Describing himself as a “Security Oompah Loompa”, Andrew Jamieson (@AndrewRJamieson) works at Underwriters Laboratories (UL). He presented at AusCERT 2016 on IoT security.
Jamieson posited the question “How do we measure security?”. The challenge, he says, is that there’s no objective system of measures for defining security.
“We need to define a level of risk through a thorough methodology,” he says.
While there are some objective standards, such as ISO, FIPS and PTS, these can be expensive to use and to measure against. And there is a balancing act between individual risks and externally defined risks.
In short, there’s no simple definition for security.
Jamieson says there are three types of security problems. There are deliberate flaws, such as backdoors, that might be deployed for good reasons, such as future-proofing, but can be exploited. Ignorance is also an issue, through poor security configuration or as a result of a lack of understanding. Finally, there are issues that were previously unknown. These require regular system maintenance.
Each of these can be addressed. Deliberate issues can be found through code reviews. Ignorance can be addressed through penetration testing, while the previously unknown issues simply require prayer, he says.
The problem with security evaluations, says Jamieson, is that they take time, cost money and always fail. While they might be correct at a point in time, security is not static.
The IoT Challenge
With devices becoming smarter, less expensive and more connected, we are seeing shorter development and production cycles. As a result, more vulnerabilities are introduced, as go-to-market dates force developers to shortcut security.
“Customers can’t differentiate products based on security,” says Jamieson. “And there’s no incentive on vendors to make more secure systems.”
"Why don’t we do code reviews and pen testing?” asks Jamieson.
Simply put, current penetration testing and evaluation processes can’t scale to deal with the massive volume of devices and products on the market. And there is no objective way to compare different devices, as security is rarely presented as a point of product differentiation.
“IoT security is primarily a commercial problem that prevents suitable technical solutions from being applied,” he says.
What’s the solution?
The problems need to be addressed commercially, says Jamieson. There need to be incentives for vendors to bake security into their products and to inform customers about how to make decisions about security.
This needs to be done with a framework that supports rapid product development and release cycles.
This might be achieved through programs similar to the star rating systems used by appliance makers for energy or water consumption, or the car safety ratings, which have successfully altered consumer purchase behaviour.
But there are challenges, says Jamieson. How does one compare a connected light bulb to an appliance?
Jamieson says systems can be defined by three things: interfaces (inputs and outputs), processing attack surface (the code running on the device), and system architecture. He calls this combination the “vulnerability surface”. Different features can change the vulnerability surface by their impact on the three components.
Logical Security Posture
Jamieson suggests that a system called the Logical Security Posture, or LSP, could be the answer.
A points system can be created that looks at the number of interfaces and protocols. The more interfaces, the more points of vulnerability, and therefore the lower the score. This can be used to drive vendor behaviour towards reducing the number of interfaces. Similarly, vendors could increase their LSP score by committing to regularly patching their systems and by using unique certificates for their products.
The focus of this kind of system is not on actual vulnerabilities but on the potential level of risk. Such a system could scale with the IoT, whereas existing methods simply can’t meet the needs of many billions of devices.
LSP doesn’t certify that a system is secure. Rather, a device with a high LSP score is “better” than one with a lower score, says Jamieson.
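To make the comparison concrete, here is an added toy model of the LSP idea in Python. It is not code from the talk or from UL: the talk gives no point values, so every weight below (base score, per-interface and per-protocol penalties, bonuses for a patching commitment and unique certificates) is an assumption chosen for illustration, and the two device profiles are constructed, not real products. What the example shows is the shape of the scheme: the score falls as the interface surface grows, rises with the vendor commitments the talk names, ranks devices relative to each other rather than certifying any of them, and can tell a vendor which change buys the most points.

```python
"""Toy model of Jamieson's Logical Security Posture (LSP) scoring idea.

The talk describes the scheme only qualitatively; every weight here is an
assumption for illustration, not a published scale.
"""
from dataclasses import dataclass, replace

# Assumed weights (not from the talk). Penalties grow with the interface
# surface; bonuses reward the vendor commitments the talk mentions.
BASE_SCORE = 100
INTERFACE_PENALTY = 10      # per externally reachable interface
PROTOCOL_PENALTY = 5        # per protocol spoken on any interface
PATCH_COMMITMENT_BONUS = 10
UNIQUE_CERTIFICATE_BONUS = 10


@dataclass(frozen=True)
class Interface:
    name: str
    protocols: tuple        # protocols reachable through this interface


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    interfaces: tuple
    patch_commitment: bool      # vendor commits to regular patching
    unique_certificates: bool   # per-device rather than shared certificates


def vulnerability_surface(dev):
    """Counts for the 'interfaces' component of the vulnerability surface."""
    return {
        "interfaces": len(dev.interfaces),
        "protocols": sum(len(i.protocols) for i in dev.interfaces),
    }


def lsp_score(dev):
    """Relative score: more interfaces/protocols lower it, commitments raise it.

    This measures potential exposure, not the presence of real vulnerabilities,
    and only means something when comparing devices scored the same way.
    """
    surface = vulnerability_surface(dev)
    score = BASE_SCORE
    score -= surface["interfaces"] * INTERFACE_PENALTY
    score -= surface["protocols"] * PROTOCOL_PENALTY
    if dev.patch_commitment:
        score += PATCH_COMMITMENT_BONUS
    if dev.unique_certificates:
        score += UNIQUE_CERTIFICATE_BONUS
    return max(0, min(100, score))


def with_interface(dev, iface):
    """The same device with one more feature: shows how a feature moves the score."""
    return replace(dev, interfaces=dev.interfaces + (iface,))


def improvements(dev):
    """Actions a vendor could take to raise the score, best first."""
    actions = []
    if not dev.patch_commitment:
        actions.append(("commit to regular patching", PATCH_COMMITMENT_BONUS))
    if not dev.unique_certificates:
        actions.append(("issue unique per-device certificates", UNIQUE_CERTIFICATE_BONUS))
    for i in dev.interfaces:
        gain = INTERFACE_PENALTY + PROTOCOL_PENALTY * len(i.protocols)
        actions.append((f"remove interface {i.name}", gain))
    return sorted(actions, key=lambda a: a[1], reverse=True)


def rank(devices):
    """Highest LSP first: a higher score is 'better', not 'certified secure'."""
    return sorted(devices, key=lsp_score, reverse=True)


# Constructed sample profiles (not real products).
SMART_BULB = DeviceProfile(
    name="connected light bulb",
    interfaces=(Interface("wifi", ("http", "mqtt")), Interface("ble", ("gatt",))),
    patch_commitment=True,
    unique_certificates=True,
)
SMART_OVEN = DeviceProfile(
    name="connected oven",
    interfaces=(
        Interface("wifi", ("http", "mqtt")),
        Interface("ethernet", ("http",)),
        Interface("bluetooth", ("rfcomm",)),
        Interface("usb", ("mass-storage",)),
    ),
    patch_commitment=False,
    unique_certificates=False,
)

if __name__ == "__main__":
    for dev in rank([SMART_OVEN, SMART_BULB]):
        print(f"{dev.name}: LSP {lsp_score(dev)}  surface {vulnerability_surface(dev)}")
    for action, gain in improvements(SMART_OVEN):
        print(f"  oven could gain {gain} by: {action}")
    bulb_with_usb = with_interface(SMART_BULB, Interface("usb", ("mass-storage",)))
    print(f"bulb + usb: LSP {lsp_score(bulb_with_usb)}")
```

With these assumed weights the bulb scores 85 and the oven 35; adding a USB port to the bulb drops it to 70, and the oven's single most valuable change is to remove its Wi-Fi interface (two protocols), ahead of committing to patching. None of that says either device is free of vulnerabilities, which is exactly the point Jamieson makes about LSP: it ranks potential exposure, it does not certify.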
Security is not binary, says Jamieson. The real question is how much security we are prepared to pay for. That means commercial entities need commercial incentives to deliver more secure solutions.