Security Shaming the Security Ostrich – Let’s Make It a Thing

  • Modern businesses, organizations and manufacturers – and the executives that drive key decisions – have a responsibility to implement progressive IoT security.
  • IoT devices are driving a dependency compute model. Customers no longer control the entire infrastructure on which their IoTs and applications operate. That is why traditional enterprise security tools and approaches designed to protect concentric networks just don’t work for IoT security.
  • The IoT industry is still principally focused on function. However, it is precisely during the architecture and design phases that IoT security should be a key player at the table.
  • Security ostriches choose to bury their heads in the sand rather than educate themselves, hear different perspectives, and accept input from others. Isn’t it time we started treating lax cybersecurity efforts like littering? Let’s make security shaming a thing.
  • Negligent or disengaged executives who are reckless with security measures are a danger to businesses, consumers, economies, and democracies. It’s time for us all to be good netizens and push for thoughtful and responsible security.

We recently had a conversation with the CEO of an IoT manufacturing company to learn more about its strategy for IoT security. The conversation started with the CEO’s immediate declaration, “Our IoTs are secure!”

“You see,” the CEO continued, “we use encrypted connections for all of our IoTs.”

Given his bold tone, we waited to hear the rest. It never came.

We then inquired how he controls access, validates the integrity of communications, verifies the integrity of data, validates the exchange of functional commands, and handles the privacy and identity of the devices.

He responded, “You have to understand that our devices aren’t smart enough to be hacked.”

It was a dumbfounding response. We asked if his IoT devices use IP. “Yes,” he replied. Are they on the Internet? Again, “Yes.” Respectfully, is it possible they are just not smart enough to know they’ve been hacked?

We went on to explain that even “dumb” IoTs are susceptible to and have been involved in many recent high-profile attacks. We even offered two examples of vulnerabilities that impacted devices like the ones his company manufactured.

However, he was dismissive and unconvinced.

This technology CEO is a security ostrich choosing to bury his head in the sand rather than educate himself, hear different perspectives, and accept input from others.

In another instance, at an event with Maciej Kranz, we met a CTO for a solution provider exclusively focused on building custom IoT-centric applications. We asked the CTO how the organization handled IoT security. His answer was simple: “We use the certs from Amazon.” We pressed further and asked how these certs secured his customer’s IoTs and applications. He said, and I quote, “Not sure. It’s what Amazon offers—they wouldn’t sell something insecure.”

Although this CTO is the exact opposite of the security-bold CEO, he is also a security ostrich. He had no curiosity about what happened to the technology platforms his company developed for its customers.

We have seen many other examples of savvy security officers taking what they believe to be prudent steps to help mitigate risk for their newly developed IoT infrastructures. This is a difficult problem, and we empathize with any technologist trying to optimize IoT security. Using enterprise security tools and approaches for IoT security is a challenge.

A case in point is a CISO of a Fortune 500 company who tried very hard to segment his industrial IoT devices into separate networks—a very prudent step.

Then he acquired a commercial software product that operates at the network level, specifically to help improve security. It acted a bit like the old Kerberos solution in computer security, where a separate server grants devices permission to join and communicate on the network.

The problem with that approach is that we have not seen these enterprise security methodologies and technologies scale to the size required by IoT infrastructure.

But a bigger problem is that even if it works, it does not prove that a device is secure once it is allowed on the network. Until now, that kind of magic has not existed.

This is a case where a CISO was trying to use yesterday’s security tools to solve a next-generation problem, because that was all that was available. When the only tool you have is a hammer, you have to treat everything like a nail.

We exist in a time of unparalleled connectivity. With all the good that this connectivity brings, it also creates exposure. Exposure today is greater than ever, and modern countries, especially the US, are the most exposed. Cyberattacks don’t just impact systems, data, publicity, and stock prices. Today, they impact economies and democracies.

IoTs are driving a dependency compute model in which each IoT, its dependent applications, and its associated management platform all exist on many public and private networks. Customers no longer control the entire infrastructure on which their IoTs and applications operate.

That is why traditional enterprise security tools and approaches designed to protect concentric networks just don’t work for IoT security, especially when multiple IoTs share a network, each with a different function and use case, and each using a different remote application operated by a different entity. When different applications owned by different organizations service IoTs that share a common customer network, all of those IoTs and applications become exposed and vulnerable.

It’s not only that these devices are susceptible to compromise or that a compromised IoT impacts the integrity of the application and dataset it serves. It’s not even that the company’s customers and the customer’s customers are impacted. By putting these vulnerable devices on the Internet, IoTs become force multipliers to launch new and more menacing attacks on many other public networks, systems, applications, and datasets. And with the prevalence of clouds, everything is exposed.

