What are IoT devices?

The Internet of Things (IoT) is a network of physical items implanted with sensors, software, and other technologies that act on the collected data via machine learning. They are devices created to adapt to users’ daily needs and improve daily repetitive tasks. It can be anything from intelligent kids’ toys or smart home appliances to healthcare devices, vehicles, etc.

However, businesses use IoT technology on a larger scale, starting with smart office systems that include smart locks, remote security cameras, and climate control, and ending with complex solutions, such as digital financial modeling, AI-based management solutions, intelligent factory systems, autonomous agriculture, etc.

How IoT is transforming businesses

Research shows that companies who utilized IoT devices for a year noticed these positive trends: improved productivity, reduced labor, increased worker safety, etc.

Here are a few examples of how IoT improves business solutions:

1. They help you manage and track your inventory by providing various remote control choices.

2. They are becoming smarter with every connection to the device – the more they track, the more they learn about the patterns, and by doing so, they optimize the user’s experience.

3. They innovate businesses with the help of predictive maintenance. For example, these devices will help monitor your harvest if you work in agriculture.

4. They reduce waste by improving power management and water consumption, making businesses more eco-friendly.

5. They reduce human labor by automating repetitive tasks and helping to allocate workforce resources to more complex tasks.

6. They automatically schedule and control various production tasks, increasing productivity.

7. They assist in maintenance. For example, IoT devices measure temperature, humidity, and other indicators to achieve necessary storage conditions.

8. They can even prevent diseases or health issues by tracking necessary health data, such as blood sugar levels, and reminding about insulin injections.

The hidden dangers of IoT

The advantages are outstanding, but many IoT devices still don’t meet the minimum cybersecurity standards. If not secured, they’re sensitive to cyberattacks, such as an incident with a hijacked Tesla when the attackers gained access to car control while it was driving.

The number of cyberattacks on IoT devices is growing at alarming rates. In the first half of 2021, it was twice as high as the total number of attacks in 2020. Here are the most frequent types of threats carried out against IoT devices:

• DoS (denial-of-service) attacks are carried out to take down company online assets and steal their sensitive data.

• Brute-force password attacks lead to criminals gaining access to a particular device.

• Firmware hijacking is used to access a device when software is downloaded from an illegitimate source.

• Eavesdropping attack occurs when a hacker intercepts, deletes or changes data sent between two devices.

Top causes making IoT devices insecure

A recent study addressed the most common IoT security issues: lack of personal information privacy, unprotected software, insecure web, weak passwords, and lack of encryption. In general, many people and businesses don’t prioritize security simply because they are unaware of why they need it. Unlike laptops and other types of consumer electronic hardware, many of these devices don’t have built-in security that provides regular security updates.

Another issue is that people don’t change the initial default settings and leave them as they were after setting up IoT devices at their home or office. Many off-brand IoT producers manufacture devices with fewer resources and cheaper components that usually are insecure, creating an ever-increasing threat to the device owners.

How to secure your business IoTs

The main problem for businesses is that they have too many devices and don’t usually supervise them. That creates security gaps in your cybersecurity and opens the doors for eager cybercriminals. So, here are 10 steps for how you can secure your business IoT devices:

1. Understand the current IoT assets. Run an internal audit to determine how many and what kind of IoT devices you have and who has the access.

2. Monitor ALL the devices. Keep an eye on all of your devices to protect them from being infected – utilize a tech solution to automate this process.

3. Apply a tracking system. Implement an identity and access management (IAM) solution that will allow you to track which IoT devices are active and when they go online and offline.

4. Build an internal security system. Block any potential threat by using network access control (NCA) technologies that authenticate and authorize network users to access your company’s information.

5. Remove all data from old devices. Pay attention to the devices that aren’t in use anymore, as they may store important information. After removing all data, consider returning them to manufacturers for recycling.

6. Choose reliable suppliers. Pay attention to the manufacturer of your IoT devices, because it’s very important to know whether the device comes with built-in security and how you should update it from reliable sources in the future.

7. Keep the devices up-to-date. Various software updates bring bug fixes and security patches, so it’s essential to be updated regularly.

8. Make unlockable passwords. Build strong password combinations consisting of various symbols, letters, and numbers to make them hard to crack. Also, creating a master password would do the trick if the devices are connected to a phone, tablet, or computer.

9. Guarantee IoT security. Ensure that you are using port security, invest in a network intrusion detection system, disable port forwarding, and use security solutions like VPN and firewalls.

10. Secure the Wi-Fi. Last but not least, ensure the Wi-Fi router’s safety – strengthen the router firewall, deactivate WPS, and enable the WPA2 protocol. And, as always, use a strong password for it!

First, could you tell us a bit about yourself and what you do here at Nord Security?

