SANS’ Pescatore: Security Needs Rethink For Internet Of Things

Our friends over at InfoSecurity Magazine have an interesting interview with SANS’ Director of Emerging Security Trends John Pescatore about security and The Internet of Things.

Pescatore gets a somewhat skeptical hearing from the enterprise-focused IT security publication. (“Granted, it’s unlikely that anyone would be sending a car an email with a malicious executable, but that doesn’t mean there aren’t threat vectors for hackers to exploit,” InfoSecurity opines, by way of an introduction. Oh really?) But Pescatore brings a “deep field” view to this topic, noting that the security issues around IoT are already upon us in the spent almost two decades as Gartner’s Obi-Wan Kenobi for security, where he advised companies and technology vendors on the best way to navigate the shifting sands of the IT security space.

Speaking to InfoSecurity, Pescatore says the 100,000 foot message is: ‘let’s learn from our mistakes.’ Specifically, that means not looking at intelligent devices, including smart phones, tablets and other smart “stuff” in the same way that we looked at PCs and servers. To that end, he makes a bunch of great points that have also cropped up in these pages in the last year:

+ Bad guys exist – the biggest mistake that many smart device makers make is to fail to anticipate that their product will be the target of an attack. Failing to envision the enemy is a common refrain among seasoned security folks (Chris Wysopal at Veracode says it often). “Another thing we’ve learned in roughly 30 years of using the internet is that the big guys find vulnerabilities and they crash it for fun, at first,” Pescatore told InfoSecurity. “And we’ll see that in the internet of things, including denial of service and general mischief. But the second phase is cyber crime.”

+ Patching – with more and more embedded devices in our computing environments, the issue of software updates is going to be huge. “The goal here is to raise the bar a whole lot, because it’s so much harder to update a pacemaker that’s implanted in a person or upgrade the OS in a windmill that’s been placed on an iceberg,” Pescatore said. 

+ Layered security – Pescatore said that manufacturers and their customers need to move away from our knee-jerk tendency to want to put software on endpoints. “That hasn’t worked for 20 years, but it certainly has sucked up a lot of money,” he told InfoSecurity. In other words: forget about putting AV on your coffee maker, or in your car for that matter.

So what to do about malicious hackers and malware? Pescatore said that hardware-based security, like the Trusted Platform Module (TPM) that is built into many late-model x86 processors and ARM chips, will do a lot of the heavy lifting by making it easier to secure communications to and from devices. Mobile carriers may also become choke points for attacks, acting at a high level to block malicious code outbreaks and identify compromised endpoints on their networks.

It’s a good read. Check it out. Also note that The SANS Institute will be hosting a “Securing The Internet of Things Summit” in late October in San Francisco. The agenda is here.

One Comment

  1. Paul – Thanks for sharing. Security for embedded systems of all kinds is critical. Unfortunately, people want to continue in their blindness. A group of us are putting together a KickStarter project to start building the required foundation. The draft project is at:

    We appreciate any feedback you may have. We have an email string going to discuss the project. Let me know if you would like to be added.
    My LinkedIn profile is