Read the book The Digital Big Bang - Phil Quade - Page 46

MANAGING THE INTENSIFYING CONNECTIVITY OF THE IOT ERA


Brian Talbert, Alaska Airlines

Over the past several years, the reach, scale, and depth of digital connectivity has intensified so dramatically that it has fundamentally changed our conceptions and definitions of what being connected even means.

While many outside the fields of security and information technology still talk of greater levels of digital connection in the context of human beings communicating with one another, chief information security officers (CISOs) and their teams understand that that is merely a small, visible ripple on the very surface of today's hyperconnected world. Things and machines connecting with each other is the bigger picture of connectivity—which gets exponentially bigger each day and now borders on the immeasurable and the unimaginable. And, as many IT teams can attest, it is also increasingly unmanageable—at least by people alone.

That's because, as the Internet of Things (IoT) grows, the majority of connectivity today occurs between devices. With aims of greater efficiency, cost savings, and convenience, everything from cameras to lightbulbs to household appliances is being augmented with digital capabilities, allowing these things to connect to the Internet and to each other to share relevant information.

It is a level of new-normal functionality that creates a momentum powered by consumer demand: As more smart devices are manufactured, more people come to expect a new device to have that capability. And more companies scramble to enhance their product lines with technology—whether or not they have experience with it.

Today, the IoT comprises more than 8.4 billion devices—with a projection of 20.4 billion deployed by 2020.

What consumers and manufacturers often don't realize, though, is that the convenience of IoT devices comes at a cost. And that cost is a significant one: A vastly expanded attack surface comprising millions of devices with minimal security—manufactured by companies with little experience in securing digital technology.

Many IoT devices can be easily compromised to gain access to a network, or they can be chained together to create a huge increase in attack power. Layer in cloud services for managing these devices, and what results is a level of vulnerability that is ripe for attack. Because of the minimal security of the devices themselves, that attack can be incredibly destructive with little expertise required. You don't need to be a civil engineer to topple dominos, and you don't need to be a master cybercriminal to harness the IoT into a botnet.

Take the Mirai botnet, for example. In October 2016, a massive denial-of-service attack left most of the East Coast of the United States without Internet access. The attack was so large and so disruptive—a digital tsunami of 1.1 TB of data per second—authorities first suspected it was an act of war by a rogue state or enemy nation. It turned out to be a couple of college kids with novice-level hacking skills and the desire for more competitive advantage in Minecraft.

And that gives an indication of the scale, power, and risk of today's landscape of connectivity.

Mirai harnessed the combined power of IoT devices—specifically routers, cameras, DVRs, and printers—by scanning for open ports, then taking over the devices with a few lines of code that cycled through 61 common unchanged default passwords. In the first 20 hours, it captured 65,000 devices—doubling the amount every 76 minutes, growing to a peak of up to 300,000 infections. All told, 164 countries were hit.

As the IoT continues to spread, IT teams are now faced with two primary connectivity challenges within their organizations. They must contend with devices brought in by casual end users, such as connected speakers that someone puts on their desk. And they must also secure business-use devices such as security cameras, office equipment, and facility equipment.

As enormous a challenge as this presents, it is important for IT teams to recognize that for the most part people are not using these devices with disregard for security. It is a new technology, and people simply don't know the risks it presents. Still, regardless of intent, IT has to treat every device as untrusted until it is verified.

These realities create issues of incredible complexity and scale. With the IoT, as the surface area grows, it also becomes less and less defined. It is difficult to discern where a network begins and where it ends when literally thousands of devices can access it—and the network in turn becomes an access point for anyone who can get past the limited security of those devices.

Unfortunately, in such a complex and expanding environment, many organizations simply lack the visibility needed. As a result, they don't know what they don't know, much less how to secure everything they can detect.

As this new reality intensifies, it will create a primary need for better tooling for visibility; network access controls; and stronger threat detection, prediction, and response capabilities. But even with all these important defenses in place, it is not enough. The IoT is simply too vast to be managed and mitigated by people alone.

As the scale increases and vulnerabilities become more complex, the standard manual human security operations center or threat defense responders will no longer be a viable first line of defense. Success will depend on deeper machine intelligence and automation. That said, investing in the technology is only a small part of the solution—and even then, it requires a great deal of insight and understanding of the network and the greater connectivity landscape to design a model that is appropriate.

To create scalable and sustainable solutions, it's important to recognize that these problems are organizational—not individual or team-based. Before designing security strategies, executive leadership needs to fully understand the importance of addressing the problem systematically, with a cross-functional, cross-divisional program.

This program will have to include good security policies and architecture review processes. But it will also have to address the new reality that software engineers and application developers can no longer assume that they are building on top of a naturally secure and private underlying network. Secure coding practices must become so deeply ingrained in the philosophy, processes, and deployment pipelines that they simply become a part of the natural practices of the developer. The bar is high here, and these individuals must understand everything from user authentication to data obfuscation and secure data transport. Organizations will quickly see the need to develop repeatable patterns with consistent, standardized, and reusable security code libraries.

In short, addressing the connectivity challenge will require even deeper levels of cooperation and collaboration across an organization, from the coding level up. And to do that effectively requires both funding and expertise. As many CISOs and their teams know, this is a square-one reality that they must advocate and evangelize to decision makers in the C-suite, and even to the board of directors.

As daunting as organizational and cultural change can be, it is important to start where you are and move forward from there. If a company doesn't have experience and expertise in these areas, there may be an inclination to delay planning. But it is better to take modest first steps rather than to do nothing. External assistance from a trusted adviser will often prove valuable, even if only to provide a roadmap that an organization can follow. Find those outside experts and advocates as necessary and then scale their services to fit the budgets available. If nothing else, doing so will begin to build the network of strategic partnerships that will become increasingly needed and valuable.

Funding limitations are a reality all CISOs and their teams must contend with, but the cost of securing the enterprise is too often considered just on the basis of hard allocations—the tools, time, and resources needed. Intangibles and opportunity costs must be considered as well. Is the return on the investment of resources to build that next application feature greater than the costs of an inevitable breach and the reputation and brand harm it would cause? These can be complex and challenging questions for any organization, but they are the types of questions that all companies should become more comfortable answering.

And they pale in comparison to the complexities and challenges of ever-expanding and complicated networks, sprawling outward with more and more consumer-level devices. The longer an organization delays, though, the more difficult the path forward could be.

The telltale sign of a need to focus on these areas is the recognition that you haven't already. Too many companies use a breach as an indicator—perhaps not understanding the substantial risks involved. If you are not already implementing secure coding practices, if you are not already looking for the presence of unauthorized IoT devices joining the network, you are already behind the curve. It's almost a certainty that you have devices and code that are easily compromised. The fact that you don't know for sure indicates how great the risk can be—and reveals how critical visibility, and the insights it provides, is to strategically managing and mitigating the intensifying levels of connectivity in the IoT era.
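The check this chapter keeps coming back to, "looking for the presence of unauthorized IoT devices joining the network", as an added example that is not from the book: a Python script that parses DHCP lease acknowledgements and flags every device whose MAC address is absent from the approved asset inventory, tagging hostnames that look like consumer-grade IoT gear brought in by end users. The lease lines, the inventory and the hostname hints are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of ISC dhcpd-style lease acknowledgements (not real captures).
SAMPLE_LEASES = """\
DHCPACK on 10.20.1.15 to 3c:22:fb:aa:bb:01 (lobby-cam-03) via eth0
DHCPACK on 10.20.1.55 to 00:50:56:ab:cd:ef via eth0
DHCPACK on 10.20.1.90 to 00:17:88:01:02:03 (Philips-hue) via eth0
DHCPACK on 10.20.1.41 to 3c:22:fb:aa:bb:09 (printer-floor2) via eth0
DHCPACK on 10.20.1.102 to 44:65:0d:99:88:77 (Echo-Dot) via eth0
"""

# Approved asset inventory, MAC address -> purpose. Constructed for this example.
APPROVED = {
    "3c:22:fb:aa:bb:01": "facilities camera, lobby",
    "3c:22:fb:aa:bb:09": "shared printer, floor 2",
}

# Hostname fragments typical of consumer IoT devices (constructed, extend as needed).
CONSUMER_HINTS = ("hue", "echo", "chromecast", "nest", "raspberrypi")

# One DHCPACK per line; the "(hostname)" part is optional because many
# embedded devices never send a client hostname at all.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

Finding = namedtuple("Finding", "ip mac hostname reason")

def find_unapproved(lease_text, approved=APPROVED):
    """Return one Finding per DHCPACK whose MAC is not in the approved inventory."""
    findings = []
    for line in lease_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement, ignore
        mac = m.group("mac").lower()
        if mac in approved:
            continue  # known, inventoried device
        host = (m.group("host") or "").lower()
        reason = ("consumer IoT hostname" if any(h in host for h in CONSUMER_HINTS)
                  else "unknown device")
        findings.append(Finding(m.group("ip"), mac, host, reason))
    return findings

if __name__ == "__main__":
    for f in find_unapproved(SAMPLE_LEASES):
        print(f"{f.ip:<12} {f.mac}  {f.hostname or '-':<14} {f.reason}")
```

Feed it the DHCP server log (or a lease file converted to this shape) on a schedule and route the findings into the visibility tooling the chapter describes; a device that is "unknown" today should either be added to the inventory with an owner or removed from the network.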
