Monday, December 16, 2013

Talking Security at the Amphion Forum 2013

I am all about security.  That's why I had to attend the Amphion Forum last week in San Francisco.  They programmed several different tracks but I was primarily interested in the presentations on mobile and IoT integration.  It's nice to hear presentations that aren't just disguised product pitches.

Mocana wanted us to know that threats magnify with more net integration, because more connected devices present a larger surface area exposed to attacks.  Joel Brenner's America the Vulnerable spells it out from an insider's perspective.  Criminal elements use asymmetric warfare and enterprises counter them with widespread sharing of defense tactics.  It's too bad that larger enterprises are reluctant to share their security ideas with smaller competitors because they'd prefer to see them crushed competitively.  They're morally culpable in the bad reputational fallout that harms an entire industry when a smaller player gets hurt.  That bad karma will come back to bite the big shots when hackers go after them too.  I experience schadenfreude whenever someone who overestimates their own morality wonders why bad things happen to them.  Asking why "bad things happen to good people" presupposes that most people are far better than they really are.  If the good guys want to really get better, they need to share their tactics and common data formats with every enterprise regardless of competitive position.  The big players can start with the standards from NCFTA, the AllSeen Alliance, and the NFC Forum.

Cisco had an equation for the threat landscape that multiplied threats, devices, and attackers together.  Wow, that implies multiplicative effects: an incremental increase in each single factor compounds into a much larger product.  There is such a thing as legal offensive security that starts with secure product development, and I'm pretty sure it includes white hat testing.  I got the impression that industry is aware of the scorn hackers feel for retaliatory attacks against their intrusions.  That tells me there's an untapped market for gray hat mercenaries who could track and take out hackers for the right price.  I think offensive security should include an enterprise's risk assessment but I have not located a template for this in open sources.  Okay, here's my framework.  Make a 2x2 matrix that plots the probability of an incident against its severity and populate it with an enterprise's records of recent intrusions.  Design a mitigation strategy for each quadrant.  Assign each quadrant a dollar figure for expected losses and figure the ROI of a counter-effort against that figure.  Holy cannoli, I'm brilliant.  Anyway, Cisco concluded that auditing and security typically come too late in the SDLC to be effective, so it makes sense that those tasks should move to the front of the cycle.  There are such things as DARPA's Cyber Grand Challenge, CyberPatriot, and the Open Web Application Security Project (OWASP) that are supposed to be working on ways to assess and mitigate risk from intrusions.  IT pros need to obtain CSSLP certification and apply ISO/IEC 27034 if they're serious about coding security into the earlier parts of the SDLC.
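Here is that 2x2 framework carried through in Python as an added worked example (my own illustration, not code from the post, from Cisco, or from any other vendor mentioned here).  Incidents are bucketed by annual rate and loss per event, each quadrant gets an annualized dollar figure, and the return on a counter-effort is computed against that figure.  Every incident record, threshold, and dollar amount below is constructed for illustration.

```python
"""Worked example of a 2x2 probability-vs-severity risk matrix with a dollar
figure and ROI per quadrant. Added illustration, not code from the post or
from any vendor it mentions; every record and threshold below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    annual_rate: float      # expected occurrences per year (the probability axis)
    loss_per_event: float   # single-loss expectancy in dollars (the severity axis)


# Constructed "recent intrusion" records for illustration; not real data.
INCIDENTS = [
    Incident("phishing credential theft", 4.0, 15_000),
    Incident("web app SQL injection", 0.5, 400_000),
    Incident("lost unencrypted laptop", 2.0, 60_000),
    Incident("ransomware on an OT HMI", 0.1, 2_500_000),
    Incident("port scan noise", 50.0, 100),
]

# Assumed thresholds that split each axis into its two halves.
RATE_THRESHOLD = 1.0        # at least one event a year counts as "likely"
LOSS_THRESHOLD = 100_000    # at least $100k per event counts as "severe"
QUADRANTS = ("likely/severe", "likely/minor", "rare/severe", "rare/minor")


def quadrant(inc):
    """Place one incident in its quadrant of the 2x2 matrix."""
    likely = inc.annual_rate >= RATE_THRESHOLD
    severe = inc.loss_per_event >= LOSS_THRESHOLD
    return f"{'likely' if likely else 'rare'}/{'severe' if severe else 'minor'}"


def annualized_loss(inc):
    """Annualized loss expectancy: rate per year times loss per event."""
    return inc.annual_rate * inc.loss_per_event


def losses_by_quadrant(incidents):
    """Dollar figure for each quadrant: the sum of its incidents' annualized losses."""
    totals = dict.fromkeys(QUADRANTS, 0.0)
    for inc in incidents:
        totals[quadrant(inc)] += annualized_loss(inc)
    return totals


def prioritize(incidents):
    """Quadrants ordered by how much expected loss they carry, highest first."""
    totals = losses_by_quadrant(incidents)
    return sorted(QUADRANTS, key=lambda q: -totals[q])


def rosi(annual_loss, mitigation_cost, risk_reduction):
    """Return on security investment for a counter-effort against one quadrant:
    (loss avoided - cost of the control) / cost of the control.
    risk_reduction is the fraction of the quadrant's loss the control removes."""
    if mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk reduction must be a fraction between 0 and 1")
    avoided = annual_loss * risk_reduction
    return (avoided - mitigation_cost) / mitigation_cost


if __name__ == "__main__":
    totals = losses_by_quadrant(INCIDENTS)
    for q in prioritize(INCIDENTS):
        print(f"{q:15s} expected annual loss ${totals[q]:>12,.0f}")
    # Assumed control: $100k a year to cut rare/severe losses by 60%.
    print("ROSI for rare/severe control:",
          round(rosi(totals["rare/severe"], 100_000, 0.6), 2))
```

The point the numbers make is the one the framework is for: the noisy, frequent quadrant (port scans, phishing) is not where the money is, and a control that costs less than the expected loss it removes pays for itself even when the incidents it addresses are rare.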

The general session panel on shaping security for the IoT included the very cute Maribel Lopez from Lopez Research, who gets to attend lots of these forums.  Security pros should take note that putting all of an enterprise's devices behind a single IP address is a vulnerability, which is part of why IPv6's per-device addressing is a big help.  Infrastructure engineers need to know that layering sensors over devices in physically secure areas opens hacking windows of vulnerability.  Embedded sensors open a can of worms around product upgrades and regulatory recertifications.  It's good that the health care sector is moving clinical engineering tasks under their CIOs to assure data integrity but the patient is still at risk during the handoff between care phases.  The bad news is that health care providers can't patch medical device software without the OEM's express direction, or it voids the device's warranty.  It was disturbing to hear that unique digital IDs for both institutions and devices make it possible to target an attack to a specific individual's medical devices.  This is a special concern health care providers face when taking the path of least resistance in layering IT systems over unsecured devices.  Former VP Dick Cheney worried about terrorists hacking his pacemaker.  I think the rest of us should worry about data thieves hacking wearables and causing a power surge that melts a battery and blows off a limb.

I learned a new concept from Wind River, namely the IT/OT convergence.  Search that term and you'll see it used together with the smart grid.  Operations tech is in highly regulated verticals and its convergence with IT opens up new use cases for analytics.  It also opens up vulnerabilities, as the panel above noted, when IT carelessly layers programs onto physical systems that have historically been isolated from connectivity.  Existing security controls can evolve under resource constraints but it's obvious (to me, anyway) that enterprises won't be able to resist the efficiency gains from connecting physical systems as quickly as possible.  They'll be tempted to ignore security until it's too late.  Certificate-based authentication within an enterprise is adaptable to both IoT and the IT/OT convergence.

SAP thinks mobile security poses a special challenge to multinational enterprises.  Mobile device management (MDM) is one of those layers I mentioned above that vendors slap onto unsecured devices.  Device vendors install their own APIs on top of mobile OSs, complicating MDM.  The CIO needs a policy architecture in place to govern MDM before a multinational's ecosystem partners get access to the enterprise's data.

Forrester Research said security belongs in a new paradigm.  I'll never forget their think-pieces back in the 1990s that touted dot-com growth in perpetuity.  Maybe security will follow the same parabolic trajectory.  There's an app multiplier effect from the number of app versions released per month that will overwhelm an IT department's ability to make manual adjustments to BYOD protocols.  This must drive enterprises to automate some security functions, and IMHO they need to employ a business rules management system (BRMS) to govern their security rules.  IoT is supposed to mature from dumb objects to partially autonomous sensors to fully independent devices, but we need to think seriously about how much of our home and enterprise we want to be exposed to outside data burglars.  Just because we can do it doesn't mean we should do it.  I see no need whatsoever to connect household appliances to your mobile device.  Firewalls and VPNs will be in demand from homeowners.

Joe Weiss of Applied Control Solutions had the best presentation of the conference, although perhaps I'm biased because his interests in infrastructure and security match my own.  Read his blog at Control Global or read his book Protecting Industrial Control Systems from Electronic Threats.  There's more to industrial control systems than SCADA and hacking them is easy with free web toolkits.  Non-technicians in business domains should know that engineers don't like IT security because it impedes system performance.  His lesson for the IT/OT convergence is that IT and system engineers must work together because IT people can't just be recast as operations managers.  I heard other speakers here tout the innovation they expect from M2M linkages and the analytic benefit of discovering new audit trails from machine data.  They need to hear Joe's points about how M2M links will also affect security.  Minimal cyber forensics for control systems means an electronic version of Pearl Harbor will not leave an audit trail to the attacker.  IT security can't prevent these attacks if IT is merely layered onto OT systems that were designed to work before IT was invented.  Project SHINE (SHodan INtelligence Extraction) is an effort by Infracritical and DHS ICS-CERT to map the extent of critical infrastructure vulnerability.  I won't link to Shodan from here; look up that project's eye-opening revelations.  Joe said that the SarBox regulatory regime convinced corporate management that cyber vulnerability is an IT function.  I've hated SarBox since it was first implemented and now here's confirmation from a non-finance source that it causes operational problems.

Mocana was up again with fifteen unintended consequences of mixing mobile with IoT.  I'd like to see the promised billion dollar opportunities in these consequences, especially the chance for the wealth concentration of the automobile and hydrocarbon sectors to replicate in IoT.  Massive wealth creation lies somewhere in the milieu of collaborative design, shared usage, powerful ecosystems, proactive AIs influencing their own data streams, free Big Data from social media, the disintermediation of design from production in 3D printing, STEM-to-STEAM creativity, autonomous weapon conventions, network control, and the end of privacy.  I'm developing one concept that will leverage most of these trends but you won't hear about it until after I've made it work.

The rest of the talks I attended on IoT and mobile security touched on many of the same themes.  Now you'll listen to what I have to say about security.  Your smartphone may not be an ideal gateway box for your networked home once it gets stolen.  Most IoT devices will have to draw power from their ambient environment because tiny long-life batteries won't be an economical way to minimize field services.  The higher bandwidth and frequencies available for IoT designs may not comport with shorter battery life and lower power available to penetrate buildings.  The US has weak legal protections for privacy because Americans have been asleep while they fell in love with convenience and functionality.  Standards like MQTT, SOAP for web services, Link Layer Discovery Protocol (LLDP) and its various proprietary equivalents won't mean much if they all conflict with each other.  IACR and other bodies will have to sponsor projects to deconflict competing standards.  Compliance will be very tricky when single devices start falling under multiple regulatory regimes:  PCI, HIPAA, and the FTC's Bureau of Consumer Protection all have different standards.  IoT collecting huge amounts of both machine and human data will present a tremendous opportunity for knowledge management (KM) and decision management (DM) solutions.  I just did a web search for each of those terms and no one except me is making the IoT connection.  That means you heard it here first from Alfidi Capital.  I read an article recently about how the large chip manufacturers are adding a microprocessor dedicated to encryption.  That means Arduino and open source designers need to catch up if they care about building security into their ecosystems.  You know IoT is going mainstream when the Economist creates an IoT business index.  Application whitelisting has its place in IT security but I think OT operators will have problems when that whitelisted IT layer is bolted on to their legacy systems.

I'm throwing more original wisdom out to the geek crowd.  Security people in both the IT and OT spheres need to note the duality of the "bolted on" sensor/actuator relationship, especially for connections to critical infrastructure that were never intended to be connected to the outside world.  Sensors collect information (device to enterprise direction of flow) and actuators transmit instructions (enterprise to device flow).  This is the state of affairs that exists before KM implements information capture and DM automates operational routines.  Bear in mind that most of those actuators will eventually receive instructions from BRMS systems that were never designed to manage security flaws in legacy physical devices.  The IT/OT convergence is driven partly by generational differences in the engineering community!  Older engineers operating the OT of critical systems are retiring.  Their replacements are young IT pros who grew up with smartphones; they are probably unfamiliar with the manual backups in physical plant because to them IT connectivity is a given.  Youngsters aren't mindful of security!  The instant gratification impulse has already driven our consumerist culture into spiritual poverty.  It now risks driving our systems engineering culture into a black hole of vulnerability.

I did attend one non-security presentation.  YarcData gave a very informative show on how to use graphs in data analysis.  I didn't understand all of it but I'm a cognitive junkie and it pointed me in the right direction.  The important thing to take away is that a graph isn't some dual-axis chart that the C-suite can twist into yet another 2x2 matrix.  It's a collection of vertices (nodes) and edges (links, or relationships).  The Resource Description Framework (RDF), the W3C data model that expresses those relationships as subject-predicate-object triples, makes them machine-readable and, with a little tooling, readable to humans.  Graphs can answer strategic KPI-related questions and I say KM will determine who needs to act on the graph's revealed answers.  Graphs can be very useful in computer network defense, because graphing node activity reveals weak points vulnerable to intrusion.  Computer scientists typically do graph analysis but business domain users can't just delegate the whole architecture to them without knowing enough to give content guidance.  The similarities to DM are obvious, where mathematicians design the rule engines but domain experts populate the rules.  Business domain types like me should read Albert-Laszlo Barabasi's works so we're not flying blind when the geek squad presents the results of their graph engine's rapid hypothesis testing.  Get some open source graph tools like Gephi and start graphing.
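As an added example of the "graphing node activity reveals weak points" idea (my own illustration, not code from the post or from YarcData), here is a standard-library Python script that builds an undirected graph of a small IT/OT topology, finds its articulation points (hosts whose loss splits the network, which are also the hosts an intruder most wants to own in order to pivot between segments), and ranks them by how many nodes each one strands.  The topology and host names are invented.

```python
"""Find choke points in a network graph. Added illustration, not code from the
post or from YarcData; the topology below is constructed, not a real network."""
from collections import defaultdict

# Constructed undirected links for a small IT/OT network (hypothetical names).
EDGES = [
    ("internet", "fw"),
    ("fw", "dmz-web"),
    ("fw", "core-sw"),
    ("core-sw", "file-srv"),
    ("core-sw", "file-srv2"),
    ("file-srv", "file-srv2"),   # redundant pair, no single point of failure
    ("core-sw", "historian"),    # the one host bridging IT and OT
    ("historian", "plc-1"),
    ("historian", "plc-2"),
    ("plc-1", "plc-2"),
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def articulation_points(graph):
    """Vertices whose removal disconnects the graph (Tarjan's low-point DFS).
    Each one is both a single point of failure and a pivot an intruder needs."""
    disc, low, cut = {}, {}, set()
    clock = [0]

    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in graph[u]:
            if v not in disc:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # root: a cut vertex iff it has more than one DFS child;
                # non-root: a cut vertex iff some child cannot reach above u
                if (parent is None and children > 1) or \
                   (parent is not None and low[v] >= disc[u]):
                    cut.add(u)
            elif v != parent:
                low[u] = min(low[u], disc[v])

    for node in list(graph):
        if node not in disc:
            dfs(node, None)
    return cut


def segments_after_removal(graph, removed):
    """Sizes of the connected pieces left once `removed` is taken out, largest first."""
    seen, sizes = {removed}, []
    for start in graph:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            n = stack.pop()
            size += 1
            for m in graph[n]:
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        sizes.append(size)
    return sorted(sizes, reverse=True)


def rank_choke_points(graph):
    """Articulation points ordered by how many nodes they strand away from the
    largest surviving segment when they go down or get owned."""
    ranked = []
    for node in articulation_points(graph):
        pieces = segments_after_removal(graph, node)
        stranded = sum(pieces) - pieces[0]
        ranked.append((node, stranded, pieces))
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for node, stranded, pieces in rank_choke_points(g):
        print(f"{node:10s} strands {stranded} node(s); pieces after removal: {pieces}")
```

On this constructed topology the core switch, the firewall, and the historian come out as the cut vertices, and the historian is the one that matters for the IT/OT point made elsewhere on this page: it is the single host through which the PLCs are reachable, so it is where a defender puts monitoring and where an attacker who wants the plant floor has to land.  The redundant file servers do not show up at all, which is the whole argument for redundancy.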

DEFCON attendees infiltrate these kinds of conferences.  I couldn't spot them because everyone looked pretty normal.  I plan to take a Cloudonomics-type approach to security once I have a 2x2 matrix that can figure out the cost/benefit and expected ROI of different security approaches.  I also think that data loss prevention (DLP) in mobile requires virtualization.  This eliminates the possibility of storing data on devices, so the loss or theft of a device does not compromise data.  I'm really intrigued by organizations that use a "honeypot" scheme to entice a deliberate intrusion and establish an audit trail that law enforcement agencies can use to determine culpability.  The IT/OT convergence demands pros who can graph out their network nodes, map vulnerabilities, and deploy active defenses like honeypots and other white hat techniques.  I learned a ton at the Amphion Forum.  Their sponsors need to invite me to share my insights with their enterprises.  My speaking fees won't be cheap but my contributions are priceless.