Securing the Fourth Industrial Revolution: A Shared Responsibility

The Fourth Industrial Revolution, or Industry 4.0, is well underway. Emerging technologies such as artificial intelligence, augmented and virtual reality, wearables and autonomous vehicles are making sizeable advances and becoming part of everyday life and business.

These emerging technologies all create a lot of data, and that data needs to be protected. Connected medical devices transmit sensitive patient information and are also responsible for keeping people healthy and alive. Connected power plants and other critical infrastructure transmit sensitive information and are also vulnerable to attack. The list goes on. Not only are these technologies creating large amounts of data that require protection, they also require protection for the intellectual property (IP) fueling them. Augmented and virtual reality companies are creating helmets and goggles for civil and construction employees straight out of Iron Man. And there are states that are not above stealing this kind of IP, which raises the stakes: many of the world’s electronic components come from those states, which puts extra pressure on manufacturers to keep devices secure.

This creates two situations in which data that is extremely valuable to criminals needs extra precaution: securing both the data and the devices producing and transmitting it, and protecting the intellectual property that makes those devices work. Data in transit and data at rest in these situations require heightened security through stronger encryption and IoT security, as well as high-assurance data protection environments to secure the data when it is not in use.

IoT security efforts should focus on developing a dedicated plan to secure the IoT devices, especially given how an IoT architecture — with its disparate protocols, software and hardware — differs from the traditional enterprise network. Integrating IoT devices into enterprise networks will require new risk management strategies and updated operational security strategies with the level of protection for a given asset greatly depending on its use case and the criticality of the application it supports.

It is therefore essential for enterprises to establish a clear vision of the business need for IoT devices, validate the technologies with stakeholders (including security professionals), assess the risks, deepen their technical understanding of how the IoT system really works, and validate system operations and feasibility.

To be most effective, IoT security has to be a shared responsibility. Many security incidents could be avoided if developers and manufacturers were aware of the risks they face on a daily basis, considering not just those that affect IoT devices but also those that affect the IoT environment as a whole, and developed products accordingly. But connected devices are typically designed to be low-cost and built for a single purpose — not with security at the forefront. They often have limited memory and computing power, which means they can’t be protected by traditional endpoint security. Therefore, enterprises must fully vet new IoT devices to understand how much security is built in. For example, the device may have strong embedded encryption, or it may have an exposed USB port. The administrative password might be “password,” providing an open invitation for misuse and abuse.

Finally, it should be noted that it is impossible for every IoT system to behave securely at all times within every context. A good rule of thumb and a sound approach for enterprises is to always adopt an evolving security posture.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

Finding Top Security Talent: If You Build It, They Will Come

I recently attended a meeting of like-minded Chief Information Security Officers who were discussing the challenges of their role. Conversation bounced between the need for better reporting metrics and the lack of value in threat intelligence, but one topic seemed to come up continuously: the difficulty of finding qualified security talent. This makes sense given that a recent report by Forbes described a shortage of over one million cybersecurity experts in the United States. In Atlanta alone there are 115 cybersecurity companies, all fighting for the same talent, and that does not include the more traditional companies requiring talent for their security departments. This shortage seems to be getting worse as demands on the average information security officer increase daily. What options exist to mitigate this never-ending problem?

Good security candidates today have expectations about positions and have the leverage to demand that those expectations be met. The right compensation is only the basic ante for access to the talent. For this reason, this post is focused on non-compensation-related strategies. Frankly, without the right compensation and benefits packages, none of the below matters.

Our experience is that modern candidates expect:

  • Personalized technology (e.g. the endpoint of their choice or the latest IDE)
  • The use of latest methodologies (e.g. Agile Software Development)
  • Influence over the technology roadmap, regardless of rank
  • Flexibility to innovate when required (e.g. new approaches are encouraged)
  • The ability to work in collaborative, technically-challenging environments

Many companies that I meet with are working hard to create personnel pipelines but pay no attention to the internal environment that is attractive to top-end talent. Not every company can be like Google or Facebook, but without the right environment they shouldn’t be surprised when it is hard to find talent. Companies might consider including a technology package in the offer letter or job description to entice candidates.

Companies should also not overlook the small benefits when recruiting. For many candidates I have recently interviewed, all things being equal, access to standing desks, MacBook Pros and free coffee have been important differentiators between positions. All too often, I speak with CISOs who believe that the honor alone of working for their company should be enough. Short of being one of the big names (e.g. Uber, Facebook, Google, Twitter, Netflix, etc.), honor alone is tough to sell. Not to mention that creating the right culture is of paramount importance to those big names as well.

Where can talent be found?

In my experience, companies are leveraging three general techniques to fill their pipelines: universities, industry technical groups, and internal skill transition.

Local universities present a great option for finding new talent. Many universities will carefully modify their curriculum to meet local company needs and are hungry for outside ideas and funding for capstone projects. While creating these pipelines at multiple universities leads to more hires, it is a long bet for primarily junior talent. Furthermore, simply supporting these programs financially is not enough. It requires a time commitment from leadership within the company and active involvement in the program through career fairs, co-operative programs, internships, capstone projects and active partnership with student organizations. The primary advantage of university-trained talent is access to classically trained engineers and scientists.

I often ask CISOs if a college degree is an important attribute for their company when looking for new employees. Almost universally and unequivocally, I hear no. For many of them, a requirement for a college degree eliminates too many technically qualified candidates. While there is certainly a role for university-trained talent, many positions simply don’t require the classic computer science or engineering background. It is hard to compare an engineer with five years of Red Hat experience to a newly graduated candidate who understands the Linux scheduler but has never managed Linux in a production environment. Local technology meetups and industry groups such as ISACA and ISSA are great places to identify hard-to-find talent. If an engineer is invested in their field enough to join an industry group, there is a good chance they are good at their profession. At Kudelski Security, we actively participate in OpenStack-related meetups to stay abreast of local, qualified talent.

Short of finding qualified talent, many CISOs are looking to transition IT talent. As one CISO told me, “if you can’t find them, make them.” This approach requires the development of information security programs and technologies that do not require years of security experience. For example, I recently met with a company re-purposing Perl developers to build security automation systems; they partnered each development team with a security architect to mitigate any experience gaps. Another approach is to build a farm system of security talent, a minor league team. Through internships and other temporary positions, companies may be able to train talent internally. The challenge with this approach is that you are paying for talent that is not contributing in the short term.

It is worth noting that employees who like their job are more likely to stay and will also try to attract top-level talent to join them. The security community is not that large, and both good and bad information on employers travels quickly. Six degrees of Kevin Bacon is alive and well within the community: even if the candidate doesn’t know someone who worked at a company, they likely know someone who knows someone who did.

Overall, finding qualified talent is difficult, and outside-the-box thinking is often required. I have seen more progressive companies take serious outside-the-box approaches to finding and re-training existing talent. While somewhat self-serving for a Managed Security Service Provider (MSSP) to say, it is important to note that careful outsourcing of capabilities can help reduce the impact of this problem. Outsourcing tasks that a company cannot possibly hope to staff lets it focus on hiring the qualified talent it can find. My experience is that CISOs who first focus on building an environment that is attractive to top talent do not struggle as much with talent shortfalls. Correlation or causation?

THE IMPACT OF (THE LACK OF) IOT SECURITY

There have now been two massive rounds of DDoS attacks recently using Internet of Things devices. The first round of attacks took down OVH, an Internet hosting provider and cloud hosting service, and KrebsOnSecurity. The second round just occurred and brought down Dyn, a major DNS hosting provider. This latest attack impacted many sites, including Twitter, Amazon and Netflix. KrebsOnSecurity has a good article explaining the impact and cause [here].

So why is this happening now? The general feeling is that the release of the Mirai botnet source code has given an IoT army to anyone who wants it. Mirai took advantage of default passwords in IoT devices and amassed enough resources to produce over 620GB of DDoS traffic. With the source code released, anyone can run the program to take over the same IoT devices. However, the botnet is really just a symptom: a symptom of the current disregard of security best practices by some in the IoT industry.

In this attack, the botnet is benefiting from IoT device white-labeling. Many IoT vendors include chips and devices from upstream manufacturers and sell them as their own. In this case, according to this Flashpoint report, a Chinese manufacturer was providing DVR, NVR and IP-based camera boards to downstream manufacturers. These boards had default usernames and passwords that were effectively unmodifiable. In addition, they also shipped with default-enabled services that allowed easy access to those accounts.

For an IoT manufacturer, there are two points at which this attack could have been prevented. First, the upstream manufacturer should have done a security analysis of its board and removed the account. Second, the downstream IoT vendor should have done a security analysis of any chip or board it was including in its product. It could then have asked the upstream provider to fix the issues or provided countermeasures in its own product.
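As an added illustration (not code from this post, from Flashpoint or from any vendor), here is the kind of pre-integration check a downstream vendor could run over an upstream board's account and service manifest before building it into a product. The manifest format, the default-credential list and the two sample boards are all constructed for this example; the point is that a fixed factory password behind a default-on remote login service is what the finding should reject.

```python
# Constructed factory credentials an integrator would refuse to ship with.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Interactive-login services that should be off (or loopback-only) out of the box.
REMOTE_LOGIN_SERVICES = {"telnet", "ssh"}


def audit_board(manifest):
    """Return (severity, message) findings for one upstream board manifest.

    manifest = {"model": str, "accounts": [(user, password, changeable)],
                "services": [(name, enabled_by_default, listens_on)]};
    changeable=False models the "effectively unmodifiable" accounts in the post.
    """
    findings = []
    exposed = [name for name, on, addr in manifest["services"]
               if name in REMOTE_LOGIN_SERVICES and on and addr != "127.0.0.1"]
    for user, pw, changeable in manifest["accounts"]:
        default = (user, pw) in KNOWN_DEFAULT_CREDENTIALS
        if default and not changeable:
            findings.append(("critical", f"{user}: default credential that cannot be changed"))
        elif default:
            findings.append(("high", f"{user}: default credential, rotate at provisioning"))
        elif not changeable:
            findings.append(("medium", f"{user}: password cannot be changed"))
    for name in exposed:
        findings.append(("high", f"{name}: remote login enabled by default, network-reachable"))
    # Both together is the pattern the post describes: a fixed password behind a default-on service.
    if exposed and any(sev == "critical" for sev, _ in findings):
        findings.append(("critical", f"fixed default credential reachable over {', '.join(exposed)}"))
    return findings


def accept_for_integration(manifest):
    """Downstream vendor's gate: refuse any board with a critical finding."""
    return not any(sev == "critical" for sev, _ in audit_board(manifest))


# Constructed samples: a board like the one the report describes, and a remediated revision.
BAD_BOARD = {"model": "cam-board-rev1",
             "accounts": [("root", "root", False)],
             "services": [("telnet", True, "0.0.0.0"), ("http", True, "0.0.0.0")]}
FIXED_BOARD = {"model": "cam-board-rev2",
               "accounts": [("root", "<unique-per-unit-from-label>", True)],
               "services": [("telnet", False, "0.0.0.0"), ("ssh", True, "127.0.0.1")]}

if __name__ == "__main__":
    for board in (BAD_BOARD, FIXED_BOARD):
        print(board["model"], "accept" if accept_for_integration(board) else "REJECT")
        for sev, msg in audit_board(board):
            print("  ", sev, msg)
```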

Realistically, not all IoT vendors have the security expertise to architect robust, safe systems that are hardened against attack. That said, IoT vendors need to become more security conscious. They need to pressure their industry to enable security by default, and to embrace the already common corporate practice of external penetration testing and security assessments for their devices, for the safety and security of us all. The problem is that there is currently nowhere for IoT vendors to turn for this expertise and support. On that topic there is more to come, and very soon. Stay tuned…