Designing for Security

A112

An eventful week
There has been a lot of security news in the couple of weeks between the RSA Conference in San Francisco and Mobile World Congress in Barcelona. First, Google Security revealed a practical approach for generating collisions for the hashing algorithm SHA-1. While long considered vulnerable, SHA-1 has now been rendered all but useless. Second, security vulnerabilities reportedly cost Super Micro Computer to lose Apple as a client, leading to an 8% drop in the company’s market value. And third, the disclosure of a bug in CloudFlare’s services rendered consumers of web-based services from Uber, OkCupid and other companies potentially vulnerable.

Key questions resurface, and the stakes just got higher

While research, events, and breaches are all ongoing, the events mentioned above serve as a wakeup call for companies to regularly revisit key security questions:

What is the cost of reactionary change, and how do you future-proof solutions?

Numerous solutions, applications, and services—particularly legacy ones—continue to use SHA-1 for storing password hashes, generating session tokens, and affirming transactions. In this case, there are significant costs in reactionary change as part of the transition to more secure algorithms in terms of the fiscal burden to the organization, and inconvenience to consumers. Moreover, how do organizations future-proof solutions or entire platforms and technologies that use underlying techniques such as hashing? A primary example is blockchain, which is being hailed as a major disruptor in how we conduct and verify transactions. Fortunately, major implementations like Bitcoin already use the more secure SHA-256 algorithm, while platforms such as Ethereum that provide solutions utilizing private blockchain networks have adopted variants of SHA-3.

The lack of security doesn’t hurt, until it hurts a lot. When should security serve as a value creator instead of a cost center?

The Super Micro incident was a case where a lack of security directly impacted revenue. Organizations must be cognizant that competitive differentiators are no longer limited to product and service form or function but extend to security capabilities. This is particularly true of IoT environments, where the increased availability of IoT building blocks in connectivity standards (e.g. LoRA, SigFox, NB-IoT), protocols (e.g. MQTT, AMQP, CoAP), cloud platforms (e.g. AWS IoT, Azure IoT, IBM Watson IoT), and analytics capabilities has significantly reduced time-to-market for smarter products and solutions. However, with a lower barrier to entry, how does a company standout in a rapidly saturating market? The lack of a silver bullet for IoT security, and the need to monetize IoT products and operations, provides an opportunity for security to be that differentiator, and a value creator.

Investment in mature security capabilities can help companies avoid the fate of Super Micro, or the vendor that agreed to recall millions of devices in the wake of the Mirai/Dyn DDoS incident last fall. Moreover, there is tremendous opportunity for companies to increase consumer trust in their products and solutions by innovating through security. A few areas for innovation include:

  • Improved measures to prevent against device reverse engineering, particularly in the case of physical access, given the high-profile cases of Nest thermostats and Tesla cars being compromised
  • Device lifecycle considerations, including secure patch delivery and verification mechanisms. A case in point is the IoT search engine Shodan that identified vulnerable infant monitors. When was the last time anyone patched, or attempted to secure thousands of vulnerable baby monitors already in use?
  • Improved asset discovery mechanisms since DNS, DNSSEC, and DHCP are not native to IoT environments, and are unsuitable in power, computation or storage-constrained environments
  • Secure, transactional communication since channel-based security protocols such as TLS/DTLS, impose high overhead on devices in terms of protocol operations and resource consumption

In hyper-connected and highly interdependent ecosystems, are we designing for zero-trust?

Product vendors are increasingly utilizing many of the building blocks described earlier to accelerate product roadmaps and launches. In addition, they are leveraging or integrating applications and services to deliver enhanced consumer contextualization and value. For example, consider the number of applications that utilize authentication provided by networking sites such as Facebook, Twitter, and LinkedIn that integrate productivity tools—for example, Dropbox, Slack, and Evernote with the Microsoft Office suite—and that of numerous conventional or IoT applications via IFTTT.

When a security firm such as CloudFlare that provides CDN, DDoS protection, and other services is compromised, not only does it affect the millions of consumers using Uber and OkCupid, but there are risks regarding potential breaches or leakage of data relating to the 5.5 million other websites that utilize CloudFlare’s services. While vendors enjoy the benefits of building blocks and plug-n-play services, they must design for a zero-trust environment, and develop atomic security capabilities.

How is Aricent designing for security, and what can you look forward to?

At Aricent Security, our focus is on preventive measures to ensure product security and enhance consumer trust. Currently, our focus areas include product and ecosystem security testing and identity management in IoT environments.

Security Testing

Our Highly Automated Vulnerability Assessment Orchestration Containers (HAVOC) solution automates security testing (see Figure 1). This allows clients to harden their products and ecosystems, and reduce the risk of zero-day vulnerabilities. HAVOC provides extensive tool coverage, accelerates security analysts’ processes, and is highly scalable. Organizations leveraging HAVOC no longer require large, highly skilled, and expensive-to-maintain teams to design for security, and ensure a high degree of consumer trust.

From Aricent’s client engagements, we’ve documented HAVOC’s capabilities in a variety of use cases, including:

  • A leading smart home solution provider quickly uncovered vulnerabilities in an IoT ecosystem consisting of cloud-based micro-services, gateways, devices, and mobile applications.
  • A global leader of home and industrial automation solutions reduced costs and scaled operations for product security.
  • A leading telecom provider hardened applications used in its internal processes and infrastructure.

Diagram 02a

Figure 1: HAVOC Automation and Orchestration

Identity Management in IoT

Our Identity Federation, Root of Trust, Certificate and Key Management (IDROCK) framework helps safeguard against threats, by providing ecosystem and consumer trust (see Figure 2). Its automated, durable, scalable capabilities extend across devices, services, applications, and users.

This is foundational for a variety of reasons:

  • Secure communication across edge (device), fog (gateway), and cloud environments
  • Secure access management
  • Ensuring compliance requirements
  • Attaining a high-degree of trust
  • Unlocking the potential for enablement of additional consumer-focused use cases

From Aricent’s experience in working with clients, we’ve observed IDROCK to:

  • Enable Bring Your Own Certificate (BYOC) capabilities in industrial mesh routers
  • Provision device-level “birth certificates” at the time of manufacture, and operational certificates at run-time and at scale
  • Provision identity for consumer IoT gateways that prevent abuse by malicious actors, while ensuring the highest level of consumer privacy

Diagram 01 a

Figure 2: IDROCK Framework

Looking Forward

In addition to Aricent’s current initiatives, we’re excited to be engaging in innovative projects that leverage blockchain and software-defined perimeter across use cases that include scalable identity management, enablement of secure DevOps, and improved security in distributed IoT environments.

We look forward to seeing you at Mobile World Congress 2017 in Barcelona and at Aricent Innovation Showcase events across the United States, where you can view demos of IDROCK and HAVOC, and discuss what’s on the security horizon!

Leave a Reply

Your email address will not be published. Required fields are marked *