Okay. First thing, as in most presentations, the views that I will express are my own and not necessarily of anyone else that I work with or for, or alongside. Bit of background, if anyone's interested: I've got several roles that are related, and amongst those is that I'm on the board, executive steering board, of the IT security foundation. I won't go into detail 'cause I haven't got much time. The agenda, what we're gonna cover very quickly, 'cause there's only 20 minutes.
Some of the Industry 4.0 challenges, some of the known knowns, known unknowns, the undervalued knowns and the unknown unknowns, and a quick response. So this means I'm gonna be going through my slides very, very, very quickly. I'm not gonna be looking at every single point. I've tried to condense the slides down as much as I can.
I'm sorry, but there is too much and there's too much text and not enough images, but I will get through quickly. So first of all, some of the challenges: some of the expectations that I think people have and the actual reality of Industry 4.0 are very, very different.
Reaping the benefits will take some time, and the lifespans of when we are gonna expect to see things and the way things happen and how quickly some things move are very, very different. Those purchasing technology today in some respects may expect to invest in that technology and keep that investment for 10, 15, 20 years in some cases; however, the technology moves on very, very fast. We are still in its infancy.
Maturity will come at a cost at a cost and the cost could it either be not having security now and having it in afterwards or adding it in afterwards, either way, it will be a cost and the business models in some respects for software improvement, rollouts do actually exist right now, but they don't necessarily exist for hardware. Technology improvements, AI models for systems and data and security have got a long way to go before we, where we actually reap the real good benefits at the moment lot's been talked about.
Most of it's all marketing, and the separation of the admin and user control of many of the four oh for tracing devices is, is lacking. Some of the known knowns, some of the examples: I'm, I'm not gonna go through the whole list. You will have access to the presentation, so you'll be able to pick it up later. Manufacturing, first of all, is the second most attacked industry, which means that if you are in this sector, you really need to take security seriously and do something about it. Operational disruptions do take priority; they cost a lot.
And, and that's very important. Some of the key things, I think two things I'll pull out. One is networks are hostile. And in particular we're talking about wireless networks, and wireless communication in many respects is only as good as a transmitter, but also as good as a receiver, meaning that in many cases, even near-field communication, you may think it's very near-field, but if you've got an, if somebody's got an antenna and they want to eavesdrop, they've just got to improve their, improve their listening device far greater than your transmitting device.
And they'll be able to pick things up. And that's a key theme I will follow later on. Misconfigurations exist much more than they're acknowledged. I'll stop there 'cause I wanna lose some time for questions at the end. I know I might have much time to go through everything that I want.
So, so knowing the known unknowns for your threat model, basically, and I'm focusing on the threat model here, what are, you know, you know, the, the approach that you are taking towards your threat models, you know, who specifically would benefit most from attack, what they need to achieve? What are the attack points? What attack points, the hardest protect and getting this threat model, right?
And your organization's risk model that you are using and basing your risks on and everything you are gonna use to protect your, your technology is very important, but you do need to have a good threat model and you need to work on that fairly intensively before you can move on to a proper good risk model. Some of the undervalued knowns are that passwords are still not good enough to be the only approach to access devices and systems.
However, at the moment, it's, it's one of the main things that we are using password management, identity management for IOT is not good enough at the moment. You know, many organizations will talk about zero trust and some of them in those zero trust will also talk about identity management. Whether they talk about identity management, they're not just always talking about identity management for people. They are talking about identity management of software and hardware and applications and processes as well in many cases.
So lifespan of devices, OS protocols, data, configuration, data, user data are all very, very different. A couple years ago, we wrote a white paper where we mapped out each of those life spans and they take place in different times.
I, if you were to map them out and that's very important, they are known, but they're undervalued. It's important that you take them on board in terms of how you deal with the data and protect that data and get rid of that data and bring the data in, in your Industry 4.0 implementation. The supply chain security leaves a lot to be desired in many respects still today.
