Commercial drivers needed for IoT security

AusCERT 2016

Describing himself as a “Security Oompah Loompa” Andrew Jamieson (@AndrewRJamieson) works at Underwriters Laboratory. He presented at AusCERT 2016 on IoT security.

Andrew Jamieson speaking at AusCERT2016

Jamieson posited the question “How do we measure security?”. The challenge, he says, is that there’s no objective system of measures for defining security.

“We need to define a level of risk through a thorough methodology,” he says.

While there are some objective standards, such as ISO, FIPS and PTS, these can be expensive to apply and measure against. And there’s a balancing act between individual risks and externally defined risks.

In short, there’s no simple definition for security.

Jamieson says there are three types of security problems. There are deliberate flaws, such as backdoors, that might be deployed for good reasons, such as future-proofing, but can be exploited. Ignorance is also an issue, through poor security configuration or as a result of a lack of understanding. Finally, there are issues that were previously unknown. These require regular system maintenance.

Each of these can be addressed. Deliberate issues can be found through code reviews. Ignorance can be addressed through penetration testing, while the previously unknown issues simply require prayer, he says.

The problem with security evaluations, says Jamieson, is that they take time, cost money and always fail. While they might be correct at a point in time, security is not static.

The IoT Challenge

With devices becoming smarter, less expensive and more connected, we’re seeing shorter development and production cycles. As a result, more vulnerabilities are introduced as go-to-market dates force developers to shortcut security.

“Customers can’t differentiate products based on security,” says Jamieson. “And there’s no incentive on vendors to make more secure systems.”

“Why don’t we do code reviews and pen testing?” asks Jamieson.

Simply, current penetration testing and evaluation processes can’t scale to deal with the massive volume of devices and products on the market. And there’s no objective way to test different devices as security is rarely presented as a point of product differentiation.

“IoT security is primarily a commercial problem that prevents suitable technical solutions from being applied,” he says.

Andrew Jamieson speaking at AusCERT2016

What’s the solution?

The problems need to be addressed commercially, says Jamieson. There need to be incentives for vendors to bake security into their products and to inform customers about how to make decisions about security.

This needs to be done with a framework that supports rapid product development and release cycles.

This might be achieved through programs similar to the star rating systems used for appliance energy or water consumption and for car safety, which have successfully altered consumer purchasing behaviour.

But there are challenges, says Jamieson. How does one compare a connected light bulb to an appliance?

Jamieson says systems can be defined by three things: interfaces (inputs and outputs), processing attack surface (the code running on the device), and system architecture. He calls this combination the “vulnerability surface”. Different features can change the vulnerability surface by their impact on the three components.

Logical Security Posture

Jamieson suggests that a system called the Logical Security Posture, or LSP, could be the answer.

A points system can be created that looks at the number of interfaces and protocols. The more interfaces, the more points of vulnerability and therefore the lower the point score. This can be used to drive vendor behaviour to reduce the number of interfaces. Similarly, vendors could increase their LSP score by committing to regularly patching their systems and using unique certificates for their products.

The focus of this kind of system is not on actual vulnerabilities but on the potential level of risk. Such a system could scale with the IoT, whereas existing methods simply can’t meet the needs of many billions of devices.

LSP doesn’t certify that a system is secure. Rather, a device with a high LSP score is “better” than one with a lower score, says Jamieson.

Security is not binary, says Jamieson. The real question is how much security we are prepared to pay for. That means commercial entities need commercial incentives to deliver more secure solutions.

Stories by Anthony Caruana