One of the most frustrating situations a "true" security expert has to face is organizations who approach us who obviously are merely interesting in implement security as a means of complying with "something". That "something" can be a legal mandate, a corporate policy, or a reaction to something that made the news. It is more or less security theater.
In the current tough economy we are now facing, I have seen a slight drop in organizations wanting security theater, since those interested in compliance are currently more interested in keeping the doors open. Organizations wastefully spend budget for what amounts to nearly useless security as a means of checking an item off of a list, but the item is not even on the list of some organizations right now. In some companies the item may be at the bottom of the list, but the items above it are so enormous, that it may as well not be on the list at all.
What this really means is that organizations looking at security are either being reactive (reacting to a real problem), or are proactively looking at security because they are convinced that a lack of security will lead to huge problems. These organizations do not want a checkoff security item, they want REAL SECURITY.
What this means for the industry is that security organizations who are providing little more than great buzzwords and complicated jargon to their potential customers are going to end up bankrupt, if this continues.
...at least I hope that is what happens
Lots of companies get away with pulling the wool over our eyes all the time, but they eventually get exposed for what they are. I hope we all become more intelligent about security and can all work together to weed out the trash.
GraniteKey Videos - Go To http://www.youtube.com/granitevideo For The Full Channel
Saturday, April 4, 2009
Wednesday, August 13, 2008
Cyber "Street Smarts"
Yesterday I was helping my next door neighbor set up a new laptop for his son. I am frequently called to service by my neighbors when they are in need of computer assistance, and gladly help them when I can.
As I was finishing up some work on his computer, he inquired about a computer he had seen me carrying into my house a few weeks earlier. He asked me if I had been able to rebuild it after the viruses had "messed it up". I told him that the reason I had to rebuild it was because the motherboard had died, and that my computers never get viruses. This obviously took him by surprise for a moment , and then he said "Oh, that's because you know what to put on your computer to protect yourself." I told him that I did not use any other "protective" software other than a virus scanner. This surprised him even more, since he too uses a good virus scanner, and since his computers, and the computers of most people he knows (and most people I know, for that matter) are constantly getting "infected". How do I do it, he wondered?
I gave him a simple analogy. If you take a civilian, arm him with a gun, and put him in the middle of high crime neighborhood, and do the same with an experienced plainclothes police officer, who do you think has the highest likelihood of not getting killed? "The police officer" was his answer. "Why?" I asked him. "Because he knows what to do to keep from getting killed.", my neighbor replied. "Exactly!" I said.
The officer knows how to avoid getting killed because the officer understands the threat landscape. I avoid getting infected, because I understand the cyber threat landscape. I simply never let my guard down in cyberspace, and despite the fact that I spend at least 5 times longer on a computer than my neighbor, I do not get infected by malware, viruses, popups, and any of the other annoyances that others I know must constantly deal with. I have taken the time to understand where the threats are coming from, and how to avoid becoming a victim of the threats. Sure, I use and recommend tools such as popup blockers and a good virus scanner, but those are there as my "backup". Most cops rarely have to as much as draw their sidearms, let alone have to use them. They take the time to understand the threat landscape, and go forth with that knowledge.
I wish that we could get the corporate customers we, as security experts, work with to buy into this notion. Nearly every one of them are more interested in what "product" they need to "get secure", and not in having us help them understand the threat landscape or "Threat Model".
Perhaps one day they will learn.
As I was finishing up some work on his computer, he inquired about a computer he had seen me carrying into my house a few weeks earlier. He asked me if I had been able to rebuild it after the viruses had "messed it up". I told him that the reason I had to rebuild it was because the motherboard had died, and that my computers never get viruses. This obviously took him by surprise for a moment , and then he said "Oh, that's because you know what to put on your computer to protect yourself." I told him that I did not use any other "protective" software other than a virus scanner. This surprised him even more, since he too uses a good virus scanner, and since his computers, and the computers of most people he knows (and most people I know, for that matter) are constantly getting "infected". How do I do it, he wondered?
I gave him a simple analogy. If you take a civilian, arm him with a gun, and put him in the middle of high crime neighborhood, and do the same with an experienced plainclothes police officer, who do you think has the highest likelihood of not getting killed? "The police officer" was his answer. "Why?" I asked him. "Because he knows what to do to keep from getting killed.", my neighbor replied. "Exactly!" I said.
