Today at the Black Hat 2017 cybersecurity conference, IBM Security announced the launch of a new security testing practice area focused on automotive security. The new service will be delivered via an elite team of IBM X-Force Red researchers focused on testing backend processes, apps and physical hardware used to control access and management of smart systems.
IBM X-Force Red worked with more than a dozen automotive manufacturers and third-party automotive suppliers to build expertise and programmatic penetration testing and consulting services. The formation of the automotive practice aims to help shape and share industry best practices and standardize security protocols.
Earlier this year, Charles Henderson, Global Head of IBM X-Force Red, realized that he could still access a car he no longer owned. As a penetration tester, he dug deeper and uncovered security flaws in other connected vehicles, which he outlined after notifying the manufacturers. This discovery evolved into a practice and led to the understanding that major automotive manufacturers often overlook the security vulnerabilities associated with connected cars. With the expectation that more than 250 million connected vehicles will be on the road by 2020, cybersecurity needs to be at the center of all vehicle development.
To address this need, IBM X-Force Red created an automotive practice dedicated to helping clients secure hardware, networks, applications, and human interactions.
The new IoT services will be delivered alongside the Watson IoT Platform to provide security services by design to organizations developing IoT solutions for all industries. With 58% of organizations testing their IoT applications only during the production phase, the potential for introducing vulnerabilities into existing systems remains unacceptably high. The Watson IoT Platform provides configuration and management of IoT environments, and the IBM X-Force Red services bring an added layer of security and penetration testing.
IBM X-Force Red marked its first anniversary with the addition of security specialists such as Cris Thomas (aka Space Rogue) and Dustin Heywood (aka Evil_Mog with Team Hashcat), who add to the team’s impressive roster of talent globally. To further optimize their engagements, IBM X-Force Red has also built a password cracker called “Cracken” designed to help clients improve password hygiene.
IBM X-Force Red has changed the delivery of security testing due to the perceived gaps in security of emerging technologies such as IoT and connected cars. Programmatic and on-demand security testing through the entire lifecycle of the products is emerging as the best way to find vulnerabilities in a proactive fashion. Watson IoT Platform customers will now be able to leverage the security expertise of IBM X-Force Red to assist throughout development and deployment.
“It’s not just about the technology, it is also about the global reach, investment, and collaborative approach which make IBM a trusted IoT partner for enterprise IoT solutions,” said James Murphy, Offering Manager, IBM Watson IoT Platform. “With IoT technologies permeating the farthest corners of industry, IBM is bringing our Watson IoT Platform and X-Force Red security talent together to address present and future concerns.”
The Watson IoT Platform approach is security by design, with security controls built-in, delivered as a cloud-based service with industry-recognized ISO27001 compliance. The Watson IoT Platform also has advanced security IoT service capabilities that extend Watson IoT Platform with Threat Intelligence for IoT. These features help customers visualize critical risks in the IoT landscape and create policy-driven automations to help prioritize operational responses for IoT incidents.
The skills and experience of the X-Force Red team alongside the Watson IoT Platform provide the vital components to help get clients off to the right start from design all the way through to go-live of their IoT solution.
In February 2017, IBM X-Force launched The Red Portal, a cloud-based collaboration platform for clients and security professionals that presents an end-to-end view of security testing programs. Clients can view real-time testing project milestones, vulnerabilities across all assets, reports of findings and the overall status of their managed testing program. The Red Portal centralizes and streamlines all communications with X-Force Red and provides a way to begin remediation immediately on the most critical items.
At this year’s Black Hat conference, X-Force Red will unveil the newest weapon in their arsenal. Cracken is a dedicated password-cracking cluster used by X-Force Red during penetration tests and security assessments. To illustrate the importance of password length and complexity, X-Force Red will let attendees test passwords against Cracken at Booth #616 during Black Hat USA 2017.