As the new year begins, we sat down with Executive Vice President and CTO of XMedius, Sébastien Boire-Lavigne, and asked him to consult his crystal ball about what might be the big data security stories waiting to happen in 2019.
Internet of Things: The Enemy Within
The proofs of concept have been well established and documented; it is just a question of time before Internet of Things (IoT) attacks make the next big headline.
When Alexandru Balan, Chief Security Researcher at Bitdefender, showed at RSA 2018 how a simple smart plug could be exploited, I came to realize what a serious blind spot IoT devices are in our information security systems in general, and how grave a danger they pose to everyone’s home network.
“Non-computer” devices are often perceived as having a lower risk profile than computers, but that may change fast in the next few months. In his presentation, Alexandru managed to easily discover millions of smart plugs over the Internet using an open API, and then proved that the plugs could be infected to establish a persistent foothold from which to launch attacks from within whatever network they are in. That’s as bad as it gets.
Don’t be deceived by their appearance: these are fully operational headless computers. Once infected, IoT devices bypass normal security protections, like firewalls, and allow attackers to start probing network weaknesses and eventually move into systems holding valuable information. Most IoT devices run some version of BusyBox, a Linux distribution targeted at embedded devices.
So the real danger of IoT is not a hacker flipping your lamps on or off, making you hot in the middle of the summer, or playing some Danish death metal on your smart speaker at 3 AM (Ref: episode eps2.0_unm4sk-pt1.tc of Mr Robot); it is the invasion of your network. Networks are more vulnerable from the inside than from the outside, and this is particularly true for home networks.
How an IoT Hack Could Happen
Imagine this scenario: let’s have a trade show booth for our fake company at the Gartner IT Symposium, targeting high-profile IT executives. Let’s give away smart plugs to everybody who gives us their business card. That way, by carefully handing out the smart plugs in a particular order, we can even know who got which plug. Odds are good that they will use the smart plugs at home, which is perfect for us, as there usually aren’t many intrusion detection systems (IDS) running on home networks.
The end result? For the cost of some smart plugs and a trade show booth, an attack on the CIO or head of IT of a billion-dollar company can be executed from the comfort of their home network. This is a hypothetical attack scenario, but it is certainly not far-fetched and would be fairly easy to implement.
So Where Does That Leave Us?
Realistically, it is hard to believe that IoT device manufacturers will harden their $50 devices to the point where they can be trusted. Legislation like California’s “Security of Connected Devices” is certainly a step in the right direction, but frankly it doesn’t change the economic fundamentals of those “cheap headless devices”.
The only legitimate solution, then, is a zero-trust approach to IoT: IoT devices must be radically segregated from the rest of our networks, both at work and at home. Consumer network equipment manufacturers should start shipping “default” configurations that include a secure zone explicitly for IoT devices, where they cannot be used to attack other valuable assets on the network.
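As an added illustration of the segregated IoT zone described above (example configuration written for this page, not from the original post or from XMedius), here is an nftables ruleset for a Linux-based home router with three assumed interfaces, lan0 (trusted LAN), iot0 (IoT VLAN or SSID) and wan0 (uplink), all placeholder names. IoT devices get Internet access for their cloud services and firmware updates and nothing else, the trusted LAN can still reach the devices to control them, and any attempt by an IoT device to reach the LAN is logged, which is exactly the signal an infected plug would produce.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names (placeholders): lan0 = trusted LAN, iot0 = IoT zone, wan0 = uplink.
flush ruleset

table inet iot_zone {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below flow back in either direction.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may initiate connections into the IoT zone (phone app -> plug).
        iifname "lan0" oifname "iot0" accept

        # IoT devices may reach the Internet only. Any attempt to reach the LAN is
        # logged before being dropped: a plug probing the LAN is an infection indicator.
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop

        # Trusted LAN to Internet as usual.
        iifname "lan0" oifname "wan0" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # The router offers the IoT zone only what the devices genuinely need: DHCP and DNS.
        iifname "iot0" udp dport { 67, 53 } accept
        iifname "iot0" tcp dport 53 accept

        # Router management (web UI, SSH) is reachable from the trusted LAN only.
        iifname "lan0" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both zones share the uplink address; isolation is enforced in the forward chain above.
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` on the router; the `log prefix` line is what a home user (or a small IDS) can watch for in the kernel log.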
Note to self: do not install smart cameras in bedrooms…
Over Proliferation of Security Frameworks and Questionnaires, the Unbearable Cost
Security frameworks and security questionnaires have existed for a while now, but 2018 is an inflection point. The conjunction of cloud adoption and the integration of the global IT supply chain is multiplying the requirements placed on providers running security programs, unfortunately while delivering frankly little benefit to any party.
Until recently, few customers required security certifications, so supporting customer requirements was not too much of a burden and a certification was nice to have. Those days are over, and customers are getting more sophisticated in managing the security requirements of their cloud suppliers. This is actually a good thing; it makes businesses and the internet as a whole a safer place. The problem lies in the multiplication of ad hoc security questionnaires and various security requirements.
Too Many Questions That Are All the Same
Most security questionnaires ask the same questions, but in different ways. This imposes a heavy cost burden on cloud providers. For example, the Cloud Security Alliance’s CAIQ questionnaire is certainly a worthy initiative. We spent several weeks filling it out, supplying meaningful answers and thorough notes. We can’t spend that kind of effort on “ad hoc” questionnaires.
It would be to the benefit of all parties to use a standardized security Q&A system, so that everyone gets the most out of it. Of course, some industries may have specific requirements, but we should be able to construct a modularized approach to questionnaires that build on one another.
A Framework for Every Problem
We’re also seeing the same phenomenon with security frameworks. In the last 12 months we have been asked to demonstrate compliance with: SOC 2, HIPAA, GDPR, ISO 27001/27017/27018, NIST 800-53, CSA, HITRUST, PCI DSS, FedRAMP, and CJIS. I’m sure there are several more around the corner.
There is a need to standardize the whole tech industry onto a single global security framework that can be extended into specializations addressing the particular requirements of specific markets.
I think that France’s healthcare services provider certification (HDS) is a good example of the right way to establish a sectorial certification. It requires compliance with ISO 27001, ISO 20000 and ISO 27018, along with 38 additional security controls specific to the sector. This is a much sounder approach to the problem than building yet another security framework from A to Z.
We need a universal security framework. I personally favor ISO 27001, with sectorial security controls added as extensions to the base system. This would significantly reduce the effort required to support a broad range of certifications and make cyberspace a safer place, so that we can spend our time securing information assets instead of demonstrating the same thing over and over again.
I will not be holding my breath though…
The Empire Strikes Back… on Encryption
Encryption. We take it for granted, but the truth is that our privacy and security are under attack, and not by some dangerous hackers, but by our own governments.
Following in the footsteps of the UK government, the Australian government just signed into law the Telecommunications and Other Legislation Amendment bill, giving law enforcement far-reaching powers to compel internet service providers to alter their security protections (i.e. encryption) so that law enforcement may gain access to user data.
While this may sound reasonable, it’s a Pandora’s box that is easy to open but very difficult to close. Given the way encryption works, it is not possible to weaken it for the government without weakening it for all hostile parties. For example, if companies are forced to roll back end-to-end encryption and best-in-class encryption key management practices to allow governments to intercept communications, everyone suffers from the weakened security.
In most cases, the best way to build strong encryption schemes is to make sure that even the maker of that scheme cannot circumvent it. If the NSA was not able to protect “EternalBlue”, which ended up causing several billion dollars in damages around the world, can we really expect that service providers will be able to protect us with weakened encryption systems?
It doesn’t stop there. In the US, the FBI is lobbying for legislation that would force tech companies to weaken encryption schemes on smart devices, and is also fighting in court to force Facebook to weaken the encryption of WhatsApp.
What do Clipper chips, key escrow, backdoors or “front doors”, and lightweight encryption have in common? They are all bad schemes that hurt citizens’ privacy and security with no clear advantage to society. Personal information, healthcare information, and banking information should be protected by the best encryption schemes possible.
In any case, it is wishful thinking to try to put 100 years of advancement in cryptography back into its box. Determined parties will have the means to develop and use perfectly secure encryption software, obtained outside normal commercial channels, and keep their communications protected from the prying eyes of governments. In contrast, law-abiding citizens will see their day-to-day activities put at risk for little to no benefit. While that may discomfort governments, encryption is here to stay. In the age of the internet, without encryption there is no freedom, and without freedom there is no encryption. Countries restricting access to encryption say a lot about how much they really value the freedom and protection of their citizens.
It is a battle that the tech industry must continue to fight for the benefit of all.
Want to be better prepared for the security requirements of 2019?
XMedius offers cutting edge secure data exchange solutions that can boost protections while facilitating easier compliance with privacy regulations.
Sébastien Boire-Lavigne is the Executive Vice President and CTO of XMedius, where he has been a driving force in the company’s technology strategy. Among the accomplishments in his 20+ year journey with XMedius, SBL has led the development of the cutting-edge XMedius Fax-over-IP technology, Cloud platforms, and XM SendSecure solutions.