Emerging Tech, Cybersecurity and Incident Response: Not a Question of If, But When and How Bad – or How Good

CompTIA Chief Technology Evangelist James Stanger travels the world speaking about cybersecurity, today’s IT technologies and emerging tech, so we sat down with him to learn more about the security implications of emerging technology.

CompTIA: What is emerging technology?

James Stanger: To some people, emerging technology is a really cool idea, a new innovation. It’s something that is cutting edge, and won’t be implemented for a dozen years or so. But to others, emerging technology is all about adoption. It’s the new, disruptive technology that’s being implemented by early adopters. I think there’s a big difference between innovated tech – the stuff found in the lab – and the adopted tech. Is emerging technology visionary, or is it something that’s being adopted in the workplace and being used every day?

Some people may call artificial intelligence (AI) like Siri or Alexa emerging technology, but is it really emerging? It’s in the here and now. It has been adopted. Companies are busy using the Internet of Things (IoT) right now. Emerging technology is something that recedes into the future, in a sense.

In my mind, emerging technology is emerging into the real world on some level. For example, using AI in software. Soon, our spreadsheets will tell us, “You just created this pivot table. Here are suggestions for what to do next based on what 10,000 other people have done.” That’s what I think of as emerging technology in terms of AI.

CompTIA: What are some of the security concerns related to emerging technology?

Stanger: As technology finds its way from the visionary to the real world, there’s an inevitable rush to market. As we rush IoT devices to market, just as we rushed operating systems and platforms such as Windows 95, Linux kernel 1.0 and various routing devices to market in the past, the security isn’t thought of because we’re stampeding to get it out in the world.

A lot of emerging tech doesn’t have enough security built in. At least in my mind, the software used in these devices isn’t bad in and of itself. But, clearly corners have been cut. That leads to buggy software and poor security practices as all of the pieces needed for implementation are put together. IoT requires a pretty sophisticated approach to firmware, storage, sensors and network transmission. Each of these elements has to fit together well. Oftentimes you end up with a software or hardware development cycle that just isn’t thought through. It has flaws that can be easily exploited. That leads to gaps – or what I call interstices. And it’s in these interstices where hackers love to thrive.

A lot of devices are getting enlisted into botnets. Some of the good guys are saying they don’t want that to happen, and they upgrade the devices themselves so they can’t be overtaken. It’s a bit like the Wild Wild West out there.

CompTIA: Should the same security precautions be taken with IoT devices as are taken with computers, networks and servers, or are there other considerations?

Stanger: A lot of these IoT devices tend to be, in a sense, dumber than the devices we’re used to. Our phones are a bit smarter because we can tell them what to do and turn them on and off. With a lot of devices, there’s not much of a user interface. It’s a piece of hardware that grabs processes and sends. But, that device is very, very good at collecting and sending data. So, you’ve got to be careful.

The first precaution is to ask, do you really want that thing in your life? I don’t want to have those things in my house because I’m not sure how secure they really are.

Second, if you connect it to your Wi-Fi, segment your network. Create an isolated network for your IoT devices that’s separate from the trusted network with your computer, phone, tablet and gaming systems.

Third, decide if you want to register your device. IoT devices send unstructured data, and they can do this with or without a registration. If you register the device in your name, it’s no longer unstructured data about an anonymous person; it’s data with your name attached to it. Companies are clever and will find ways to incentivize you to register. One day, I’m sure some form of service will be created by someone where you can register and manage all of your IoT devices. Until then though, it’s kind of wide open.

Lastly, consider what information you’re sharing and when. I’m not sure I need a bad guy knowing I’m out of town. Rather than sharing information about how mobile you are and that you’re traveling, consider reporting back after the fact, once you’re home again.

CompTIA: What about IoT and privacy?

Stanger: The companies that are collecting and crunching all of this new data need to make sure they’re secure. In Europe, there’s the General Data Protection Regulation (GDPR), which goes into effect in May 2018. GDPR and other similar laws levy huge penalties for those who aren’t prepared. Movements and executive orders around the world are also pushing privacy to the top of people’s minds.

Privacy is perhaps the biggest concern when it comes to IoT. If companies don’t have their security in order first, then they’ll have no hope of being able to provide the privacy guarantees that individuals and governments want. You can, in a sense, have security without worrying about privacy. But if you want to ensure privacy, you’d better first have your security ducks in a row.

CompTIA: What types of cyberthreats are out there, and how can people protect themselves?

Stanger: Well, the fundamentals still apply. Don’t use the same password for all of your things – even though everybody does. If you use the same password for all of your pictures and Twitter and your bank account, the bad guys can wipe everything out. In some ways, it’s not quite fair to place so much importance on just one factor of authentication – the password – and the typical end-user. But right now, we still live in that world.

Use a strong password, following the guidelines given to you by the service you’re using. For example, on Facebook, follow their guidelines. On LinkedIn, follow theirs. Each company uses its own algorithms and platforms, so the recommendations may vary.

If you can, use multifactor authentication – combining what you know, such as passwords, with what you have, such as a token like a text message sent to you from the service. Then there’s what-you-are type of authentication – biometrics, like the thumbprint on your smartphone. Try grabbing good password-vault software that allows you to securely store your passwords so you don’t have to create and remember so many different ones.