Going through and improving supply chain security is still not as valued, as important as it should be. Security out of the box, by design and default, still doesn't exist. It should be there. It's still not. Many devices you buy, whether it's an amusing devices that I'm very familiar with, CCTV camera or anything else to do with smart buildings or around an industrial site, what you find is that in many cases it's broken in so many ways, where their defaults are not what they should be to help the user get things set up correctly.
And that's just 1, 1, 1 example, moving on some of the unknown unknowns, this is slide one on these. This is some of the basics, you know, unknown undisclosed vulnerabilities of product code, operating systems, APIs, core libraries, communication libraries. And they're just a few bits of code in many respects.
And, and the key thing there really is that if you look at some of the comms libraries, and the example I often give when I talk about comms libraries is the example that we had a couple of years ago with Apple over three, I think it was a three-month period, where one of the libraries to do with comms for iOS, there was an issue with that vendor's library where one particular bug or vulnerability meant that 5,000 or round about 5,000 other vendors who were using it, who were writing code for software. So it's not 5,000 end applications.
We're talking about 5,000 major vendors who were each writing, many, many other applications. Another vulnerability was something like 15,000 and another one was about 25,000. So all in all, we're talking about possibly around 50,000 applications plus that were sorry, vendors that were affected. And that means many, many more applications.
So, you know, the, these are some of the basics of the, in terms of unknowns. We don't know what's gonna come, come up and crop up. And that's, that's the major thing that we do need to be thinking about when we are implementing our installation. So incorrect configurations. I mentioned 'em earlier on, there's a challenge here and why I've put it in here as an unknown. Unknown is that several places I've worked as consultant.
We, we find that there, there is not rigorous confirming of, of, of installations and configurations and checking those. There are some technologies where a user can come along. Despite the fact that an administrator set certain things up, anyone can come along and there can make a change.
So the, the configuration has changed and no one's checked to confirm that it's still what it should be. Those are just what, you know, simple examples that, that we find the impact of any of these is, is gonna be fairly big. Those things are not known the impact of any one technology or another. So for example, you've got one supply providing one technology, another one, providing something else.
Some of the impacts of the two technologies working together are often unknown unknowns. The impacts of devices and systems from one vendor to that of another, as well as one technology to another, is also one of those. In terms of internal networks, I mentioned that earlier on. The company I work with work around airspace, and the work around wireless communication. So that includes Bluetooth. That includes what network and near-field communication. It includes wireless networks, 5G.
It includes most bandwidths and really what we come across so often are unauthorized networks that exist within a site that claims that it knows of all the networks, that it has lots of unauthorized access points, unmanaged access points, and unmanaged access points basically means these access points haven't been updated for some time and they haven't been updated to secure ones or things like that. So there, there are examples of that. Non-compliant excuse me, one second. I do apologize. I know this is live, but our front door Bailey is ring and he's gonna carry on regular.
Sorry about... My apologies for that. Right. Okay. Wi-Fi Direct is another example of uncontrollable bridge connection between a wired and an unwired connection. We don't often have a complete coverage of the maturity of the wired and wireless network segments, and how far they're in force in terms of Industry 4.0. Now part of the reason why I've covered and separated the internal network from the external network is because of the fact that so many technologies around Industry 4.0 do rely on wireless technologies and not wired technologies.
However, at some point they do connect between the wired and the wireless, and the segmentation that you have on the wire doesn't always carry through on the wireless, and that can impact the security in a big way.
Peer-to-peer connecting devices are permitted with user-level controls, and shouldn't be. User connections for BYOD, other devices: we've seen, for example, Teslas connecting to corporate networks and even industrial manufacturing networks when we've done audits in the past. So we have seen those. In terms of external networks, in any site, wherever you are trying to install your Industry 4.0, you'll find that the external net, surrounding network outside of your site in many cases is double if not five times as large.
So we have seen sites where it's a lot bigger than that. Open networks and devices are vulnerable to attack. And those open networks, I know this is an unknown unknown, but we've found in secured networks, we've often found open access points as part of the secured network. That's why it's there. And quite often the site didn't actually realize that they had a single open access point on that particular network. So it's things like that.
