Internet of Things Cartoon (C) Nitrozac and Snaggy

The Internet of Things (IOT)

For those of you that haven’t heard the term yet, the Internet of Things (IOT) is the general concept of connecting an autonomous device to the Internet.  Many of you may have already implemented devices at home like a learning thermostat, security camera or photo frame.  These things add neat features to make our lives more enjoyable, with one of the main features of transmitting data to or from the Internet.

If you are connecting such devices to your home network be sure to set passwords and update them regularly.  You should implement at least the basic firewall on your router.  But the problem is that many folks won’t practice basic security hygiene, and through poorly written software the entirety of the network may be at risk.

Sophisticated agents have targeted Xbox consoles and the PlayStation network ever since they were on the Internet, and it’s only a matter of time before they break down many of the devices that will be later taken for granted.  SCADA controllers, which are used in industrial systems (such as HVAC) aren’t even necessarily exposed to the Internet, yet they can be compromised.  For more on that, read on about Stuxnet.

I am not saying all of this to scare everybody and say that there are boogie men…but all of these neat new things are a bit troublesome to maintain securely (even for the big companies and governments mentioned above).  There isn’t a great answer on how to do this yet.  Maybe Google’s OnHub will be an answer?  Only time will tell.

I’m not saying that I’m immune to how cool and life changing some of these things are, but I know it’s only a matter of time before somebody will determine a method to leverage these devices as a platform to run a bot net or simply hop through a network to other devices.  At this point it’s still kind of the wild wild West until the first big breach happens and the media blows it up like the recent car exploits.

Don’t be too much of a Luddite, just be careful out there and keep your head up.


What is Cybersecurity?

I am finally getting over chuckling about every time I hear the word cybersecurity.  The word cyber was coined to describe a human having intimate relations with a computer.  But from what I can remember there really was not a term for computer security specialists until after “hackers” started to come to light in the 80s.  So how did we get to cybersecurity?  I’m going to discuss one angle of it through the eyes of my current role.

The DoD was one of the first organizations to standardize computer security with the publication of the “Rainbow Series” books in the mid 80s and early 90s.  They developed a formalized risk assessment model dubbed Information Assurance (IA).

IA is more of a defensive stance on computer security.  It is based off of implementing specific controls in order to reduce risk.  And like any other government operation, it is very tedious and time consuming (think like doing your taxes, but about 10 times longer).

The general process for the legacy DITSCAP/DIACAP IA is to determine a classification and confidentiality level for your system.  If you are interested in seeing that information it is here.

After you have to determined how you want to classify your system, then you have to implement the standard controls to meet that level of risk.  These controls and a checklist are organized in DoD 8500.1 and 8500.2.  IA is typically not the group that will implement the controls, although this does seem to happen.  IA is more of an assessment role that provides guidance to administrators and system owners on their current status.  It is kind of like being a supply chain manager and assessor.  It is not a glamorous job, and there is a lot of paperwork.

That process has changed a bit now, and the Risk Management Framework has began to be implemented.  Different programs are at different points in the process, but the goal is to have systems be continuously monitored.  At this point in the eyes of the federal government the term IA is now Cybersecurity.  And there is still a lot of paperwork.

This is just the viewpoint from where I see it, and there are a lot of details that are left out since I don’t want to put everybody to sleep.

From a real world standpoint the DoD is doing the best they can with a very large group…their suppliers, partners and, of course, themselves.  There is an awful lot of moving parts to ensure that everything that should be done is actually happening.

I hope to get in to some of the tools of the trade in the coming months.