Happy New Year! Leading up to New Year’s Eve, we reflect on the year before—its ups and downs, what we learned and how we want to grow. Now that it’s officially 2019, it’s time to look forward. As Swimlane’s CEO, I want to spend some time looking forward to challenges facing the security industry in the coming year. This is the first of a two-part series exploring how the internet of things (IoT) and the ever-accelerating move to cloud computing present new-ish challenges for security operations centers (SOCs) and individual users as well as possible security orchestration, automation and response (SOAR) use cases.
On the heels of the holiday season, gadgets and devices connected through the internet of things (IoT) are being unboxed and placed all over households across the globe. While these devices are intended to make our lives easier in a variety of ways, instances of hackers talking to users through their cameras or people fearing their microwaves are spying on them are continuing to spark conversations surrounding security and technology.
When toasters attack?
As a security professional, I am intrinsically paranoid, but I really don’t think people need to worry about their toasters and microwaves rising up against them. It is theoretically possible that, through the use of the camera and proper timing, your stackable washer/dryer could hit you in the face, but the bigger issue here is privacy.
Sticking with your washer/dryer, think about the Amazon Dash Button. As it gains popularity, you might start saying, “Well, that’s how I’m getting my laundry detergent.” Next, your washer/dryer—but more importantly, Amazon and Tide—is tracking the amount of detergent you use based on the clothes that you have and detecting when your detergent is low. The nice thing is you get your detergent on time; maybe you even get recommendations on the right detergent based on the clothes you have. But on the flipside, there’s someone who knows that you don’t wash your jeans as much as you probably should. Or less comically, you were doing your laundry in one location and weren’t present in another location where something good or bad might have happened.
So, to me, the security issues for IoT are less about my microwave hurting me and more about it exposing information about my habits and location to the world. And now we have to ask ourselves: How is that information leveraged for marketing or sales? What about law enforcement?
“I’ll be watching you.”
It’s apropos that the ‘80s band watching your every move was called The Police. I’m not suggesting that we’re in an Orwellian “Big Brother” situation, but our phones, smart watches and fitness trackers—to name a few—do already provide data on our precise location at any given time. Law enforcement, corporations, business owners and advertising agencies alike can pull up a whole list of people through a geofence and say, “These are the people we’re going to talk to because they were there.” Is that bad? Not necessarily. But what if you were automatically included as a suspect for a crime because of proximity? That would be bad.
Where are the limits?
We see the cameras on TVs exposing people being unwittingly monitored. Obviously, everything we’re saying is being recorded by a Google Home or Alexa device. Deciding how problematic this IoT reality is depends on how much you trust the companies that are monitoring you. What is your expectation for the information they’re capturing and how much they’re sharing? If they get a data request, do they just say, “yes,” and send it over? Or do they require those making requests to jump through a bunch of hoops with warrants and subpoenas to access that information?
Even though IoT technology is relatively new, these questions are similar to the conversations we’ve had about our internet service providers (ISPs) and our internet carriers for years: What’s the barrier of entry for the government to ask for all the things that I ask for and look for on the internet? Now, it’s not so much the carrier that has the information; it’s Amazon and Google. So, you should ask yourself, what did I sign up for when I decided to place said device in my bedroom or bathroom or kitchen?
Privacy or security?
The privacy component here is really hard, and there’s always going to be this juxtaposition between privacy and security: The less I can see, the harder it is for me to identify bad behavior, but the more I can see, the more I can see.
We talk about this a lot in the intelligence and cybersecurity communities. It’s really a zero-sum game. The more you give on one side, the less you have on the other. You could argue for privacy, and you could argue for security. For most, it depends on the question: Were you recently the victim of a privacy violation, or were you most recently the victim of a security breach?
Benjamin Franklin once said, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” And that was before the lightbulb! To me, that’s the tough existential question: Privacy or security? As an individual, I prefer privacy, but as the CEO, I see the real-world examples of how privacy protections are compromising security.
It’s a balance that is going to consistently challenge us in the face of growing IoT popularity and capability.
*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Cody Cornell. Read the original post at: https://swimlane.com/blog/new-year-new-security-iot/