“How many of you or your staff had trouble getting on the internet Friday?”
That was how cybersecurity consultant Bryce Austin kicked off his talk Tuesday at SIMposium 2016, a big gathering of CIOs and IT execs at the Mohegan Sun resort in Connecticut, on the "Unintended Consequences of the Internet of Things."
Uncomfortable laughter ensued.
Austin, who then went on to make attendees even more uncomfortable, swears that even though his session didn't make the original program, it wasn’t added to the agenda as a result of the now notorious IoT-exploiting Dyn DDoS attack that unfolded Friday.
(Not that Society for Information Management members have been ducking the topic: Earlier this year SIM launched a Cybersecurity special interest group and just last week, SIM’s annual IT Trends Study was released, with cybersecurity a huge focus.)
Austin, who said no thanks to an internet-connected thermostat in his house, described one scary scenario in which bad actors could manipulate such devices to turn temperature down and freeze your water pipes or turn them way up and kill pets. Or scarier still, as one of his past presentation attendees suggested: What if a company trying to get a multibillion nuclear energy plant installed in a city created a brownout by turning down a bunch of thermostats by a few degrees and convinced voters that way to fork over the tax money to pay for the unneeded facility?
“That’s pretty dark thinking, isn’t it,” Austin said. “Who would do that? Oh, Enron!”
Austin said that awareness of security basics, such as avoiding default passwords like those that helped enable the Mirai botnet to flood Dyn's DNS last week, isn't a problem for the types of higher up IT personnel attending SIMposium. The bigger challenge is figuring out just how big of a threat such attacks could be to an organization as it heads into its budget cycle. He asked: "Is our company willing to accept that risk? Are they willing to spend more mitigating that risk? Or do they want to consider insuring against that risk?"
It should be interesting to see the legal fallout from last week's DDoS attack. "Who's responsible for this?" he asked.
It's also a good opportunity for IT organizations to talk to their CFOs about the changing security landscape, Austin said. "Security and maintenance are processes, they are not events, and they have to be [part of a budget process] that goes on every single year, for every single system we have," he said.
One overarching security consideration for organizations is not automatically embracing the connected everything, just for the sake of it. Austin pointed to his own use of a security system at his house, one that he checked first to make sure had no obvious known flaws and that also is not IP-enabled (it uses coaxial cable connectivity to a central brain box).
Of course avoiding the IoT isn't going to be possible or necessarily desirable, so one course of action for organizations should be to make sure that device and service providers have skin in the game in case a vulnerability does surface. Austin discussed working with a hosting provider, for example, to put in a contract assurances that patches will be applied to known vulnerabilities within a certain timeframe or result in financial penalties. Working with providers that take part in the Industrial Internet Consortium and/or adhere to its security framework can also provide some comfort, he said.
YOU COULD LEARN A FEW THINGS FROM BOTNETS
Dr. Ed Amoroso, who retired recently after 31 years at AT&T (most recently as CSO), is now consulting with companies on IT security via an outfit called TAG Cyber.
He's urged organizations to re-architect their networks in a distributed and virtual way so as to avoid even worse consequences than those resulting from the recent high profile DDoS attacks. Amoroso acknowledged this won't be easy, as concepts will need to be simplified to the non-technical higher ups you report to, but require serious architectural changes to actual networks.
Amoroso doesn't blame the likes of former Office of Personnel Management Director Katherine Archuleta for that federal agency's big breach last year, but rather the IT and security team that stuck with an outdated perimeter-based enterprise network security system in an age where such perimeters have opened up so many holes to accommodate partners, employee remote access and various cloud services.
"If you're in a camp of saying 'oh yeah, the perimeter is long since gone,' well go back... Do you still have a perimeter? 'Yes' Is it the primary control in every one of your audits? 'Yes.' Well talking about it doesn't solve it. Do something about it," Amoroso said.
Amoroso advised organizations at the annual Society for Information Management confab to "explode the enterprise," by breaking everything from remote access to email to outsourcing access into the cloud via virtual micro-segments and having security go with it.
One of the beauties of this architecture is that every organization's can really look different, and that's one key to keeping intruders at bay. Amoroso railed against compliance rules during the Q&A portion of his talk, arguing that you're not doing yourself any favors by listing out everything you'll do and swearing you'll never waiver from it. "Should defense be a little more unpredictable?...We need less compliance. If we got rid of all compliance, we'd be more secure," he said, to applause.
Coming full circle to the topic of botnet-fueled DDoS attacks, Amoroso said earlier in his talk that CIOs can learn a few things from the way those distributed systems do their damage and resist efforts to kill them. Organizational leaders might say "I wish we had a way to have our network be more resilient...boy if only there were such a thing..."