The officer knows how to avoid getting killed because the officer understands the threat landscape. I avoid getting infected, because I understand the cyber threat landscape. I simply never let my guard down in cyberspace, and despite the fact that I spend at least 5 times longer on a computer than my neighbor, I do not get infected by malware, viruses, popups, and any of the other annoyances that others I know must constantly deal with. I have taken the time to understand where the threats are coming from, and how to avoid becoming a victim of the threats. Sure, I use and recommend tools such as popup blockers and a good virus scanner, but those are there as my "backup". Most cops rarely have to as much as draw their sidearms, let alone have to use them. They take the time to understand the threat landscape, and go forth with that knowledge.
I wish that we could get the corporate customers we, as security experts, work with to buy into this notion. Nearly every one of them are more interested in what "product" they need to "get secure", and not in having us help them understand the threat landscape or "Threat Model".
Perhaps one day they will learn.
Wednesday, August 6, 2008
The Relationship Between Parenting, Voting Machines, Mortgage Meltdowns, and Pharmaceutical ePedigree
Humans are generally well intentioned beings. We do not, however, begin life that way. Any of you who have children can certainly relate to this. A child is perhaps the most self centered being in the world. Children will fly into tantrums, hit, kick, bite, steal, and do whatever it takes to get what they both need and want. This is not because children are inherently evil. They simply do not know any other way to survive. When we attempt to teach our children how to do better it is no surprise that they do not welcome this gift of wisdom. After all, their method works to achieve the results they want, and changing gears is just too much work.
Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any stretch of the imagination, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.
At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.
Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.
I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with “rocking the boat” or questioning “common wisdom”. This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: The ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.
So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?
As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.
Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.
Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.
Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, in the event of a problem the point of breakdown could be detected, isolated and addressed. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholder have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing & legal resource? The list goes on. How will the information be shared? The complexity is staggering.
As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in the Pharmaceutical manufacture and supply chain are clearly focused on compliance with a law which failure to comply with will lead to a complete inability to do business. I have witnessed a great deal of activity at the tactical level – putting together the components to comply with the law, but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep – these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it. Will this “Care” only emerge after enough people have died, or enough money has been wasted on a broken system, where people will be then be galvanized to be the hero and fix the problem, once the appropriate resources and attention has been allocated. What kind of “Caring” is this? Can a company afford to care if nobody else does?
So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?
You and I will, of course.
So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?
Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any stretch of the imagination, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.
At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.
Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.
I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with “rocking the boat” or questioning “common wisdom”. This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: The ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.
So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?
As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.
Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.
Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.
Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, in the event of a problem the point of breakdown could be detected, isolated and addressed. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholder have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing & legal resource? The list goes on. How will the information be shared? The complexity is staggering.
As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in the Pharmaceutical manufacture and supply chain are clearly focused on compliance with a law which failure to comply with will lead to a complete inability to do business. I have witnessed a great deal of activity at the tactical level – putting together the components to comply with the law, but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep – these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it. Will this “Care” only emerge after enough people have died, or enough money has been wasted on a broken system, where people will be then be galvanized to be the hero and fix the problem, once the appropriate resources and attention has been allocated. What kind of “Caring” is this? Can a company afford to care if nobody else does?
So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?
You and I will, of course.
So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?
Thursday, July 3, 2008
Avoiding Techno-Psychology
In a highly popular international thriller novel, the villain kills a brilliant physicist and pokes his eye out to get into his highly top secret lab by using the dead physicist’s eye to open the large steel door to the lab by activating the retinal scanner. Why secure the door with a retinal scanner when a simple secret code would have been much more secure? They had it right in the James Bond Movie, Casino Royale, where a hundred million dollars was protected by a password, which they could not get from Bond, despite beating our favorite brave spy hero while he was chained to a chair. Yet biometric technology is widely deployed for security, when in reality it’s more for convenience or the perception of security. Biometrics are only more secure if they also require a password (most systems will accept a password as a backup if the biometric scanner doesn’t work). It doesn’t take an advanced degree in theoretical physics to figure this out, yet most of us don’t see this because we are infected by Techno-Psychology.
