Hacking Tricks

Friday 31 October 2014

Internet of Things: Security vs. Time To Market



Last week I had the opportunity to take part in a panel at the Sector Security Conference in Toronto. Just for the record, I’m also on the advisory board for that conference so we’re clear. The main thrust of the panel was dealing with predictions for the coming calendar year. I’m no fan of predictions in general. So much so that I wrote a piece almost a year ago where I compiled a top 10 list of vulnerabilities that we would have to worry about for 2014. The problem there was that this was a list that I lifted from a similar article that was written in 1999. Of the ten vulnerabilities in the list, eight of them were still relevant. That being said, I still agreed to do it. I’ll admit that I enjoyed it, but one thing that struck me from a couple of the panelists was this bizarre technolust for even more Internet of Things…things.
Great, sure, I can get behind that, but only if we do it right. This is where we run into the security vs. time to market problem. In 2004 there was an article on the BBC that discussed a survey in which people were offered chocolate in exchange for passwords. The results were somewhat troubling.
From BBC:
More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.
It also showed that 34% of respondents volunteered their password when asked without even needing to be bribed.
A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.
I’d offer that the results would be basically the same now ten years later. Why? People are creatures of habit. They want the next shiny thing but they seldom pause to weigh the risk involved. This is where my concern comes into play. People will demand the next iPhone, iPad, Nexus 6 or even an Internet-connected fridge, but manufacturers need to take into account the security of these devices. Previously we had the fascination with Bluetooth being added to anything that had electricity coursing through its circuits. Now the great rush is on to have Internet connectivity baked into cars, home appliances, power systems and medical devices, to name a few. I call this the “Bacon Principle”. Everything is better with bacon. So, by extension, everything must be better with Internet. Right?

Kidding aside, we know that consumers are destined to ask for creature comforts before security. How do we get manufacturers to take proper care to ensure that their IoT devices are secured? I do worry that this will be overlooked in the rush to get devices to market. Which begs the question, how will these devices be updated? If there is a significant vulnerability discovered that affects a large swath of the IoT, how will these devices be patched? Is there a plan in place to address this sort of eventuality?
As the rush continues to add Internet connectivity to devices, the potential attack surface will expand at an alarming rate. Due diligence needs to be conducted to address these issues. As an example I think of the game I play with my kids called Connect Four. There are times where my daughter is convinced that she has me on the ropes only to be undone by my next move. In this same vein we need to be sure we’re looking at all of the angles. Specifically with security in mind. That being said, how do we improve? One way is to leverage sensible and defined repeatable processes. If you can’t document your process, it doesn’t exist. If you can automate it you can improve the security. Utilize this logic for IoT devices as they are having the bacon principle applied to them. Hopefully, this sort of approach will help to avoid the rise of the wearable technology, appliance and control system based botnets.
