[BreachExchange] A cybersecurity seal of approval is not enough

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 16 19:26:10 EDT 2016


http://www.idgconnect.com/blog-abstract/19365/a-cybersecurity-seal-approval

Cyberthreats continue to dominate the headlines and wreak havoc on
corporate networks. There are now nearly one million new malware threats
released every single day, according to recent reports. In a bid to stem
the tide, several groups have announced programs to rate the cybersecurity
of network-connectable products and systems.

In April, Underwriters Laboratories (UL), a prominent safety standards
organization (the UL certification mark is on everything from lightbulbs to
wireless routers), unveiled its Cybersecurity Assurance Program (CAP). CAP
comprises a set of standards that establish testable cybersecurity criteria
for network-connected devices and systems: assessing software
vulnerabilities and weaknesses, minimizing exploitability and increasing
security awareness. Meanwhile, the Cyber Independent Testing Lab (CITL) is
set to introduce a new cyber ratings system for 100,000 software
applications ranging from web browsers to industrial control systems. Some
are calling it “Consumer Reports for software security”.

I don’t argue with the need for new cybersecurity standards and rating
systems, especially given the rapid emergence of the Internet of Things
(IoT). After all, there will be 21 billion IoT devices connected by 2020,
according to research firm Gartner, and this will vastly increase the
vulnerability of networks. IDC predicts that two-thirds of networks will
experience an IoT security breach by 2018. Given numbers like those, I
applaud the UL and CITL programs—they are an important first step.

But let’s acknowledge that an IoT version of a lightbulb is not like a
regular lightbulb. For regular lightbulbs, we know what we are concerned
about: will it burst into flames, or shower glass on innocent bystanders?
When it fails, does it fail safe? IoT challenges that way of thinking. We
can (and do) build internet connectivity into lightbulbs: at first as a way
to save energy by switching lights off automatically, and later for
security, so that we can do things like track which motion sensors are
turning on lights in buildings that should normally be dark at 3am.

But all this connectivity means we now have to think about wily, deliberate
adversaries who put effort into devising clever ways to exploit these
capabilities, ranging from denial of service through to “stealing” a sense
of a company’s health by reading, from its lighting data, whether people
are working long hours. These are new challenges, and they keep changing:
our cyber adversaries are smart, and they change their tactics every time
we figure out how to block their current methods. This creates a dynamic,
shifting problem that is nothing like UL certification of a standard
lightbulb, a technology that had not developed all that many new
interesting physical behaviors in the time between Edison and the compact
fluorescent.

Starting to get the picture? It’s not a pretty one. Networks and
network-connected devices form an almost infinitely complex system, and
securing them is an almost infinitely complex challenge. Device and
software certifications like those now promoted by organizations such as
UL and CITL, while perhaps a good start, are not sufficient.

Here’s a better start: a thorough assessment of your organization’s
network-wide risk. Once you have assessed your risk, you can then make
truly informed security decisions. You can make changes to reduce risk,
insure against risk or simply decide that you can live with risk. After the
assessment, you will better understand the state of the network. You can
measure resilience, verify compliance and accelerate incident response. A
thorough assessment will also allow you to accurately measure how well
prepared you are now and actively promote progress toward where you want to
be in the future.

Finally, a network-wide assessment should not be a one-time event. You need
to continuously monitor changes in your network and the devices connected
to it to identify and assess new risks as they appear.
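As an added example (not code from the original article or from UL or CITL), here is the kind of continuous check the paragraph above calls for: diff two inventory snapshots of the devices on one network segment, flag what appeared, disappeared or changed, and assess exposure on every device whether or not it carries a certification seal. The device vendors, MAC addresses, firmware versions, open ports and the list of risky services are all constructed assumptions for illustration; a real deployment would populate the snapshots from a scanner or an asset database.

```python
"""Diff two device-inventory snapshots and flag changes worth assessing.

Added example, not code from the original article. The snapshots, vendor
names, MAC addresses and the port-based risk rules are all constructed for
illustration.
"""
from dataclasses import dataclass, field

# Services a consumer-grade IoT device has no business exposing on an office
# segment. The list is an assumption chosen for this example.
RISKY_PORTS = {21: "ftp", 23: "telnet", 1883: "mqtt", 5900: "vnc"}


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    vendor: str
    firmware: str
    open_ports: frozenset = field(default_factory=frozenset)
    certified: bool = False  # carries a cybersecurity seal (e.g. a CAP mark)


@dataclass(frozen=True)
class Finding:
    mac: str
    kind: str      # new_device, removed_device, new_port, firmware_changed, risky_port
    detail: str
    severity: str  # info, medium, high


def diff_inventory(previous, current):
    """Return a finding for every change between two snapshots keyed by MAC."""
    prev = {d.mac: d for d in previous}
    curr = {d.mac: d for d in current}
    findings = []
    for mac in curr.keys() - prev.keys():
        d = curr[mac]
        findings.append(Finding(mac, "new_device", f"{d.vendor} at {d.ip}", "medium"))
    for mac in prev.keys() - curr.keys():
        d = prev[mac]
        findings.append(Finding(mac, "removed_device", f"{d.vendor} was at {d.ip}", "info"))
    for mac in curr.keys() & prev.keys():
        old, new = prev[mac], curr[mac]
        for port in sorted(new.open_ports - old.open_ports):
            findings.append(Finding(mac, "new_port", f"port {port} now listening", "medium"))
        if old.firmware != new.firmware:
            findings.append(Finding(mac, "firmware_changed", f"{old.firmware} -> {new.firmware}", "info"))
    return findings


def assess_exposure(devices):
    """Flag risky listening services on every device, seal or no seal.

    The seal is recorded on the finding so an analyst can see it, but it does
    not suppress the finding: exposure is checked independently of the mark.
    """
    findings = []
    for d in devices:
        for port in sorted(d.open_ports & set(RISKY_PORTS)):
            tag = "certified" if d.certified else "uncertified"
            findings.append(Finding(d.mac, "risky_port", f"{RISKY_PORTS[port]} on {port} ({tag})", "high"))
    return findings


# Constructed snapshots: one office segment on two consecutive days.
SNAPSHOT_DAY1 = [
    Device("00:11:22:33:44:01", "10.0.5.10", "Acme Lighting", "2.1.0", frozenset({80, 443}), certified=True),
    Device("00:11:22:33:44:02", "10.0.5.11", "Acme Lighting", "2.1.0", frozenset({80, 443}), certified=True),
    Device("00:11:22:33:44:03", "10.0.5.20", "Foo Cameras", "1.0.3", frozenset({80, 554})),
]
SNAPSHOT_DAY2 = [
    Device("00:11:22:33:44:01", "10.0.5.10", "Acme Lighting", "2.1.0", frozenset({80, 443}), certified=True),
    # A certified bulb took a firmware update and now also answers on telnet.
    Device("00:11:22:33:44:02", "10.0.5.11", "Acme Lighting", "2.2.0", frozenset({23, 80, 443}), certified=True),
    # The camera is gone and an unknown device has taken its address.
    Device("00:11:22:33:44:04", "10.0.5.20", "Unknown", "?", frozenset({22, 1883})),
]


def daily_report(previous=SNAPSHOT_DAY1, current=SNAPSHOT_DAY2):
    """Combine change detection with exposure assessment, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    report = diff_inventory(previous, current) + assess_exposure(current)
    return sorted(report, key=lambda f: (order[f.severity], f.mac, f.kind))


if __name__ == "__main__":
    for f in daily_report():
        print(f"[{f.severity:6}] {f.mac} {f.kind}: {f.detail}")
```

Run on the constructed snapshots, the report leads with two high-severity exposures (telnet on the certified bulb, MQTT on the unknown device), followed by the new device and the new port, and finally the informational removal and firmware change. The point of keeping `certified` on the finding rather than using it as a filter is the article's own: the seal tells you what the device was when it was tested, not what it is doing on your network today.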

To be honest, you don’t have much choice, because information security as
it stands now will not be up to the job in our IoT future. The level of
reliability and resilience required to safeguard data in the world of IoT
is vastly greater than what we are accustomed to now. As the network grows
more dynamic, it will demand monitoring that is just as dynamic. A seal of
approval stuck onto whatever IoT devices you purchase is simply not enough.