Here’s the biggie: Back your stuff up in a secure way – using a different password or multi-factor authentication. We’ll see these three things come in more and more – having better passwords, more passwords and more factors.

If you think you’ll get hit with ransomware on your PC, set it up to back up every 30 minutes. Then, when you get hacked, instead of paying the ransomware, you can restore from backup. But make sure your backup is secure – there’s nothing like restoring your files from backup only to find that the backup itself is flawed or encrypted by ransomware.

To keep up with end-user threats, there are some pretty good sites out there – PC Magazine, zdnet, even The Register UK and Slashdot, although those last two get a bit more techie. Go to these sites and check out the security channels – not the heavy-duty server security, but the end-user security ones. Every week or even once a month, update yourself on the latest trends. You don’t want to obsess, but you want to develop good situational awareness. Find yourself a trusted resource and listen to good advice.

CompTIA: What are hackers looking for and what do they do with the data they steal?

Stanger: First, they’re good researchers and terrific detectives. They use it to learn more about you and your organization. As they get information from you, they can begin profiling an entire organization.

In school, we talked about directional resources – like encyclopedias or Wikipedia. You wouldn’t want to cite a directional resource, but you can use it to guide you to a better source where the information came from.

Applying this analogy to hackers, even if they don’t get the informational resources – like passwords and account numbers – from you, they can get directional information from you that helps them penetrate an organization. They can learn things like reporting structures, email address structures, what programs an organization uses and how they use it.

Second, they look for weaknesses in the platforms an organization uses and how information flows across the organization. If the CEO emails an administrative assistant to make purchases, hackers can send a good phishing email, and suddenly that admin is wiring the hackers $100,000. They’re looking for how an organization works, how information flows, weaknesses. If an organization’s using an old version of SharePoint or Apache Server, the hackers can see this and exploit the flaws in that version to take control of the system, download passwords or other things.

Once a hacker gets in, you have a persistent threat in your network – someone has come in through social engineering or a software flaw and spread laterally from one system to the next. Even though you’ve fixed it, they’ve moved on and taken over other things and are lurking around, creating shadow users that you aren’t aware of and are inhabiting the company like the rest of us. Thieves used to do the smash and grab, but now they quietly lurk in our closets while we sleep.

You end up with not only lost data, but lost intellectual property. Think about all the data we capture and research – it’s bad enough if that all gets lost or deleted, but imagine if it got tampered with. We have this data we think is valid, but it’s been altered. It’s bad enough when it’s personally identifiable information, but what if hackers got into a Fortune 50 stock market organization and started manipulating data? Over the long term, they’re manipulating stock data and news data. That’s scary stuff.

CompTIA: What separates the good from the bad in terms of incident response?

Stanger: Well, it’s kind of a The Good, the Bad and the Ugly scenario, isn’t it? Good incident response is when people have a documented plan and they’ve exercised it. They’ve done mock exercises, desktop run-throughs, fire drills. They’ve practiced. Having a plan and not practicing it is just as bad as not having a plan at all. It has to start with a policy-based approach that’s exercised so it becomes part of institutional muscle memory.

When it comes to the possibilities of a security breach, thinking about the likelihood reminds me of my Dad’s theory about motorcycles. He was a veteran property and casualty insurance man. I asked him if I could get a little street bike, and he replied, “When it comes to motorcycles and accidents, it’s not if you have one, it’s when and how bad.” Needless to say, I never did get that street bike. Similarly, when it comes to security, it’s not a question of if you will get hacked – it’s when and how bad.

So, you’ve got to have a solid incident response policy. That way, your response will be good, useful and adequate. It’s bad enough to end up in the headlines about how you’ve been hacked. It’s a thousand times worse when you make headlines again because your response was as bad as or even worse than the hack.

The bad responses are the ones that may have been planned and written down but haven’t been practiced. The ugly ones are when you have major companies that, clearly, have not even written anything down.

CompTIA: Why do corporations struggle with incident response?

Stanger: Corporate culture usually dictates that we don’t talk about incidents, don’t document, because if we do things that are inadequate, we’ll be held liable. No one wants to provide documentation, because it can be used out of context very quickly. But it turns out we’re held liable if we don’t document and we don’t have a plan. There’s kind of a don’t-document-and-don’t-discuss culture in many corporations. It’s the job of a good security professional to work that culture a bit.

Incident response can’t just be a technical response. It has to be executive driven. It needs to include various departments, from the board, to the executive suite, PR and even marketing on some level. You have to have the right message. The techies may know what to do, but management and the board need to know as well. You need a plan for technology and for communication.

Target responded well – they had good incident response. As soon as they found out, they told people. They said, here’s our plan and here’s how we’re going to prevent it from happening again.

On the other hand, both Yahoo and Equifax held back information for a long time. You need to come out and say, “We know something happened, and we’re working on it.” If my kid got a ticket but didn’t tell me for six months, that would be bad. You have to be forthcoming. In the era of transparency and everyone airing their dirty laundry, that secrecy makes it far worse than it would have been.

This article was featured in the spring 2018 issue of CompTIAWorld magazine.