The dynamic of opposites permeates human culture: light and dark, push and pull, happy and sad, supply and demand, yin and yang. While we tend to prefer one over the other, the reality is that the tension between opposites is what makes them complementary. The same can be said of technology. We all know that quick and free access to information, regardless of economic status, is changing the world. But none of that would be possible without security safeguards like accountability and authentication. Without those, economics, capitalism, and even democracy itself are severely strained. Which is why security is a multi-billion dollar industry.
The recent growth of the Internet of Things (IoT) is a case study of what happens when access and availability are not counterbalanced by security. The vast majority of IoT devices available today have been built with little to no thought for security, and yet they are being integrated into the fabric of our daily lives at an unprecedented rate. As a result, massive botnets like Mirai and Hajime composed of millions of compromised IoT devices managed to take down a significant segment of the Internet and affect hundreds of thousands of businesses around the world. Most security experts agree that these attacks are just the tip of the IoT-based cyberthreat iceberg, and that they represent an extraordinarily large attack vector built into our emerging digital economy.
TheInternet of Things Cybersecurity Act of 2017 Actis a noteworthy attempt to address these challenges before they escalate further. The proposed IoTCA bill gives the problem of security and control a good deal of attention, since solving the problem of authentication (people-to-machines, software-to-hardware, data-to-processes, etc.) would be almost analogous, in the Internet security world, to solving world peace.
Over the next few years, billions more IoT devices will become part of our digital lives. If implemented properly, they could utterly transform business and society. However, their value will be limited by the degree to which we can trust their Authenticity that they are what or who they claim to be. Though the IoTCA is not a silver bullet, it attempts to help reduce the level of obvious risks in a ballooning population of Internet-connected devices.
Of course, like everything, even legislation is a two-edged sword. Im concerned about any attempt to legislate vulnerabilities, in part because technology evolves so quickly. Trying to strike a balance between progress and protection can be a tricky business, much like trying to shoe a horse at full gallop. While the government should use its power of the purse its contracting and procurement processes to move the ball forward, its probably not practical, for example, to demand written verification or certification that an IoT product is vulnerability or defect free. Security is a moving target. Frankly, the best that such a certification could mean is that at the moment a device was analyzed it was free from any known defects or vulnerabilities and was not vulnerable to any attacks that the manufacturer knew about. Knowing how fast things change in cyberspace, however, such verifications are the digital equivalent of mayflies.
Similarly, the IoTCAs proposal to require industry standard protocols, however well intentioned, may have unintended consequences because of its potential impact to innovation. These sorts of things need to be developed with care. Standards take time for a good reason. Imposing them with the force of law may unintentionally stifle breakthrough solutions that might leapfrog current technologies. And in that case, everyone would lose.
On the other hand, the proposed IoTCA legislations liability protection for those who are forthcoming about vulnerabilities is a breath of fresh air, especially compared to some of the critical infrastructure sectors that, for fear of regulatory fines, limit vulnerability disclosures.
Likewise, the bills notation about the important role of segmentationreflected a sophisticated understanding of security strategy: When it comes to cybersecurity strategy, Segmentation is still king.
Segmentation (limiting access based on need-to-know to those with authenticated credentials):
The bill rightly encourages the adoption of segmentation strategies and architectures. This approach would intelligently allow IoT devices to be incorporated into the network while limiting their potential negative impact. Visibility into devices actively connected to the network also continues to be a challenge for most organizations. Which is why the bills inventory of devices requirement would help create an excellent starting point for companies or businesses to reference when selecting and operating IoT devices. Proper segmentation and monitoring would not only separate classes of devices and data, but would also allow administrators to pinpoint and isolate misbehaving devices, check them against an inventory, and then extend remediation to all related devices, and not just the one that had been identified.
Intentional design is a strategy whereby vulnerabilities and potential attack vectors are identified and architected out of the network during the network architecture design phase, rather than relying exclusively on security technology. Segmentation is a fundamental part of such a design strategy. At Fortinet, were experimenting with a strategy called Earned Trust, where IoT devices would be allowed access based on their stated trust levels, but whose network behaviors would be automatically and actively monitored to ensure they are performing as advertised. If their behavior, or level of earned trust changes, the network could automatically adjust their access policies. At the same time, the level of monitoring or access for similar devices could be elevated while we determine if the observed behavior was an anomaly or endemic to an entire class of devices.
