All IT security conferences have one thing in common: Speakers have dozens of ghastly, yet funny, stories of blunders.
Kellman Meghu, Check Point Software’s Toronto-based head of security engineering, told a couple at a keynote during the annual SecTor conference in the city on Wednesday.
Like the vendor who installed a cash dispensing machine in an undisclosed mall with its IP address clearly visible on a label on the front of the device. Nearby were two Ethernet ports. A colleague of Meghu’s was able to connect to the machine at night and download a list of credit card numbers used that day — in fact, he could command the device’s printer to print them out.
Then there are the researchers at the University of Michigan who in August revealed they could hack into an unencrypted wireless controller in a municipality overseeing nearly 100 networked traffic lights and change their timing.
“I thought we solved this problem,” Meghu complained. “I thought we knew the basics. And this is what concerns me. How many times have you seen (IT) security failures — we’ve seen tons at this conference — that really came back to stuff we already know and we should have taken care of? It’s almost embarrassing.”
With the Internet of Things, soon everything will connect to the Internet, he said. “And what really frightens me is we’re going to repeat all the problems and mistakes we made in the 80s and 90s again” of connecting devices to the network and then worrying about security, “except now we’re going to do it with the critical devices connected to very important things.”
“The way this is going in the next couple of years, very critical systems like heating and dams and that are going to be connected, they’re going to make some bad mistakes we probably shouldn’t, and someone’s going to die – potentially a lot of people will die – and this will cease to be funny.”
He blames vendors in part, but also IT departments who talk grandly about security strategy, but end up asking the “stupidest” questions about device performance in requests for proposals and proofs of concept, like “how fast can you forward a packet” and “describe your power system.”
That’s because a lot of organizations think all security appliances are the same and that policy controls will make a system tight.
Instead, he said, IT security should start at the business logic layer: find out what the organization needs – what data needs to be protected, who needs access, and which of the devices they have can have access – and work from there. Around that core, threat protection products for pre- and post-intrusion get wrapped. The last thing that should be discussed is performance.
“We need to migrate to a concept of understanding people and devices and applications and data,” he said in an interview. “That must be what your (security) policy is about. These devices are fully capable of understanding that concept and protecting on it. I just don’t think as an industry we’re using it enough.… If you don’t have a policy like this you’re not going to be able to secure your environment because it’s going to be wide open” to attackers.
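The policy model Meghu describes, with people, devices, applications and data as the things a policy reasons about, can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from the article, from Check Point or from any of its products; the roles, device attributes, data labels and the order of the checks are assumptions chosen for the example. The point it shows is that the decision is driven by those four dimensions and that an unknown request (an unmanaged box plugged into a spare port, running an unapproved program) is denied by default, independent of how fast any appliance forwards packets.

```python
"""
Added example (not from the article or from Check Point): a small
default-deny policy evaluator built around the four things the keynote
says security policy should be about: people, devices, applications
and data.  All names, roles, labels and the check ordering are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    roles: frozenset          # assumed role names, e.g. {"payments-ops"}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled and patched by IT, or an unknown box on the LAN
    network: str              # assumed network zone: "corp", "guest", ...


@dataclass(frozen=True)
class Application:
    name: str
    approved: bool            # on the organisation's approved-software list


@dataclass(frozen=True)
class Data:
    label: str                # assumed classification: "public", "cardholder", ...
    allowed_roles: frozenset  # roles permitted to read it; "anyone" means no restriction
    min_device: str           # "any" or "managed"


# Constructed sample catalogue: which data exists and who may touch it.
DATA_CATALOG = {
    "price-list": Data("public", frozenset({"anyone"}), "any"),
    "card-transactions": Data("cardholder", frozenset({"payments-ops"}), "managed"),
}


def decide(person, device, app, data_name):
    """Return (allowed, reason).  Anything not explicitly permitted is denied."""
    data = DATA_CATALOG.get(data_name)
    if data is None:
        return False, f"unknown data object {data_name!r}"
    if not app.approved:
        return False, f"application {app.name!r} is not approved"
    if data.min_device == "managed" and not device.managed:
        return False, f"device {device.device_id!r} is unmanaged"
    if data.min_device == "managed" and device.network != "corp":
        return False, f"device on {device.network!r} network may not reach {data.label} data"
    if "anyone" not in data.allowed_roles and not (person.roles & data.allowed_roles):
        return False, f"{person.name} lacks a role permitted for {data.label} data"
    return True, "person, device, application and data checks all satisfied"


def demo():
    """Evaluate a few constructed requests and return the decisions."""
    ops = Person("alice", frozenset({"payments-ops"}))
    managed = Device("wks-0042", managed=True, network="corp")
    console = Application("settlement-console", approved=True)

    stranger = Person("unknown", frozenset())
    rogue_box = Device("mall-laptop", managed=False, network="guest")
    terminal = Application("terminal", approved=False)

    return {
        "ops-on-managed": decide(ops, managed, console, "card-transactions"),
        "rogue-box": decide(stranger, rogue_box, terminal, "card-transactions"),
        "ops-on-rogue-box": decide(ops, rogue_box, console, "card-transactions"),
        "public-data": decide(stranger, rogue_box, console, "price-list"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The check order is a design choice: application and device posture are evaluated before the person's role, so a compromised or unenrolled device is refused even when presented with a legitimate user's identity. Performance never enters the decision, which is the ordering Meghu argues procurement questions should follow too.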
Despite the continuing stories of data breaches and blunders, “I’d like to think there’s a positive way ahead,” he said. “I’m already seeing a shift in the industry where security companies are less inclined to compete against each other and starting to work together… Attackers have advantages over us because they work together to make their malware better. But we don’t work together to make our security products work better.”
On the other hand, Check Point hasn’t joined the fledgling Cyber Security Consortium or the Cyber Defense Consortium. That’s because they are sharing similar malware feeds, not threat intelligence, he replied.
As for the readiness of Canadian enterprises to face cyber threats, he said “there’s a lot of really good security people in these companies, but they’re not empowered to do what they need to do. They may not have the visibility at the higher level they should. They’re doing the best they can with what they have, but at a business level it’s still a bit of a challenge to get (executive) mind share to say ‘This is important to your business’ because we’re still a cost centre to them. Nobody wants to talk about that, they want to talk about how to make more money. We’re the depressing side that costs them money.”