Possible USB malware IoT test at SIA conference
Upon arrival we were surprised to find an obviously Chinese-made portable phone charger on everyone's desk.
Conveniently, it has not one but two USB ports.
Since it was provided by the major sponsor of the conference, we suspected this was an IoT USB malware security test. So we did the only reasonable thing: throw it in the trash!
The advice is: “Do not trust, don’t plug or insert untrusted media into your computer OR PHONE!”. We hope we passed the test!
One of the free USB based mobile chargers at SIA which must have been an IoT USB malware security test – so we threw it in the trash.
The problem is: we saw no one else doing that. It seems that not many people were passing this simple test. Here is a fact: a 2011 test run by the Department of Homeland Security showed that 60 percent of people who picked up random thumb drives or computer disks surreptitiously dropped in government-building and private-contractor parking lots plugged the devices into office computers (source). Just don't do it.
Either way, the first two panels hit it off with the right topics: sharing economy and IoT. Here we go with the summary:
The stage at the SIA New York event
Managing Risk and Setting Priorities
The first panel featured Ray O’Hara (Founder of GSRMA; AS Solution), John Kenning (G4S), John Petruzzi (Enterprise Security Operations, Charter Communications) and Tim Wenzel (Executive Protection Special Projects Head and Residential Security Program Manager, Facebook).
To be honest, everyone was looking at Tim Wenzel, since he was the obvious (millennial-compatible) tech-affine person in the room. To everyone's disappointment, he said he doesn't use social media though. Tim's security strategy is based on looking at the supplier view and the end user view:
- The supplier view: Really looking at the latest standards such as IPv6, OSDP, 2FA and others. Another good thing to do with vendors is to discuss their security roadmap, to understand where they currently are and where they want to be in, say, 12 months.
- The end user view: Truly understand the risk that an executive is willing to take. Tim made the point that executives are often risk-affine. However, security people can't stand in the way by doing the right thing for security, which is not always the right thing for the business overall.
We really liked how Tim sees himself as a partner to the organization and, as such, sees a "Trust" job title as more appropriate than anything involving security.
John Petruzzi raised the most important point: the security industry lacks IT and cyber security talent. This was the single biggest topic that we heard repeatedly in pretty much every statement: people are challenged on the technology side. The security industry needs to move from "enforcement style" to "risk based principles".
IoT – Embracing Opportunity and Managing Risk
The main consensus on the panel was that IoT is only useful if it is an IoST (Internet of Secure Things). This stems from the nature of the discussions, where distant parallels were drawn between garden sprinklers (consumer-level Internet of Things) and industrial IoT. Of course, in retrospect of the IoT-caused outages last Friday this seems appropriate, but business-grade hardware should (and does) work a bit differently, and USB malware issues could be a more appropriate point of discussion.
It was getting interesting when discussions started to circle around the technical risk of IoT devices and how they are (or should be) vetted.
For example, detection mechanisms that reveal when a device is being tampered with, so that the device can be taken offline as soon as possible.
But also problems with ten-year-old infrastructure that hasn't been replaced and is vulnerable to new threats.
Rob Martens' comment that an endpoint security strategy should be in place, basically providing an internal product threat intelligence function, could become essential going forward.
An even better comment he made was about capabilities: when talking about security and cloud, it is important to understand what a company's core capabilities are and what they are not. For example, if someone considers AWS, Microsoft or Google as their cloud provider, they certainly have a better firewall than many of the security companies in the room (but might come with other downsides).
Again the main topic began to revolve around talent: it's hard to get talent, companies need to establish IT experience internally, and so on.
That got a little boring for us and we left.
Some recommendations for the organizer
- Create a panel with only young, millennial security folks. When thrown on a panel with legacy vendors, our kind usually stiffens up, since the reasoning is hardly understood and no real discussion can take place. [hint: we recently organized one! read about our office automation meetup here]
- Establish a “new technology” advisory board that is organizing events or sponsorships in places where IT folks hang out (usually not at SIA events).
- Provide a forum that allows for out-of-the-box ideas and discusses strategies around hands-on implementation – RSA conferences do a great job here, and we could draw some inspiration from them.