Perhaps it's because of the thematic thread that I've been following at AusCERT today, along with some of the people I've spoken to during the course of the conference, but it's hard to escape the conclusion that the Internet of Things will create a host of new attack vectors that will probably only become clear after we have enthusiastically adopted a new technology: that's the way it always goes.

Adoption always comes before mitigation. Google is registering hundreds of thousands of Android devices each day, as Murray Goldschmidt of Sense of Security noted in his talk.

And it's easy to see how adding smarts to cars will be irresistible to the corporate sector. Can you, for example, imagine a CFO avoiding using the information available if the car helps reconcile expense sheets? All it needs is for the vehicle to have an operating system that plays nicely with business IT systems (like Android), a suitable app, and a WiFi connection. That kind of capability might even be completely invisible and seamless.

However, we lack any good way to deal with such things from a security point of view, not just because of the problems that Goldschmidt and Tim Vidas talked about in the Android ecosystem, but also because security capabilities are lagging so far behind the threats.

When people discuss endpoint security, they're not talking about a new discipline. In the first half of the 1990s, a Unix expert of my acquaintance, working for then-major Australian technology company Softway, said there was no point in ever trying to secure a network. You can never guarantee that you have blocked all malicious traffic on a network, he explained, but if every single host on the network (in modern parlance, endpoint) is secure, then the secured hosts will ignore the malicious traffic.

In discussion with various vendors here at AusCERT (Palo Alto Networks' Brian Tokuyoshi and Tal Be'ery of Imperva among them), the idea that a network of perfectly secured hosts is a secure network still holds true. It's securing the hosts that's the problem.

For example, Tokuyoshi said it's impossible to secure an endpoint you can't see and don't control. In the current enthusiasm for BYOD, you can't see the endpoint because it's in the user's hands. And, as Be'ery said to CSO separately, there are just too many endpoints; so individually securing each device would become an impossible burden.

And that's only talking about the endpoints that people believe need to be secured. Many devices have a very small footprint in people's consciousness. They're there, but we don't think about them.

When Paul Vixie discussed the DNS Changer attack in Thursday's keynote, he noted that broadband routers had been turned into part of the attack. They're similar in design, frequently use identical code for key functions like the Web management interface, and if compromised, a simple change to the configuration that points the user to the wrong DNS will be invisible to most users.

An infosec professional will remember that a simple broadband router is an endpoint that needs to be protected, but many or most people do not.

Which returns me to the starting point of this discussion. Companies are already struggling under the burdens of BYOD, and we're only a handful of years away from seeing the beginning of the next explosive multiplication of devices. Is the security business ready for a world in which the attack vector is a Mercedes?