Of course, the boom of IoT across its many classes (consumer, commercial, industrial) means that the majority of data is no longer contained inside traditional networks. Which means that securing only a few points within the network will no longer be good enough. Security strategies like segmentation need to be woven deep into the core of the network and at the same time expand out to the cloud, remote locations, and even end users. These security technologies need to be able to work as an integrated system to automatically identify, understand, and protect infrastructures from the massive attack surfaces and new attack vectors created by IoT across todays and tomorrows increasingly distributed and elastic network environment.
While the adoption and integration of IoT is going to require taking a fresh look at existing security solutions and strategies, the questions we need to ask about business goals, related risks, and risk mitigation havent changed. Network security not only needs to continue to actively prevent intrusions, it also needs to minimize the risk of serious breaches by reducing the time taken to detect and respond to new threats. Security solutions need to become better at collecting and sharing intelligence. They will need to be able to correlate indications of compromise and automatically coordinate a response to a threat or breach regardless of where it occurs or what attack vector was used. Given the scope and scale at which networks are evolving, achieving this will require a broad, powerful, and automated approach to security that many agencies and organizations do not yet have in place.
Id like to see a little more consultation with industry as this bill progresses. Businesses and even nations are staking their financial futures on the new digital economy.
Back to the topic of synergistic opposites:
Which is the truth? Right now, they both are, in part. But the good news is that, going forward, we can ensure that we maintain a healthy balance between the yin of ubiquitous IoT (and the convenient and instant access to information/services it represents), and the yang of holding it accountable to doing what we expect it to do, and nothing more, through authentication and the adoption of the principles of Earned Trust.
- Avast Internet Security Review 2018 - We Hate Malware - November 8th, 2018
- Security Packages | High-Speed Internet | Windstream - November 8th, 2018
- Antivirus vs Internet Security [Security Software Comparison] - November 8th, 2018
- Internet Security Lectures by Prabhaker Mateti - November 8th, 2018
- Vipre Internet Security 2016 Free Download - Softlay - November 8th, 2018
- Internet security software Reviews 2018 - Compared & Reviewed - November 2nd, 2018
- Exhibit A - Internet Security Requirements - November 2nd, 2018
- CIS Benchmarks - Center for Internet Security - November 2nd, 2018
- Kaspersky Internet Security 2018 Crack + License Key [Latest] - October 12th, 2018
- Zillya! Internet Security | Best Security Solution for Active ... - October 12th, 2018
- Download Norton Internet Security 126.96.36.199 - softpedia.com - October 9th, 2018
- Avast Internet Security 2018 Activation Code, Serial Key Till ... - October 9th, 2018
- Download Avast Internet Security 18.6.2349 Build 18.6.3983 ... - October 9th, 2018
- Download McAfee Internet Security 19.0 Build 19.0.4016 - October 3rd, 2018
- AVG Internet Security 2018 Free Download - FileHippo - October 3rd, 2018
- Internet Security - Quick Heal - October 3rd, 2018
- Kaspersky Internet Security 2019 v188.8.131.528 | Software ... - October 3rd, 2018
- VIPRE Internet Security Review & Comparison - September 22nd, 2018
- Internet Security Suite | Verizon Internet - September 20th, 2018
- Antivirus Security Software & Internet Security - Newegg.com - September 19th, 2018
- Amazon Best Sellers: Best Internet Security Suites - September 7th, 2018
- Download Bitdefender Internet Security 2019 184.108.40.206 - August 24th, 2018
- Best (and Worst) Internet Security Software of 2018 for Windows - August 18th, 2018
- Amazon.com: Kaspersky Internet Security 2018 | 3 Device | 1 ... - August 8th, 2018
- AVG Internet Security - Free download and software reviews ... - August 3rd, 2018
