defined, it doesn't matter where the business goals of the product pivot: changes can be made quickly under the new security classification by reusing the models defined during the initial threat modeling. Not bad, eh?
This is another thing we preach often in Information Security: Systems Development Life Cycle integration! Security is not some separate and enigmatic exercise carried on by wizards, despite the fact that some of us in this industry would like everyone to believe such a thing. Actually, security is simply good engineering! Why? The more steps that are taken to ensure security, the less likely it becomes that an unexpected action occurs, whether caused by an adversary or simply by accident.
In other words, solid engineering clearly defines the behavior of a product or service, and restricts that behavior to a predefined set, even if the behavior is an exception or anomaly. Security simply integrates the idea that an adversary may try to take advantage of anomalous behavior in a manner that benefits the adversary. By augmenting the SDLC, engineers no longer ask, "Why would someone ever interact with our product in that way?" Instead, they ask, "How do we ensure a stable working environment if someone attempts to interact with our product in this way?" This simple "thought inversion" can save a company hundreds of thousands of dollars in engineering costs when a critical vulnerability is found, and potentially millions in revenues.
In 2012, when I initially executed my DARPA Cyber Fast Track project, the Internet of Things could be broken up into several seemingly disparate models based on verticals in embedded industries. At the end of the year, I noticed a very obvious trend: The embedded/IoT models were collapsing into a single vertical. While there are multiple verticals from a business perspective, there were no longer multiple verticals from a component perspective.
Since everyone was essentially using the same model across all verticals to design and deploy Internet of Things technology, a framework became almost too simple. But there are a lot of unexpected issues with IoT security frameworks. This is not because frameworks or IoT technologies hold bizarre surprises hidden under PCBs (although some manufactured in certain countries might). It's because the deployment environments for embedded/IoT devices bring unexpected attacks that you would not otherwise see in server or desktop environments.
Over the next few weeks, I will be releasing some of these frameworks on the Lab Mouse Security website. If you would like to contribute to these frameworks, please reach out to me on the Lab Mouse site, or through this blog post. I am looking for reviewers and contributors to ensure that the language and format are usable for all readers, regardless of their technical expertise.
Not all of us are interested in safety and security. That sucks, but it's an unfortunate fact of life. Knights we're not, but even we unsettlingly imperfect souls sitting in that conference room at Black Hat understand the need for enforcement of security policy. This means architecting security through organizations that can punish entities that refuse to comply. We have the Federal Communications Commission, so why not the International Security Commission? Oh, wait, we already have other organizations with the acronym "ISC" and they haven't worked out great for us ... Hmm, we'll have to work on that name.
Regardless, enforcement is an imperative, and perhaps the most important point brought up at the round table. Those of us who care will beat down the doors of decision makers at our companies to build budgets for threat modeling and security integration. Those who don't care won't lift a finger. We can talk all day about frameworks, models, threats, actors, and more, and it will do the same good it has done us every fiscal quarter since Heartland Payment Systems was compromised: no good at all.
Now that the Internet of Things is fast becoming the most game-changing concept in Internet history, a change must be made. We must come together to help build the next generation of the Internet, to ensure it isn't sagging its jeans at the mall, or getting tattoos in languages it doesn't actually read. If you want to participate in this effort, please reach out to Lab Mouse Security.
The Information Security industry needs a team of technologically skilled individuals and public speakers who are willing to build a new security foundation for the next generation of the Internet. Together, we can make that happen without the rhetoric and hyperbole that sidelines a conversation that needs to happen yesterday. Don't let another organization speak for you; let's speak together.
The Internet of Things isn't about a small group of people gaining notoriety. It’s about technology that will change the way our society interacts not only with itself, but with the world around it.