Internet of Things security? Start with who owns the data

Solarquest

Jul 22, 2014
Cambridge Wireless event chews the fat over key questions

“Defence is only as strong as the weakest link,” said Tim Phipps of Solarflare at today’s Cambridge Wireless event on security within the Internet of Things.

Today's Cambridge Wireless event was part of its Special Interest Group focusing on security and defence. In particular, on securing and defending the Internet of Things.

Speaking to an audience of about 50 network industry executives this afternoon, Phipps highlighted three security challenges for the IoT: data loss, particularly with last week’s Yahoo! hack of half a billion user accounts; hijacking, such as the controversial Jeep hack published a little while ago; and consumer products, particularly, with the latter, medical device hacks of items including pacemakers and insulin pumps.

Phipps also highlighted how Ken Munro of PenTest Partners had “made children’s toys swear” by hacking them, which drew general laughs.

Building on that point of how a trivial hack can lead to bigger things - in the case of Munro and an IoT kettle, the host Wi-Fi network's authentication keys - however, Phipps warned: “The attacker needs to overwhelm you in just one place to be successful. If it delivers on the promises of the hype, IoT looks like something that will be integrated into our home life, transportation, cities, and … even improving our health.”

“I think this is a Wild West industry” thundered Paul Tindall of Sepura, following on from Phipps, opening a talk that focused on IoT security beyond the simple headlines. “It is fragmented and that makes security harder to apply.”

“If you consider the fragmentation of the standards as well,” he continued, “you cannot trust security due to the fact that you’re using an unusual standard. We’ve got to apply proper governance around this.”

Take the example of a body-worn sensor such as a Fitbit health monitor which generates data about you, he said. “I think I own that data. At some point that data is aggregated and [the aggregating party] is going to fuse that data with data from other sources. If you wrap context around those sources you turn that into valuable information. I don’t know who owns that information. Actually, I think that gets really complicated from a legal point of view.”

The legal side of things was a point that was returned to later on.

So what could possibly go wrong? Adrian Winkles of Anglia Ruskin University, an information security lecturer, said: “IoT security is not device security. IoT is end-to-end. It has many different facets, many different faces. There’s a whole raft of things we have to think about.”

The DDoSing of Things

Referring to the recent DDoS of Brian Krebs, which was powered by an IoT botnet – “cameras, lightbulbs and thermostats” all generating 990Gbps of traffic, “which would take most government websites down” - he contrasted what people think they have, in terms of networked devices, with what they actually have in terms of traffic types. In brief, your devices generate far more information about you than the ordinary punter ever realises.

Winkles summed it up neatly: “Security is like a stack of Swiss cheese. Each slice covers up holes in the slices below it.”

“You could make a financial difference by building security in,” added Winkles, who quoted NIST: “The cost of fixing a bug in the field is $30k vs $5k during coding.”

As for baking proper infosec practices into the Internet of Things, Winkles was forthright about taking a top-down approach:

There’s an argument that says you start from the boardroom. The pressure to be first to market doesn’t feature security. The pressure to reduce costs? If you ignore security, you do so at your peril; it's going to cost you more in the long run. Educate boardroom and senior management to build security in from the start. Appoint a Chief Information Security Officer. What I’m touting is bottom up and top down. The end message is to build security in.


..more in the link above.

...something is moving...
 