The problems that prevent us from achieving excellence and integrity in our technology driven world are those which we all have intuitively known and understood since we were children. The problem is not a lack of knowledge or skill in technology, for this can be learned by one with intelligence, determination, and resources. It is our intuition often being overwhelmed by a strong current of Techno-Psychology in the river of our business life.
In the business of securing information and products, we have a myriad of powerful security technologies available to achieve our objectives. These technologies are very complex, and understood by few. But what is much more complex than these technologies, is understanding how to apply them in practice, the most complicated aspect being at the most senior management levels.
Failure to achieve management excellence in security has lead to security failures that have cost billions of dollars, and in some cases lives. For example the failure of DVD and electronic voting machine security was caused by the sloppy deployment of secure technologies. There was no analysis of failure at the whole system level, focus was on deployment of the technology – much like putting a steel front door and lock on your house while leaving the keys under the doormat or while you still have a sliding glass door in the back. This is clearly not caused by lack of technical skills, these are management problems caused by the way risk is analyzed, communicated, and managed. The cost of failures in security goes on – companies losing over half their revenue from clones and hacks, medical equipment (e.g. defibrillators) being reprogrammed over wireless connections, credit card numbers being skimmed from fake readers, newly issued electronic passports being compromised, tracking of food and drugs, not to mention 911.
Excellence and integrity stop where caring and accountability stop. This is true with baking a cake and is equally true in deploying security. The most important issues in security, in descending order of importance, are understanding the placement of liability, the true objectives of the organization, the impact on the overall system/business processes, and the way success is measured. Understanding the technology is the easiest part of this business, by far.
Traditional management practices can be an impediment to excellence and integrity. For example:
- The pressure to show quick results and measure success based on money spent or technology deployed
- The lack of transparency in complex issues
- The lack of understanding of key drivers for success and how success is defined
- The lack of resources applied to planning and understanding the impact of solutions on people and processes before deployment begins
.. all while the villains are determined to find a solution to their problem
It is understandable why we are dominated by Technology-Psychology in a global, complex world. Our society has been driven by growth for millennium, caveat emptor. However, we are reaching a cross roads, where our collective DNA which has been growth focused may drive us into a wall.
Excellence and integrity in security start with excellence and integrity in management. This is true in security and is equally true elsewhere. It is especially important in domains that are complex, critical, require significant resources, are hard to measure success, and are long term focused – domains such as Environmental technologies and programs (e.g. Ethanol), Charitable Donations, Safety, and Education. The management skills, or rather culture, required for excellence is similar across these diverse domains.
Wednesday, June 18, 2008
Why "Security Theater" Is Always Standing Room Only
The venerable Bruce Schneier (http://www.schneier.com/blog/) is widely accredited for coining the term "Security Theater". Many of you have had the pleasure of experiencing this show of shows in your everyday lives. This is the person at the checkout counter that asks to see your driver's license when you use a credit card, glances at it, and lets you through. I have pointed out to more than one cashier that my name on my credit card does not match the name on my license, just to see what the reaction would be. Most of the time it is something like "We just have to ask to see it.".
Other examples are not nearly as innocuous. Our company has been asked, on more than one occasion, to implement a security chip on a system at the lowest possible cost, and then generate a report for upper level management which would lead them to believe that the system is far more secure than truth would indicate. We, of course, are happy to implement any chip they want. What we will not do is generate a misleading report. In theater lingo it goes something like this: We will build the set, but we will not write the script.
As security consultants, our reputation hinges on the fact that we will not pander to this mentality. It has forced us to walk away from many business deals. What is perhaps the most alarming outcome of our actions is that someone else is inevitably given the job who is more than happy to direct and produce the theatrical production. Perhaps most importantly, technology companies who make claims that their products are secure are NOT HELD LIABLE for failing to deliver on the promise. Just try to sue a company who makes a security tool or appliance that fails, allowing a hacker to get through. Your time (and money) would be better spent trying to get the Middle East to live in peace.
The time and money an organization needs to invest in creating a fantastic "Security Theater" production is absolutely trivial compared to the massive amounts of money collected from unsuspecting theater attendees. What is perhaps the most alarming nuance of all is that once the public finds out that all is not as it appears in the grand production, the organization (or "Theater Company") merely has to create another episode of "Security Theater", perhaps this time bigger, brighter, and throw in some free popcorn (i.e. "Two years of free updates."). Crowds are guaranteed to come in droves.
