Have you ever slowed your car while driving to gawk at an accident on the side of the road, or been frustrated by the car in front of you that did? Have you caught yourself mesmerized by a ridiculous YouTube video? This is the current state of Internet of Things (IoT) security: it’s captivating, and as a result there’s been a whole lot of vulnerability hunting in the space. The more “OMG! This is what can happen!!” that appears in the media, the more we are drawn to it. Catastrophic, hyperbolic, apocalyptic movie-plot scenarios sell, but unfortunately in security, falling into the FUD trap leaves us chasing the current drama instead of focusing on real, tangible security shortfalls.
Applying Critical Thinking to Security FUD was the topic Chris Poulin, Research Strategist at IBM’s X-Force security research team, chose to tackle at InfoSec World 2016. Yes, he said, it’s true that many things now operating in “smart” mode—refrigerators, cars, thermostats, lightbulbs—present new, exploitable vulnerabilities. And, yes, some of those vulnerabilities exist because information security professionals were not part of the development process. There is some scary potential out there, to be sure, but the fact of the matter is, said Poulin during his talk, the major exploit activity—at least what’s been publicly disclosed to date—is happening in the security research community. Organized crime, he continued, has not figured out how to monetize researchers’ efforts, and we have yet to see any evidence of nation-state or hacktivist targeting of connected vehicles or pacemakers.
The vast majority of successful attacks are those targeting data such as intellectual property, personally identifiable information (PII), healthcare records, credit card information, and financial records. This is where the security industry’s focus should be, said Poulin. There is a need for research into the IoT; Poulin makes his living in that pursuit, so it would be self-defeating to disavow the practice. Most companies, however, need to keep their eyes on the prize and work on fixing the problems that impact their organizations every day. Poulin instructed, “Don't drop everything to focus on the new threat; that's how simple-to-solve and longstanding threats like SQLi remain viable for attack for over a decade.” What about the latest breach: how did the attackers get in? Excessive permissions? What did they steal? Unencrypted data?
Everything old is new again
The distractions of shiny, new objects have attracted security teams before. Cloud, mobile, and big data, for instance, all inspired similar knee-jerk reactions during their hype cycles. Now, most of these platforms are managed proportionally to the threats they pose. “In the case of mobile threats,” illustrated Poulin, “we’ve not seen any grave compromises of enterprise data. Almost all threats have affected the individual, so do the minimum to ensure mobile threats are closed off; make sure enterprise email is safe in a container and encrypted—Apple's default—and go back to removing all the concatenated strings in favor of stored procedures for database queries.” Basic, clean security fun (not FUD).
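The “concatenated strings” Poulin refers to here, and the decade-old SQLi he mentions earlier, come down to one pattern: user input becomes part of the SQL text. The following is an added example, not code from the article or from Poulin, that puts the vulnerable pattern next to the fix. It uses SQLite, which has no stored procedures, so the hardened form uses parameterized queries, the same fix class (query shape fixed in code, input bound as data). The user table, the password hashes and the injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not from the article.
SAMPLE_USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]

# Classic tautology payload: closes the string literal, then ORs in an
# always-true comparison.
INJECTION = "' OR '1'='1"


def make_db():
    """Build a throwaway in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password_hash):
    """Vulnerable form: the caller's input is spliced into the SQL string.

    Anything the user types is parsed as SQL, so a quote in the input changes
    the query's structure rather than being treated as data.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Hardened form: the query text is a constant; input is bound as values.

    The driver sends the two arguments as data, so a quote in the username is
    just a character to compare against, never part of the statement.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def demo():
    """Run both login paths against legitimate input, the payload, and an
    innocent apostrophe; return the outcomes keyed by case."""
    conn = make_db()
    results = {}

    # Both forms accept a correct credential pair.
    results["legit_concat"] = login_concatenated(conn, "alice", "hash-of-alice-pw")
    results["legit_param"] = login_parameterized(conn, "alice", "hash-of-alice-pw")

    # The concatenated query becomes
    #   ... WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'
    # which is true for every row, so the attacker "logs in" without a password.
    results["inject_concat"] = login_concatenated(conn, INJECTION, INJECTION)
    # The parameterized query looks for a user literally named "' OR '1'='1".
    results["inject_param"] = login_parameterized(conn, INJECTION, INJECTION)

    # A perfectly legitimate apostrophe is a syntax error for the concatenated
    # form (the availability cost of the same bug) and ordinary data for the
    # parameterized one.
    try:
        login_concatenated(conn, "o'brien", "hash-of-obrien-pw")
        results["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "error"
    results["apostrophe_param"] = login_parameterized(conn, "o'brien", "hash-of-obrien-pw")

    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The fix is the same regardless of database or driver: never build statement text from input, whether by binding parameters as above or by calling a stored procedure with typed arguments. An audit for the vulnerable pattern is a search for string concatenation or formatting whose result is handed to an execute call.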
In addition to the basics, what’s really needed, Poulin pointed out, is critical thinking about the profile of attackers and the motivations that might drive them to attack. Understand your adversary, know what they’re after, and then build your defenses around what’s most at stake. Doing so means implementing a process rather than reacting to the latest headline. Applying critical thinking to security threats (or “threats,” as it may pertain to the IoT) is akin to the National Fire Protection Association’s “Stop, drop, and roll” campaign. What do you do when you think your clothes might be on fire (i.e., when your toaster is eavesdropping on you)? Stop! That’s number one. Take a second to assess the situation and then determine your course of action. Running around wildly without direction, said Poulin, is not productive. It is, however, “a pretty good way to become a statistic.”
If we look at the problem in this vein, the disconnect between security’s attention on the IoT and where practitioners need to focus becomes even clearer. Stop! Who’s your adversary? Drop! Dig into what might motivate them. Roll! Roll out the protections that put barriers in front of the adversaries’ targets.
Researchers (for the most part) are not out to cause harm. They are out, however, to call attention to their favorite subjects. There’s nothing wrong with this, to be completely clear. We need the boundary pushers and creative thinkers in the security industry. Let’s not let their work, valuable as it might be, distract us from the fundamentals and the issues actually affecting enterprises.
A little less conversation, a little more action
Poulin’s advice for enterprise security practitioners is pretty simple:
- The media can be a huge distraction. They want your attention and will scream “the sky is falling” to get it.
- Vendors can also be a distraction as they overblow threats and promise you a cure-all pill, often based on magic technology. Don’t fall for snake oil pitches; security requires effort beyond opening your wallet.
- Don’t jump at the latest supposed crisis. Stop and ask yourself, “Is this really my crisis?”
- Ask who and why first; channel your inner blackhat to understand attackers’ motivations.
- Prioritize your defenses based on rational evaluation and gathered evidence (Ah! Evidence. Factual information telling us what we really need to secure).
It’s not easy to tear oneself away from the flashy lights and chiming bells, but to be the best enterprise security practitioner, think critically about where you need to focus and why. Security is a smart industry; really consider what needs your attention before you offer it up.