IT Managers Struggling to Keep Up With Cyber-Threats: Security Experts
McClure agreed, and told of one test he ran in which he was able to hack into an insulin pump. The pump, which is designed to regulate insulin delivery to diabetic patients automatically using an embedded wireless blood glucose sensor, turned out to have a back door. He explained that the manufacturer designed the pump so that it would only talk to the sensor using a specific serial number, but to make testing easier at the factory, the serial number “999999” would also work. McClure said that he would have been able to force the insulin pump to deliver too much insulin, killing the patient.
He said that when he revealed this to the manufacturer, they seemed to be unsure of what to do about the problem. But then the manufacturer said that the security hole was actually a feature because it made testing easier. Eventually the manufacturer understood why this was serious, and has since fixed those insulin pumps, but it illustrates the problem and the importance of getting IoT security right.
Unfortunately, the problem of security at all levels persists. Wallach said that in some cases device manufacturers realize that security is important, but they have trouble gaining management approval for security measures because of cost considerations. McClure said that the only way to solve the cost problem is to design security into devices from the beginning. That way, he said, the cost of security wouldn’t be seen as an add-on.
Still, there is some hope. “The defenders are getting smarter,” McClure said, but he noted that the picture isn’t as bright as anyone would like. “The attack surface area is so large that we’re basically janitors trying to clean up at the end of the day.”
The answer, Wallach said, is to focus on things that IT managers can change. That includes shifting focus to the endpoint because that’s where the attacks are aimed these days. He pointed out that while perimeter defenses aren’t the only answer, they are part of the solution.
“There’s that old notion of defense in depth,” he said. That means that the only way that security will work is to deploy it in layers so that no single attack can get to everything.
So what about those insider threats that seem to have become so visible lately? Even though the FBI doesn’t see those as often as they see criminal activity, they’re still important. Worse, they’re very difficult to defend against. “They know the system,” McClure said, “they know where the important information is kept and they know how to get to it.”