The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things are also true: too many people fail to take simple steps to stay safer online, and individuals who become victims of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in people’s everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer — it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

12 Issues Inhibiting the Internet of Things

While the Internet of Things (IoT) accounts for approximately 1.9 billion devices today, it is expected to be more than 9 billion devices by 2018—roughly equal to the number of smartphones, smart TVs, tablets, wearable computers and PCs combined. But, for the IoT to scale beyond early adopters, it must overcome specific challenges within three main categories: technology, privacy/security and measurement.

Following are 12 hurdles that are hampering the growth of the IoT:

1. Basic Infrastructure Immaturity

IoT technology is still being explored, and the required infrastructure must be developed before it can gain widespread adoption. This is a broad topic, but advancement is needed across the board in sensors themselves, sensor interfaces, sensor-specific micro controllers, data management, communication protocols and targeted application tools, platforms and interfaces. The cost of sensors, especially more sophisticated multi-media sensors, also needs to shrink for usage to expand into mid-market companies.

2. Few Standards

Connections between platforms are now only starting to emerge. (E.g., I want to turn my lights on when I walk in the house and turn down the temperature, turn on some music and lock all my doors – that’s four different ecosystems, from four different manufacturers.) Competing protocols will create demand for bridge devices. Some progress is emerging in the connected home with Apple and Google announcements, but the same must happen in the enterprise space.

3. Security Immaturity

Many products are built by smaller companies or leverage open source environments that do not have the resources or time to implement the proper security models. A recent study shows that 70% of consumer-oriented IoT devices are vulnerable to hacking. No IoT-specific security framework exists yet; however, the PCI Data Security Standard may find applicability with IoT, or the National Institute of Standards and Technology (NIST) Risk Management Guide for ITS may.

4. Physical Security Tampering

IoT endpoints are often physically accessible by the very people who would want to meddle with their results: customers interfering with their smart meter, for example, to reduce their energy bill or re-enable a terminated supply.

5. Privacy Pitfalls

Privacy risks will arise as data is collected and aggregated. The collation of multiple points of data can swiftly become personal information as events are reviewed in the context of location, time, recurrence, etc.

6. Data Islands

If you thought big data was big, you haven’t seen anything yet. The real value of the IoT is when you overlay data from different things — but right now you can’t because devices are operating on different platforms (see #2). Consider that the connected house generates more than 200 megabytes of data a day, and that it’s all contained within data silos.

7. Information, but Not Insights

All the data processed will create information, eventually intelligence – but we aren’t there yet. Big data tools will be used to collect, store, analyze and distribute these large data sets to generate valuable insights, create new products and services, optimize scenarios and so on. Sensing data accurately and in timely ways is only half of the battle. Data needs to be funneled into existing back-end systems, fused with other data sources, analytics and mobile devices and made available to partners, customers and employees.

8. Power Consumption and Batteries

50 billion things are expected to be connected to the Internet by 2020 – how will all of it be powered? Battery life and the energy consumed by sensors and actuators need to be managed more effectively. Wireless protocols and technologies optimized for low data rates and low power consumption are important. Three categories of wireless networking technologies that are better suited for IoT are either available or under development: personal area networks; longer-range sensors and mesh networks; and application-specific networks.

9. New Platforms with New Languages and Technologies

Many companies lack the skills to capitalize on the IoT. IoT requires a loosely coupled, modular software environment based on application programming interfaces (APIs) to enable endpoint data collection and interaction. Emerging Web platforms using RESTful APIs can simplify programming, deliver event-driven processes in real time, provide a common set of patterns and abstractions and enable scale. New tools, search engines and APIs are emerging to facilitate rapid prototyping and development of IoT applications.

10. Enterprise Network Incompatibility

Many IoT devices aren’t manageable as part of the enterprise network infrastructure. Enterprise-class network management will need to extend into the IoT-connected endpoints to understand basic availability of the devices as well as manage software and security updates. While we don’t need the same level of management access as we do to more sophisticated servers, we do need basic, reliable ways to observe, manage and troubleshoot. Right now, we have to deal with manual and runaway software updates: either there are limited or no automated software updates, or there are automatic updates with no way to stop them.

11. Device Overload

Another issue is scale. Enterprises are used to managing networks of hundreds or thousands of devices. The IoT has the potential to increase these numbers exponentially. So the ways we currently procure, monitor, manage and maintain will need to be revisited.

12. New Communications and Data Architectures

To reduce power consumption and drive down overall cost, IoT endpoints are often limited in storage, processing and communications capabilities. Endpoints that push raw data to the cloud allow for additional processing as well as richer analytics by aggregating data across several endpoints. In the cloud, a “context computer” can combine endpoint data with data from other services via APIs to smartly update, reconfigure and expand the capabilities of IoT devices.

The IoT will be a multi-trillion industry by 2020. But entrepreneurs need to clear the hurdles that threaten to keep the IoT from reaching its full potential.

This article was co-written with Daniel Eckert. The article draws on PwC’s 6th Annual Data IQ Survey. The article first appeared on LinkedIn.