The number of threats continues to expand. It’s time the tech industry began embracing solutions.
This week’s outage at Amazon Web Services is yet another reminder that Internet security is still not quite there.
Amazon isn’t a second-tier cloud services provider. It’s one of the biggest cloud companies on the planet. If Amazon can’t get it right, it’s hard to imagine anyone can. The company’s Simple Storage Service, aka S3, was the target, and it took about five hours before this online storage was up and running.
Compared with other outages, damage was minimal. It doesn’t appear that private data was hacked, which is good because one of Amazon’s S3 customers is the U.S. Securities and Exchange Commission. As a point of reference, Yahoo suffered from three successive attacks that gave hackers access to data from at least 1.5 billion accounts. And Target’s 2015 breach compromised the data of 40 million customers.
There are four major problems, and a number of remedial steps that will be required. Among the problems:
1. Existing security protocols are insufficient. Large companies such as financial institutions point to their compliance with Transport Layer Security and its predecessor, Secure Sockets Layer, as industry best practices. The truth is these are more like a speed bump for attackers than an impenetrable force field. They offer a legal defense as an industry best practice, but by themselves they are wholly inadequate.
2. Legacy infrastructure only can offer so much protection. The number of new threats that are proliferating on the darknet is like the scene out of apocalyptic movie where natural or evil forces threaten to destroy civilization. (The Center for Internet Security keeps a daily scoreboard of these threats.) Upgrades are required, but they’re also expensive.
3. Hackers share their information. Governments and corporations rarely do.
4. Any connected device can team up with other connected devices to cause problems, no matter how inexpensive or insignificant they appear. This is what happened in the Dyn distributed denial of service attack (DDoS) last October.
There is no single solution to these problems, but there are steps that can be taken to make future attacks less rewarding for cyber attackers.
To begin with, security needs to be designed in at the system level. While most of the attacks so far have been at the software or networking level, compromising the security of hardware and embedded software has the potential to do far more damage. Gain access to the hardware, and you potentially gain access to far more than a single company.
While the chip industry has been focused on hardware-software co-design, it really needs to be hardware-software-security co-design. Security needs to include everything from obfuscation techniques and authentication to complete separation of signal paths, a security certification for black-box IP that is used in these devices, and an end-to-end supply chain tracking for every piece of hardware and IP that is used in a device.
In addition, security needs to be monitored at all levels. A device that connects to the Internet should be recognized as secure or insecure, or somewhere in between. At the very least, the user of that device should be alerted. But as networks are upgraded, they also should have the capability to reject devices that potentially can bring down entire networks. That means many of these devices will need some level of field upgradeability to deal with new threats, and/or networks will require the ability to shut them out if problems arise. And this will require yet another level of regulation to prevent monopolies from forming.
It’s up to the tech industry in general, and the hardware and software industries in particular, to solve these kinds of issues—and soon. Otherwise, more draconian measures will be implemented, such as registering people to use the Internet (which ultimately will lead to the elimination of net neutrality) and requirements that people use their real names online (which has been suggested but so far never implemented).
It’s always better to build the solution you’d like to have than to have one you don’t want handed down. But as the number of threats continues to increase, and the impact of those attacks continues to widen, the window for fixing these problems without outside intervention is shrinking.
Side-Channel Attacks Make Devices Vulnerable
The number and type of attack vectors are increasing as more of the world becomes connected and vulnerable to hackers.
IoT Security Risks Grow (Part 2)
Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.
IoT Security Risks Grow (Part 1)
Side-channel attacks, botnets, ransomware all loom as attacks become more sophisticated on connected devices.