Security Dealer & Integrator

FEB 2018

Find news and information for the executive corporate security director, CSO, facility manager and assets protection manager on issues of policy, products, incidents, risk management, threat assessments and preparedness.

Issue link: http://sdi.epubxp.com/i/941796


32 Security Dealer & Integrator / www.SecurityInfoWatch.com February 2018

speakers – really, any kind of wireless internet-connected device. The KRACK method is not something that can be carried out from the other side of the country; it requires the attacker to be within wireless range and positioned as a Man-in-the-Middle (MitM) between the client device and the wireless network, meaning the attacker must be physically close enough to communicate with both.

When the vulnerability was made public in October, a handful of manufacturers had already been notified of the problem and had solutions in place; others had only just begun work on the discovered weakness. The recommended solution, per Vanhoef's report, is for each manufacturer to develop and release security updates/patches for their products. Because the attack targets the client side of the handshake, a patched client is protected even when it connects to an unpatched access point; access points mainly need updates for 802.11r fast roaming and for repeater or client modes.

Manufacturers releasing a security update for KRACK is just the first step. Getting each of these devices patched is another challenge. Many customers who own these products are simply unaware that their products are at risk of compromise from the vulnerability, never mind thinking about applying an available patch. Many of these users do not monitor device vulnerability reports, and without product registration there are not many ways for manufacturers to inform consumers. On the flip side, for more sophisticated organizations, patching may involve delays because there is often a significant internal change management process required to apply patches and updates to systems to ensure no negative impact on business operations.

Steps to Take

KRACK is tracked as Vulnerability Note VU#228519 in the CERT Vulnerability Notes Database (the note is published by the CERT Coordination Center and is commonly reached through US-CERT, the U.S. Computer Emergency Readiness Team, an organization within the Department of Homeland Security that reports on these types of vulnerabilities). The note lists individual manufacturers and products along with their currently reported status with regard to resolving the issue. Even months after the discovery, there are still many affected devices without updates available to address KRACK, and it is expected to take much longer for many of them to fix the problem. The vulnerability note is quite detailed, but it is still recommended to contact manufacturers directly to get confirmation of affected systems and updates on the status of mitigation.

Cybersecurity

The Cybersecurity Legal Plot Thickens
When it comes to cyber vulnerability and liability, integrators are often stuck in the middle between manufacturers and customers
By Siddharth "Sid" Bose

IoT devices present new challenges to traditional warranty and liability analysis. The law and legal precedent are still developing, and it may be difficult for parties involved in the "stream of commerce" – manufacturers, sellers, distributors, integrators, installers, etc. – to fully comprehend the liability and warranty issues. In most if not every state, there is an implied warranty of merchantability and a warranty of fitness for a particular purpose. This means there is a body of law in each state that must be accounted for in a manufacturer's warranty and liability considerations. Even if a device is sold 'as is,' or the manufacturer otherwise indicates in writing that no warranty is given, there are still limitations on such disclaimers of warranty. Some states explicitly forbid 'as-is' sales. Individuals may also seek to hold device manufacturers liable under traditional product liability theories. While the specifics of product liability law vary by state, a basic underlying issue is whether a security vulnerability is a 'defect' that renders the device unreasonably dangerous under applicable law. Of course, demonstrating 'defect' and 'unreasonably dangerous' in IoT devices is still new and evolving. In addition to traditional products liability law, manufacturers must be aware of regulatory liability as well.
For example, the Federal Trade Commission (FTC) sued TRENDnet over security flaws, alleging that TRENDnet "failed to use reasonable security to design and test its software, including a setting
