IoT Security Is Broken: Defining Online Protection

We were recently introduced to an amazing organization called the Online Trust Alliance, and they have a fascinating approach to protecting the Internet of Things called their IoT Trust Framework.  This framework, akin to other actionable efforts we have researched, conveys security as an active effort to continuously adapt to new attack vectors and to update users on these ongoing efforts.  From their description, security is constantly changing and very much an interactive and evolving proposition.

This is a far cry from what most IoT security solutions look like today, and it got us thinking about what the best usable definition of security is.

While it might make intrinsic sense that security should be constantly adapting, it is important to consider how many IoT security solutions market themselves today.  Let’s take the general world of SSL as one example.  In this case, SSL providers might state that, once their communications have been established, they use AES 256-bit encryption.  Good luck cracking that level of encryption, and isn’t encryption all you really need?

Of course, they are glossing over the fact that SSL is regularly hacked prior to encryption starting, but their point is that, once you get past the upfront work, isn’t ultra-strong encryption sufficient?  To their point, almost no system on Earth has a great initialization option and, once you set up a long-running IoT system running super-strong encryption, you are set.

Right?

Well, perhaps not.

As it turns out, almost every IoT hack – from Barbie dolls to Jeeps – has occurred by exploiting weaknesses in the authentication and authorization of members of a given IoT system.  We have written about this before, but the fact is that most of these systems existed long before the “IoT” was a thing and, back then, protection equated to isolation.  If nobody could get into the network running a given system then everything on that network was safe.

The Internet of Things essentially plugged a network cable into these isolated systems and yet nobody ever thought to change the underlying security model – and that includes nuclear power plants and our critical infrastructure.

Into this vacuum came a number of older technologies such as SSL/TLS that attempted to plug the hole through encryption – but they failed given the lack of proper at-the-gate protection.  What good is protecting conversations between members of an IoT system when you have no clue if the members are good or bad?  Until we provide, at a minimum, the same level of protection we have for even a basic laptop, how can these systems be considered to be safe?

The problem is that these other services are not static by nature and they do require an active presence.  More troubling – at least for Bear competitors – is that active security requires ongoing reporting – otherwise how can you respond to anything?  Moreover, unless you hire a LOT of people, the reporting and response tools have to be centralized – pretty hard for “security” options that do not have any concept of management or reporting.

This then begs the question: what is sufficient protection?  Is it enough for you to have top-end encryption and leave the rest to chance?  If you believe that is the case, then what is your rationale?

How about an exploit – how would you handle that today in systems where updating software is, to be nice, insanely hard to do?

What is sufficient protection in your mind?