The dynamic of opposites permeates human culture: light and dark, push and pull, happy and sad, supply and demand, yin and yang. While we tend to prefer one over the other, the reality is that the tension between opposites is what makes them complementary. The same can be said of technology. We all know that quick and free access to information, regardless of economic status, is changing the world. But none of that would be possible without security safeguards like accountability and authentication. Without those, economics, capitalism, and even democracy itself are severely strained. Which is why security is a multi-billion dollar industry.
The recent growth of the Internet of Things (IoT) is a case study of what happens when access and availability are not counterbalanced by security. The vast majority of IoT devices available today have been built with little to no thought for security, and yet they are being integrated into the fabric of our daily lives at an unprecedented rate. As a result, massive botnets like Mirai and Hajime composed of millions of compromised IoT devices managed to take down a significant segment of the Internet and affect hundreds of thousands of businesses around the world. Most security experts agree that these attacks are just the tip of the IoT-based cyberthreat iceberg, and that they represent an extraordinarily large attack vector built into our emerging digital economy.
The Internet of Things Cybersecurity Act of 2017 is a noteworthy attempt to address these challenges before they escalate further. The proposed IoTCA bill gives the problem of security and control a good deal of attention, since solving the problem of authentication (people-to-machines, software-to-hardware, data-to-processes, etc.) would be almost analogous, in the Internet security world, to solving world peace.
Over the next few years, billions more IoT devices will become part of our digital lives. If implemented properly, they could utterly transform business and society. However, their value will be limited by the degree to which we can trust their authenticity: that they are what or who they claim to be. Though the IoTCA is not a silver bullet, it attempts to help reduce the level of obvious risks in a ballooning population of Internet-connected devices.
Of course, like everything, even legislation is a two-edged sword. I'm concerned about any attempt to legislate vulnerabilities, in part because technology evolves so quickly. Trying to strike a balance between progress and protection can be a tricky business, much like trying to shoe a horse at full gallop. While the government should use its power of the purse (its contracting and procurement processes) to move the ball forward, it's probably not practical, for example, to demand written verification or certification that an IoT product is vulnerability- or defect-free. Security is a moving target. Frankly, the best that such a certification could mean is that at the moment a device was analyzed it was free from any known defects or vulnerabilities and was not vulnerable to any attacks that the manufacturer knew about. Knowing how fast things change in cyberspace, however, such verifications are the digital equivalent of mayflies.
Similarly, the IoTCA's proposal to require industry standard protocols, however well intentioned, may have unintended consequences because of its potential impact on innovation. These sorts of things need to be developed with care. Standards take time for a good reason. Imposing them with the force of law may unintentionally stifle breakthrough solutions that might leapfrog current technologies. And in that case, everyone would lose.
On the other hand, the proposed IoTCA legislation's liability protection for those who are forthcoming about vulnerabilities is a breath of fresh air, especially compared to some of the critical infrastructure sectors that, for fear of regulatory fines, limit vulnerability disclosures.
Likewise, the bill's notation about the important role of segmentation reflected a sophisticated understanding of security strategy: when it comes to cybersecurity strategy, segmentation is still king.
Segmentation (limiting access based on need-to-know to those with authenticated credentials):
The bill rightly encourages the adoption of segmentation strategies and architectures. This approach would intelligently allow IoT devices to be incorporated into the network while limiting their potential negative impact. Visibility into devices actively connected to the network also continues to be a challenge for most organizations, which is why the bill's inventory-of-devices requirement would help create an excellent starting point for companies or businesses to reference when selecting and operating IoT devices. Proper segmentation and monitoring would not only separate classes of devices and data, but would also allow administrators to pinpoint and isolate misbehaving devices, check them against an inventory, and then extend remediation to all related devices, and not just the one that had been identified.
Intentional design is a strategy whereby vulnerabilities and potential attack vectors are identified and architected out of the network during the network architecture design phase, rather than relying exclusively on security technology. Segmentation is a fundamental part of such a design strategy. At Fortinet, we're experimenting with a strategy called Earned Trust, where IoT devices would be allowed access based on their stated trust levels, but whose network behaviors would be automatically and actively monitored to ensure they are performing as advertised. If their behavior, or level of earned trust, changes, the network could automatically adjust their access policies. At the same time, the level of monitoring or access for similar devices could be elevated while we determine if the observed behavior was an anomaly or endemic to an entire class of devices.
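To make the loop described above concrete (inventory check, isolation of a misbehaving device, closer scrutiny of its whole class), here is a minimal sketch. It is an added illustration, not Fortinet's Earned Trust implementation; the class names, segment labels, device IDs and hosts are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Device:
    dev_id: str
    dev_class: str             # e.g. "camera", "thermostat"
    allowed: frozenset         # declared (destination, port) pairs
    segment: str = "iot"       # segment the device currently sits in
    monitoring: str = "normal"

class TrustPolicy:
    def __init__(self, inventory):
        self.devices = {d.dev_id: d for d in inventory}

    def observe(self, dev_id, dst, port):
        """Evaluate one observed flow and return the action taken."""
        dev = self.devices.get(dev_id)
        if dev is None:
            return "block-unknown"        # not in the inventory: no access
        if dev.segment == "quarantine":
            return "block-quarantined"
        if (dst, port) in dev.allowed:
            return "allow"
        # Behaviour departs from the declared profile: isolate this device
        dev.segment = "quarantine"
        # and watch every other device of the same class more closely.
        for peer in self.devices.values():
            if peer is not dev and peer.dev_class == dev.dev_class:
                peer.monitoring = "elevated"
        return "quarantine"

def demo():
    # Constructed inventory and flows (documentation addresses, made-up names).
    nvr = frozenset({("nvr.example.internal", 554)})
    policy = TrustPolicy([
        Device("cam-1", "camera", nvr),
        Device("cam-2", "camera", nvr),
        Device("thermo-1", "thermostat", frozenset({("hvac.example.internal", 8883)})),
    ])
    flows = [
        ("cam-1", "nvr.example.internal", 554),
        ("cam-1", "198.51.100.7", 23),          # undeclared destination
        ("cam-1", "nvr.example.internal", 554),
        ("cam-2", "nvr.example.internal", 554),
        ("tv-9", "203.0.113.5", 443),           # device missing from inventory
    ]
    return [policy.observe(*f) for f in flows], policy

if __name__ == "__main__":
    actions, policy = demo()
    print(actions, {d.dev_id: (d.segment, d.monitoring) for d in policy.devices.values()})
```

The second camera keeps its access but moves to elevated monitoring, while the thermostat, a different class, is left untouched.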
Of course, the boom of IoT across its many classes (consumer, commercial, industrial) means that the majority of data is no longer contained inside traditional networks, which means that securing only a few points within the network will no longer be good enough. Security strategies like segmentation need to be woven deep into the core of the network and at the same time expand out to the cloud, remote locations, and even end users. These security technologies need to be able to work as an integrated system to automatically identify, understand, and protect infrastructures from the massive attack surfaces and new attack vectors created by IoT across today's and tomorrow's increasingly distributed and elastic network environment.
While the adoption and integration of IoT is going to require taking a fresh look at existing security solutions and strategies, the questions we need to ask about business goals, related risks, and risk mitigation haven't changed. Network security not only needs to continue to actively prevent intrusions, it also needs to minimize the risk of serious breaches by reducing the time taken to detect and respond to new threats. Security solutions need to become better at collecting and sharing intelligence. They will need to be able to correlate indications of compromise and automatically coordinate a response to a threat or breach regardless of where it occurs or what attack vector was used. Given the scope and scale at which networks are evolving, achieving this will require a broad, powerful, and automated approach to security that many agencies and organizations do not yet have in place.
I'd like to see a little more consultation with industry as this bill progresses. Businesses and even nations are staking their financial futures on the new digital economy.
Back to the topic of synergistic opposites:
Which is the truth? Right now, they both are, in part. But the good news is that, going forward, we can ensure that we maintain a healthy balance between the yin of ubiquitous IoT (and the convenient and instant access to information/services it represents), and the yang of holding it accountable to doing what we expect it to do, and nothing more, through authentication and the adoption of the principles of Earned Trust.