We can still ‘Nail’ security in the IoT

It’s a matter of getting product developers to overcome their naïveté, ignorance and laziness. Harsh? Yeah, but the truth hurts.

Oh, the things that we didn’t know enough to worry about five years ago: Cars that can be remotely “bricked” via computer; home automation controllers that can be compromised to distribute spam; “smart” light bulbs that can be hacked to reveal Wi-Fi passwords.

Now that the Internet of Things (IoT) is upon us, these things have all made the headlines lately. But I’m not here to say that the IoT is a terrible idea and we all need to reject it before it destroys our last vestiges of security and privacy. My take is that what is going on with the IoT is predictable, preventable and fixable. I say this because when it comes to rolling out new technologies, history has a way of repeating itself.

Think about it: Every time a new and cool technology is released, the early adopters find out within a month or two that it has some gaping security hole.

Why? Is this pattern really inevitable? My colleague Gary McGraw wrote in 2006 about “The Trinity of Trouble”—connectivity, extensibility and complexity — that underlies the introduction of security holes in new technology products. Those factors certainly contribute to the problem, but I see things a bit differently. I think of the root causes as naïveté, ignorance and laziness, or “Nail” for short. Here’s why.

When diving into new technologies like connected refrigerators and thermostats, product developers tend to be naive about threats, ignorant of security controls and/or too lazy to fully learn and hence implement things the right way the first time.

Naïveté. Product developers tend to naively underestimate threats, particularly if they are new to them. They don’t appreciate the lengths to which adversaries will go in researching their new products for possible vulnerabilities and developing tailor-made attacks against those vulnerabilities. Inevitably, they are surprised when vulnerabilities and attacks are disclosed. Caught off guard, they often rush a solution out the door that solves nothing and possibly even makes things worse.

Ignorance. Being naive about the threats their products will face, developers are naturally ignorant about the security controls that they can and should be implementing in their products. Things like end-to-end encryption of device-to-cloud traffic, strong mutual authentication between device and service, threat modeling and code reviews are often simply ignored until it’s too late.
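To make “strong mutual authentication” concrete, here is an added example (not the column’s code, and not from any product it mentions) of a challenge-response handshake between a connected device and its backend using a per-device HMAC key. The backend challenges the device, the device proves possession of its key, and the backend must prove its own possession before the device trusts it. The `Backend` and `Device` classes, the message layout, and the sample device id and key are assumptions made for this illustration.

```python
"""Mutual challenge-response authentication between an IoT device and its
backend, keyed with a per-device secret. Added example, not the column's
code; Backend, Device and the wire format are hypothetical."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _tag(key: bytes, role: bytes, device_id: bytes, s_nonce: bytes, d_nonce: bytes) -> bytes:
    """HMAC-SHA256 over both nonces, domain-separated by role so the backend
    cannot prove itself by simply echoing the device's own tag back."""
    msg = b"|".join((role, device_id, s_nonce, d_nonce))
    return hmac.new(key, msg, hashlib.sha256).digest()


class Backend:
    """Server side: holds one secret key per enrolled device."""

    def __init__(self, device_keys: dict):
        self._keys = dict(device_keys)
        self._pending = {}  # device_id -> outstanding challenge nonce

    def challenge(self, device_id: bytes) -> bytes:
        if device_id not in self._keys:
            raise KeyError("unknown device")
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: bytes, d_nonce: bytes, d_tag: bytes):
        """Return the server's proof-of-possession tag, or None on failure.
        The challenge is consumed on use, so a captured response cannot be
        replayed against a later session."""
        s_nonce = self._pending.pop(device_id, None)
        if s_nonce is None:
            return None
        key = self._keys[device_id]
        expected = _tag(key, b"device", device_id, s_nonce, d_nonce)
        if not hmac.compare_digest(expected, d_tag):  # constant-time compare
            return None
        return _tag(key, b"server", device_id, s_nonce, d_nonce)


class Device:
    """Device side: knows only its own identity and key."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self._key = key
        self._s_nonce = self._d_nonce = None

    def respond(self, s_nonce: bytes):
        self._s_nonce = s_nonce
        self._d_nonce = secrets.token_bytes(NONCE_LEN)  # device contributes freshness too
        return self._d_nonce, _tag(self._key, b"device", self.device_id, s_nonce, self._d_nonce)

    def verify_backend(self, s_tag: bytes) -> bool:
        expected = _tag(self._key, b"server", self.device_id, self._s_nonce, self._d_nonce)
        return hmac.compare_digest(expected, s_tag)


def mutual_auth(device: Device, backend: Backend) -> bool:
    """Full exchange: challenge -> device response -> server proof -> device check."""
    try:
        s_nonce = backend.challenge(device.device_id)
    except KeyError:
        return False
    d_nonce, d_tag = device.respond(s_nonce)
    s_tag = backend.verify_device(device.device_id, d_nonce, d_tag)
    return s_tag is not None and device.verify_backend(s_tag)


def replay_is_rejected(device: Device, backend: Backend) -> bool:
    """Capture one session's device response and replay it in a fresh session."""
    s_nonce = backend.challenge(device.device_id)
    d_nonce, d_tag = device.respond(s_nonce)
    if backend.verify_device(device.device_id, d_nonce, d_tag) is None:
        return False  # the genuine response should have been accepted
    backend.challenge(device.device_id)  # new session, new server nonce
    return backend.verify_device(device.device_id, d_nonce, d_tag) is None


def rogue_backend_is_rejected(device: Device) -> bool:
    """A backend that never received the device key cannot finish the handshake."""
    rogue = Backend({device.device_id: secrets.token_bytes(32)})
    return not mutual_auth(device, rogue)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed enrolment key for one sample bulb
    bulb, cloud = Device(b"bulb-0001", key), Backend({b"bulb-0001": key})
    print("honest handshake:", mutual_auth(bulb, cloud))
    print("replay rejected:", replay_is_rejected(bulb, cloud))
    print("rogue backend rejected:", rogue_backend_is_rejected(bulb))
```

In a shipping product this exchange would normally ride inside TLS (client certificates or a pre-shared key), and the per-device key would be provisioned at manufacture rather than hard-coded. The point of the sketch is what “mutual” actually requires: a fresh nonce from each side, a proof in each direction, domain separation so one side cannot reflect the other’s proof, and a challenge that is consumed on use so a captured response is worthless later.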

Laziness. All right, I know this sounds harsh, but when developers are aware of security controls and still don’t implement them, my perspective from the outside is that they’re just too lazy to do things right the first time.

The three elements of Nail are all quite understandable, though I can’t quite forgive them. They are understandable because product development is fiercely competitive, with companies under intense pressure for their new technologies to be first in the market. The thinking seems to be that once the new product has a strong foothold in the market, they will be able to go back and bolster security. The unforgivable part is that tomorrow never comes — or only comes when some researcher publishes a paper exposing a gaping security hole for all the world to see.

So how do we eradicate Nail? It’s a tall order, and I’m not convinced we can do it completely.

After all, you would expect naïveté to dissipate in the face of countless headlines about other products’ security fiascoes. I haven’t noticed that happening. Naïveté and a bit of misplaced hubris are a dangerous combination.

Ignorance can be overcome, and there are many security guys like me who’d gladly help software developers learn about the security controls they can deploy with their products. That, however, requires the developers to actually attend some training and then put it into practice.

As for laziness — well, there we’re up against a very formidable foe, human nature.

Despite that assessment, I’m an optimist. I’m convinced that if you’ve assembled the right staff, armed them with knowledge and inculcated a culture of putting quality and security first, things will change — especially after my recent encounter with a top-notch security organization. Which of you product developers wants to be first?

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
