Cyber Security
national secrets. And yet, even those technology defenses were defeated by social engineering weaknesses exploited by Snowden — such as colleagues giving away their passwords. External hackers use those same techniques today, as demonstrated at security conferences like RSA. Recent cyberattacks against bitcoin exchanges are another example of how attacks go after weaknesses in people and process, despite solid technology that is supposedly "hack-proof." Just last week a South Korean bitcoin exchange declared bankruptcy after the second attack in less than a year. This situation developed even as commentators still maintain that the bitcoin currency itself cannot be hacked. Perhaps true, but your bitcoin wallet can still be raided. Similar problems will continue to occur with IoT devices in the future.
Fun Movie and TV Examples to Help Understand the Role of People in Security
I want to recognize that Dibrov says: “It may be prudent, and required, for you to continue with awareness programs, but you will have to rely more on intelligent technologies and automation if you hope to have any chance at success. …” I certainly agree. Nevertheless, the reality is that the main point of his article comes from the last sentence at the end of the article: “It’s time to remove people from the discussion and move towards a more intelligent, secure future.” Really? Take people out of the security discussion? Side note: I immediately posted this article to my LinkedIn and Twitter feeds and received a flood of comments similar to what I am writing in this rebuttal. Some of those same comments from colleagues appear at the bottom of the article at HBR.org. Furthermore, to keep this simple, I’d like to offer a fun illustration of why people cannot be removed from the central security discussion. In the (fictional) film series Mission Impossible, the most sophisticated technical security controls are consistently overcome via weaknesses exploited in people and process hacks. Ethan Hunt (played by Tom Cruise) and a wide assortment of men and women spies in the fictional U.S. Impossible Mission Force (IMF) face an untold number of highly improbable and dangerous tasks that are action-packed, over-the-top and fun to watch. One common theme throughout these five movies (with number six coming in 2018) is how people can still defeat the most sophisticated technology safeguards put in place. Sadly, hackers overcoming state-of-the-art technology defenses are not just for the movies or TV shows like Mr. Robot. We have seen an untold number of ways that IoT devices can be hacked by tricking people into doing things or into not following recommended security best practices. Hacking IoT devices is often easier than Tom Cruise pulling off one of his movie stunts.
Everyone certainly agrees with the goal to build more-secure IoT devices. Humans certainly make mistakes, and we should aim to automate as much security as possible. Just as we safely fly planes on autopilot, shouldn’t we strive to build human-proof smart devices that are secure out of the box? Of course. And ... I am all for more-secure IoT devices that remove the potential for most end-user errors or security mistakes. Nevertheless, training and working with people and processes to protect data will never be an optional extra for secure enterprises, homes or individuals.
12 | Australian Cyber Security Magazine
A False Choice
The HBR article by Yevgeny Dibrov appears to offer an attractive answer because it promises IoT security solutions without the very hard work of changing enterprise security culture. It offers a false hope by eliminating “reliance on a human-based strategy” and offering better security with a perfect technology-driven, or bolt-on tech, solution for all IoT devices. Managers imagine saving significant money by reducing the time required for staff to be trained and/or to understand and implement appropriate (and secure) business processes with innovative technology. This invented conflict is similar to another security paradox from a few years back that asked the question: Are data breaches inevitable? Most people now say "yes" without hesitation, but Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming that “breach inevitability” is just marketing. As I wrote at that time, we need a third answer that adopts all the wisdom contained in the NIST Cybersecurity Framework regarding cyber incident and data breach prevention as well as incident response. The same holistic approach is required for IoT security. Let’s not sacrifice one security best practice in exchange for another, as if we need to pick technology protections over enabling people with better awareness training and engaging in cyber exercises. The NIST guidance encourages an assessment of all cyber-risks with prioritization based upon your specific situation. It recommends that solutions contain end-user training, technical training for developers and system administrators, cybersecurity exercises, management briefings, repeatable technology upgrade processes and much more. Don’t skip over important sections of the NIST Cyber Framework.
Final Thoughts
Better cybersecurity protections for IoT require improvements in people, process and technology. So, let’s not pit people issues against technology protections in a fight for dollars — nor pretend that a perfect black box is coming that will enable IoT nirvana while removing people and process from the security equation. Bottom line: The Edward Snowden story can teach many important security lessons. But no security message is more central than this: People, and their actions, will always matter in cybersecurity. So, can we remove people from the IoT security discussion? Mission Impossible!