During an earlier interview on the challenges relating to security by design and connected objects (IoT), Julien Patriarca, Professional Services Director at WALLIX and cybersecurity expert for more than a decade, tackled the issue of responsibility with regard to security.
This second interview provides some solid leads on how to implement the best practices when it comes to security by design.
Why are we not taking security by design more seriously?
Is it an active choice or are we underestimating the necessity of security by design?
Security is often seen as an obstacle in the digital experience. Whether we are dealing with individuals or companies that develop software or connected hardware, strengthening security from the design stage is a continuous effort that organizations and users need to make. The whole process requires time, organization, and a certain amount of discipline, as security by design also extends to the implementation of best security practices during the use of connected objects or software. Take for example vendors aiming to strengthen security by design on their devices by forcing end users to set more complex logins and passwords. They may be reluctant to do so as a foreseeable, and undesirable, outcome of imposing this condition would be a dip in their earnings in the short run. If their competitors happen to prize simplicity of installation and use over security — which is often what end users want — their reluctance is understandable. However, by implementing security by design techniques, not only will these vendors increase their added value and stand out from the crowd, they will also be positioned as players in digital trust, leading the way in making security by design an indispensable feature.
What holds back security by design is how little knowledge and awareness end users have about the stakes involved.
Since the average user may not have been thoroughly schooled in the risks that lurk in the digital realm, vendors that wish to boost security on their products from the outset run the risk of their clients opting instead for solutions that seem simpler to them. We often hear reasons such as:
"I don't want to memorize another password. "
"I have nothing to hide, so why would a hacker come poking around on my computer? "
I have nothing to hide, so what would a hacker do on my computer?
Users often do not see the big picture on the scale and impact of a hack. It's not as simple as plain data theft. The massive cyberattack on Dyn, a DNS service provider, in which hackers exploited a vulnerability on connected cameras to launch a brute force attack on the American company, bringing websites such as Twitter and Reddit to their knees, is all the proof you need. This incident shows the magnitude of the knock-on effects when security by design is treated as an afterthought. However, it is worth pointing out that such an attack might have done much worse than bringing the world wide web to a temporary standstill, had its target been state organizations, for example.
It is easy to imagine a scenario in which hackers exploit a vulnerability in connected cameras in order to launch an attack on the host of the website allowing taxpayers to file their taxes the day before the last quarter ends. Cameras flimsily protected with login credentials such as admin/password will then become prime targets for disrupting the tax filing process. If such a scenario became reality, users most likely would not even be aware of their role and responsibility in the attack, and would place the blame of a security breach solely on the tax office.
There is an urgent need to educate users and raise their awareness on the fact that security by design — and maintaining such a level of security — is as important as the way the product or software is used.
Security by design is as important as the way the product or software is used.
This also applies to organizations that often have the most meager cybersecurity budgets until the day an attack jolts them into action.
How can we overcome this lack of security?
Cyberattacks these days get wide media coverage, which is a good start in creating user awareness. Simply by watching the evening news, anyone without particular IT knowledge will be able to see for themselves the consequences of not implementing cybersecurity measures. Explaining computing practices in layman terms to report on events such as cyberattacks makes it possible to engage users who become increasingly aware of the risks of digital technology and connected objects, in turn spreading the knowledge by discussing the topic with people they know.
They will then be better equipped to weigh the impact of their own actions by securing the objects that they use, thus playing their part in strengthening security by design.
1. Stronger and more complex passwords
A simple and extremely effective way to strengthen security by design is to change the password to the connected object or device. In many cases, all it takes is a password that is just slightly more complicated (with 8 to 10 characters and other complexity criteria) to be practically sure of never getting hacked.
A complex password is a 90% guarantee against brute force attacks.
Why? Most of the time, cyberattacks use dictionary or brute force attack techniques, meaning that hackers will use a very large set of words found in a dictionary with all possible combinations like admin/password, password/admin, password1234, etc. until they break through the system and obtain access. Laptops today are powerful enough to run such attacks over an extended period and at extreme speeds. What this means is that, in mere seconds, a weak password can be cracked, granting access to sensitive data that can then be pilfered, modified or used to launch attacks of more epic proportions.
The solution to the lack of security by design is to present the danger in simple language while trying not to cause unnecessary alarm. Since IT controls most of our waking hours (work, healthcare, errands, etc), the specific dangers of these new uses for IT are starting to emerge. We need to learn how to protect ourselves from such dangers, much in the same way we learned how to drive safely, for example. In IT, part of being prepared to take on cyber risks begins with creating stronger passwords. As soon as they become more complex, the risk of falling victim to cyberattacks plunges — that is, unless you are the particular target of hackers determined at all costs to break into your system, knowing that you possess the data that they need, but that is extremely rare. In most cases, it is worth noting, individuals are not targeted in particular. In a dictionary attack, the computer scans the IP address ranges on an ISP's network or a host, which appear very clearly in logs as the mechanism works instantaneously. It is really only a computer scan with running scripts. Which is the whole point of having a strengthened password to immediately block such attacks.
2. The developer's role in security by design
Security by design must also be what matters most to developers since they are the ones building the connected object.
When a developer writes code, he needs to factor in use, usability as well as security.
If a program is flawed, hackers can potentially break into the program or connected device by exploiting one or several vulnerabilities. When this happens, the password alone — complex or not — will not be of much help in preventing an attack.
Try as you might, resistance is futile with an armored door guarding cardboard walls.
In this case, what we have is no longer a dictionary attack but a zero-day attack, with vulnerabilities published on the Internet. Here, too, the computer will simply scan the Internet to find the signatures of targeted devices and launch an attack. All the hacker needs is to develop a script with the attack programs in order to take control of the connected object.
As a result, security by design requires two complementary components: 1) a robust software program without any exposed vulnerabilities 2) that forces users, mindful of what is at stake, to change their passwords.
The only solution to bypassing security by design would be to develop an offline, air gapped device, in which case it would not be exposed to such vulnerabilities. But of course, there are still other types of attacks such as social engineering, or data theft using USB drives, which may compromise security on such devices.
Julien Patriarca, cybersecurity expert and Professional Services Director, WALLIX