I’ve been asked to describe how I would describe a “ideal” secure work environment, and unfortunately, the answer comes out sounding like a variation on an old joke; you can have security, productivity, or Convenience; pick 2.
We can’t have ideal security. We can have a system that is mostly effective at preventing known threats and vulnerabilities from causing problems, while allowing enough work to get done to make it all worthwhile. We have to be vigilant; new methods of doing things means new vulnerabilities; even the way users generally think and their social interactions can change. Things that aren’t part of the work environment but are socially common can bring entire new fields of insecurity into the network security zone, such as cellular phones, fitness trackers, and next year possibly Neural implants. Security methodologies such as facial recognition could become ineffective or even illegal. Even the admittedly marginally useful polygraph can be further compromised by effective widespread social engineering.
And, of course, there are also hardware and software changes.
Some of these changes are real game changers, and change the entire networking and security landscape; Desktop Computers. TCP/IP. The Internet. WiFi. VoIP.
Networks and Network Security existed before each of those improvements; and each of those improvements made Network Security more difficult, but the productivity increase was well worth it.
And now we come to 5G and I0T.
Neither is a game changer in and of itself; There is very literally nothing you can do with either that could not be done with technology available prior to their availability. The huge impact that they will create is from the economics, because if implementation is carried out at the speed that the general enthusiasm seems to insist on, both 5G and IoT will be very cheap from most perspectives that aren’t focused on infrastructure costs or security.
If that is how things actually work out, the Network Security landscape will become MUCH more interesting. And there might be some productivity boost.
Which is one of the reasons I’m so glad to see “Zero Trust” becoming mainstream, even though there are many inevitable misunderstandings and predictable bobbles when implementing it comes into play, as there is at least one very good security model for a massive geographically distributed IoT device cloud, and that is “totally untrusted”. Most seasoned Security professionals could take one look at a proposed IoT implementation, for instance to monitor and provide control for a system that will seldom, if ever, be physically examined by the deploy-er and easily accessible by pretty much anyone? And that professional will say “Don’t trust it, don’t allow it to have access to any significant systems, firewall it from those”.
According to various sources, Nearly every new car being produced in the US and Japan has LTE/IoT.
And, as our example Network Security Professional could have predicted if he or she thought about it, multiple hacks have occurred, including a well publicized hack of a Jeep that allowed, among other things, shutting down the engine while it was on the highway. And it will get worse, because of Trust.
Car manufacturers use a trust networking model with automotive IoT.
Quote: “A
Trusted Computing Base (TCB) is a collection of policies, procedures,
and technologies that enforce the use and security of critical
cryptographic and application-based tokens. It is the foundation upon
which a platform’s trustworthiness can be defined. If a
well-engineered TCB is used at the core of a product, the product
will be trustworthy in the field.” EndQuote.
And to be fair, Many Network Security Professionals would agree with that statement.
Blockchain technology, invented in 2008 to secure Bitcoin, was widely considered trustworthy and unhackable, and up until 2017 that was still believed. And then multiple vulnerabilities were revealed to have been exploited, with one exploit involving the theft of nearly 2 Billion dollars in Cryptocurrency. Why? One very simple reason that I would hope that every security specialist always keeps in mind: Nothing is perfect.
If I were to design a IoT system for a vehicle, it would have physical separation from any system that could actually interact with the vehicle, aside from possibly the driver; passive sensors only, with GPS, camera and microphone available only at the throw of a physical analog switch, so it would be secure (for the driver). And as could be expected it wouldn’t be very popular, because of the lack of convenience.
While I’m not a fan of either 5G or IoT, I do see many good things that could be done with both. Will those good things balance the massive security issues? I really hope so.
No comments:
Post a Comment