IoT manufacturers and development shops should practice greater scrutiny for their IoT security. Despite an IoT’s small size, everything is bigger with IoTs. If the overly confident CEO and the disengaged CTO don’t respect IoT security for their own products, companies, and customers, then they should at least consider the impact their actions—or inactions—have on the rest of us.

Isn’t it time we started treating security like littering? Maybe we should make security-shaming a thing. Maybe the entire cyber community gets involved in security shaming those who are reckless, disassociated, and especially the inappropriately bold. Essentially, that would include all those in the industry who are in a position to enact impactful change and choose not to act.

Could security shaming drive the change the IoT security industry needs? Perhaps. Better yet, we should treat security much like a public health crisis where even a single instance of an outbreak is treated with the greatest sense of urgency by the entire community.

The behavior of the security ostrich is rather formulaic—focus on functionality. When the product is reasonably functional, then focus on performance. And when it’s performing reasonably well, then and only then will some turn their attention to security. By this point, the only options are bolt-ons and band-aids.

Some also deploy self-centered risk–reward IoT security in which they choose a minimalist approach or no security at all. In other words, there are times when it costs more to secure some or all platform assets than their worth to the organization.

Although this may look like a business decision, it is actually a myopic perspective that empowers hackers—against everyone.

Regardless of the asset value, securing all assets with uniform and consistent security has a dramatic positive impact on the big security picture for everyone. What is suggested here is akin to the “broken windows” policing model where eliminating the small crimes dramatically reduces the big crimes.

The IoT industry is still principally focused on function. Everyone is trying to get their heads around how to make everything work. However, it is precisely at this stage—during the architecture and design phases—that security should be a key player at the table.

We can no longer sit back, look from the outside in, shrug, and say it’s their problem, not mine. If there is one thing that the massive denial-of-service attacks, botnets, ransomware, and data thefts have taught us, it is that weak security links on the Internet are weaponized against everyone.

In one case, the CEO was inappropriately confident. In the other case, the CTO was disengaged and trusting to a fault. These security ostrich executives hurt us all – perhaps their actions are not malicious, but they are definitely negligent. And their actions impact businesses and consumers, global enterprises and family operations, Americans and the rest of the world—us, you, everyone.

Most importantly, business leaders, tech executives, and concerned and tuned-in participants of the technology industry should learn a lesson from their errors.

However, the CISO truly cared about doing the right thing and was failed by the industry’s lack of viable options for the IoT security challenge. This issue is accelerated by the unusually rapid growth of cloud, IoT, and dependency computing.

In this case, the security industry is too conservative and looks down on progressive approaches even though a progressive approach is precisely what this CISO needed.

Let’s invoke an old Internet phrase that needs to be resurrected—be a good netizen. Some, if not the majority, of the effort toward IoT security falls on manufacturers and developers. They have to provide viable options to secure their technologies. But at the same time, customers and solution providers should be thoughtful and mandate security that drives the manufacturers and developers.

Think of it this way. Anyone who ignores IoT security, recklessly and negligently, drags their muddy shoes across everyone else’s clean white carpet—and they should know better!

Want to listen instead? Check out the ‘Security Shaming’ podcast here.

Next up, read Secured IoT Just a Delusion Away!


About Acreto IoT Security
Acreto IoT Security delivers advanced security for Crypto-IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021 and are on track to be the biggest consumers of Blockchain and Crypto technologies. Acreto’s Ecosystem security protects Crypto / Blockchain and Clouds as well as all purpose-built IoTs that are unable to defend themselves in the wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto on the web at acreto.io or on Twitter @acretoio.

Bob Gourley
Bob Gourley is the founder and Chief Technology Officer (CTO) of Crucial Point LLC, a technology research and advisory firm. He is the publisher of CTOvision.com and ThreatBrief.com. He is the former CTO of the Defense Intelligence Agency. At Crucial Point, Bob provides CTO Services and Due Diligence Consulting.
Babak Pasdar
Babak Pasdar is an ethical hacker and a globally recognized expert in Cyber-Security, Cloud, and Crypto-currency. He has a reputation for developing innovative approaches and methodologies for the industry’s most complex security problems. Before Acreto, Pasdar brought the first proxy-in-the-cloud platform to market, even before the word “cloud” was coined. He called it security in the “Grid”. Named one of New York’s Top Ten Startup Founders over 40, he has built and successfully exited two Cyber-Security technology companies, and his innovations have been widely adopted by the industry.
