The necessity of connectivity mirrors the importance of speed in cybersecurity: Less integration creates more vulnerabilities. For effective cybersecurity, defenders should take the same integrated approach as the architects of the early Internet did (and the attackers who soon followed). The architecture that underpins security must match the cooperative fabric of flexible integration mechanisms of the Internet as a whole. Cybersecurity architects must design security that leverages the connectivity of all defensive components. By leveraging the connectivity among defensive components, defenders can field an entire team of security players from within and beyond their organizations.
Just as security must utilize and enable speed, it must also have and empower strong connectivity.
With properly designed security, defenders can achieve the core mission of cybersecurity: Enabling and protecting safe connectivity and allowing or denying access to information. Defenders who adopt such an integrated defense will gain an advantage.
MANAGING THE INTENSIFYING CONNECTIVITY OF THE IOT ERA
Brian Talbert, Alaska Airlines
Over the past several years, the reach, scale, and depth of digital connectivity has intensified so dramatically that it has fundamentally changed our conceptions and definitions of what being connected even means.
While many outside the fields of security and information technology still talk of greater levels of digital connection in the context of human beings communicating with one another, chief information security officers (CISOs) and their teams understand that that is merely a small, visible ripple on the very surface of today's hyperconnected world. Things and machines connecting with each other is the bigger picture of connectivity—which gets exponentially bigger each day and now borders on the immeasurable and the unimaginable. And, as many IT teams can attest, it is also increasingly unmanageable—at least by people alone.
That's because, as the Internet of Things (IoT) grows, the majority of connectivity today occurs between devices. With aims of greater efficiency, cost savings, and convenience, everything from cameras to lightbulbs to household appliances is being augmented with digital capabilities, allowing these things to connect to the Internet and to each other to share relevant information.
It is a level of new-normal functionality that creates a momentum powered by consumer demand: As more smart devices are manufactured, more people come to expect a new device to have that capability. And more companies scramble to enhance their product lines with technology—whether or not they have experience with it.
Today, the IoT comprises more than 8.4 billion devices—with a projection of 20.4 billion deployed by 2020.
What consumers and manufacturers often don't realize, though, is that the convenience of IoT devices comes at a cost. And that cost is a significant one: A vastly expanded attack surface comprising millions of devices with minimal security—manufactured by companies with little experience in securing digital technology.
Many IoT devices can be easily compromised to gain access to a network, or they can be chained together to create a huge increase in attack power. Layer in cloud services for managing these devices, and what results is a level of vulnerability that is ripe for attack. Because of the minimal security of the devices themselves, that attack can be incredibly destructive with little expertise required. You don't need to be a civil engineer to topple dominos, and you don't need to be a master cybercriminal to harness the IoT into a botnet.
Take the Mirai botnet, for example. In October 2016, a massive denial-of-service attack left most of the East Coast of the United States without Internet access. The attack was so large and so disruptive—a digital tsunami of 1.1 TB of data per second—that authorities first suspected it was an act of war by a rogue state or enemy nation. It turned out to be a couple of college kids with novice-level hacking skills and the desire for more competitive advantage in Minecraft.
And that gives an indication of the scale, power, and risk of today's landscape of connectivity.
Mirai harnessed the combined power of IoT devices—specifically routers, cameras, DVRs, and printers—by scanning for open ports, then taking over the devices with a few lines of code that cycled through 61 common unchanged default passwords. In the first 20 hours, it captured 65,000 devices—doubling the amount every 76 minutes, growing to a peak of up to 300,000 infections. All told, 164 countries were hit.
As the IoT continues to spread, IT teams are now faced with two primary connectivity challenges within their organizations. They must contend with devices brought in by casual end users, such as connected speakers that someone puts on their desk. And they must also secure business-use devices such as security cameras, office equipment, and facility equipment.
As enormous a challenge as this presents, it is important for IT teams to recognize that for the most part people are not using these devices with disregard for security. It is a new technology, and people simply don't know the risks it presents. Still, regardless of intent, IT has to treat every device as untrusted until it is verified.
These results create issues of incredible complexity and scale. With the IoT, as the surface area grows, it also becomes less and less defined. It is difficult to discern where a network begins and where it ends when literally thousands of devices can access it—and it also serves as an access point to anyone who can bypass the limited security of the devices.
Unfortunately, in such a complex and expanding environment, many organizations simply lack the visibility needed. As a result, they don't know what they don't know, much less how to secure everything they can detect.
As this new reality intensifies, it will create a primary need for better tooling for visibility; network access controls; and stronger threat detection, prediction, and response capabilities. But even with all these important defenses in place, it is not enough. The IoT is simply too vast to be managed and mitigated by people alone.
As the scale increases and vulnerabilities become more complex, the standard manual human security operations center or threat defense responders will no longer be a viable first line of defense. Success will depend on deeper machine intelligence and automation. That said, investing in the technology is only a small part of the solution—and even then, it requires a great deal of insight and understanding of the network and the greater connectivity landscape to design a model that is appropriate.
To create scalable and sustainable solutions, it's important to recognize that these problems are organizational—not individual or team-based. Before designing security strategies, executive leadership needs to fully understand the importance of addressing the problem systematically, with a cross-functional, cross-divisional program.
This program will have to include good security policies and architecture review processes. But it will also have to address the new reality that software engineers and application developers can no longer assume that they are building on top of a naturally secure and private underlying network. Secure coding practices must become so deeply ingrained in the philosophy, processes, and deployment pipelines that they simply become a part of the natural practices of the developer. The bar is high here, and these individuals must understand everything from user authentication to data obfuscation and secure data transport. Organizations will quickly see the need to develop repeatable patterns with consistent, standardized, and reusable security code libraries.
In short, addressing the connectivity challenge will require even deeper levels of cooperation and collaboration across an organization, from the coding level up. And to do that effectively requires both funding and expertise. As many CISOs and their teams know, this is a square-one reality that they must advocate and evangelize to decision makers in the C-suite, and even to the board of directors.
As