CSO Perspectives - Rough around the edges
- 14 March, 2017 16:34
Mark Loveless is a security researcher with Duo, a company focussed on two-factor authentication. He spoke at the CSO Perspectives Roadshow on his journey in the infosec business, where he has worked as both a white-hat and a black-hat hacker.
While most people live and work in the "normal zone of society", says Loveless, there are some fuzzy or rough edges where people hack systems, or work in law enforcement carrying out surveillance or live and work outside that normal zone.
This is where Loveless spends his time exploring – this is the zone where technological advances happen, he says. Those advances eventually ripple back into the mainstream.
Loveless' presentation focussed on three areas - the past which is used to frame ideas, the present to highlight ideas and the future for exploring ideas.
"There are lots of things that happened in the past threat help shape the future," he says.
In infosec, three key trends from the past inform the present. In the 1990s, there was the rise of DDoS attacks. These were used to either block access to sites or as a way to extort money, by threatening to bring sites down unless they paid.
Next, cyber became weaponised and vulnerabilities became available for a fee. This created an environment where malicious payloads improved in quality, creating an entire market.
The third factor is the death of the perimeter says Loveless. This started with the emergence of laptops but continued with the spread of WiFi and, eventually, smartphones. This required new network entry points for remote clients such as point to point connections, VPNs and other tools. And WiFi, he says, uses protocols that relied on the physical security offered by a cable.
Smartphones, says Loveless, was the first "IoT thing" and original BYOD.
"It was the best and worst thing ever. It was the best thing for users but the worst thing for IT administrators".
With the disintegration of the perimeter comes the need to encrypt every thing all them time says Loveless. And we are better at defending against some threats through agentless security tools, two-factor authentication, and improving AI for dealing with log data so that there are fewer false positives.
There have been significant changes in infrastructure as the cloud becomes increasingly ubiquitous. Other technologies, such as self-driving cars that are able to make decisions about their own movements, smart homes with sensors and control systems, and other emerging technologies not only change the way we live but introduce a raft of new security challenges.
Loveless discussed connected power tools. As part of his work, he looked at a connected power drill to examine its security credentials. Using an app, he was able to make fine adjustments to the velocity and torque and save some custom settings.
For a tradesperson with multiple tools, settings can be pushed out to a fleet of tools so they can all be configured similarly for workers. And, using a smartphone, asset management (such as location, purchase date, maintenance state) can also be controlled.
This application of mobile technologies was something no one anticipated. But Loveless noted that there were some security issues he identified.
Looking at the future, Loveless started by pointing the finger at the media saying the popularity of click-bait is making it harder for real news to become known. This means real security issues aren't getting enough coverage.
Over-reactive legislation will continue and get worse says Loveless. Governments will continue to react to headlines rather than facts.
The IoT will evolve as both a target and a threat vector for new attacks.
However, Loveless did see some positives. Patching and the use of trusted devices to access company assets are effective today and will continue to be effective. Passwords will, in time, be replaced by multi-factor authentication, he says. The reason we use two-factor today is because we can't trust the first factor. So we should get rid of it.
Over time, we can expect to see technology embedded into our bodies. Already hearing aides can interact with mobile phones. It's a relatively small leap to see these devices becoming embedded.
Ultimately, there will be increasing connectivity between all the devices, bio-sensors, cars, homes and other hardware. And it's not only the devices but the connections between them that we will need to secure. And that's the future - an increasingly complex of devices networks that need to be secured using a variety of different tools and methods.