Hey, my name is Aivaras, and I am the Head of Product at NordLocker. I lead the team who provides an encrypted cloud solution for anyone who wants to safely store their data and still be its original owner. I know it sounds similar to what usual cloud providers say, but, believe me, you lose control over your files the moment you upload them to the cloud. The simple truth is that many providers still have the decryption key and can access the files at any time. With NordLocker, it’s the opposite – we secure your data without the ability to see it, a.k.a zero-knowledge architecture. Together with a team of excellent Product Owners and Designers, we successfully lead the product’s vision, roadmap development, and new feature discovery.

Weakest nodes of security in business

From your experience, how likely are companies to protect their data and have a data protection policy in place? Why?

Well, this likelihood usually comes down to several different factors. First of all, it depends on the company size, the industry in which it operates, IT maturity, and more. Secondly, it’s also somewhat affected by the growing awareness of data security risks and the necessity to secure it through various data protection measures. And finally, the most impactful factor is the rising number of breaches and the fear of becoming one of the targets. As a result, companies tend to care more about their data security when they or someone close to them experience a breach. So, it’s still more “reacting to disaster” than preparing for it proactively.

In your opinion, what can cause more security breaches and damage – lack of security policy or employee carelessness? Why?

It is unquestionably both. Businesses that don’t have at least basic security policies in place often become easy prey for cybercriminals. Unfortunately, the same thing can happen due to the employee’s carelessness. A company with the most sophisticated, well-described, and thought-through security procedures can be compromised if employees keep their passwords written on sticky notes on their desks. In that case, no policy can help. Cybercriminals spend a lot of time looking for the weakest links in a company’s protection, and if there are any, it’s bound to be exploited.

Even though people are often a company’s weakest link in security, this doesn’t happen just because they are careless. Usually, our basic habits, knowledge of cyber threats, and understanding of security policies and tools differ, and we aren’t very aware of complex security measures. So to ensure that employees aren’t the cause of a breach, every business should ask itself whether it’s easy for people to use already applied security tools and what additional effort employees have to make to follow those security policies.

The growing scale of ransomware

Let’s talk a little bit about ransomware. How big of a threat to company security is it? Could you share a bit of data on that?

The truth is that nowadays, ransomware is one of the biggest and fastest-growing threats. Mainly because it causes two very harmful things for businesses – it steals sensitive data that can cause reputational damage if exposed and blocks business access to crucial data needed to run daily operations. This fear of disruption and data loss pushes company owners to pay ransoms, increasing the attackers’ desire to carry out even larger operations. In fact, in 2021 alone, ransomware attacks rose to 1,000 per day, mostly targeting industries such as construction, manufacturing, finance, and others. So no business is safe from ransomware and other types of malware unless they do data encryption to protect against these threats.

What is the more attractive target for cybercriminals – confidential business information or employee information?

At the end of an attack, attackers typically seek to gain access to confidential company information, which is the ‘highest tier’ in data value scales. However, this data is usually the most protected from hackers. So, this is where employee information comes into play: breaching employee data can lead attackers further and provide them with access to more important corporate data. Simply put, stealing employees’ information could be the start of a very complex and harmful data breach.

Evaluating the risks

Does the size of a company directly impact the effectiveness of its cybersecurity policy? Why? How should a company solve such a problem?

Well, the company size doesn’t necessarily affect the effectiveness of cybersecurity. Larger companies may seem more resilient to cyber-attacks because they have more resources and a greater number of dedicated IT specialists who can examine the company’s cybersecurity ecosystem. However, this is not the case. They may have much more flaws, and it is far more difficult to oversee the training and safety of thousands of people rather than 10 or 20. On the other hand, small businesses cannot dedicate large budgets to cybersecurity and employ IT security professionals. However, being small, they are less likely to attract the attention of criminals. Nevertheless, there is always a risk. So, no matter how big or small the company is, all businesses should think about potential cybersecurity dangers regularly.

Usually, a ‘what-if’ scenario helps to evaluate the scale of risk:

1. What if your business gets attacked?

2. How difficult would it be to continue business operations?

3. What are the costs of a potential loss of data?

4. What appropriate resources and attention should be dedicated to cybersecurity?

Practical tips to ensure your data is safe

How important is it to encrypt corporate information? How effective are NordLocker’s algorithms used to encrypt the company’s data?

Data encryption is one of the safest ways to protect corporate information from cyberattacks. Even if a file is stolen, the content is encrypted and cannot be accessed by anyone else. And this is where our NordLocker product succeeds – it combines data encryption with secure cloud storage and backup. So, in the event of a ransomware attack, the company’s data is protected and cannot be taken hostage, while the backups provide business continuity.

From your point of view – what steps should a company take to protect its information? What advice would you give to them?

1. First of all, a company should treat cybersecurity as a continuous business activity by making sure they are aware of the latest cyber threats. It is important to keep in mind that there is no one perfect solution or tool that could protect against all threats.

