Security Shaming the Security Ostrich – Let’s Make It A Thing
By Bob Gourely, ex-Chief Technology Officer for the Defense Intelligence Agency, and Babak Pasdar, CEO and CTO for Acreto IoT Security
We recently had a conversation with the CEO of an IoT manufacturing company to learn more about their strategy for IoT security. The conversation started with his immediate declaration, “Our IoTs are secure!”
“You see” The CEO continued, “we use encrypted connections for all of our IoTs”.
Given his bold tone, we waited to hear the rest – it never came.
We then inquired how he controls access – validates the integrity of the communication – verifies the integrity of data – validates the exchange of functional commands – and handles privacy and identity of the devices.
He responded, “You have to understand that our devices aren’t smart enough to be hacked.”
It was a dumbfounding response! We asked if his IoT devices use IP. “Yes,” he replied. Are they on the Internet? Again, “Yes”. Respectfully, is it possible they are just not smart enough to know they’ve been hacked?
We went on to explain that even “dumb” IoTs are susceptible to and have been involved in many recent high-profile attacks. We even offered two examples of vulnerabilities that impacted devices like his.
However, he was dismissive and unconvinced.
This technology CEO is a security ostrich choosing to bury his head in the sand rather than educate himself, hear different perspectives, and accept input from others.
In another instance, at an event with Maciej Kranz, we met a CTO for a solution provider exclusively focused on building custom IoT-centric applications. We asked this CTO how the organization handled IoT security, the CTO’s answer was simple: “We use the certs from Amazon”. We dug further and asked how these certs secured his customer’s IoTs and applications. He said, and I quote: “Not sure. It’s what Amazon offers — they wouldn’t sell something insecure”.
Though the exact opposite of the CEO above, this CTO is also a security ostrich. He had no curiosity about what happened to the platforms they developed for their customers.
We have seen many other examples where savvy security officers take what they believe to be prudent steps to help mitigate risk for their newly developed IoT infrastructure. This is a difficult problem, and we empathize with any technologist trying to optimize their IoT security. Their challenge — utilize enterprise security tools and approaches for IoT Security.
A case in point is an effort by a CISO of a Fortune 500 company who tried very hard to segment his industrial IoT devices into separate networks – a very prudent step.
He then acquired a commercial software product that operates at the network level specifically to help improve security. It acted a bit like the old Kerberos solution in computer security, where a separate server gives permission for devices to join and communicate on the network. The problem with this approach is that we have not seen these enterprise security methodologies and technologies scale to the size IoT infrastructure requires.
But a bigger problem is that even if it works, it does not prove that a device operates securely once it is allowed on the network. Until now, that kind of magic has not existed.
This is a case where the CISO was trying to use yesterday’s security tools to solve a next generation problem, because that’s all that was available. When the only tool you have is a hammer, you have to treat everything like a nail.
We exist in a time of unparalleled connectivity. With all the good that this connectivity serves, it also creates exposure. Exposure today is greater than ever and modern countries – especially the US – are the most exposed. Cyber attacks don’t just impact systems, data, publicity, and stock prices – attacks today impact economies and democracies.
IoTs are driving a dependency compute model where each IoT, their dependent applications and associated management platform all exist on many different public and private networks. Customers no longer control the the entire infrastructure on which their IoTs and applications operate.
This is why traditional enterprise security tools and approaches, designed to protect concentric networks, just don’t work for IoT security. Especially when multiple IoTs exist on a shared network – where each has a different function, for different use-cases and each using different remote applications, operated by different entities. When different applications that are owned by different organizations service IoTs sharing a common customer network, all the different networks, IoTs and applications become exposed and vulnerable.
It’s not only that these devices are susceptible to compromise. Or that a compromised IoT impacts the integrity of the application and dataset it serves. It’s not even that the company’s customers and the customer’s customers are impacted. By putting these vulnerable devices on the Internet, IoTs become force multipliers to launch new and more menacing attacks on many other public networks, systems, applications, and datasets. And with the prevalence of Clouds, everything is public!
IoT manufacturers and development shops should practice greater scrutiny regarding their IoT security. Despite an IoT’s small size, with IoTs, everything is bigger. If the overly confident CEO and disengaged CTO don’t respect IoT Security for their own product, company, and customers, then they should at least consider the impact their actions, or inaction, has on the rest of us.
Isn’t it time we started treating security like littering? Maybe we should make security shaming a thing. Where the entire cyber community gets involved in security shaming those who are reckless, disassociated and especially the inappropriately bold. Essentially all cases where those in the industry who are in a position to enact impactful change, choose not to act.
Could security shaming drive the change the IoT security industry needs? Perhaps! Better yet, we should treat security much like a public health crisis — where even a single instance of an outbreak is treated with the greatest sense of urgency by the entire community.
The behavior of the security ostrich is rather formulaic. Focus on functionality. When the system is reasonably functional, then focus on performance. And when it’s performing reasonably well, then and only then do some turn their attention to security. By this point, the only options are bolt-ons and band-aids.
Moreover, some deploy self-centered risk–reward IoT security where they choose not to enact security at all. In other words, there are times when it costs more to secure some or all platform assets than their worth to the organization. Though this may look like a business decision, in actuality it is a myopic perspective that empowers hackers – against everyone!
Regardless of the asset value, securing all assets with uniform and consistent security has a dramatic positive impact on the security big picture for everyone. What is suggested here is akin to the “broken windows” policing model where eliminating the small crimes dramatically reduces the big crimes.
The IoT industry is still principally focused on function. Everyone is trying to get their heads around how to make everything actually work. However, it is precisely at this stage when there should be a focus on security – during the architecture and design phases.
We can no longer sit back, look from the outside in, shrug and say it’s their problem — not mine. If there is one thing that the massive denial of services, botnets, ransomeware, and data thefts have taught us is that the security weak links on the Internet are weaponized against everyone.
In one case the CEO was inappropriately confident, in another the CTO was disengaged and trusting to a fault. These security ostrich executives hurt all of us – perhaps their actions are not malicious, but definitely negligent. And their actions impact business and consumer, global enterprises and family operations, Americans and Allies, us – you – everyone.
Most importantly, business leaders, tech executives or the tuned-in slash concerned participants of the tech industry should learn a lesson from their errors.
However, the CISO truly cared about doing the right thing and was failed by the industry’s lack of viable options to the IoT Security challenge. This is especially true when cloud, IoT, and dependency compute is involved.
In this case the security industry is too conservative and looks down on progressive approaches. And progressive approaches is precisely what this CISO needed.
Let’s invoke an old Internet term that needs to be resurrected. Be a good Netizen. Some, if not the majority of the effort for IoT security falls on the manufacturers and developers. They have to provide viable options for the industry. But at the same time customers and solution providers should be thoughtful and mandate security that drives the manufacturers and developers.
Think of it this way: Anyone who ignores IoT security, recklessly and negligently drags their muddy shoes across everybody else’s clean white carpet – when they should know better!
Read the original ‘Security Shaming’ article here.
Listen to the next podcast, Putin’s Eleven – Inside Nation State Hacker Teams, here.
About Acreto IoT Security
Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.