So where you see things that theoretically we would say, you know, with a hand on our heart, thinking that we knew about those, or, or we should know about open networks, why I've put this in here is quite often in different sites. We see things that we shouldn't see because no one is monitoring these sorts of things. So monitoring of open unpatched, vulnerable networks and devices needs to take place.
Doesn't always. When we go in and we do some work on these, we find lots and lots of things that are a surprise, both to the client we are working with and to ourselves, because we're surprised that these sorts of things happen. There are hostile. You need to start looking in, in your, around your networks, hostile ratings of the hostility of the surrounding networks, maybe even ratings of the change on a daily, weekly basis around about the surrounding network that you have.
Some things change, some things don't, but the rate of change is quite important to monitor the connection attempts and the rating of those connection attempts is another thing that, that it's an unknown, unknown monitoring. Those things is very important as well, spoofing and everything else related to that also is very important.
So in terms of networks, internal, external, they are both important and they need to be looked at separately rather than as a whole. Other categories of unknown unknowns include the impacts to legacy systems and connections to legacy systems, what they may or may not open up, the impacts of the connections to building control systems. Again, any connection to those mean that however secure your main system is, basically you are opening up loads more holes due to connecting with loads of other systems, unless they are completely secure.
And you know, that everything is vulnerabilities of process models, industrial control systems. Again, that we've come across. Some of these where the process models that are being used have got vulnerabilities in them capabilities of, of vendors into different types of vulnerabilities.
Again, we've seen vendors abilities to respond, to change where some have got great capabilities, will they respond within certain number of weeks? Others may take months. And so on threat models of these vendors in terms of when they develop the products is also key. What we encourage our clients often to do is to make sure that they are understanding what the different risk models are around their products and how those products fit into the, the solution that you're trying to put together. There are a whole range of these.
I'm gonna move on fairly quickly to, to the next slide, which I believe is the last slide, main slide that I've got, but important areas next year for are around data. Whether it's sort of data protection, identity, data, whatever data it is, orchestration, you know, AI data, big data, whatever it is, all of those things are very, very important.
So in terms of responding, 'cause I've thrown lots and lots of challenges, risks, and things that need to be considered, really what I think is important in the time that we've got is to think about, you know, developing threat and risk models. I sort of mentioned that earlier on; that is key. Keeping up to date and creating an internal maturity in how, you know, you use that information and how you use the threat and risk models in decision making and expanding your Industry 4.0 implementation.
Basically also creating requirements and specifying, whatever you are buying based on the threat and risk models and, and, and the risk model you have for your, you know, whatever it is that you're trying to set up your project that you've got. So, and also purchasing systems devices based on that, understanding the impacts of changes in terms of connected technologies.
So really what I'm saying there, and the understanding impact of the connect system, is making sure that once you've got your risk models, things change, is keeping those update models updated continuously, and alongside that is test, test and test, making sure that you are testing those, whether it is.
And when I say test, I do also mean monitor, because while you're monitoring, and what I covered earlier on about internal and external wireless networks, it is understanding what those changes are, the environment that you're in and what's happening within you and the models thereof, adapting your threat and risk models. As I've mentioned, participate in user groups, be more demanding.
One last thing I'll say before I move on from that: a friend of mine from Germany once said to me, when I asked him, how is it Germans have great car manufacturing bases and the UK doesn't, his response was that in the UK, you are far more inventive than we are. I said, what do you mean?
He said, I've noticed that when your cars leak, what you do is you put something underneath to capture the oil. In Germany, when our cars leak, we complain to the manufacturers. And what we were talking about there was basically the more demanding user asks more from their vendor and they get more and they get better results as a result of that. If you're not very demanding from what you've got, you're not gonna get the best out of your vendor, is really what I'm talking about. So we need to be complaining more. We need to be sharing more.
We need to make sure we're encouraging others into and adding to the knowledge pool. I think that's my last slide. That's it. So I'm open for questions. I think I've kept to time-ish.