5th National ICT SUMMIT
CYBER SECURITY in the Era of Internet of Things
– TRENDS and THREATS – Illegal devices and Legislation towards their Management
16th October 2018
Mr. Philip HIKUMWAH
Syntex Technologies®2018
AGENDA
• What is IoT (Internet of Things)
• Components of IoT
• Why IoT ?
• Application of IoT
• Challenges faced by IoT
• IoT Security
• Top 5 Security Challenges
• IoT Security Management – SECURITY FRAMEWORK - COMPLIANCE
• GLOBAL CYBERSECURITY INDEX (GCI) – AFRICAN RESULTS ANALYSIS
• GCI STANDARDS
• LEGAL, TECHNICAL, ORGANIZATIONAL, CAPACITY BUILDING, COOPERATION
• AFRICAN ANALYSIS
• SADC ANALYSIS
• NAMIBIA Vs TOP AFRICAN COUNTRIES
• NAMIBIA Vs SADC
• CyberSecurity and IoT: What Role for GOVERNMENT?
• CONCLUSION
What is IoT (Internet of Things)
The Internet of Things (IoT) is the network of
physical objects—devices, vehicles, buildings and other items
embedded with electronics, software, sensors, and network
connectivity—that enables these objects to collect and exchange data.
In simple words, Internet of Things (IoT) is an ecosystem of
connected physical objects that are accessible through the internet.
THINGS, CONNECTIVITY, DATA, ANALYTICS
What is IoT (Internet of Things)
IoT is a catalyst for the 4th Industrial Revolution
• 1st: Mechanization, Water Power, Steam Power
• 2nd: Mass Production, Assembly Line, Electricity
• 3rd: Computer and Automation
• 4th: Cyber Physical Systems
Components of IoT
Smart Systems and Internet of Things are driven by a combination of:
• SENSORS
• CONNECTIVITY
• PEOPLE & PROCESSES
WHY IoT ?
• IoT IS ENABLING A NEW WAVE IN DIGITAL BUSINESS TRANSFORMATION
Dynamic control of industry and daily life.
Improves the resource utilization ratio.
Integrating human society and physical systems.
Flexible configuration.
Acts as technology integrator.
Universal inter-networking.
Current status & future prospect of IoT
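2003: World Population 6.3 Billion; Connected Devices 500 Million; Connected Devices By Person 0.08
2010: World Population 6.8 Billion; Connected Devices 12.5 Billion; Connected Devices By Person 1.84
2018: World Population 7.6 Billion; Connected Devices 23.14 Billion; Connected Devices By Person 4.25
2020: World Population 7.6 Billion; Connected Devices 50 Billion; Connected Devices By Person 6.58
More Connected Devices than People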
Application of IoT
You name it, and you will have it in IoT!
Application of IoT
● Facilities
  ○ Building Temperature Control Systems
  ○ Electrical Systems
  ○ Lighting Systems
  ○ VoIP Phones
  ○ Trash Cans
  ○ Water Sensors for Floods
  ○ Building Equipment Monitoring
    ■ Motors, Pumps, Boilers, etc.
● Safety
  ○ IP Video Surveillance
  ○ Fire Alarm and Life Safety Systems
  ○ Security Alarms
  ○ Electronic Door Access
  ○ IP enabled Police and Security Teams
  ○ IP Enabled Police Vehicles
● Classroom Technologies
  ○ Clickers in the Classroom
  ○ Projectors
  ○ IP Streamed Audio
  ○ Computer Presentation Integration
● Tutoring Spaces
  ○ Check in / out for Tutoring
  ○ AV equipment
  ○ Scheduling Devices
● IP Connected Laboratory Equipment
  ○ Refrigerators
  ○ Microscopes
  ○ Laboratory Probes (Frog Sensors)
● Research
  ○ IP Connected Laboratory Equipment
    ■ Gene Sequencers
    ■ Functional MRI Machines
    ■ Irradiators
  ○ Refrigerators
  ○ Microscopes
  ○ Laboratory Probes (Frog Sensors)
● Staff Offices
  ○ Multifunction Printers
  ○ Coffee Makers / Microwaves
  ○ IP connected mailboxes
  ○ Conference Room Scheduling
  ○ Conference Room Presentation Systems
  ○ Time Clocks
● Transit Services
  ○ Vehicle Location Tracking & Reporting
  ○ Rider Tracking and Verification
  ○ Safety Monitoring
  ○ Rider Entertainment / Information
  ○ Parking Control and Wayfinding
  ○ Parking Pay Stations
● Residential Services
  ○ Entertainment
  ○ Building Safety
  ○ Utility Monitoring and Bill Back
  ○ Building Access Control
  ○ Laundry Services
● Disability Services
  ○ Text to Speech
  ○ Speech to Text
  ○ Call for Help
  ○ Health Monitoring
  ○ ADA Route Wayfinding
  ○ ADA Parking
● Sports and Fitness
  ○ Wearable Fitness Trackers
  ○ IP connected Sports Equipment
    ■ Treadmills, Bikes, etc.…
  ○ Attendance / Admission Control
  ○ Sporting Event Management / Fan Interaction
    ■ Microphones to measure cheering levels during events
    ■ Ticket / Seating Verification
    ■ Venue Facilities Management
● Physical and Mental Health
  ○ Appointment Scheduling
  ○ Medical Appointment Notes
  ○ Diagnostic Medical Equipment
Challenges faced by IoT
At present IoT faces many challenges, such as:
Scalability
Technical requirements
Technological standardization
Software complexity
SECURITY
Do you Trust your IoT Data & Collector?
• Do you trust the data you are collecting and/or using?
• Do you trust who is collecting the data from you?
IoT Security ?
• The BARCODE was designed to SHARE information
• The RFID TAG was designed to SHARE information
• NETWORKS were designed to SHARE information
• The IoT System was designed to SHARE information
• Security was an AFTERTHOUGHT (what are the security threats?)
(and it continues to be an afterthought today… )
What Went Wrong?
More Devices, More Data, More Opportunities, and More RISKS…
• The IoT technologies have been around for a long time
• Advances in communication and connectivity are allowing the “interconnectedness” needed for IoT
• The value is in the DATA not the connections
• The DATA allows you to make autonomous decisions based on business rules closer to the edge
It’s all about the DATA!
IoT Security: New Things?
• In the era of IoT,
• Do we need new concepts to describe IoT security?
• Do we need new security models for IoT?
• AND
• What is the gap between IoT security and existing security solutions?
• When cloud arrived, what did we do for new solutions?
• When smart phones and BYOD came, what did we do?
• What makes IoT different from the last two major waves?
• Problems and security challenges
• New devices for endpoint security
• New firmware, embedded OS, new software.
• It is not possible to support AV on every device.
• New transport protocols make network security DIFFICULT!
• Much more network traffic for security analysis
• Bad news for large enterprises as network security is already complex and cumbersome
IoT Security: New Things?
ATM (Automated Teller Machine)
Airline Check-in Machines
Connected Cars
Digital Sensing
Computing
Communication
New Devices with New Capabilities : For example
Year 2020
Existing Connected Things
…
IoT Security: New Things?
WHAT IS NEW ??
PLATFORMS
SECURITY TECHNOLOGY
IoT SECURITY means new opportunities for a security professional, i.e. (SYNTEX TECHNOLOGIES), to develop Novel Security SOLUTIONS!
ENDPOINT Security
GATEWAY Security
MOBILE Security
CLOUD Security
SNS Security
SDN Security
IoT Security
IoT Security: New Field?
• IoT Security Top 10 Vulnerabilities (OWASP Source):
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
IoT Security - Vulnerabilities
• Seven IoT security Risks:
1. Disruption and denial-of-service attacks
2. Understanding the complexity of vulnerabilities
3. IoT vulnerability management
4. Identifying, implementing security controls
5. Fulfilling the need for security analytics capabilities
6. Modular hardware and software components
7. Rapid demand in bandwidth requirement
IoT Security: Risk Management
IoT Security: CYBER ATTACKS Threats
Top 05 IoT Security Challenges
• The security of the “thing” is only as secure as the network in which it resides: this includes the
• People,
• Processes,
• and technologies involved in its development and delivery
• IoT technology requires a shift in mindset, particularly for devices that hold important financial and personal information.
• However, not all IoT devices are secure enough to prevent identity theft and security breaches
• What’s more,
Biometric authentication, such as fingerprint scans and voice recognition, can provide a safer way of securing data, using tech that is already familiar to many mobile phone users.
1. Identity Theft & Unsecured End-Devices
87% of enterprises worry about vulnerabilities within IoT devices
Even with increased security at the end-user level, hackers can still infiltrate your network or data centre
1. Identity Theft & Unsecured End-Devices
87 percent of enterprises worry about vulnerabilities within the IoT devices themselves
IoT Security Concern (%):
• Vulnerabilities in the Devices Themselves: 87%
• Data Leakage: 81%
• Access Control: 75%
• Asset Management: 39%
• IoT does not pose any Significant Security Concern: 2%
• Other: 2%
2. Insufficient Patching & Testing
One of the biggest IoT security challenges for smart devices is also a common threat to all software deployments: Inefficient patching.
Outdated devices may contain dangerous bugs or vulnerabilities that hackers can target and therefore pose a risk to the organisation’s data security.
Consumers Concerns (%):
• Concerned hackers will control their IoT devices: 65%
• Worried their IoT data will be leaked: 60%
• Believe there should be IoT security regulation: 90%
• A recent security report recommends that vendors don’t sell IoT devices with default credentials (such as the username ‘admin’). However, these are only guidelines and manufacturers don’t necessarily have to follow them.
Weak login details leave your financial IoT devices vulnerable to brute-force attacks.
Without the right security measures, the business assets and customer information are at High risk!
3. Default passwords and brute-force hacking
• It’s vital that Organizations and companies invest in the appropriate safeguarding measures when processing IoT data.
• For example, for a financial organisation that processes masses of sensitive data, one breach could potentially ruin its reputation and customer trust.
• Although keeping the IoT data in sight seems to offer an added sense of physical security, processing the information on-premise is a big IoT security challenge.
• Without the right expertise or physical hardware, compromised or stolen infrastructure puts you at great risk
4. IoT Data processing
• More than 70 percent of organizations admit that the rapid deployment of new technologies - such as the cloud, big data and IoT – is a larger priority than securing their infrastructure and network.
5. Multi-layer Data Management & Security
But, while the Internet of Things is a trending business investment for organizations, it should never come at the expense of weakened defenses.
To keep the business and customers safe, security needs to be placed at the heart of all investments, keeping IoT security challenges in mind across all layers of the network:
5. Multi-layer Data Management & Security
• Investing in a compliant, transparent and secure IoT hub, on a safe platform, can ensure your data remains safe throughout your Internet of Things journey and can allow you to detect threats before they cause irreversible damage.
• There are IoT Security solutions that can secure and manage billions of different IoT devices, with functions such as applying identities and credentials to individual devices.
• With built-in cloud security, the IT team spends less time on routine patching and monitoring and more time analysing IoT data for business-driven insights:
End-point devices
Embedded software
Communications
Cloud platforms
Web, cloud and mobile applications
• IoT will merge the following DOMAINS
INFORMATION SECURITY
OPERATIONAL SECURITY
PHYSICAL SECURITY
INFORMATION TECHNOLOGY SECURITY
IoT
IoT Security Management
Internet of Things security spending ($)
Internet of Things security spending worldwide from 2016 to 2021 (in million U.S. dollars)
IoT Security CYBERSECURITY Framework
• Cybersecurity outcomes and informative references
• Enables communication of cyber risk across an organization
• Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics
• Aligns industry standards and best practices to the Framework Core in an implementation scenario
• Supports prioritization and measurement while factoring in business needs
• Compliance is a critical component of any security program. Compliance lives by the rule that states We Trust but Verify. The concept is that we must obtain evidence of compliance with stated policies, standards, laws, regulations, etc. in order to issue the proper attestations as required.
• REGULATORY COMPLIANCE FOR CYBERSECURITY
• ISACA SSH Audit Practitioner Guidance
• HIPAA Security Rule
• ISO/IEC 27001:2013
• NIST Cybersecurity Framework
• NIST IR 7966 on SSH Keys
• NIST SP 800-53 / FISMA Law
• PCI DSS Compliance
• SANS Top-20 Critical Security Controls
• Sarbanes-Oxley Act
• EU GDPR
• BASEL Accords for Banks
• Compliance, which is only a point in time, is directly impacted by the ever changing and always evolving rules and regulations which makes it quite challenging for organizations to maintain a sound compliance posture. The continuous expansion and extension of our production environments also adds to the compliance challenges we all face today.
IoT Security – COMPLIANCE
Case Study: Lessons Learned from Past Experiences
• All software can contain vulnerabilities
• Public not informed for months
• Vendors may delay or ignore issues
• Product lifecycles and end-of-support
• Patching IoT devices may not scale in large environments
• Trust: Allow only designated people/services device or data access
• Identity: Validate the identity of people, services, and “things”
• Privacy: Ensure device, personal & sensitive data is kept private
• Protection: Protect devices and users from harm
• Safety: Provide safety for devices, infrastructure and people
• Security: Maintain security of data, devices, people, etc.
IoT Security: Build TIPSSS Approach
GLOBAL CYBERSECURITY SCORES – AFRICAN RESULTS ANALYSIS
GLOBAL CYBERSECURITY SCORES – WORLDWIDE RESULTS
The second edition of the Global Cybersecurity Index 2017, released by the International Telecommunications Union (ITU), an agency of the United Nations, measured the commitment of ITU Member States to cybersecurity and highlighted a number of illustrative practices from around the world.
Heat Map of National Cybersecurity Commitments
Out of the 193 Member States, there is a huge range in cybersecurity commitments, as the heat map below illustrates.
Level of commitment: from Green (highest) to Red (lowest)
• Out of the 44 Member States in Africa, a quite low general level of cybersecurity commitment can be observed.
Level of commitment: from Green (highest) to Red (lowest)
GLOBAL CYBERSECURITY SCORES – AFRICAN CLASSIFICATION
• Disintegration at the international level and low commitment in Africa may be caused by conflicts in the past and the lack of capacity building in the region
GCI Heat Map by AFRICAN sub-region
Level of commitment: from Green (highest) to Red (lowest)
GLOBAL CYBERSECURITY SCORES – AFRICAN CLASSIFICATION
GLOBAL CYBERSECURITY SCORES – CONCEPTUAL FRAMEWORK
LEGAL
• Cybercriminal Legislation
• CyberSecurity Regulation
• CyberSecurity Training
TECHNICAL
• National CIRT
• Government CIRT
• Sectoral CIRT
• Standards for Organizations
• Standards and Certifications for Professionals
• Child Online Protection
ORGANIZATIONAL
• Strategy
• Responsible Agency
• CyberSecurity Metrics
CAPACITY BUILDING
• Standardization Bodies
• Good Practices
• R&D Programmes
• Public Awareness Campaigns
• Professional Training courses
• National Education Programmes and academic curricula
• Home-grown CyberSecurity Industry
COOPERATION
• Intra-State Cooperation
• Multilateral Agreements
• International fora participation
• Public-Private Partnerships
• Inter-Agency Partnerships
Conceptual framework
The five pillars of the GCI are briefly explained below:
1. Legal: Measured based on the existence of legal institutions and frameworks dealing with cybersecurity and cybercrime.
2. Technical: Measured based on the existence of technical institutions and frameworks dealing with cybersecurity.
3. Organizational: Measured based on the existence of policy coordination institutions and strategies for cybersecurity development at the national level.
4. Capacity Building: Measured based on the existence of research and development, education and training programmes; certified professionals and public sector agencies fostering capacity building.
5. Cooperation: Measured based on the existence of partnerships, cooperative frameworks and information sharing networks.
GLOBAL CYBERSECURITY SCORES – AFRICAN CLASSIFICATION
GCI Groups Report
African Member States were classified into three categories by their GCI score:
Leading stage refers to the 6 countries (i.e., GCI score in the 50th percentile and higher) that demonstrate high commitment.
Maturing stage refers to the 11 countries (i.e., GCI score between the 20th and 49th percentile) that have developed complex commitments, and engage in cybersecurity programmes and initiatives.
Initiating stage refers to the 27 countries (i.e., GCI score less than the 20th percentile) that have started to make commitments in cybersecurity.
AFRICAN REGION SCORES
[Chart: GCI GLOBAL SCORE – AFRICAN REGION]
SADC REGION SCORES
GLOBAL CYBERSECURITY INDEX SCORE - SADC REGION - (GCI Global score):
Mauritius: 0.83
South Africa: 0.502
Botswana: 0.43
Tanzania: 0.317
Zambia: 0.292
Mozambique: 0.206
Zimbabwe: 0.192
Seychelles: 0.184
Madagascar: 0.168
Lesotho: 0.094
Malawi: 0.084
Angola: 0.078
Namibia: 0.066
Swaziland: 0.041
DR of the Congo: 0.04
SADC REGION SCORES
GLOBAL CYBERSECURITY INDEX SCORE & WORLD RANK - SADC REGION - (World Rank):
Mauritius: 6
South Africa: 58
Botswana: 69
Tanzania: 88
Zambia: 91
Mozambique: 109
Zimbabwe: 113
Seychelles: 115
Madagascar: 121
Lesotho: 143
Malawi: 145
Angola: 146
Namibia: 151
Swaziland: 160
DR of the Congo: 161
SADC REGION SCORES
[Chart: GLOBAL CYBERSECURITY INDEX SCORE & WORLD RANK - SADC REGION -, with the countries grouped into Leading Stage, Maturing Stage and Initiating Stage]
SADC REGION SCORES
[Chart: SADC SCORES - ALL PILLARS (Legal, Technical, Organization, Capacity, Cooperation), showing Legal Score, Technical Score, Organizational Score, Capacity Score and Cooperation Score for Mauritius, South Africa, Botswana, Tanzania, Zambia, Mozambique, Zimbabwe, Seychelles, Madagascar, Lesotho, Malawi, Angola, Namibia, Swaziland and DR of the Congo]
NAMIBIA Results Vs TOP 3 AFRICAN COUNTRIES
[Chart: NAMIBIA VS TOP 3 AFRICAN COUNTRIES (Mauritius, Rwanda, Kenya, Namibia), comparing GCI SCORE, LEGAL, TECHNICAL, ORGANIZATIONAL, CAPACITY BUILDING and COOPERATION]
GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (RWANDA & KENYA)
Rwanda, ranked second in Africa,
• Scores high in the organizational pillar and has a standalone cybersecurity policy addressing both the public and private sector.
• It is also committed to develop a stronger cybersecurity industry to ensure a resilient cyber space.
Kenya, ranked third in the region,
• Provides a good example of cooperation through its National Kenya Computer Incident Response Team Coordination Centre (National KECIRT/CC).
• The CIRT coordinates at national, regional and global levels with a range of actors.
• Nationally this includes ISPs and the financial and educational sectors; regionally it works with other CIRTs through the East African Communications Organization;
• and internationally it liaises with ITU, FIRST, and bi-laterally with the United States and Japan CIRTs among others.
GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (MAURITIUS)
• MAURITIUS Among WORLD TOP 10 in CYBERSECURITY Preparation!
[Chart: TOP 10 GCI SCORE IN ALL PILLARS (GCI Score, Legal, Technical, Organizational, Capacity Building, Cooperation) for Singapore, United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada]
GCI TOP 3 AFRICAN COUNTRIES ANALYSIS (MAURITIUS)
Mauritius is the top ranked country in the Africa region and ranked 06th WORLDWIDE
• It scores particularly high in the legal and the technical areas.
• The Botnet Tracking and Detection project allows Computer Emergency Response Team of Mauritius (CERT-MU) to proactively take measures to curtail threats on different networks within the country.
• Capacity building is another area where Mauritius does well.
• The government IT Security Unit has conducted 180 awareness sessions for some 2000 civil servants in 32 government ministries and departments.
CyberSecurity and IoT: What Role for GOVERNMENT?
The cyber community is seeing an increase in dialogue between legislators and companies developing IoT devices about the need for regulatory oversight and whether government intervention to secure IoT is needed — or should be feared.
What is government’s role in securing the IoT (Internet of things)?
Government cannot solve the entire problem, so it first needs to understand its role and make the most of it.
Government as IoT end user. Public administrations and utilities, universities, schools, law enforcement, and other government functions can take advantage of the new technologies to break traditional trade-offs and find innovative ways to serve the public.
Government as infrastructure provider. Just as governments are responsible for building and maintaining their countries’ highways for vehicles, they may be called upon to provide the infrastructure for the IoT.
Government as regulator. New technologies necessarily bring with them new uncertainties about their use. These uncertainties represent a risk to the public, which governments at all levels are responsible for ameliorating.
Government as Regulator: Government cannot take action to regulate fast-moving technology
Innovators: Lack of regulatory clarity hinders tech options, further delaying Final formats/users
Government acts in its role as:
• USER
• Infrastructure Provider
Innovators: Know the parameters of responsible use; have good examples and right tools to do it
CyberSecurity and IoT: What Role for GOVERNMENT?
SOLUTION
CyberSecurity and IoT: What Role for GOVERNMENT?
COMMUNICATE
• Common Bottleneck to information Flow: Competition for Limited bandwidth can slow development
• GOVERNMENT ACTION NEEDED to support responsible development of IoT: GOVERNMENT must act as INFRASTRUCTURE PROVIDER to ensure effective bandwidth
AGGREGATE
• Common Bottleneck to information Flow: Lack of Common Standards can limit aggregation of Data
• GOVERNMENT ACTION NEEDED to support responsible development of IoT: Industry is leading, NO GOVERNMENT action is needed
ANALYZE
• Common Bottleneck to information Flow: Analysis of such volumes and new types of Data can create Privacy issues
• GOVERNMENT ACTION NEEDED to support responsible development of IoT: GOVERNMENT must act as REGULATOR to protect consumers
WAYS AHEAD
• Use Role of GOVERNMENT as USER of IoT to set GOOD EXAMPLES
• Use Role of GOVERNMENT as INFRASTRUCTURE PROVIDER of IoT to reduce FUNCTION CREEP
• Use Role of GOVERNMENT as BOTH USER of IoT and INFRASTRUCTURE PROVIDER of IoT to enable TRANSPARENCY GOOD
CyberSecurity and IoT: What Role for GOVERNMENT?
The government needs to identify and protect systems with a cyber-shield — rather than the piecemeal, element-by-element approach
Government also has an important role when it comes to convening and leading forums to establish best practices for the creation of a secured ecosystem, including infrastructure frameworks that contain IoT within them.
If there’s one thing government can do better than industry, it is to assemble the best brains and talent in the country, from a cross-section of disciplines — software, hardware, manufacturing, AI — to focus their expertise on the challenges we face and to ask the right questions.
Another role government can play is to be the national educator — this will put pressure on vendors to start investing more on the security side of their devices.
That said, if done prudently, best practices and processes should be able to balance the need for cyber-creativity within a rules-based framework that the public can trust.
So, no strict standards, but
This means it needs to work strategically and top-down, starting with assuring that the whole system is secured. Call it a “systemic strategy.”
Threat vs. Opportunity
• If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety
• If understood and secured, IoT will enhance communications, lifestyle, and delivery of services
INTERNET OF THINGS & CYBERSECURITY
NAMIBIA METRICS
NAMIBIA CYBERSECURITY METRICS
The following general information was noted from the participating entities.
23 respondents across 6 industry categories participated
Size of respondents’ staff complement
NAMIBIA CYBERSECURITY METRICS
78% of entities allocate responsibility for the monitoring and management of cyber risk at managerial level or below.
In 76% of all entities, a single person was reported to be responsible for the monitoring and management of cyber risk and incidents
IoT security is often beyond the average IT leader’s skill set, as it involves managing physical devices and objects rather than virtual assets
NAMIBIA CYBERSECURITY METRICS
70% manage cyber actively, but only 52% include a business continuity plan as part of this management
NAMIBIA CYBERSECURITY METRICS
65% of respondents test their business continuity plans; with 48% testing at least annually, in line with best practice
By contrast, only 52% of respondents had a documented and disseminated business continuity or disaster recovery plan
NAMIBIA CYBERSECURITY METRICS
65% of entities feel insufficient skills exist within their entity
35% of entities did not conduct user training on information security at all
NAMIBIA CYBERSECURITY METRICS
39% of entities have never performed a vulnerability assessment, penetration testing or software code review to determine potential exposure
Twitter: @onghass6
Email: [email protected]
+264 61 309 171
+264 811 223 926