(IoT) Security doesn’t matter

(IoT) Security doesn’t matter
*
*
*
*
Some restrictions apply
Not valid for security‐specific products
Void in some cases of top‐line and bottom‐line impact
I am neither a lawyer, nor an MBA
Who is Darin White?
• 12 years with BlackBerry, recently we broke up. Amicably.
• 9 years product security: hacker, product manager, leader
• Hundreds of security decisions across hardware, OS, apps, protocols, cloud, on‐prem software… as part of a team
• Maker/Photographer/Creative Instigator ‐‐‐ makebright.com
Why talk about security wrt IoT?
• Everything old is new again with each watershed in tech/mktg
• In the rush to capitalize on the IoT enthusiasm, companies rush in, and security is deprioritized
• As a former security guy, I can’t help but look at all these awesome new gadgets and think subversively about how they may be misused
• Maybe it’s helpful to the IoT ecosystem to start a discussion around security that is sensitive to the pressures and constraints of for‐profit manufacturing of hard products, often in a start‐up model
• Selfishly, I want all this utility and I want it to be reasonably secure.
Your one takeaway, the TL;DR
Make an explicit decision
on security investment
for your product
The Fight Club equation paraphrased
• N – number of customers
• R – probable rate of security compromise
• C – average cost per security compromise
• S – cost of securing your product
IF ( S > N x R x C ) THEN dont_secure_product(true);
* This is not math
The caveats
• Security is like insurance: you don’t need it until something goes wrong
• How do you quantify financial impact of compromises?
• Costs of doing security are more certain than costs of not doing it
• The big one: this is mostly subjective
On‐going costs of security
• Informed (re)design‐time security guidance
• Architect/Dev/QA/Sales/Marketing security training
• HW/SW development that is security aware and checked for compliance
• Plan/People to handle response to security incidents
• Process to monitor/fix/ship fixes – using any OSS in your product?
• (Re)Assess third‐party components and monitor/update/ship patches
• Stewardship of crypto key material
• Tool purchase
• External audits
• Delayed time to market
• Certifications
• Internal threats
• Trust issues with manufacturing partners
On‐going costs of not doing security
$0.00
*… so long as no security‐related issues crop up
Otherwise, bad outcomes
• Revenue loss
• Brand damage
• Lawsuits
• Loss of life (see Lawsuits)
• Extortion by bad guys
Measuring security
• It’s pure folly
• All metrics can be gamed
• Lots of players make money helping you try to measure
• How much security is enough? A medium amount?
• I am likely now disavowed by the security industry
Security… what does that mean?
• Confidentiality
• Privacy – an important sub‐bullet, but only if you’re over 30
• Integrity
• Availability
Relevant IoT examples
•
•
•
•
•
•
IOActive’s work on smart power meters
Sony’s Playstation Network
Disrupting Iran’s nuclear program (Stuxnet) and other SCADA scariness
IP‐based video cameras
Insulin pumps and pacemakers
Smart parking meters
• We always get the headline; rarely get the follow‐up
• What are the material and persistent consequences?
• Do they justify investment in security? (probably in Sony’s case)
Recommendations
• IF your product doesn’t pass the Fight Club equation, then just get back to your new feature development, prototype problems, manufacturing challenges, marketing plans.
• ELSE tackle the low‐hanging security fruit: map the attack surface, secure your comms channels, run some point‐and‐shoot assessment tools, tap the enthusiasm of your security‐keen staff, partner with hackers who are active in your product space
• Above all, make a decision
Questions/Beer?
I am Darin White
Follow @DarinTheGreat
Please read makebright.com
Please hire me to tell the story of what you’re doing