Insecure of Things

During this exciting time of technological advancements, when there is an app for every facet of our lives, from letting you know the right time to take a bathroom break during a movie to how to build a space shuttle, why am I continually disappointed?  We have become a generation addicted to our apps and having the latest and greatest technologies, but that comes with a steep price. We have to continually ask ourselves with every purchase and click, what is my data and privacy worth if and when it is leaked, breached or stolen?

George Santayana wrote: “Those who cannot remember the past are condemned to repeat it.”  (The Life of Reason, 1905)

With all the massive security breaches that happen daily around the globe, why are we not learning from them and from each other? Why are we not taking the necessary precautionary steps as consumers and manufacturers? Maybe a better term for “Internet of Things” should be “Anyone Can Control my Things?”

Just because it is convenient to connect all your devices doesn’t mean you should.  The price for convenience can cost our privacy, our reputation, our livelihood, and even our lives. To the average user, a connected smart thermostat is just a thermostat. We would never imagine that it could be a fully equipped, connected and functioning computer that is able to influence the physical world. Through these in-home devices, an entry point is established to enter your home, access all of your connected devices, and ultimately your entire digital DNA. Over 70% of these devices are vulnerable to cyber-attacks, due to loopholes and backdoors that were left in the hardware and software and being exploited daily by anyone.

We, the consumers, need to band together to push these security threats back onto the responsibility of the companies that create them.  The best way to do that is by voting with our feet, our wallets and through legislation. We need to demand that companies build in security.  Not just in the beginning with the initial discovery phase when they are researching new products and services, but also carry it out all through the software/hardware development life cycle (SDLC) to include support and maintenance.

What can I do as a consumer?

1. Research before you buy, and vote with your wallets. Read the EULA, security features and the privacy policies. Install patches, software updates and product upgrades when available.
2. Don’t buy the first or beta version of the product. Let someone else test it out and wait for the manufacturer to rev the product.
3. Become active with legislation to help create or change privacy laws for public and private companies to become more accountable for their products and services they bring to the market.
4. Stop connecting everything. Don’t give up security for convenience.
5. Use strong passwords and two factor authentication.

What can I do as an employee/manufacturer?

1. Adopt a security focused approach, build and design security in, create use cases and test cases, write security related requirements through out every iteration. Develop threat models, pen testing and offensive security plans to test potential attacks. Ensure your Business Analysts, Project Managers, QA Engineers, Developers, Architects and Managers are measured on quality and security. Don’t be afraid to speak up if the product does not use proper encryption or privacy controls to secure user data and network services properly.
2. Stop collecting so much user data, provide consumers with more choices to opt-out of data collection.
3. Build in a line item into your budget just for security, and that does not mean buy more hardware and software. Invest in your employees, get them trained, cross trained or certified.
4. Purchase and partner with key manufacturers for the memory, chips, sensors and processors who you trust, don’t pass the buck onto the consumers to pay for your laziness or cheapness.
5. Don’t create backdoors or leave them open. Harden and secure endpoints.
6. Listen to your customers, put quality first. Take the lead on creating a secure product line.
7. Invest in systems that automate the detection of malicious activity so that it can be contained and remediated before data is lost or damage is done. Your network has to be configured to automatically prevent or detect these nefarious behaviors.
8. Secure the data. Most data is unprotected in the cloud; personally identifiable information (PII) is open to anyone who wants it. The protection needs to start from the sensors and go all the way up to where the data is stored to cover data at rest and data in transit. Companies need to have and enforce a strict data retention policy and make sure they maintain a high level of security compliance.

I often get asked by friends and family, whose responsibility is security, isn’t it the companies that make it? The answer is a resounding, “no,” it is ours. It is our data, we own it and we should protect it. We need to become educated and aware of all the risks that come with surrounding ourselves with IoT connected devices. Companies are not good at securing their products or even their own infrastructures. They are starting to see and feel the effects of these poor decisions and security breaches by firing C-level executives or paying out millions in fines for lost consumer data. Security is every human’s responsibility to ensure that they are taking the necessary precautions to protect their own data. Do not rely on companies to do this on your behalf. As long as being first to market (quickly and cheaply) is their main driver, then security will most likely continue to be an afterthought and a reactionary gesture.

There is good news through all these breaches; the knowledge, experience and awareness is already here, we just need to learn from it. Listen and adapt to fit the constraints of IoT devices into our lives properly. Technology will continue to advance at a rapid pace and get better over time, but so will the bad actors.

Change your passwords frequently, install anti-malware, set up firewalls for your home networks, and most of all, never stop learning and educating yourself on security. Take control of your data and your lives, it is your responsibility. – – Wesley Simpson, COO, (ISC)²

[(ISC)² Blog]