Humans are just bad at this
In This Issue:
- Securing IoT like they’re industrial controls – before it’s too late
- The bug bounty price wars
- The Electronic Frontier Foundation is our security friend
- Both sides of the security deathmatch are getting stronger
Industrial Control Systems and the Internet of Things: Lousy IT Security Is Just How Humans Roll
At this point, I think it’s safe to say that humans are just bad at IT security. There are few areas where we could reasonably say that, on the whole, we’ve not only figured out how to defend a workload or device against common threats, and where most of us have done so. While information security professionals holler and shout about the default position of apathy, it’s only in very specific circumstances that our societies seem willing to mandate some form of action.
Industrial control systems are, in many nations, receiving regulatory attention. Ordinary citizens who would be incensed at the idea that they be forced to secure their home networks are nevertheless insistent that the command and control systems of, for example, nuclear power plants be secured. Unfortunately, our gaze needs to be wider, as Your Life Is the Attack Surface: The Risks of IoT points out.
Q&A: Why emerging IoT platforms require the same leading-edge security as industrial controls. The Last Watchdog offers arguments for why we, as societies, should be putting effort into securing the machine-to-machine communications of the IoT. The Differences and Similarities Between IoT and ICS Security offers a look at how industrial control systems and IoT devices can reasonably be compared. In both pieces, the nature of IoT devices is relevant to the argument: these devices aren’t regularly monitored by humans. If they’re compromised, and we aren’t monitoring them for compromise, we might never know.
Countermeasure:
It’s time to stop ignoring all the devices on our networks that aren’t easily governed by our enterprise management software. Just because our existing IT infrastructure management solutions can’t secure our sensors, light bulbs and printers doesn’t mean they aren’t a threat. Getting a handle on how to solve this problem needs to be done now, before the number of devices metastasizes beyond any reasonable attempt to bring them under control.
The Great Bug Bounty Debate
There’s big money in bug bounties these days. Zerodium Offers to Buy Zero-Day Exploits at Higher Prices Than Ever and Earn $2,000,000 by remotely jailbreaking an iPhone are both excellent introductions to the world of high-stakes hacking, and the debate around the validity of the practice is worth exploring.
Bug bounties have proven to be effective for many organizations, and the practice has ensured that information security professionals who might otherwise have left the field (or gone black hat) have contributed to our collective defense. The flip side of this particular coin is that there are real-world consequences to having the bounty prices offered by vendors rise.
The most obvious consequence is that smaller vendors are simply priced out of the market. The inability to afford exorbitant bounties means that these vendors can’t attract top whitehat talent, and this can leave these vendors’ products vulnerable.
Another consequence is that as the price of vendor bounties rise, so too does the price offered by malicious actors. Bug bounties are, in a sense, becoming a race to price those of lesser means out of the market. Unfortunately, malicious actors include a number of extremely well resourced state actors, and they may ultimately be able to concentrate the output of top information security talent away from improving the products of even the largest tech vendors.
Countermeasure:
If your organization has a bug bounty, consider seriously the ramifications of engaging in price wars. Chasing grey hats with cash may ultimately be self-defeating. Take time to cultivate relationships with white hats, and understand that there are some individuals whose attentions you will not be able to reasonably attract.
The Only Thing Certain About the Privacy and Infosec Regulatory Environments Is That Nothing Is Certain
Who has ownership of your data? Who should have ownership of your data? Who should be able to obtain, modify, or use that data, and for what purposes? These are the questions asked by the Electronic Frontier Foundation, most recently in You Should Have the Right to Sue Companies That Violate Your Privacy and Give Up the Ghost: A Backdoor by Another Name.
It’s no secret that virtually every organization, from non-profits to governments, are looking to obtain as much data about people as they can. In many – if not most – cases the goal is to use this data against us. In some cases the goal is simply to convince us to buy things we don’t want or need. In others, the goals are far more sinister.
The EFF, though sometimes portrayed as radicals, have proven to be remarkably balanced in their approach to privacy advocacy over the years. The EFF fights for us all, both as individuals and as organizations. The opinions expressed formally on their site are usually quite carefully considered, and worth serious consideration.
Countermeasure:
The EFF relies on the donations of individuals and organizations to survive. In exchange, they provide a valuable service. Beyond advocacy seeking more stringent privacy rights, they advocate for a stable, predictable regulatory environment that is acceptable to the majority of individuals and organizations. Regulatory stability is important for making long-term strategic decisions, and as such, supporting the EFF should be considered a sound investment for any organization operating in a Western nation.
Both Attackers and Defenders are Upping Their Game
When humans can’t get any smarter, it’s time to turn to artificial intelligence. Will Machine Learning Make Software Vulnerabilities Obsolete? offers a look at one side of the battle, while New Year, better phishing scams examines the other.
Yin and yang, attacker and defender, predator and prey. Evolution is happening in the information security and software development spaces (assuming you separate the two anymore) just as surely as it has in the development of life. Unlike biological evolution, however, the information security attacker and defender metagame evolves over the course of months, not millennia.
Countermeasure:
It’s unreasonable to expect that any information security professional or organization be fully up to date on all the various ways in which malicious actors are pursuing attacks. There are, however, umpteen 2018 retrospectives and predictive content pieces in the infosec space about 2019. Take the time to seek these out and peruse them. Yesterday’s threats are not today’s, and tomorrow is only a day away.
Podcast of the Week
While the podcast is itself interesting, the comment thread attached to it is very much worth perusal.
Interview with EFF's director of cybersecurity, Eva Galperin
This Week's Threads
The debate over what to look for in people we hire has been going on as long as there have been jobs to be had. Credentialism, however, and modern economics offer some interesting twists for emerging professions, especially given the existence of the Internet. This thread is an excellent exploration of all sides of the debate.
"Unpopular opinion, #infosec edition. I see too many posts complaining that new people coming into the industry don’t have “passion”.
It’s a form of gatekeeping. Knock it off." Chad Loder (@chadloder)
Quick Links
- NSA to release its GHIDRA reverse engineering tool for free
- Did we say there would be more side-channel exploits found in 2019? It only took a few days
- How do I determine if an IP lookup service was used maliciously?
- California bill would curb use of paper receipts to reduce waste, push digital alternative