2. The second step is to identify possible dangers and weak areas in your firm. Once you find thems, make sure you implement the best security measures to strengthen your company’s vulnerabilities.

3. Finally, keep in mind that even the most modern security policies and tools may be considered worthless if the company’s employees do not naturally apply them. Using security tools that are simple to deploy and easy to use by employees with different technical knowledge can help make their daily routines much safer.

Thus, it is important to maintain a holistic approach and use a wide range of security tools that are easy to use and do not stand in the user’s way. It will help build a security net over the business and make it more resilient to ever-increasing cyber threats.

 

Wake up time

WFH: 7.30 AM

Office: 7.00 AM

My usual routine is to wake up, shower, get dressed, and maybe fix my hair or do my makeup. However, that depends on my time and or my mood. Since I’m located in Berlin, and most of my team works in Lithuania, I’ve chosen to work different hours from 8.00 AM to 5.00 PM from the rest of the company (9.00 AM to 6.00 PM). It allows me to be more in sync and have more free time in the afternoon.

Breakfast o’clock

WFH: 8.00 AM

Office: 7.30 AM

I usually have German bread with cheese and ham for breakfast during the week since it’s fast and easy to prepare. And, of course, a nice liter of tea. I would say a cup, but I like to drink lots of tea. Not a fan of coffee, unlike most of the developers that I know.

 

Head to work

7.40 AM

When I go to the office, I usually take public transport because it’s better for the environment, and we have a monthly ticket compensation as a benefit.

It usually takes 20 minutes to reach the office with the U-Bahn.

 

Welcome to the office

8.00 AM

Two things that I do when I get to the office – wash my hands (crucial after the public transport) and get another cup of tea (also crucial for a productive day ahead).

 

First work portion

WFH: 8.00 AM – 2.00 PM

Office: 8.00 AM – 12.00 PM

Daily standup: 9.30 AM (5-10 minutes)

NordPass Update/Meeting: 10.00 AM – 11.00 AM

Normally I don’t have a lot of meetings. I know – the dream of every developer. I usually have my daily standup, and on Mondays, we have an update about what’s going on in the company or any other relevant theme.

Guild meetings happen once a month, where all the front-end developers from NordPass get together and talk about things: from cool tech we just read about to important information about upcoming changes.

 

So I usually check my emails and some merge requests before my first meeting. And afterward, I just work completely on any task or bug I choose from our sprint board.

 

WFH: 2.00 PM

Office: 12.00 PM

My lunchtime normally changes a lot when I work from home because I like to cook and eat with my husband. Therefore, we must agree on a time that suits both of us. We take turns preparing the food, but it normally happens after 1.00 PM.

We like to eat Mexican food because we’re from Mexico, so we try to include tacos and other foods with lime and chili on our menus.

 

WFH: 3.00 PM – 5.00 PM

Office: 1.00 PM – 5.00 PM

After lunchtime, I prefer to finish up my tasks and start testing and fixing anything that’s not working properly. If I haven’t finished my tasks, then I continue working on them, maybe pausing for a couple of minutes to stretch out and eat a snack. Especially if I’m at the office, where I get the chance to talk with people from other teams.

 

Getting my sweat on

My ideal schedule would include going to the gym after work every day. However, currently, I go only once a week or less. But it’s good to have a goal for improvement.

Sprechen sie deutsch?

I’m learning German because I want to be able to communicate better in Berlin. Even though almost everyone here speaks English or even Spanish, I still think it’s important to know the local language.

The classes are held online on Tuesday, Wednesday, and Thursday from 6.30 PM until 8.00 PM. At the moment, I’m learning B1 level – so not a complete beginner.

 

Family bonding

Both my and my husband’s family live in Mexico. Therefore, we have to wait until they have some free time to talk with us. We aim to have long video calls with everyone at least once a week.

Light dinner (mostly)

I usually have dinner around 8.00 or 9.00 PM while talking with our families. It makes me feel as if we’re sitting down together for a meal. I prefer something light for dinner, like cereal, but sometimes we spice it up with pizza or some Korean chicken.

Night night

I mostly go to bed around 11.00 PM after washing the dinner dishes and making all the preparations for the next day ahead.

 

Which one do you prefer, working from the office or home? Why?

I prefer working from home because I like cooking my own lunch. However, sometimes taking a break and going for lunch with people from the office is also nice.

At what time of the day do you feel most productive, and what tasks do you do then?

I think the time after my daily stand-up and before lunch is my most productive time – I do most of my work then. After lunch is more for testing, fixing, and other pending things.

Things that you like most about being a front-end developer at Nord Security?

My teammates, hands down. They are supporting me at all times and encourage me to learn more and be better.

