Will the IoT Mean the End of Defense in Depth Cyber Security?
Searching for a cure for insomnia, I spent the weekend combing through the 162-page report released last week by RAND Corporation, the independent research organization best known for its influence on policy. The report, titled “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” is full of fear and warnings about the attacks that will target companies around the world over the next decade. Citing the grey and black markets that serve cyber criminals, it projects that basement hackers and nation states alike will be operating a $2 trillion enterprise by 2020. As part of the report, RAND also released what it calls a heuristic cybersecurity model to help organizations brace for the financial impact of combatting future online threats.
However, there’s a problem with the model. It’s still the same design that focuses on preventing cyberattacks, when it’s been proven - OPM anyone? - that cyber criminals are going to get in. With the loss of, well, everyone’s SF-86, OPM is clearly out of business. Defense and intelligence leaders, already suffering the worst intelligence failure in history, will no longer trust OPM to store records on their employees. At OPM, Einstein, the government’s network monitoring and IDS/IPS system, was supposed to secure the country’s most sensitive data and cost $3B of taxpayer money to build. This article is a great look at why even the best-intended government projects usually fall to bureaucracy. OPM didn’t even have a security chief until 2013, when the agency hired Jeff Wagoner. Even he had this to say:
“Layers of 'walls' to let good guys in and keep bad ones out hasn't worked very well...When you start tracing a user, any user, through the network as if they were the bad guy, it becomes incredibly real and scary when they realize they don't always know what the user is doing...Can agencies effectively say they know the data within each application, each function and how they tie together?”
We’ll look at RAND’s model a little closer in a minute. Overall, the report is a worthy read, with plenty of beancounters participating in the final analysis. The authors note that the sophistication of cyber attacks is increasing, as is the number of footholds available to attackers in corporate environments. For the purpose of this blog, I wanted to focus on the IoT components of the report, which are as vast as they are uncertain. RAND discusses connected devices and BYOD at length, explaining that both trends will rapidly expand the attack surface for all organizations and that companies of every size should prepare for the financial impact of this new frontier in computing. That said, doubling down on simply thwarting breaches is futile. RAND keeps the focus on building walls instead of knocking them down in favor of real-time visibility into network environments.
The report does acknowledge newer defensive postures such as behavioral analysis and even honeypots as a more active form of defense, but it falls back to the defense-in-depth stance throughout. Beyond alluding to labor-intensive alert monitoring, the report largely ignores the need for more visibility (I found the word ‘visibility’ only twice in 162 pages), and yet that is exactly what is needed. Home Depot, Target, JP Morgan: what do all of these have in common? They were compromised by malware that sat quietly on their networks for weeks or months before it was discovered, because no one was looking for it. As devices and protocols penetrate every corner of the enterprise, there is no way to know how they will interact with traditional security controls, or whether network teams will even know they are present. Fortifying the walls while leaving the door unlocked is not a strategy.
To illustrate the vulnerabilities in IoT devices, RAND looked at two notable hacks from the last couple of years. The first is a Z-Wave attack that debuted at Black Hat 2013, in which researchers were able to take control of smart home systems, in essence giving an attacker complete control of any connected environment built on the Z-Wave protocol. The second is a smart lightbulb that exposed Wi-Fi passwords. Both issues were quickly fixed, but RAND uses them to demonstrate the kinds of exploits emerging from the rapid - and insecure - growth of the Internet of Things. Proprietary protocols and poorly tested products, according to the report, will only intensify hackers’ desire to use them as a way into the corporate network.
The study interviewed 18 enterprise CISOs, and all agreed: they are uncertain as to what really works at thwarting attacks on the network, but acknowledge that it will take a multilayered approach to stay safe. When weighing the amounts spent on security, RAND noticed that spending wasn’t necessarily proportionate to the value of the assets being protected. The number one reason given for more cybersecurity investment was not to keep information safe, but rather to protect reputation. The desire to save face comes amid the embarrassing retail and financial breaches of 2014 that damaged stakeholder confidence and heightened public awareness of cyber-related issues. But I’d have to disagree again, Think Tankers. Cyber security, especially in today’s increasingly connected world, is existential. Losing data is bad. Losing customers is bad. But when you start to introduce sensors into the mix, you could begin losing far more valuable assets, with direct impact on business operations or public safety. To get more into the numbers:
RAND explored the cost of security in the following categories:
losses from cyberattack
direct costs of training users
direct cost of buying and using tools
indirect costs associated with restrictions on the ingestion of
indirect costs of air-gapping particularly sensitive subnetworks.
The outcome? A predicted 38% increase in cyber security costs over the next decade. The biggest impact would come not from the cost of a breach, but from the cost of the people, policies and products necessary to address emerging challenges. RAND refers to these as “instruments”; tools, training, BYOD/smart device restrictions and air-gapping reigned as the most effective safety nets for organizations. Not surprisingly, the model shows that the more connected the business is, the higher the risk. In the graph below, they highlight the dramatic rise in costs for ill-prepared IT teams that venture into the IoT without the right instruments.
The report concludes by reiterating the need for CISOs to be aware of the growing market for the illicit sale of vulnerabilities, exploits and valuable corporate data, but reminds executives to remain optimistic about the progress being made in software. Cybersecurity, in some ways, has improved dramatically since the 90’s, when SATAN, COPS and Internet Scanner were all the protection available. However, we’re also no longer looking at the 1M-node Internet of the 90’s, and relative to the size of today’s attack surface, network security has reverted to a primitive state. Either way, the RAND report contains enough statistical research to warrant a PhD to read it, but it serves as an excellent wake-up call for CISOs to start raising awareness in the boardroom about the growing challenges and costs that are coming to fiscal budgets.