A blogpost by Ola Lennartsson
It is impossible to make any building or any computer network 100% secure. At some point, you must open a door to let someone in or out, or you have to let a user connect to a server or send an email, etc. Once you have accepted that, you realise that in the real world, vendors, integrators and users must constantly make a choice between convenience and security. How hard do you want to make it for an attacker to get in, versus how hard do you want to make it for your employees to do their work?
We know that it is human nature to take the easy option – heck, I rarely change the password on my home router, even though I know I really should – because it means I have to change it on all my devices, on my wife’s devices, on all my kids’ devices, on the TV, etc. So, I just leave it to the password I chose months ago.
Unfortunately, recent events have shown that the IoT industry has also often erred on the side of convenience rather than security – leaving many companies and organisations exposed. And users, be they small or large businesses, often say, “but we aren’t a high-profile target”, or “why would anyone want to look at our cameras?” What they don’t realise is that cyber-attacks are now far more horizontal than ever before. An attacker may not care about your camera, or even about you or your company. They may simply want a way in to one of your suppliers or your customers. We are all so interconnected that we must acknowledge that our security affects other people, too.
And attackers are no longer Matthew Broderick geeks mucking about in their bedroom. They are professionals. They get paid to attack your network. They have white boards. They have spreadsheets. They even get paid a bonus if their code is successful.
So, what to do about it? Surely, we need military-grade encryption? NASA-level boffins working on Blockchain-based security? James Bond-style biometrics that require a DNA sample and a letter from the Queen?
That might be pretty cool, but the reality is that we need to get the basics right. Stop hardwiring passwords into devices. Force users to set a new password when a device is installed. Don’t enable admin rights by default, etc. Once everyone in the IoT industry has reached the bare minimum of network security, then we can start investing time and energy into more complicated and advanced defences. But for now, lock the windows. Close the doors. Don’t worry about getting from A to Z, focus on getting from A to B. Then to C.
Right, I’m off home to change the password on my router.