The late PT Barnum would be so proud.
Other examples are not nearly as innocuous. Our company has been asked, on more than one occasion, to implement a security chip on a system at the lowest possible cost, and then generate a report for upper level management which would lead them to believe that the system is far more secure than truth would indicate. We, of course, are happy to implement any chip they want. What we will not do is generate a misleading report. In theater lingo it goes something like this: We will build the set, but we will not write the script.
As security consultants, our reputation hinges on the fact that we will not pander to this mentality. It has forced us to walk away from many business deals. What is perhaps the most alarming outcome of our actions is that someone else is inevitably given the job who is more than happy to direct and produce the theatrical production. Perhaps most importantly, technology companies who make claims that their products are secure are NOT HELD LIABLE for failing to deliver on the promise. Just try to sue a company who makes a security tool or appliance that fails, allowing a hacker to get through. Your time (and money) would be better spent trying to get the Middle East to live in peace.
The time and money an organization needs to invest in creating a fantastic "Security Theater" production is absolutely trivial compared to the massive amounts of money collected from unsuspecting theater attendees. What is perhaps the most alarming nuance of all is that once the public finds out that all is not as it appears in the grand production, the organization (or "Theater Company") merely has to create another episode of "Security Theater", perhaps this time bigger, brighter, and throw in some free popcorn (i.e. "Two years of free updates."). Crowds are guaranteed to come in droves.
The late PT Barnum would be so proud.
Tuesday, April 8, 2008
Medical Device Security In The News
Recently, the Medical Device Security Center published a paper describing an attack on Pacemakers and Implantable Cardiac Defibrillators which would allow the wireless reprogramming of these devices by an unauthorized entity, with the potential of dire consequences to the person having one of these devices implanted in them. News of the exploit made its way into several online news sources, and the medical device community was quick to point out that such exploits have never been reported in the real world.
While this may indeed be true, it is important to note that, almost infallibly, news of such exploits often leads to a "me too" mentality among hackers with the intention of proving it can be done in the real world. Hackers often view exploits as an art form, and strive to create more "elegant" versions of the exploits in an attempt to "one-up" the last hacker. While this may be an annoyance when it comes to consumer electronics, digital television, or computer systems, it is much more than an annoyance when it comes to medical devices.
The time has come for medical device companies to take a more proactive stance about device security.
While this may indeed be true, it is important to note that, almost infallibly, news of such exploits often leads to a "me too" mentality among hackers with the intention of proving it can be done in the real world. Hackers often view exploits as an art form, and strive to create more "elegant" versions of the exploits in an attempt to "one-up" the last hacker. While this may be an annoyance when it comes to consumer electronics, digital television, or computer systems, it is much more than an annoyance when it comes to medical devices.
The time has come for medical device companies to take a more proactive stance about device security.
Friday, February 22, 2008
With Victory Comes Responsibility
The Medical Device Community has been handed a victory by the Supreme Court with their decision in Riegel vs. Medtronic . Without going into too much detail, I will summarize the essence of the article by stating that The Supreme Court ruled in favor of Medtronic in a case where faulty wiring on an implanted medical device Medtronic manufactured failed, and the reason they ruled in favor of Medtronic is due to the fact that the FDA approved of the design.
As the writers of the blog Drug and Device Law very eloquently point out, this now means that medical device manufacturers and the FDA must now step up to the plate and prove to the world in general, that patients are best served by backing off with litigation and letting the professionals do their jobs. Please allow me a little poetic license.
What it all boils down to is this:
As the writers of the blog Drug and Device Law very eloquently point out, this now means that medical device manufacturers and the FDA must now step up to the plate and prove to the world in general, that patients are best served by backing off with litigation and letting the professionals do their jobs. Please allow me a little poetic license.
What it all boils down to is this:
- Medical Device Manufacturers Must Now Take An Even Greater Integrity Based Approach To Insuring Safety Of Medical Devices
- The FDA Must Step Up Their Efforts In Insuring Devices Are Safe
If the Medical Device Community and the FDA fail to deliver from this point forward, Congress will inevitably be granted the power to step in and "fix" the problem. This is rarely a good thing.
Subscribe to:
Posts (Atom)