On this Down the Security Rabbithole podcast we're joined by Stephen A. Ridley & Jamison Utter for a discussion on the finer points of Internet of Things (IoT) security ... or complete lack thereof. If you own gadgets that are 'connected' or you are ever around them (hint: you're surrounded by things that pull IP addresses right now) then you need to listen to this podcast. Some great discussion in what was the very first podcast we recorded in 2017.
How insecure are products like broadband routers and smart surveillance cameras? The Security Ledger sat down with three experts from the firm SENRIO to discuss the matter: Stephen A. Ridley, the Founder and Chief Technology Officer; Jamison Utter, Senrio’s Vice President of Field Operations; and Margaret Carlton-Foss, the company’s Vice President of Research.
Today, security is little more than a cost center for companies developing new, connected products. Building in security features, like a hardware security model or more robust application security and identity management features, adds to the complexity of the development process and the time needed to complete a product. On the other side of the ledger, however, there is little to compel smart device makers to expend that time and effort.
“(The FTC) is changing the cost benefit ratio of having security in products,” said Ridley. “Up to now, there has been no reason to have any security, so the stuff you’ve seen was more altruistic in nature.” The FTC’s suit against D-Link will give vendors pause, he said. “They have to ask: do we spend x on security now if we can avoid paying x-squared in the cost of litigation and class action suits,” Ridley said.
New Year's Resolutions for IT Security Executives and the Cybersecurity Threats Facing Businesses in 2017
What is one resolution every IT security executive should make for the coming year?
“DATA, DATA, DATA. Effective Information Security departments these days are less about cool tech for IR, detection, policy, and orchestration. We have a wealth of those for traditional endpoints/networks. What we now see is that Information Security (like the rest of technology) needs to be better about storing and utilizing data (and in an actionable time-frame). The largest transportation networks own no cars. The largest search engines and social media sites generate no content. It's all about data management. Security is now no different. Solutions that don't speak to how data is stored, searched, parsed, and effectively plugged into your existing architecture need to be ignored. Security products need to provide operational value now. We've evolved past the ‘how’ and now need to focus on the ‘why.’ Security solutions have the burden of bringing more to the enterprise than just security.”
What’s the biggest cybersecurity threat facing companies in 2017?
“VISIBILITY, VISIBILITY, VISIBILITY. Networks have grown more diverse and now include more than just servers and endpoints that an agent can be installed into for policy, management, and enforcement. Gartner predicts that by 2020, over 15% of all network intrusions will leverage embedded devices. These devices are (from a CISO's perspective) impossible to ‘get into.’ So how do you make sure these devices aren't compromising your network security posture? Look for solutions that speak to this. This burgeoning blind-spot is symptomatic of the CURRENT ‘visibility’ problem. How can you cheaply and efficiently get visibility into the behavior of assets on your network without incurring the cost of archiving terabytes' worth of pcaps? Visibility is king. And at the heart of the visibility problem is the DATA problem. The deluge of alerts. The overloaded SIEM. The ‘analysis paralysis’ of your Operations/Security team. Look for clever solutions to the data/visibility problem that are tractable and accessible.”