Things you wouldn’t miss being a front-end developer?

The fun issues with CSS.

What are the front-end stereotypes that you’d like to break?

That we don’t know anything about the back-end. In fact, I worked as a full-stack developer before. And, of course, we need to know how the back-end works to do our jobs better.

What challenges are you currently working on, and what have been the most interesting ones you had to deal with at Nord Security?

Developing new features is always challenging, but it’s the most interesting part of the job. So figuring out how to implement new stuff while ensuring everything else still works fine is the most stimulating thing about being a developer.

Also, migrating to newer versions of libraries and other tools is always a way to keep learning while suffering a bit. However, when everything works in the end – it’s truly awesome.

Please, briefly describe your team? What kind of people work there, and how do you collaborate?

My team is the best. Everyone is always eager to help. We always have the best team buildings. And even if we’re located in different countries, we still keep in touch and are close to each other.

Monitoring vs. Observability

“Monitoring” and “observability” are often used interchangeably, but these concepts have a few fundamental differences.

Monitoring is the process of using telemetry data to understand the health and performance of your application. Monitoring telemetry data is preconfigured, implying that the user has detailed information on their system’s possible failure scenarios and wants to detect them as soon as they happen.

In the classical approach to monitoring, we define a set of metrics, collect them from our software system, and react to any changes in the values of these metrics that are of interest to us.

For example:

Excessive CPU usage can indicate that we need to scale it up to compensate for increasing system loads;

A drop in successfully served requests after a fresh release can indicate that the newly released version of the API is malfunctioning;

Health checks process binary metrics that represent whether the system is alive at all or not.

Observability extends this approach. Observability is the ability to understand the state of the system by performing continuous real time analysis of the data it outputs.

Instead of just collecting and watching predefined metrics, we continuously collect different output signals. The most common types of signals – the three pillars of observability – are:

• Metrics: Numeric data aggregates representing software system performance;

• Logs: Time-stamped messages gathered by the software system and its components while working;

• Traces: Maps of the paths taken by requests as they move through the software system.

The development of complex distributed microservice architectures has led to complex failure scenarios that can be hard or even impossible to predict. Simple monitoring is not enough to catch them. Observability helps by improving our understanding of the internal state of the system.

Metrics

Choosing the right metrics to collect is key to establishing an observability layer for our software system. Here are a few different popular approaches that define a unified framework of must-have metrics in any software system.

USE

Originally described by Brendan Gregg, this approach focuses more on white-box monitoring – monitoring of the infrastructure itself. Here’s the framework:

• Utilization – resource utilization.

  • % of CPU / RAM / Network I/O being utilized.

• Saturation – how much remaining work hasn’t been processed yet.

  • CPU run queue length;

  • Storage wait queue length;

• Errors – errors per second

  • CPU cache miss;

  • Storage system fail events;

Note: Defining “saturation” in this approach can be a tricky task and may not be possible in specific cases.

Four Golden signals

Originally described in the Google SRE Handbook, the Four Golden signals framework is defined as follows:

• Latency – time to process requests;

• Traffic – requests per second;

• Errors – errors per second;

• Saturation – resource utilization.

RED

Originally described by Tom Wilkie, this approach focuses on black-box monitoring – monitoring the microservices themselves. This simplified subset of the Four Golden Signals uses the following framework:

• Rate – requests per second;

• Errors – errors per second;

• Duration – time to process requests.

Choosing and following one of these approaches allows you to unify your monitoring concept throughout the whole system and make it easier to understand what is happening. They complement one another, and your choice may depend on which part of a system we want to monitor. These approaches also don´t exclude additional business-related metrics that vary from one component of the software system to another.

Logs

System logs are a useful source of additional context when investigating what is going on inside a system. They are immutable, time-stamped text records that provide context to your metrics.

Logs should be kept in a unified structured format like JSON. Use additional log storage/visualization tools to simplify interaction with the massive amount of text data the software system provides. One very well-known and popular solution for log storage is ElasticSearch.

Traces

Traces help us better understand the request flow in our system by representing the full path any given request takes through a distributed software system. This is very helpful in identifying failing nodes and bottlenecks.

Traces themselves are hierarchical structures of spans, where each span is a structure representing the request and its context in every node in its path. Most common tracing visualization tools like Jaeger or Grafana display traces as waterfall diagrams showing the parent and child spans caused by the request.

Building an observable software system lets you identify failure scenarios and possible risks during the whole system life cycle. A combination of metrics, extensive log collection, and traces helps us understand what’s happening inside our system at any moment and speeds up investigations of abnormal behavior.

This article was just the first step. We’ve covered the standard approaches to metrics and briefly discussed traces and logs. But to implement an observable software system, we need to set up its components correctly to supply us with the signals we need. In part 2, we’ll discuss instrumentation approaches and modern standards in this field.