistic and philosophical tools to help us cope with the new reality.
What to do?
We should start now, without waiting for some higher action. Sharing knowledge and awareness, and talking and thinking about those issues, is the first step to finding a solution and addressing them.
This is also a call to be active in associations, think tank groups or whatever you can to help raise awareness. And where you feel gaps in your own knowledge, you can try to discuss them and ask for support.
I will start a series of posts on the IoT (Internet of Things), since it seems to me that most of the talk about IoT is missing some key aspects.
I will start with a general introduction, taken from a webinar I delivered recently.
There are a lot of rumors around IoT lately. It seems to be the new holy grail of the technology industry, the panacea that will solve every business pain and drive us to the next point.
All this talk is interesting, but somehow a little bit apologetic, since there are a lot of things still to be evaluated in an IoT world, and some could give us headaches and concerns.
So let us start by trying to understand what we are talking about when we talk about IoT.
IoT, the Internet of Things, is the extension of the consumerization of connected devices, and will cover much more than we are used to nowadays. The key target of the IoT is the user and their world.
This does not mean that IoT is not about SCADA systems or industrial control systems, or e-government or smart cities. It is about all of this and more, but the focal point will be the user, the new hyperconnected guy: Mr. Guy Smart.
But aren’t we already hyperconnected with our ever-present smartphones, tablets and now smartwatches?
What is the difference between us now and Mr. Smart?
The difference lies in the level of devices/systems connected that are related to the new user. Far more than the simple phone and watch: we can think of wearable devices, medical devices, glasses for augmented reality, smart shoes that tell us how we walk or a belt that monitors our waist and diet.
But Mr. Smart is not only using the stuff he wears; he is also living in a hyperconnected world, driving a smart car (autonomous and more…) on smart roads, with intelligent traffic lights, in a smart city where he finds his smart home.
All connected, all sharing information, all dynamically changing status upon the user request and the context.
A way of living quite different from our current way of life, since everything can modify its behavior according to the heat of the moment.
All this looks wonderful: a personalized environment that follows our needs and provides us with a completely new experience. A new industrial revolution able to shape our needs, thinking and way of life.
But is this real? How far are we from this?
To understand what all this means we should start from the definition of Internet of Things. A good definition is the following:
The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
According to most analysts this is the main trend we should expect in the next years.
All analysts forecast billions of devices connected, a great hope for a growing business….
But is this coming without a price?
Is this so easy to achieve?
What are the consequences?
IoT is a great opportunity, but it is also something that should make us think about the consequences. As with everything, there is always a price to pay, and we should understand what this price is.
I will try to give a short description of 5 aspects related to IoT we should take care of:
I know that security is on everyone’s lips recently; the rise of cyber crime and warfare has put security under everyone’s attention.
But we are still far from a real understanding of what security really is, and what making security means. We usually focus on particular aspects of the security domain, or on specific technologies, forgetting that making security is a complex affair that deals with behavioral science as well as technology. It is more a process than a product or service.
What should put us on alert is that in an IoT world our lifestyle and life will depend so tightly on devices that security will assume a completely new meaning for the normal user. We are not talking about an annoying virus on our laptop, but something that can literally kill us, as in the case of medical devices or smart driving systems.
IoT brings a lot of security concerns, some quite easy to understand, others, alas, too often neglected. Let us try to name a few:
Hacking
This is something everyone knows: every year the knowledge about hacking rises, as do hackers’ abilities. It is a never-ending race. But can we try to imagine what would happen in a world where the number of hackable devices is in the range of billions?
This is something we should take into serious consideration: no OS is secure (sorry Linux, Unix and Mac guys), and we are talking about billions of objects that exchange data, transmit data, manipulate data and collect data through sensors. The attack surface will become incredibly wider, and the result unpredictable.
The classical reactive approach of OS designers has to be radically modified, since it can be the door to hell. A new security design approach is needed. And don’t think for a moment that an IoT device will have few lines of code and will therefore be easy to secure. Even the smallest, simplest device will have its sensor and will have to communicate data and receive orders (otherwise it would not be SMART), so there is nothing like a simple OS here. Besides, the smaller the OS, the harder it can be to secure and patch. In bigger environments it is a common operation to wrap the vulnerability in something that somehow solves the problem; will this be possible in the smaller IoT OS?
Cyber Criminals
And if the hacking surface grows, we can also expect criminal activities to grow and find new ways to monetize the risks.
For those who work in the cyber security arena, it is well known that cyber criminality moves more money than the illegal drug and weapon markets. This can only grow, making cyber crime more important than ever. And when something is so important, corruption and collaboration between the underworld and the official one is to be expected.
So IoT brings with it great concerns from this point of view.
Cyber Warfare
But if it is not a criminal organization, it can be a government. Do we really think that this will be an area where governments will not play their part? Do we realize that IoT will be tied to our life and our productive environment? Targeting the IoT could therefore harm a country more than a conventional war, blocking its productive system.
Science fiction? Try to remember Stuxnet and maybe we can agree that this is a plausible scenario: a country that attacks the IoT infrastructure in order to harm another country.
And if it is not a state or a government, it can be a terrorist organization, activism…
Geopolitical Issues
And if it is not on purpose, the system may be harmed by geopolitical issues. In a hyperconnected world, damage can be done even when targeting something else.
Censorship
Let’s take censorship as an example. We may not realize that censorship can harm the functionality of a device; in the end we are talking about neither Twitter nor Facebook, but…
Take your Android phone and go to China, as an example, and you will see directly the effect of censorship on IoT. Your wonderful Android functions and services will not work, since Google has been banned from China for censorship reasons. (Sure, you can use a VPN, but please, try to see the picture here.)
Errors and Incidents
And even if it is not on purpose, accidents and errors can harm the system anyway, probably in ways that we still don’t see at the moment, due to the complex nature of the various interrelationships between the objects.
Compatibility
And if it is not errors or incidents, the harm can be done by compatibility issues. In the end you will want to change object or location from time to time. Some IoT objects will travel with you, so compatibility will become a great issue.
What if you change medical device provider and the new one does not support the vital data taken from the old one? Or if you go to a place that does not allow the same level of communication (maybe because encryption is not allowed there)?
What More?
Many other scenarios related to IoT and security can be recalled; this is not an exhaustive list, but it is enough to make the point. Security is a serious issue in an IoT world.
The classical approach that considers security an “add-on” of IT and a business burden to avoid has to change dramatically. Security must become part of normal thinking, because the risk is higher than ever.
When considering IoT and security, ask yourself:
Would you drive or feel safe in an easy-to-hack car, on an easy-to-hack road?
Would you like to depend on an easy-to-hack medical device?
Would you like to count on a hackable safe city system?
….
We have to realize that Security is important in all realms.
It is not just a product add-on (the antivirus…) but we will have to deal with new things like: