Device Security: The Next Frontier is Multi-Factor Authentication

I’ve been involved in information security for more years than I care to count. Over the years, one thing continues to strike me: No matter what we do to fight risk and fix vulnerabilities, we can count on new ones appearing. After seeing the continuing evolution of tools such as ‘next generation’ firewalls, ‘unified’ threat mitigation platforms and ‘integrated’ desktop protection platforms, one can grow weary of the battle. Sure, things would be much worse without these tools, but nothing seems to solve the problem. And so infosec professionals sometimes look to overcome a jaded and cynical perspective by looking for something new, exciting and non-traditional. I propose that the field to look toward is device security.

Much of the focus on device security is coming from the move to mobility. As employees demand access to tablets and smarter phones for business-critical functions, how is security — adequate security — being addressed? The best approach is to think about wired and wireless as not being all that different. The variety of channels will continue to tend towards a diversified and even chaotic environment that we work to manage. But when thinking about device security, I’m including business and control devices such as multi-function printers, factory and power plant controls managed by Programmable Logic Controllers (PLCs), increasingly smarter cars and even electronic, networked locks on doors. Each one carries potential risks and vulnerabilities.

So why is this important?

Well, because stuff happens. The Stuxnet worm entered unconnected systems through USB drives, infecting software at power plants and other industrial facilities. There have been actual and potential attacks on supervisory control and data acquisition (SCADA) systems. The fear is that an attacker could open a dam’s floodgates or trigger sewage discharges into the drinking water supply. Or maybe prison doors could be opened by sophisticated organized crime-sponsored hackers, releasing some nasty characters.

Some device security concerns are linked to network technology such as switches supporting VPNs, or handling machine-to-machine communications. These controls need to be trusted and protected. Having compromised security hardware is a double whammy – it is supposed to protect the enterprise, but if it is itself hacked, then what good is it? Security technology also needs to be properly identified by digital certificates for software updates and maintenance. Thinking outside the box triggers thinking about various types of boxes. For example, digital TV set top boxes need security for strategic reasons: CATV operators want to keep customers from switching to another provider’s services while using its device. Will cloud providers try to take a similar approach to ‘lock in’ customers to their service? If so, will this increase or decrease security?

Familiar office machines should not fool information security professionals into passively trusting these overlooked channels for potential breaches. Multi-function printers (MFPs) handle photocopying, scanning and faxing, and they represent risk at a basic level because sensitive documents can be left in the tray, leading to intellectual property losses or unwanted privacy breaches. Modern MFPs have integrated memory, which can retain sensitive information. And since MFPs are network connected, they are vulnerable to exposure. While vendors have introduced security options, they do little good if administrators fail to implement password/PIN access for “pull” printing, or make certain that print images are encrypted, or employ other available protections. And don’t forget that retired machines can hold sensitive images on their hard drives, which need to be physically removed and destroyed.

A number of niche vendors have taken a variety of approaches to protecting devices and systems: Industrial Defender focuses on securing industrial controls, Arxan Technologies offers software protection, the Certificate Authorities provide X.509 device certificates, Wave provides embedded device security, and Mocana has toolkits and has been producing conferences on the topic.

So while fighting fires on the front lines of network and application security, infosec professionals also need to take a look at how their companies or agencies are evaluating device security, and provide leadership as part of the overall enterprise risk management strategy.

Victor S. Wheatman is currently Senior Director/Security for Javelin Strategy & Research. Vic has extensive background in information security, ecommerce, electronic data interchange, public key infrastructures and related applications. Prior to joining Javelin in the spring of 2012, he served as a Managing Vice President at Gartner, Inc. for the Security and Privacy team, as well as vice president of Gartner’s Electronic Commerce/Electronic Business research area. Vic holds an M.A. from Boston University and a B.A. in Journalism from Fairleigh Dickinson University. He has completed an Executive Management Program at Harvard University and technology coursework at Golden Gate University.
