SAN DIEGO—If you think cyber-security is a problem now, wait until the Internet of things becomes routine in our daily lives.
Cyber-crooks are now hacking into the Targets, Home Depots and UPSes of the world almost with impunity, stealing customers’ credit card numbers, PINs, corporate sales information and anything else of value they can get their hands on. But service providers aren’t waiting for the day when a hacker decides to turn off someone’s heart pacemaker, cut off the power or heating in someone’s home in the dead of winter, or render a car unstartable.
It is true that all the technology is available to do these things today. So what are the government, the enterprise and the IT community going to do to prevent these types of events before bad guys gain inordinate control over everything connected?
Mix of Government, Enterprise and IT Pros at Event
These were just some of the topics at a new community/industry/government partnership event called CyberFest 2014, held at what used to be the Point Loma Naval Base here. The event, co-sponsored by San Diego’s Securing Our eCity Foundation and security software startup CyberUnited, attracted about 300 invited participants from government, enterprise, IT, retail, utilities and other sectors.
Topic areas included “Is the IoT All Hype?,” “The War on Personal Privacy,” “Hacking the Human,” “Infrastructure of IoT: Beyond Availability and Scalability,” “Preparing the IoT Workforce” and “The Future of the Internet.”
I moderated a panel discussion on “NextGen of Innovation: Riding the Pipeline of IoT.” Participants were Tom Caldwell, president of CyberFlow Analytics; Bob Quinn, CIO of Palo Alto Networks; Lamont Orange, chief information security officer at Websense; and Kris Virtue, director of Information Security Architecture and Risk Management at Qualcomm.
We tackled several questions, the first of which involved identity management—the initial step in keeping track of all things connected so that they can be accounted for and secured. This can involve any connected object as large as a major corporation or government database all the way down to something as minuscule as a connected soap dish.
Interesting Use Case: Connected Soap Dish
True use case: Cloud service-connected soap dishes are now being used in some hospitals to record how often they are being used by health care workers—who is using them, how often and at what times of day—to satisfy increasingly strict regulations.
The service identifies workers as they come through the door into the scrub room or bathroom and connects them with use of the soap dish. An audit trail detailing how many times the worker used the soap is then connected to the worker’s employee record. Recent reports of increased spread of germs in hospitals have necessitated this use of the IoT.
“We need to track the behavior of things,” Caldwell of CyberFlow said. “For instance, let’s take fraud. We get tracked with our credit cards. When you change your behavior of where you charge things, they catch it and keep your credit card from being charged. So in the Internet of things, everything needs a digital ID. It can’t be an IP address because that will get reassigned from location to location.
“What keeps me up at nights is the lack of consistent IDs of things that really don’t have identities.”
CyberFest Conference Looks at Road Ahead for IoT Security
In the IoT future, every sensor, every videocam, every connected soap dish will have an IoT name, and it might not be a number.
One of the misconceptions a lot of enterprises have is that innovation inside an enterprise can often be dangerous for security reasons, that innovations should stay behind walled systems and that only security professionals should be charged with handling the security of systems. This clashes with the common conception that “innovation happens elsewhere,” and that enterprises and service providers need to be constantly aware of new ideas coming to the fore in the open-source community, for example.
“It’s been said that as innovation comes across a number of different industries, security professionals need to step in front of it and quash it. That’s hopeless. Innovation is going to happen. It’s just too compelling, too alluring to people,” Quinn of Palo Alto Networks said. “In reality, what the industry and the providers need to do is not going to keep up with innovation and the technology. It’s always a catch-up game.”
Major Data Breaches Will Continue to Bring Attention
We are going to continue to see events that will bring widespread attention to this, Quinn said.
“I would hope these events involve only a connected soap dish. But often it’s the very organized, sophisticated, well-funded nation-state groups who are after the infrastructure and disrupting the economy of the United States,” Quinn said. “That’s what keeps me up at night.
“They are very innovative in what they are doing. They don’t just target specific things, but they target something laterally. We call it a kill chain; attackers do recon [reconnaissance] to find something that is weak, weaponize or install something there, become invisible there, and then start to move laterally to other places on the network. In this paradigm, the network is the cloud. Ultimately, they get to where they want; they get into the data center, they get credit cards or whatever,” Quinn said.
Achilles’ Heel for Enterprises: Red Security Tape
An Achilles’ heel that security companies and IT administrators have that attackers do not is that attackers are not subject to the rules, regulations and paperwork that slow down security professionals in getting updates to systems in place, Orange of Websense said.
“Also, in running a global information security program, the other component is ‘context-aware.’ We’re so focused on the user-centric context that we are forgetting about applications that can invoke other things,” Orange said. “Or systems that invoke applications that invoke other modules that will allow us to become vulnerable. And we don’t see it at this particular point in time.
“A lot of our systems are geared toward this anomaly, this 20 percent noise factor that goes up, and then you pay attention. With the onslaught of the Internet of things, we’re going to get increased data, no increased resources, no increased budget, but we still are going to have to answer that question, ‘Are we secure?’” Orange said.
Virtue of Qualcomm pointed out that in a machine or human invoking any service on the Internet, or for a machine to invoke another type of connection with a human or other machine, “the system isn’t just one provider. It’s going to be 10, 12, however many different pieces in a chain that forms whatever service I’m consuming.”
Back-End APIs Need Strengthening
“Those all need to interact with some kind of trust model, otherwise there are points of exposure,” Virtue said. “There are protocols that exist for back-end APIs [application programming interfaces]. That stuff still needs some work; we need to build standards and protocols around how to share that [data] in a secure and trustworthy manner. This is going to be crucial to fostering innovation, so people can build things, trust it, and they won’t have to all go off and build it themselves.
“Some people will get it right; a lot of them will probably get it wrong—like generating your own cryptographic algorithms. If you’re doing that, you’re probably doing something wrong. You need to use something that’s tried and true, otherwise there’s too much risk.”
eWEEK will revisit the content from this panel discussion and follow up with subsequent articles.