Blocking the Barbarians
Jun 24, 2019, 9:00 AM.
The internet of things has put network security front and center again. Here’s what you need to know.
Twitter, Etsy, Spotify, PayPal, Reddit, The New York Times, Netflix. The list goes on. All went down for the count on October 21, when Dyn, the DNS provider they had in common, suffered a Distributed Denial of Service attack.
One probable source for the attack: thousands of infected internet of things (IoT) devices pounding in lock step at the company’s services. Security specialists were hardly surprised. They’ve been predicting bad news ever since sensors began showing up in consumer devices. In fact, just six weeks before the attack, the Online Trust Alliance (OTA), a nonprofit organization focused on enhancing online trust, issued a news release stating that every vulnerability or privacy issue reported for consumer-connected home and wearable tech products since November 2015 “could have been easily avoided.” All it would have taken was adherence to an “IoT trust framework” developed by the organization.
However, this technology created to run our homes, hearts and cars has long stressed functionality and low cost over security. And that will probably continue. As one representative from a major brand told OTA executive director Craig Spiezle, explaining why it wasn’t willing to add better security: The cost to protect the device would be 11 cents, and the encryption could potentially affect battery life. Bottom-line production considerations may rule now, but that could change depending on outages and data breaches. But even if built-in security does become the norm for IoT, that won’t be enough to keep out the barbarians on the other side of the wall, says Alexander Perez-Pons, a security expert who has been monitoring malware since before it had that name.
The Quandary of Security
“Twenty years ago, we barely had cell phones. Security was not even an issue,” says Perez-Pons, a researcher in malware and a lecturer in Florida International University’s College of Engineering and Computing. “Now with IoT, we see this growing from 6 billion devices to 20 billion devices by 2020. We’re allowing more of our devices to be sitting around us; we’re wearing them; they’re interacting with us. Security has to become an area of focus.”
Perez-Pons, who designed and teaches in FIU’s fully online Master of Science in Computer Engineering with a concentration in Network Security, acknowledges that every organization needs to stay on top of its systems and “make sure they’re protected, have intrusion-detection systems and all the bells and whistles in place.” But ultimately, that only “gets us some comfort that we think we’re doing everything.”
As long as there are users, truly secure computing will always be out of our grasp. As he explains, malware or malicious activity — whether it’s ransomware, viruses, spyware, backdoors or something else — “is what you have to avoid.” But how do you get the malware? Through users navigating and clicking inadvertently on something.
Or, if you’re a company with a presence on the internet and email, “you’ll most likely have outbound systems — systems that are out there for people to find. If you want normal consumers to be able to access it, that means that hackers and anybody else can have access to it, too. They’re available to everyone for either benign or malicious activities. All it takes is one misconfiguration to allow someone to get in.”
Humans are a network’s greatest weakness, says Perez-Pons. And user education, he insists, will only get you so far. “If you have a training program you do once a year, and the employees are dying to get through it so they can go back and do what they have to do, that’s not going to be a good scenario,” he says.
“We can have the best security in place in the network. We can spend thousands of dollars securing our network boundaries. We can spend thousands of dollars in training. We can spend so much effort, and all it takes is one foolish action — just clicking on an attachment or on a link that might bypass the security mechanisms in place. All you need is to contaminate one system within the network and that one system can be searching for other systems within the network to contaminate.”
“Remember,” he reminds us, “we have to be right 100 percent of the time.” The bad guys “only have to be right one time.”
If training isn’t foolproof and hardening our systems won’t close the loop, what’s the solution? Frankly, Perez-Pons says, “there is none. You can’t stop it. All you can do is try to reduce the risk when you do get compromised by not having all your critical information [stored] in a way that allows it to be infected.”
And, he insists, eventually, everyone will suffer a cyber break-in. If you haven’t so far, it may be because “you just don’t know about it yet.”
“This is a cat-and-mouse game,” Perez-Pons observes. “You make changes, and the hackers will come up with ways to try to circumvent whatever you put in place. It is an ongoing battle. It is continuous.” Ultimately, the solution requires “training, technology and cooperation across business, government and other entities that will help mitigate [the damage] as much as possible.”
Given all that, Perez-Pons contends there is no more fascinating business to be in. “Security will have to be a vital component in anything that we are producing now and in the future, because we care about two things more than anything else: our privacy and security. If you don’t seek to have those items in place, everything else seems to be so minute compared to that. No matter how wonderful the device you’re putting together, if you cannot address security with it, consumers who are becoming much more educated if not more sensitive to the concerns of security will start to question the validity of that product.”
In other words, those IoT-makers will eventually have no choice but to deal with security. The cost of risk mitigation will eventually look like a bargain compared with the added expense of building security into their products.
A few years ago security was “kind of an afterthought,” he says. “Now it is front and center. We’ve let the genie out of the bottle. We’re not going to put it back.”
Security Skills that Count
FIU’s Perez-Pons outlines the skills that matter for security professionals these days.
A Networking Background
If you have a degree in engineering or computer science “and you’ve been working as a professional in this area,” you’re a prime target to succeed in the security field, he says. “Experience goes so far,” Perez-Pons observes. “When you’re thrown an unknown piece of software and the CIO needs to know in the next day or so whether we’ve been hit or not, the pressure is on at that stage.”
Programming Experience
“Although security tools can take you to a certain place, at some point, you’re either going to be modifying, extending, enhancing,” Perez-Pons insists. “That work requires being able to program software.”
Curiosity for Security Issues
“You’ve got to be passionate about this,” he declares. Otherwise, you’ll grow weary of the pace. “This is an ongoing, never-ending, relentless information-gathering [process] all the time. Every day we hear [about] new things coming up.”