(IoT) Security doesn’t matter
(IoT) Security doesn’t matter
Some restrictions apply
Not valid for security‐specific products
Void in some cases of top‐line and bottom‐line impact
I am neither a lawyer, nor an MBA
Who is Darin White?
• 12 years with BlackBerry, recently we broke up. Amicably.
• 9 years product security: hacker, product manager, leader
• Hundreds of security decisions across hardware, OS, apps, protocols, cloud, on‐prem software… as part of a team
• Maker/Photographer/Creative Instigator ‐‐‐ makebright.com
Why talk about security wrt IoT?
• Everything old is new again with each watershed in tech/mktg
• In the rush to capitalize on the IoT enthusiasm, companies rush in, and security is deprioritized
• As a former security guy, I can’t help but look at all these awesome new gadgets and think subversively about how they may be misused
• Maybe it’s helpful to the IoT ecosystem to start a discussion around security that is sensitive to the pressures and constraints of for‐profit manufacturing of hard products, often in a start‐up model
• Selfishly, I want all this utility and I want it to be reasonably secure.
Your one takeaway, the TL;DR
Make an explicit decision
on security investment
for your product
The Fight Club equation paraphrased
• N – number of customers
• R – probable rate of security compromise
• C – average cost per security compromise
• S – cost of securing your product
IF ( S > N x R x C ) THEN dont_secure_product(true);
* This is not math
• Security is like insurance: you don’t need it until something goes wrong
• How do you quantify financial impact of compromises?
• Costs of doing security are more certain than costs of not doing it
• The big one: this is mostly subjective
On‐going costs of security
• Informed (re)design‐time security guidance
• Architect/Dev/QA/Sales/Marketing security training
• HW/SW development that is security aware and checked for compliance
• Plan/People to handle response to security incidents
• Process to monitor/fix/ship fixes – using any OSS in your product?
• (Re)Assess third‐party components and monitor/update/ship patches
• Stewardship of crypto key material
• Tool purchase
• External audits
• Delayed time to market
• Internal threats
• Trust issues with manufacturing partners
On‐going costs of not doing security
*… so long as no security‐related issues crop up
Otherwise, bad outcomes
• Revenue loss
• Brand damage
• Loss of life (see Lawsuits)
• Extortion by bad guys
• It’s pure folly
• All metrics can be gamed
• Lots of players make money helping you try to measure
• How much security is enough? A medium amount?
• I am likely now disavowed by the security industry
Security… what does that mean?
• Privacy – an important sub‐bullet, but only if you’re over 30
Relevant IoT examples
IOActive’s work on smart power meters
Sony’s Playstation Network
Disrupting Iran’s nuclear program (Stuxnet) and other SCADA scariness
IP‐based video cameras
Insulin pumps and pacemakers
Smart parking meters
• We always get the headline; rarely get the follow‐up
• What are the material and persistent consequences?
• Do they justify investment in security? (probably in Sony’s case)
• IF your product doesn’t pass the Fight Club equation, then just get back to your new feature development, prototype problems, manufacturing challenges, marketing plans.
• ELSE tackle the low‐hanging security fruit: map the attack surface, secure your comms channels, run some point‐and‐shoot assessment tools, tap the enthusiasm of your security‐keen staff, partner with hackers who are active in your product space
• Above all, make a decision
I am Darin White
Please read makebright.com
Please hire me to tell the story of what you’re doing