The “stuff” of technology can seem like it rules our lives; business technology, home management systems, consumer wearable tech. For people in information security, for a long time it was all about devices, servers, networks and things with flashing lights. The ‘stuff' of networks and network security: firewalls, switches, HIDS, packet sniffers, spam filters, and so on, defined how we thought about the discipline, but as we've learned, ‘stuff' doesn't grab your CEO's password. Nor does it steal the design to your new cell phone, or rip off your entire customer database from your data center. People do that. At times it's on purpose, and sometimes by accident. But when you dig far enough, you'll find a person at the bottom of pretty much every major breach.
For the past several years, as a society and an industry, we've paid a high price for not focusing first and foremost on people. A price paid in records lost, credit cards stolen and the collective weight of increasing government oversight through compliance mandates. But there really is light at the end of the tunnel as we now shift to think in terms of the identity of the user, their behavior and the context of their activity set against what is normal for them. We are, slowly but surely, moving away from the failed, device-centric mindset of ten or more years ago. However, we now run the risk of falling back into those very same bad habits, only this time on a much, much larger scale.
The Internet of Things (IoT) promises so much. Ubiquitous, on tap computing power that is so deeply embedded in our lives that it's everywhere, all the time. Sensors in cars that track our driving skills, body sensors that watch our health, smart power grids acting on information based on the behaviors of suppliers and consumers, smarter houses that know when we're away, manufacturing processes that are self-monitoring and correcting – the list is dizzying.
And so the question arises, how are we going to keep all this ‘stuff' safe and secure?
Here we are again; we're lured into thinking about all those devices and making them safe. Yet the simple, brutal answer is that to make all the things that comprise the IoT safe and secure wouldn't require just good programming, it would require an act of God. We've been unable to make devices secure when there are a few million of them, so any attempt to build a fully secure IoT is nothing short of downright quixotic. So rather than repeat the whole sorry process, why not skip to the end and start thinking now about how to look for the behavior that indicates what devices have been attacked? We can learn from the last five years by extending the approaches we've taken with the ‘Internet of Fallible Humans' and extending it to the ‘Internet of Hackable Things.'