5 Security Truisms for the Connected World
In the novel Foundation's Edge, Isaac Asimov describes a planet known as Gaia that is a super-organism. Every person and object on the planet is connected, creating a sort of group consciousness.
While clearly in the realm of science fiction, the notion of a world with legions of connected objects and people is very real. “We are creating an internet that senses, thinks, and acts,” said American cybersecurity expert Bruce Schneier at RSA this year. “And this is a classic definition of a robot. I argue that we are, together, creating a world-sized robot and we don’t even realize it.”
But if we are to think of the Internet of Things as a robot, it is more siloed than it is cohesive. This robot of things also lacks a central brain or a singular goal or design.
All of this makes IoT difficult to secure. Towards that end, Schneier offered five cybersecurity truisms at RSA for the Internet of Things:
1. Most software is poorly written and insecure. A popular project management motto proclaims: ‘Your product can be good, fast, or cheap. Which two do you want?’ “Fast and cheap” has been the default answer of the software industry for decades. “We might want to rethink that,” Schneier says.
2. The extensibility of computing systems enables weaponization. “Computers can be programmed to do anything. The computer in your toaster can get additional features, or it can be reprogrammed, or it can get malware in a way that manual systems can’t,” Schneier explains.
3. The complexities of computerized systems cause new insecurities. Complex computing systems are difficult to secure, and it’s difficult to come up with one-size-fits-all methods to test them. “You can’t just do an Underwriters Laboratory test in the way you could do for a light bulb,” Schneier says.
4. There are new vulnerabilities in new interconnections. It seems evident that securing an office building with hundreds of doors and windows would be harder than securing a small house. In the computing world, we see hackers exploit this basic fact. In the Dyn attack, cybercriminals shut down a chunk of the internet by enslaving video cameras and DVRs. The same principle enabled a hacker to gain access to Target’s corporate network by way of a vulnerability with their HVAC supplier. “This is really hard to fix,” Schneier says, “because no single system might actually be at fault. You could have two secure networks, put them together, and you get residual insecurity.”
5. Computers and networks are vulnerable in different ways. The failure modes are different between computer systems and the mechanical systems they replace. The internet is naturally empowering—it allows things to scale, including attacks. Schneier explains: “We know that driverless cars will be much more secure than regular cars—until they are not.”