Application and device security under the spotlight

Until recently, device security has been of minimal concern. However, recent events – such as hundreds of thousands of IoT devices being co-opted into a botnet and the American casino that had data leaked through a smart fish tank – have highlighted the necessity for robust device security measures for this digitally-connected world that organisations now operate in.

It has been reported that by 2020 there will be 40 billion devices connected to the internet. Every device is a potential threat vector for organisations.

To date, there has been little focus on the security of devices and the applications or software they use. Most of the development has been focused on features and battery life. There has also been little collaboration between manufacturers.

“There are thousands of IoT devices and they are all built differently, they are not using common standards,” says Darron Gibbard, chief technical officer of Qualys. “It is almost like the computer industry twenty years ago, where they are not thinking about security.”

Despite the increasing number of hacks and leaks that have been caused by vulnerable applications and smart devices, security is still not as much of a priority as it should be. Part of this down to suppliers – some believe there are no incentives for them to invest in application security.

However, poor app security leads to reputational damage. For example, some people are still refusing to use the Sony Playstation Network since the 2011 cyber attack, despite the security measures Sony have since put in place. With new UK data protection legislation due to come into force soon, companies will also become more liable for looking after their customer data.

Currently, there is no certification for encouraging suppliers to provide adequate levels of security in their devices and their applications. ISO/IEC 27001 (Information Security Management) is the closest, but it only provides information about how good the supplier/manufacturer is at protecting themselves, not about the security of their products.

The EU’s General Data Protection Regulation (GDPR), which will soon be enshrined in UK law, goes part of the way to address this. While it does not define any standards of expected security, it does focus on privacy by design and the use of personal data.

Because suppliers do not generally advertise the security features of their devices, it is up to purchasing organisations to vet and research potential new devices. “CTOs should look to partner with CISOs to build in security by design into their platform and their vendor choices, rather than seeing the CISOs as gatekeepers or even blockers,” says Uri Sarid, chief technical officer of MuleSoft.

“Instead of trying to place stringent requirements on the business, which they will likely circumvent to avoid project delays, IT leaders must look to structure their application networks in a way where they can create defence-in-depth.”

Organisations may wish to consider employing independent parties to assess new devices and their software before installing them on their network. “There are lots of specialist organisations that will run a penetration test, which will divulge any possible threats,” says Gibbard. “That would be something I would always recommend.”

The UK government recently published the Secure by Design review, which forms part of the government’s Digital Charter and the National Cyber Security Strategy (2016-2021). The risks posed by poorly-secured IT products and services threaten an individual’s security and privacy, and can also form parts of large-scale cyber attacks. Such attacks reverberate across the UK and the global economy.

While none of the recommendations in the Secure by Design review are compulsory, the government is strongly advocating that all manufacturers should comply with these best practices. The code of practice was constructed with the hope that a proposed trustmark scheme would align with the recommendations.

The government’s review also considers a product-labelling scheme to make buyers aware of a product’s security features at the point of purchase. As part of achieving this, the government proposes a voluntary labelling scheme for consumer internet of things (IoT) products to aid purchasing decisions and to facilitate consumer trust in companies. This product labelling would identify if the product is internet connected, the product’s minimum support period and privacy-related information.

These recommendations could eventually form part of a possible certification scheme, similar to the BSI Kitemark quality certification for products meeting stringent safety requirements. When internet-connected devices are found to have adhered to the Secure by Design best practice guidelines, they would be awarded a mark of recognition. For this mark to be recognised, such products would need to be independently tested to ensure they meet the requirements.

At the moment, the guidelines set out in the Secure by Design review are purely voluntary, but there could be possible legislative and regulatory requirements in the future. Paragraph 5.19 of the Secure by Design review states that:

“The government has begun exploring where we can further leverage existing legislative measures to place selected guidelines from the Code of Practice on a regulatory footing. Parts of the Code of Practice are already legally enforceable based on the legal requirements set out in new UK data protection legislation. The government will continue this work throughout 2018 in consultation with stakeholders, such as industry and consumer organisations.”

The government is also apparently monitoring the regulatory action taken by other countries, such as Germany, where the German government recently banned children’s smart watches. “The government’s preference is for the market to regulate itself, and follow the steps set out in the code of practice,” said a spokesperson for the Home Office.

“However, due to the ongoing spread of insecure devices, the government will be exploring options throughout 2018 to examine where key guidelines from the Code of Practice, which are not already legally enforceable, can be placed on a regulatory footing.”

If developers were prepared to invest in their product’s security features, this would become a marketable asset that organisations would be prepared to pay for. “It is giving you a degree of assurance that the device has been tested and built to a standard,” says Gibbard. “As a percentage, I would be willing to pay an extra 10% to 20% for that assurance.”

With the UK government considering legislating best practice guidelines as a statutory requirement, developers need to consider making security an important part of the development process.  This could also become, with appropriate marketing, a selling point for new devices and services.

Likewise, purchasing organisations need to proactively investigate the security of prospective purchases, as well as considering pen testing on any new purchases before committing, to ensure they are reasonably secure.

“Organisations should look for products and vendors that have security by design baked in,” says Sarid. “As a CTO, when I look at incorporating a technology or product in something important, especially if it’s foundational to where I’m going, I want to understand in what sense is security baked into the supplier.”

Nothing is ever 100% secure, but with careful network management and device access rights, the risk can be mitigated. “I want my suppliers to add security,” he says. “Not to add vulnerabilities.”