- Top 3 Internet Security Software Suites Reviews ... - July 26th, 2018
- GRC | LeakTest -- Firewall Leakage Tester - July 26th, 2018
- Internet Security is an important part of Identity Theft ... - June 22nd, 2018
- V3 Internet Security | AhnLab - June 22nd, 2018
- Internet Security with Xfinity - Norton Security Online - June 17th, 2018
- Best Internet Security Software Compared - May 25th, 2018
- Computer and internet security software Chili Security - May 21st, 2018
- Internet Security Market Size, Share and Technology, 2021 - May 21st, 2018
- Center for Internet Security - Wikipedia - May 10th, 2018
- Download Webroot SecureAnywhere Antivirus & Internet ... - May 1st, 2018
- AVG Internet Security 2018 review | Ultimate antivirus ... - April 29th, 2018
- The Internet Security Academy - SAHCOM Technologies LLP - April 27th, 2018
- These files can't be opened. Your Internet security ... - April 20th, 2018
- How to Uninstall Norton Internet Security: 12 Steps - April 20th, 2018
- Internet Security Software at Office Depot OfficeMax - April 19th, 2018
- Why is Internet security important? | Reference.com - March 26th, 2018
- AVG Internet Security Unlimited 2018 18.2.3827 20% OFF ... - March 25th, 2018
- Trend Micro Titanium Internet Security - Download - March 21st, 2018
- Kaspersky Mobile Antivirus: AppLock & Web Security ... - March 21st, 2018
- Why do I Need Internet Security - The High Tech Society - March 21st, 2018
- Cincinnati Bell - Other Services Support - March 21st, 2018
- Internet Security Essentials for Business 2.0 | U.S ... - March 21st, 2018
- ESET Internet Security 10.0.386.0 Crack + License Keys ... - March 21st, 2018
- Privacy and Security in the Internet Age | WIRED - March 19th, 2018
- News & Events | K9 Web Protection - Free Internet Filter ... - March 19th, 2018
- 10 Internet Security Programs (for Windows), Ranked Best ... - March 7th, 2018
- AVG Internet Security 2015 Free Download - getintopc.com - March 3rd, 2018
- McAfee Internet Security Download - softpedia.com - February 28th, 2018
- COMODO Internet Security Download - softpedia.com - January 30th, 2018
- Best Internet Security Software 2018 - The best rated ... - January 28th, 2018
- Comodo Antivirus - Best Virus Removal Software 2018 - January 13th, 2018
- ZoneAlarm Antivirus Software | Virus Protection & Firewall - January 13th, 2018
- What Is the Meaning of Internet Security? | Techwalla.com - January 12th, 2018
- Download Avast Internet Security 17.7.2314 - FileHippo.com - January 12th, 2018
- Vipre Antivirus VIPRE Internet Security - January 12th, 2018
- AVG Internet Security 2018 License Key With Crack Full Version - January 8th, 2018
- CA Internet Security Suite Plus - Download - December 27th, 2017
- Collaborative Security: An approach to tackling Internet ... - December 27th, 2017
- Norton Internet Security - Download - December 20th, 2017
- Best Internet Security 2017 - Total Security Software for ... - December 20th, 2017
- Get the Best Internet Security Software of 2016! - December 20th, 2017
- Internet Security Administrator: Job Description and Requirements - December 19th, 2017
- Top 10 Cheap Antivirus and Internet Security Protection for ... - December 19th, 2017
- Download AVG Internet Security Unlimited - FileHippo.com - December 19th, 2017
- Norton Internet Security - softpedia.com - December 19th, 2017
- Internet Security - Cisco - December 19th, 2017
- Best Antivirus Software, Internet Security & Malware Removal - December 19th, 2017
- internet security | eBay - October 26th, 2017
- Avast Internet Security Download - softpedia.com - October 20th, 2017
- Internet Security Software | Trend Micro - October 3rd, 2017
- Lenovo Faces No Significant Penalty for Security-Destroying Superfish Debacle - ExtremeTech - September 7th, 2017
- 25% Upside Seen In Palo Alto, Argus Research Upgrades To Buy - Benzinga - September 5th, 2017
- How to: Your essential guide to internet security - PC Authority - September 5th, 2017
- Internet security startup founded by former CIA analyst raises $40 million - San Francisco Business Times - September 2nd, 2017
- CyberRehab's mission? To clean up the internet, one ASN block at a time - The Register - September 2nd, 2017