Modernizing Authentication — What It Takes to Transform Secure Access
By Nazar Tymoshyk and Stanislav Breslavskyi
Today technology is interwoven into our daily lives as never before, but how secure is the data that we feed into our devices? With the progress of wearables knowing no limit, we often forget that with great power comes great responsibility: protection of personal information, no matter if you are a vendor or a user.
Keeping track of heart rate, burnt calories and even steps taken, wearables' game-changing influence is felt not only in the health care industry, but also within the world of security. Personal information will become bread-and-butter not only for users and health care professionals, but also for attackers.
In addition, enterprises are discovering business use cases for wearable technology, which means security teams must implement plans to protect corporate data on wearables and educate users about risks and best practices.
When talking about wearables security, the following aspects should be on the radar:
- Wearable devices themselves
- Any mobile devices that connect with wearables
- The cloud
- Users as the "almighty rulers" of the above items
Here's what you should keep an eye on to mitigate the most common threats wearables pose to personal information.
The main problem with wearables is the existence of hundreds of models with different custom operating systems and programs. If the number of operating systems is not minimized, it will be tough to make security progress, since every wearable device requires a separate approach. Variety is a spice of life, but too much spice is not healthy!
What's more, wearable devices should ensure secure mechanisms of communication with a smartphone. As showcased by Symantec and its recent experiment, information from wearable device systems is often broadcast unencrypted.
In most cases, the Bluetooth protocol is used for communication with a smartphone. Even though the latest version, Bluetooth 4.0, is secure, most vendors still use an outdated version that can contain many defects. Another easy-to-follow piece of advice is to switch off Bluetooth when it's not in use: This way you kill two birds with one stone, saving your battery's energy and avoiding potential danger.
Securing Mobile Devices
Typically, wearables are connected to mobile devices; that's why the security of a phone is no less important than that of a smart gadget. However, tips to protect your mobile device from unwanted intrusion are as easy as one-two-three. Since it's no use crying over spilled information, make sure you follow these uncomplicated pieces of advice:
- Don't connect to public Wi-Fi spots without a password
- Regularly update the software and OS
- Make sure your screen is locked and your password is not "1111" or a similarly easy-to-guess combination
- Give up the bad habit of having a one-size-fits-all password, no matter if it's your connected email account or system login: Adding a symbol or capitalizing a letter does make a difference
- Never leave your phone unattended
Securing the Cloud
Sometimes what drums up attackers' interest is not the wearable device itself, but the cloud, which contains a pool of a user's personal information. Cloud hacking can expose a user's most private data; the most notorious example is the much-publicized nude pictures scandal. To avoid having your private data stolen, get the hang of implementing the following four cloud security controls:
- Deterrent controls
- Preventive controls
- Detective controls
- Corrective controls
Correct implementation of these mechanisms gives system owners the best protection against massive information leaks. Find more about cloud security guidance here.
Raising Security Awareness
Wearables are not all about technological aspects, but the human factor as well: More than we think depends on the users themselves. Pursuing self-tracking with fervent enthusiasm, customers forget about personal information security and their own safety, which lets hackers act under users' noses. The main preventive measure for wearables' users is awareness, but even the trust-but-verify rule is not fully applicable here.
Never trust a service provider or a device with 100 percent of your personal information, because the cost of losing or revealing it may be too high. Customer security awareness mechanisms should let users understand that even a seemingly harmless check-in or sharing data on a timeline may cause more trouble than we think.
Wearable technology is a relatively new trend on the market that pushes the IT industry forward and launches new business development directions, but also raises new security issues. These problems are not skin-deep, since attackers' imagination in choosing attack vectors is limitless. Proper security requires a holistic and cautious approach.
Nazar Tymoshyk and Stanislav Breslavskyi are security engineers at SoftServe, Inc. and regular contributors to the SoftServe United blog. Nazar is an IT security and network infrastructure expert who specializes in many security disciplines, including computer forensics, malware analysis, intrusion detection and mobile application security assessments. Nazar holds a Ph.D. in information security from the State University, Lviv Polytechnics. Stanislav focuses on network solutions development and specifically on security-related challenges for SoftServe, Inc. He holds a bachelor's degree in information security from the State University, Lviv Polytechnics.