The Seeming Paradox of ‘Cybersecurity’
As systems get more complex, the hacker’s life gets ever easier — and that means opportunities for security professionals.
The headlines have ranged from disconcerting to downright alarming — “cybersecurity” almost seems a misnomer. From reports of government snooping on targeted individuals to massive DDoS (distributed denial of service) attacks, the digital adage seems to be borne out on a daily basis: Anything that can be hacked, will be hacked.
“To me, security and privacy are two sides of the same coin. If you erode one of them, you compromise the other one,” says Dave Evans, co-founder of Stringify and formerly tasked with looking into the future for Cisco. Evans will be a keynote speaker at CEDIA 2017 in September in San Diego.
Evans notes that people often blame technology for their lack of security, but that’s a bit unfair:
“It’s akin to someone leaving their home and leaving their front door unlocked,” he explains. That’s precisely what happened in a huge DDoS attack in late 2016, and Web-connected-cameras-turned-culprits were responsible for many of the requests that overloaded servers. Simply put: individuals with bad intentions used compromised devices to flood sites with so much traffic that they crashed — and last October, the victims were Netflix, CNN, Twitter, and many more companies.
“All of these cameras were hacked, and it was a big IoT botnet attack,” says Evans, and the cameras were vulnerable because their default passwords were left unchanged: “They left it, User Name: Admin, Password: Password.”
The fix seems simple: Make everyone from the manufacturer to the integrator to the end user understand the dangers of a weak password. It’s not just about allowing a home’s device to be weaponized; any crack in a firewall means that crooks can potentially access an individual’s personal info.
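The camera botnet Evans describes ran on accounts still set to the factory "admin/password" pair. A provisioning gate that refuses to put a device into service until that credential has been changed is one way an integrator can turn "understand the dangers of a weak password" into a repeatable check. The script below is an added example, not code from the article or from any vendor it mentions; the default-credential list, the common-password list, and the device inventory are constructed for illustration, and a real deployment would keep a maintained per-vendor list.

```python
"""Provisioning gate: block devices whose admin credential is a factory
default or otherwise weak. Added example; lists and inventory are constructed."""
from dataclasses import dataclass

# Constructed list of factory-default (username, password) pairs.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}

# Constructed short list of common weak passwords.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "welcome"}

MIN_LENGTH = 12  # assumed house policy for device admin accounts


@dataclass
class Device:
    hostname: str
    username: str
    password: str


def credential_findings(username: str, password: str) -> list[str]:
    """Return the reasons this credential must not be accepted (empty list = ok)."""
    findings = []
    u, p = username.strip().lower(), password
    if (u, p.lower()) in KNOWN_DEFAULTS:
        findings.append("factory default credential")
    if p == "":
        findings.append("empty password")
    if p.lower() in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if p.lower() == u:
        findings.append("password equals username")
    if len(p) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def may_provision(device: Device) -> bool:
    """True only when the device's admin credential passes every check."""
    return not credential_findings(device.username, device.password)


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Map each hostname that fails the gate to its findings."""
    report = {}
    for d in devices:
        f = credential_findings(d.username, d.password)
        if f:
            report[d.hostname] = f
    return report


if __name__ == "__main__":
    # Constructed inventory for a single install
    inventory = [
        Device("cam-front-door", "admin", "password"),
        Device("cam-garage", "admin", "7kQ!vN2#pLx9wE"),
        Device("nvr-01", "root", "root"),
    ]
    for host, reasons in audit(inventory).items():
        print(f"{host}: BLOCKED - {', '.join(reasons)}")
```

Run it over the install's device list before handing the system to the client; anything it reports stays off the network until the credential is changed.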
“So part of [the solution] is education, but part of it is also that we’ve got to be all accountable, all responsible. If you leave your home and you leave your front door unlocked, and someone breaks into your home — that’s kind of on you. The same is true with IoT technology; you have to secure it properly, you’ve got to get the right firewalls or security, and so on.
“And I think therein lies the opportunity for technology integrators and security specialists, because the average consumer doesn’t know what to do — but they want security.
“But if you have expertise and you can say, ‘Look, I can come in, and as much as the technology will allow me to do, I will make your home secure. I will make sure that you don’t have silly passwords; I’ll make sure that your network is set up correctly; I’ll make sure that you’ve got a firewall in place; I’ll make sure you’ve got products installed in your home that monitor for malicious traffic.’
“Those are services that integrators could offer,” Evans concludes.
Another recent headline grabber came from WikiLeaks — a data dump that revealed the CIA had figured out how to bug certain targets through their flat-screen TVs.
Dave Pedigo, CEDIA’s vice president of emerging technology, explains the operation, code-named “Weeping Angel”:
“The CIA put software into the operating systems of smart TVs that made the camera and microphone turn on, but the power light did not come on. This is important: They had to break into a subject’s home, use a USB, and put the code onto the computer, so it wasn’t like it went through the network. But it’s still a big issue. I think privacy concerns are on the top of people’s minds.”
And privacy concerns become even more pressing with top-end clients: Imagine a C-suite executive with homes overseas — maybe in Swiss ski country, the Baltic, you name it — who not only has a fairly large bank account, but has access to incredibly privileged information. One of this client’s needs is remote access, which leads to concerns (or, more aptly, terrors) about bad actors hacking his or her data and making off not just with cash, but with intellectual property, too.
“It’s challenging,” notes Ihiji co-founder Mike Maniscalco. “In those cases, you are more than likely going to end up working with the IT department of whatever corporation or institution that individual is employed by.” Those IT experts will often segment what the client has access to, including personal, home and job networks.
“Where the challenge really comes in is that everything is so blended today,” Maniscalco continues. He notes that the president’s famous Twitter account had to be moved from a personal phone to a state-issued device, but that’s an extreme case.
“For your average executive, no one is going to rip away his iPhone and say, ‘You can’t have this app or that app.’ These mobile [personal] devices create new challenges for all that security.
“A lot of times, the IT departments turn a blind eye to it. It gets tricky for integrators I’m sure,” Maniscalco says.
The Weakest Link
Roy Beiser, who handles IT for Access Networks, is blunt: “I would like to emphasize that the weakest link is humans. A lot of phishing game apps are sent to CEOs, CFOs, etc. It’s very important to put focus on human training. We’re doing that at Access Networks, and we are starting to proliferate that to our customers. It’s not that hard. People can take a 30-minute or one-hour training and just be aware of the risks.
“Many of us are seeing spam emails, and some of those spam emails are actually phishing emails that alert you to press to a URL and then you get into a malicious site or download,” Beiser says. He stresses that it’s fairly easy to identify these missives as scams, as long as the reader knows what they’re looking for.
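The link patterns Beiser is describing can be checked mechanically as well as by a trained eye: a visible URL that points somewhere else, a link to a bare IP address, an "@" hiding the real host, or a plain-http login link. The checker below is an added example, not code from the article or from Access Networks; the sample e-mail body and its domains are constructed, and the registrable-domain helper is a crude stand-in for a real public-suffix lookup.

```python
"""Heuristic link checker for an HTML e-mail body. Added example; the
sample message and its hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude 'example.com' from 'www.login.example.com' (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_findings(href: str, text: str) -> list[str]:
    """Reasons a single link looks like a phishing lure (empty list = nothing seen)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return findings  # mailto:, tel: and friends are out of scope here
    if parts.scheme == "http":
        findings.append("plain http link")
    try:
        ipaddress.ip_address(host)
        findings.append("link points at a raw IP address")
    except ValueError:
        pass
    if parts.username is not None:
        findings.append("credentials or '@' in URL (real host is hidden after the @)")
    # Visible text that looks like a domain but resolves to a different site
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and _registrable(m.group(1)) != _registrable(host):
        findings.append(f"visible text says {m.group(1)} but link goes to {host}")
    return findings


def scan_email_html(body: str) -> dict[str, list[str]]:
    """Return {href: findings} for every link in the body that raised a finding."""
    p = _AnchorCollector()
    p.feed(body)
    report = {}
    for href, text in p.links:
        f = link_findings(href, text)
        if f:
            report[href] = f
    return report


# Constructed sample body: two lure links and one legitimate link.
SAMPLE = """
<p>Your account is locked. <a href="http://203.0.113.7/login">Click here</a>
to verify at <a href="https://secure-bank.example.net/x">https://www.examplebank.com</a>.
Questions? <a href="https://www.examplebank.com/help">examplebank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE).items():
        print(href, "->", "; ".join(reasons))
```

Wired into a mail gateway or a training exercise, the findings become the annotations a user sees next to each link, which is exactly the "know what you're looking for" that the training is meant to instil.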
“It’s a multifaceted approach,” notes Nathan Holmes, also with Access Networks. “As Roy said, the human element is the weakest link in the chain, but it is only one element. For an integrator to truly provide the level of networking security and performance that these clients are asking for, it requires the correct hardware, true enterprise-grade products — stuff that can actually handle the type of firewall performance we need.”
But installing the security and training the user is only half the battle, Holmes says. Homeowners, for the sake of convenience, sometimes bypass or disable security measures.
“When they do that, we need to ensure that they understand the risk they have just put themselves in,” he says. It’s critical, then, to ensure that the client knows that they’ve essentially “voided the warranty” if a hole’s been willingly punched through a firewall by the user.
Holmes is emphatic: “We have to indemnify the integrator.” (Translation: Vet those contracts and agreements carefully before your customers sign on the dotted line.)
But enough about the “1 percent.” When does this need for constant vigilance begin to trickle down to the great middle class?
“I think we are already there,” Maniscalco says. “It started with the iCloud ‘Celeb-gate,’ which targeted a bunch of celebrities to get their photos. Right around that same time, you saw the Ashley Madison breach — you are talking about things that are sensitive, private information.”
Now, with the growth of the IoT, the risk is growing at an astonishing rate. The most innocent devices can be turned into ticking time bombs.
“When just one of those devices in your home, such as the connected teddy bear, gets hacked, all of a sudden that’s the bridge into the home network; it’s no longer behind a firewall,” Maniscalco says. “That’s where it really starts to hit the masses.
“The writing is on the wall — and it’s coming really quickly.”
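The "bridge into the home network" Maniscalco describes exists because a flat network puts the connected toy on the same segment as the laptops and the NAS. The ruleset below is an added example, not configuration from the article or from Ihiji: it assumes a Linux-based router running nftables with the trusted LAN on `lan0`, IoT devices on their own VLAN or interface `iot0`, and the Internet uplink on `wan0`. The IoT segment can reach the Internet and answer sessions the trusted side opened, but it cannot start a connection into the trusted LAN; the counter and log line on that drop rule are what an integrator's monitoring would watch for.

```nft
# Added example ruleset; interface names are assumptions for this install.
# A flat network is equivalent to "policy accept" on the forward chain:
# every device can talk to every other device, which is the bridge a
# compromised IoT device uses.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to sessions already allowed in either direction
        ct state established,related accept
        ct state invalid drop

        iifname "lan0" oifname "wan0" accept   # trusted LAN -> Internet
        iifname "lan0" oifname "iot0" accept   # trusted LAN may manage IoT devices
        iifname "iot0" oifname "wan0" accept   # IoT -> Internet (vendor cloud)

        # IoT may never initiate into the trusted LAN; count and log attempts,
        # since a device trying this is the early sign of a compromise.
        iifname "iot0" oifname "lan0" counter log prefix "iot-to-lan " drop
    }
}
```

Load it with `nft -f` and check `nft list ruleset` shows the counter on the last rule; a non-zero count that the client cannot explain by their own use is a reason to look at the IoT device, not at the firewall.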
Watch Your Speed
In October 2016, Motherboard magazine interviewed a gent who had the fastest residential Internet in the U.S.: James Busch, a radiologist who needs to look at X-rays and mammograms and all manner of medical images. The speed in his place is 10Gbps. (http://bit.ly/2sTA248)
James’ joint makes the rest of us look like we’re dialing up AOL in 1998. But the availability of high-speeds-for-all will soon arc upward dramatically, and we’ll be in the magic place where every surface inch of a 1,500-square-foot dwelling will be sensorized (the estimate for that is 16Gbps).
With all of those connected sensors and devices, however, there’ll be ever more opportunities for bad actors to winnow and burrow their way into a home’s defenses.
There’s another concern that comes with ubiquitous sensorization, the kind that will eventually give the end user a seamless interface blending voice and gesture control. How comfortable are you going to be knowing that you’re mic’d up and on camera 24/7, 365?
History for Sale
Here’s where Evans bristles: “That’s one piece of the question. The other piece is government — and, frankly, I don’t have an answer for that one.” Evans — like many others — was particularly alarmed when the federal government began the process of allowing ISPs to sell a user’s browsing history, no questions asked. Evans noted that he’d gone to Twitter to quote Tim Berners-Lee, the inventor of the World Wide Web: “He had said the ability to sell your ISP browsing history is ‘Disgusting.’”
So what to do about it? That’s another query for Maniscalco (who teaches CEDIA’s Advanced Networking Boot Camp from time to time). The specific question: Is a virtual private network (VPN) the answer? And is this a potential revenue stream for security integrators?
“I think VPN has always been a good option for anyone wanting to encrypt their Web traffic. It’s been a common practice for those who travel overseas and also for those who live in countries that have censored the Internet,” Maniscalco says.
“There is a business opportunity for the CEDIA HTP but I think the big question is, do the consumers care enough to make it a worthwhile service offering? Right now the biggest opportunity for integrators is to be educated on the topic so that they can talk accurately and confidently about the topic with clients who have questions or concerns,” he says.
On this topic, Evans wants those concerned to vote with their — well, votes. “I mean there is no magical answer other than to use the system to say, ‘Look, this is not acceptable. We’re not going to allow 1984 to happen.’ There’s no technological magic bullet for this other than to secure yourself as well as you can.
“It’s a challenge from a political perspective — I will acknowledge that.”