Adversaries are constantly evolving. Success breeds copy-cats. And security is multifaceted. These are some of the key lessons Jeremy Cowan takes away from talking to Ted Harrington, executive partner, Independent Security Evaluators.
IoT Now: Where does the greatest threat to enterprise data security lie? Is it the threat to data in transit, or in stored data assets?
Ted Harrington: That depends on the threat model for a given enterprise. Threat modelling is an exercise through which an organisation identifies the assets it is trying to protect, the adversaries it is concerned with defending against, and the collection of attack surfaces against which those adversaries will launch campaigns. The greatest threat to one organisation may not be the same for another organisation; threat modelling helps answer that question.
IoT Now: In one study I understand ISE identified 21 financial, healthcare, insurance and utility account sites (70% of sites tested) that fail to forbid browsers from storing cached content on disk. So, after visiting these sites, unencrypted sensitive content is left behind on end-users’ machines. Does this prove that good procedures and training are as important as up-to-date software? How do you persuade digital service providers to prioritise training & process?
TH: Primarily this study proves that companies of all types need to effectively understand how attackers break systems. Only by understanding the attacker can you hope to defend against him. What this study demonstrated is that even well-intentioned development efforts, attempting to take security into consideration, will always fall short if those efforts don’t account for how to break a system. There are several strategies that we use in order to try and persuade companies to pursue more effective security approaches. These include:
Executive education. We believe that a more informed executive will make better security decisions. Thus, a byproduct of all of our security research entails not only the technical outcomes, but also translates those outcomes in a way that is meaningful and actionable for executives.
Exploit demonstration. There are many natural biases inherent in human nature that cause people to overestimate their own capabilities and underestimate either adversarial capabilities or the likelihood of a compromise. By pursuing research that makes the intangible become tangible, we help undermine such biases, which in turn hopefully results in meaningful action.
Empathy. Too often the security community is considered to be at odds with those who build things; a common refrain amongst developers is that security “slows us down”, and amongst user experience professionals that security “makes things difficult”. While we disagree with positions like these, we don’t outright discard them; instead, we always take care to listen, and understand what troubles our customers. By best understanding their business and empathising with their problems, we are able to develop mitigations that are effective in the real world context in which their business operates.
IoT Now: It was reported in January that hackers had mounted their third attack on the Romantik Seehotel Jaegerwirt hotel in Austria, demanding $1,600 in bitcoins to return control of the hotel’s doorlocks to the management. Unfortunately, with the hotel fully booked, the hotelier opted to comply and pay the ransom. What lessons can be learned from this for the hospitaility industry and other sectors?
TH: Several lessons can be gleaned from this.
Adversaries are constantly evolving. Ransomware itself is a relatively new twist on an old attack tool, and using it to coerce payment by undermining the guest experience is a truly remarkable innovation. By focusing on yesterday’s defence paradigms only, companies will never be able to defend against modern attackers, let alone future attackers.
Success breeds copy-cats. Because this attacker was successful in monetising its efforts, the hospitality industry can reasonably expect similar attacks to follow. Attackers often make outcome-based decisions just like everyone else does; where they see opportunity demonstrated by past success, they will pursue.
Security is a multifaceted. When it comes to security, the hospitality industry has been largely focused on PCI compliance, and protecting personally identifiable information (PII) about guests. However, this case demonstrated a compromise of other very valuable assets – brand reputation, guest safety, and guest experience. Considerations of PCI and PII alone are insufficient to also protect brand reputation, guest safety, and guest experience.
IoT Now: What role has ISE played in overcoming this threat?
TH: We’ve been very involved with the hospitality industry for several years now. Along with my counterpart at Hyatt Hotels, we launch and co-chaired the Door Lock Security Working Group for the industry trade association Hospitality Technology Next Generation.
As a result of that 2+ year effort, we created several valuable deliverables for the industry, including an abstracted threat model for door locking systems, and a set of development best practices for emerging locking systems such as RFID, online locking systems, and mobile key.
I have just recently taken a leadership role along with Interel, a leading innovator of connected devices for hoteliers, to co-chair the IoT Working Group for the same trade association. The group is currently underway, and we are guiding it to help the industry think through how to adopt connected devices, and ensure they are developed and deployed in a secure manner.
IoT Now: Are US healthcare providers paying enough attention to protecting patient data? Or are they more focused on meeting HIPAA (Health Insurance Portability & Accountability Act (USA, 1997) requirements?
TH: These are essentially the same, as HIPAA forces healthcare to focus on patient data. The real problem in healthcare security is instead what they are not focusing on: protecting patient health. We recently published a large piece of research, produced over the course of 2 years and in partnership with 12 hospitals and many of their supporting medical devices and other technologies.
This study investigated how hackers could cause patient harm or fatality in a healthcare setting. We proved that not only was it very much possible, we proved that in many cases it would be easy to do so. Fundamentally, efforts to protect just patient data alone are insufficient to also protect patient health. At the risk of appearing to be overstating the obvious, this could be the most significant security issue at the moment.
IoT Now: What are the top three actions that IoT service providers should take now to ensure that their customers’ data and identities are secure?
TH: Build security in. From the moment you gather requirements, through to well after deployment, each stage of the development process should consider security as a top priority. This obviously leads to more effective security, but more surprisingly, it also leads to less expensive and less resource intensive security.
- Engage security assessments from third party experts. Whether or not you investigate your systems for weakness, your adversary will.
- Adopt the adversarial mindset. When you think about your security assessments, don’t settle for commodity approaches like automated scanning, black box pen testing, or compliance-as-security. The attackers go well beyond these basic steps, and so should you.
Ted Harrington, executive partner of Baltimore-based Independent Security Evaluators was interviewed by editorial director, Jeremy Cowan.