Story image

IBM Security opens four secure IoT testing facilities globally

07 Aug 2018

IBM Security today announced X-Force Red Labs, a network of four secure facilities dedicated to testing the security of devices and systems including consumer and industrial IoT technologies, automotive equipment, and Automated Teller Machines (ATMs).

IBM X-Force Red also has launched a dedicated ATM Testing practice in response to increased demand for securing financial transaction systems. 

The new Labs will be operated by X-Force Red, an autonomous team of hackers within IBM Security.

The X-Force Red Labs offer secure locations where X-Force Red's seasoned hackers will work to find vulnerabilities in devices (hardware and software) before and after they are deployed to customers.

The four Labs will be in Austin, TX; Hursley, England; Melbourne, Australia; and Atlanta, GA.

IBM X-Force Red Labs

IBM X-Force Red has grown its penetration testing client base by over 170 percent in the last year.

This growth has also led IBM Security to increase the number of X-Force Red practitioners, doubling over the past year across multiple domains.

Some of the recent additions to the X-Force Red team include global hardware security lead Ivan Reedman, European and automotive practice leader Thomas MacKenzie, and X-Force Red global research director Daniel Crowley.

"IBM X-Force Red has one mission – hack anything to secure everything," says IBM X-Force Red global managing partner Charles Henderson.

"Via X-Force Red Labs, we have the ability to do that in a secure and controlled environment. Whether it's the newest smartphone that hasn't been released, an internet-connected refrigerator or a new ATM, we have the capability to test, identify, and help our clients remediate vulnerabilities before the bad actors can exploit them."

X-Force Red Labs: Hack anything to secure everything

Fixing software vulnerabilities and flaws after production can cost organisations more than 29 times the cost of identifying and fixing them during the design phase, according to the Ponemon Institute.

IBM X-Force Red, through the new four global testing labs, assists engineers and developers with building in security throughout the development lifecycle of hardware and software, including IoT-enabled devices and ATMs.  

The service includes:

  • Documenting product requirements: Mapping product objectives, stakeholders and systems involved, skillsets available, and other product requirements with product engineers.
  • Technical deep dive: Analysis of product design documentation, security requirements, risk management information, and any other data to scope the penetration test.
  • Threat modelling: Disclosure of potential threats and risks to the product and company including threat actors likely to target their product, how and why they would compromise it, and the potential risk to the company.
  • Generating security requirements: Create and implement a list of security requirements for engineers as they build products.
  • Penetrating testing: Hacking into products using the same methods that real-world attackers would use. Through the X-Force Red cloud-based portal, the team provides real-time updates on vulnerability findings. Since X-Force Red hackers report findings as they test, customers do not have to wait until the full test is completed to begin remediation.

Demand for ATM testing

With more than 300 million ATMs in the world, financial institutions need to protect these targeted machines from attackers.

In early 2018, law enforcement alerted financial institutions of increased threats targeting ATMs in the US that allow criminals to "jackpot" the machines and steal their contents on demand.

These attacks have been known to use both malware and physical access to the ATM device to empty all of the cash from the machine.

Since 2017, X-Force Red has experienced a 300% increase in requests for ATM testing due to these emerging threats.

Many financial organisations are also still running dated operating systems on these devices that they cannot adequately patch to harden the machine.

By identifying vulnerabilities in these machines in advance, before a criminal gains access, financial institutions can address and help protect against future compromise.  

The X-Force Red ATM Testing service includes a global team of experienced penetration testers that can identify and help remediate physical, hardware and software vulnerabilities within banks' ATMs, before an attacker gets their hands on them

Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.