Thursday, October 27, 2016

Thoughts on IoT Vulnerabilities

(Warning:  this post is a bit of a rant.  Proceed at your own risk :) )

The more things change, the more they stay the same.  This is the lesson we need to take from last week’s DDoS attack via (amongst other things) internet-of-things (IoT) devices.

Several years ago I gave a presentation on what I called the “Business Ideation Cycle” as pertains to security.  It goes something like this:

  1. The business has a “great idea” that’s highly innovative.
  2. Business leaders discuss the benefits, costs, and risk…usually without security personnel present.
  3. The business leaders get approval to pursue their idea and select a vendor…again, usually without input from security.
  4. Sometime between proof-of-concept and going into production – and usually due to the fact that approvals of some sort are needed in order to go live – security is notified of the plan and asked to approve.
  5. Security personnel start to (gasp!) ask questions about the security ramifications.  They introduce risk concepts not solely related to profit and loss that are relevant to the implementation.
  6. Business leaders complain to executives that security is “slowing things down” and “disrupting” business.
  7. In the end, one of two things happens: (a) the business implements a “shadow IT” infrastructure to achieve their objectives; or (b) the implementation is modified to account for security.
  8. Regardless of the decision in (7), the desired results which drove the innovative idea aren’t fully recognized or realized.  In the case of shadow IT, this gap is usually because the rogue implementation cannot be fully supported and/or cannot be scaled appropriately.  In the case of a modified implementation, the modifications usually end up limiting some of the originally planned functionality.
  9. In the end, the business needs to take a different path to achieve its revenue objectives…resulting in further ideation and a brand new “great idea.”

…and the cycle continues.

This cycle has existed for decades, if not longer.  Many Warriors of the Light remember similar conversations around offshoring; outsourcing; laptops; WiFi; Bluetooth; and cloud-based service providers.  As security professionals we tell businesses that we want to support their ideas, but we need to be brought into the process earlier in order not to be a disruption.  We tell our leaders that we are happy to assist in the deployment of this technology/solution/idea, but that our risk acceptance levels will (and must) change, as we cannot guarantee the same risk levels that exist within the current operating model; and we diligently and rapidly clean up the messes that occur when we are not listened to.

While convenience and speed-to-market will always trump security in the minds of most businesses – and individuals – bolting on security as an afterthought is always more dangerous and more costly.  If the stories are to be believed regarding a default password hard-coded into the firmware of the vulnerable devices, this is something that any application security engineer would have raised as a red flag if the company had performed an AppSec review.  Instead, the company is now facing a recall of thousands of its devices as well as reputational damage – to itself and to the IoT industry as a whole.  We need to move closer to a model where “security by design” becomes a value-added differentiator rather than just an inconvenience or a necessary evil.

Security is not convenient…but it doesn’t have to be inconvenient if we factor in security considerations during the earlier phases of design – and throughout the entirety of the development/ideation life cycle.

My two cents…
