2017 Security Predictions and Themes

More of the same...

Simple attacks due to unpatched systems, misconfigurations, ‘standard’ application issues like SQL injection and cross-site scripting, phishing links and so on will continue to be the cause of the vast majority of breaches.

Advanced attacks will still make the headlines, even when only in terms of ‘it could have been xx nation using advanced methods’. Advanced attacks will also still be heavily promoted by vendors to sell products and services.

DDoS will continue to get bigger due to the increasing proliferation of insecure connected devices (cue first IoT reference!).

Big data and analytics will continue to be big.  Security use cases such as behaviour analysis across all the log data will continue to mature and start to show the value of “big data” from a security monitoring perspective.  We will need to work on moving from just behaviour monitoring in logs and alerting to proactive blocking.  ‘Big data’ should start to become the ‘big brain’ that instructs enforcement tools like IPS and endpoint agents (they will obviously continue to do their normal job as well).

IoT. I am waiting (note I don’t want there to be one!) for a serious incident in this space.  Not just the DDoS stuff, but actual direct harm to people from the hacking of cars or medical equipment.  This will shortly be followed by a LOT of knee-jerk regulation.  I have no idea whether this will happen in 2017 or later, but unless something fundamental changes in how the devices covered by the wide IoT umbrella are developed, deployed and managed, it will happen.

  • As a side note, we should stop just referring to IoT and start prefixing it with what we are actually referring to, in the same way as you have SaaS, IaaS, GovCloud etc. for cloud ‘things’.  IoT is far too broad, and also covers far too many different applications that will have vastly different security implications and requirements.

Blockchain.  Like IoT, no predictions list would be complete without something blockchain in it.  We are already seeing blockchain use cases expanding from currency to DRM and music management etc.  This will continue; it’s very much in the ‘hype cycle’ at the moment, with everyone rushing to be at the front with use cases and ‘thought leadership’.  It would be great to see some really beneficial use cases – could a blockchain be used to track and guarantee that charity finances, food or medical supplies went to the right people?

Automation.  Combine environments that are becoming more complex and more dynamic (think DevOps, agile, containers, cloud etc.) and increasing numbers of attacks with the much-reported skills shortage and you have a perfect storm!  Automation will be key for organisations to stay secure.  Automating more of the basic security tasks will also enable better careers for the SecOps guys – they will have more time to focus on more advanced security issues, hunting for threats and so on.

Simplification.  In a similar vein to the above, simplification must be a key strategy.  I’m talking from a security perspective, but this generally makes sense as well!  How many security conversations have started or ended with talk of implementing a tool / solution?  We should be having more conversations about how we can rationalise the tooling we use: how we can meet the security requirements of our organisation with the minimum set of tools and processes, and thus with the maximum simplicity.

Millions of things we can’t predict will no doubt happen, but these are the themes I am currently thinking about.

It would be great to hear your thoughts on the key security themes for 2017!

K

Securing IoT payments

There is a lot of discussion around IoT security, much of it focussed on patching, maintaining / updating etc.

Given the volume of discussion in this space I’ll not write something that just replicates those conversations.


What I am interested in is whether we can enable secure and trusted automated payments from IoT devices.  If we can solve this we can trust a lot of non-payment behaviours as well.

Assuming we can improve those basics enough to make wider use of IoT devices safe (enough), payments will surely follow.  We may well see a growth in IoT driven payments before we are happy the IoT is safe enough – we are already seeing hackable cars and their associated mobile applications (http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/).  A lack of safety and security is clearly not holding back the IoT tide!


One of the benefits of consumer IoT devices is that they will be able to automatically order things.  Examples could be replacing themselves or their components as they wear out, or restocking consumables as they run low – think of a coffee machine buying coffee, or a fridge restocking itself.

Is it possible to simply and effectively secure (automated) payments from IoT devices? Or, for that matter, from any device?

There are multiple potential issues, including:

  • Did you authorise the payment?
  • Is the ‘thing’ really yours and acting on your behalf?
  • Where is the ‘thing’ located, and where should the goods be sent?
  • Do you want / need whatever is being purchased?
  • How could malicious people:
    • Make money (cash out) from this?
    • Cause harm, and to what level – from slight nuisance to real harm?


How can we mitigate the risk from these issues to enable secure IoT payments?


I’d propose that it is possible to do this using a combination of three things:

  • Some rules and metadata about the device and what it is allowed to do
  • Certificates that link the device to you and to an address
  • Something to make this data and all transactions immutable, such as a blockchain implementation


How would these work together?

For most consumer devices it will be relatively easy to set rules about the device in terms of what it is and what it is allowed to do.  For a simple example, a light bulb can only order a single light bulb, to the address it is registered to.  For a slightly more complex example, a fridge could have rules around only being able to order items you have previously ordered and set as ‘replace me’, only to the registered address, only at agreed times, and only if there is space in the fridge for them.

As long as these rules are immutable, e.g. by being held in a blockchain, the chances of a criminal cashing out are extremely limited.  The ability to cause harm is also limited: the worst that could be done is to make a light bulb order one light bulb, or to make the fridge order something you had already marked for replacement and that would fit into the fridge.

Using an extremely scalable certificate management system would allow identity and location to be stored with each device.  Consider something like a root cert and child certs model.  You are your own root cert; all your devices then get a child cert that links to you and carries added information such as the address.  These could be managed, replaced and revoked as you would expect.  Securely managed certificates, potentially stored as part of the blockchain, would link the device (‘thing’) to the owner and location and, by inference, to the owner’s payment instrument and permission to replace / order items.  The permissions the owner has granted the device would also be stored in the blockchain.


By utilising relatively simple rules for each device, which the owner can set and agree to, we are able to ensure it only performs sensible actions.

By using the existing certificate model, just in a massively scalable architecture, we are able to link the devices to owners, locations and payment instruments.

Finally, by utilising blockchain and its properties, we are able to immutably store these things, with clear permissions and a full audit trail for any changes and transactions.
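To show how the three parts fit together in practice (the device rules, the owner/device certificate chain and the immutable audit trail), here is a small Python model written for this post; it is added example code, not the author’s design or any product. An owner key plays the ‘root cert’ and signs each device record (identity, registered address, rules); a device key plays the ‘child cert’ and signs each order; a hash-chained list stands in for the blockchain; and every order is checked against the device’s rules before the decision is logged. The HMAC-based ‘signatures’, the ledger, and all keys, device names, addresses and item names are constructed assumptions for the example; a real deployment would use asymmetric certificates and a proper ledger.

```python
"""Rule-bound IoT ordering: owner-signed device records, a per-order policy check and an
append-only hash-chained log. Added example; HMAC tags and a list stand in for certs/blockchain."""
import hashlib
import hmac
import json

ZERO = "0" * 64
# Constructed keys: the owner key plays the 'root cert', device keys play the 'child certs'.
OWNER_KEYS = {"alice": b"constructed-owner-key-alice"}
DEVICE_KEYS = {"bulb-01": b"constructed-key-bulb-01",
               "fridge-01": b"constructed-key-fridge-01"}

def canonical(obj) -> bytes:
    # Deterministic encoding so equal records hash and sign identically
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, record: dict) -> str:
    # Stand-in for a certificate signature over the record (symmetric HMAC, an assumption)
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

class Ledger:
    """Append-only log in which every entry commits to its predecessor's hash."""
    def __init__(self):
        self.entries = []

    def append(self, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else ZERO
        body = {"prev": prev, "payload": payload}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        # Any edited payload or broken link changes a hash and fails this walk
        prev = ZERO
        for entry in self.entries:
            body = {"prev": entry["prev"], "payload": entry["payload"]}
            if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def register_device(ledger: Ledger, owner_key: bytes, device: dict) -> dict:
    """Owner signs the device record (identity, address, rules); the record is logged."""
    registration = {"device": device, "owner_sig": sign(owner_key, device)}
    ledger.append({"event": "register", **registration})
    return registration

def evaluate_order(ledger: Ledger, registration: dict, order: dict, order_sig: str):
    """Verify both signatures, apply the owner's rules, log the decision, return (approved, reason)."""
    device, rules = registration["device"], registration["device"]["rules"]
    owner_key = OWNER_KEYS.get(device["owner"])
    device_key = DEVICE_KEYS.get(order.get("device_id"), b"")
    if owner_key is None or not hmac.compare_digest(sign(owner_key, device), registration["owner_sig"]):
        verdict = (False, "device record is not signed by its owner")
    elif order.get("device_id") != device["device_id"]:
        verdict = (False, "order names a device other than the registered one")
    elif not hmac.compare_digest(sign(device_key, order), order_sig):
        verdict = (False, "order is not signed by the registered device")
    elif order["item"] not in rules["allowed_items"]:
        verdict = (False, "item is not on the owner-approved list")
    elif order["qty"] > rules["allowed_items"][order["item"]]:
        verdict = (False, "quantity exceeds the per-order limit")
    elif order["ship_to"] != device["address"]:
        verdict = (False, "delivery address differs from the registered address")
    elif rules.get("check_space") and order.get("free_slots", 0) < order["qty"]:
        verdict = (False, "device reports no space for the items")
    else:
        verdict = (True, "approved")
    ledger.append({"event": "order", "order": order, "approved": verdict[0], "reason": verdict[1]})
    return verdict

def demo() -> dict:
    # Light-bulb and fridge scenarios from the post, with constructed names and addresses
    ledger, home = Ledger(), "1 Example Street (constructed)"
    bulb = register_device(ledger, OWNER_KEYS["alice"], {
        "device_id": "bulb-01", "owner": "alice", "address": home,
        "rules": {"allowed_items": {"bulb-E27": 1}}})
    fridge = register_device(ledger, OWNER_KEYS["alice"], {
        "device_id": "fridge-01", "owner": "alice", "address": home,
        "rules": {"allowed_items": {"milk-1l": 2, "eggs-6": 1}, "check_space": True}})

    def place(reg, key, order):  # the device signs its own order with its key
        return evaluate_order(ledger, reg, order, sign(key, order))

    bulb_order = {"device_id": "bulb-01", "item": "bulb-E27", "qty": 1, "ship_to": home}
    milk = {"device_id": "fridge-01", "item": "milk-1l", "qty": 2, "ship_to": home}
    out = {
        "bulb_ok": place(bulb, DEVICE_KEYS["bulb-01"], bulb_order),
        "bulb_redirect": place(bulb, DEVICE_KEYS["bulb-01"], {**bulb_order, "ship_to": "99 Elsewhere"}),
        "bulb_bulk": place(bulb, DEVICE_KEYS["bulb-01"], {**bulb_order, "qty": 50}),
        "bulb_forged": place(bulb, b"constructed-wrong-key", bulb_order),
        "fridge_full": place(fridge, DEVICE_KEYS["fridge-01"], {**milk, "free_slots": 1}),
        "fridge_ok": place(fridge, DEVICE_KEYS["fridge-01"], {**milk, "free_slots": 3}),
    }
    out["ledger_intact"] = ledger.verify()
    ledger.entries[3]["payload"]["approved"] = True  # try to rewrite the rejected redirect
    out["ledger_after_tamper"] = ledger.verify()
    return out
```

Running `demo()` approves the single bulb and the milk order that fits, and rejects the redirected delivery, the bulk order, the order signed with the wrong device key and the order the fridge has no room for; each decision is appended to the log, and the final check shows that quietly flipping a logged rejection to an approval breaks the hash chain. The point of the model is that the rules, the owner-to-device link and the audit trail are each checked on every order, so a compromised device can at most trigger the narrow actions its owner already agreed to.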


I’ve obviously simplified this for the purposes of this blog post, but hopefully the idea is clear.  It would definitely be great to hear your thoughts on this.  I may write a longer, more detailed overview, and incorporating a wider range of inputs would definitely add value!


K