In January 2002, in response to growing complaints after several years in which a steady stream of Windows vulnerabilities was exploited by malware, Microsoft CEO Bill Gates sent an email to all Microsoft employees saying security should be the top priority of the company.
Imagine how much better life would have been if Bill Gates had felt that way in 1984, before Windows 1.0 shipped. Imagine if Windows 95 had been developed after nearly a decade of taking security seriously. Heck, throw Linux, Unix, Java and Flash in there, too – we've had several decades of recurring vulnerabilities in those pieces of software also.
From 1995 on, exposure to internet threats has been a given for the majority of software. And 2015 will be a similar transition point for an entirely new generation of computing “things” connected to the internet, this time with ubiquitous mobile and wireless connectivity. Welcome to the Internet of Things.
There's been no shortage of hype about how many “things” will be on the Internet of Things, and plenty of security presentations pointing out vulnerabilities in baby monitors, home energy systems, insulin pumps, automobile systems, etc. It is like a horror movie where the heroine hears creepy noises and starts walking through the house in the dark. It makes me want to scream: “Haven't you seen this before? Turn the lights on this time!”
We don't have to be doomed to repeat the mistakes of the first generation of PCs and servers. We can learn some lessons and avoid many of the pitfalls. Since the Internet of Things is still in its infancy, the software community has a chance to build in new and better approaches to security. For that to occur, manufacturers and vendors must learn from the past and take a long, hard look at security during the design and development of internet-related products.
The security community needs to do its part, too. CISOs need to make sure that security is considered in requests for proposal (RFPs) for all procurements of “things.” Contracts for developing software that will run on those things should include requirements for vulnerability testing and “fuzzing” as part of a secure development lifecycle, and should require that the software support safe, reliable mechanisms for installing updates. Don't forget to include security requirements in services contracts as well – especially in the wireless data services that will provide the connectivity that will make those things productive for users and attractive for attackers. The security industry must also focus on reducing the cost of dealing with old threats, and on adding new-generation capabilities to deal with threats aimed at these new targets.
It is not all doom and gloom. We have made some real progress. Standards for secure software development, such as ISO 27034, are maturing; the availability of secure objects for embedded systems has grown; and good application vulnerability testing tools and services are available. Operating systems do take security much more seriously, and application store mechanisms (whitelists) can greatly raise the barrier to malware. But the Internet of Things will be a heterogeneous world, and managing all the security features and settings across thousands of diverse endpoints will bring its own challenges.
We have CEOs and boards of directors talking about security – all the way up to the Executive Order from President Obama. But that is only because we have failed at building security in. For security to succeed in the Internet of Things era, we must address security early on, during the development stages. That is the only way to stay out of the headlines.
John Pescatore is director of emerging security trends for the SANS Institute. Prior, he served as Gartner's lead security analyst for more than 13 years.