Black Hat Asia: Decentralise security, devalue cyberattacks

Rather than attempt to thwart hackers by making it costly and difficult for them to launch attacks, which will also increase costs for the defenders, a more effective strategy may be to deflat the value of successful breaches and employ a decentralised security approach.

With billions of Internet of Things (IoT) devices expected to be connected to the web by end-2016, a more appropriate tactic would be required to better combat potential attacks, said Dino Dai Zovi, mobile security lead at Square, during his keynote Thursday at Black Hat Asia 2016 held in Singapore.

"With IoT, there's need to decentralise trust... Having ultimate trust in all these devices will be increasingly dangerous. If we can decentralise trust, we can ensure overall safety," Zovi said, noting that distributing control and data sharing on these devices would prevent one breached device from being used as ransomware or to infect others on the same network, such as a personal home network.

There also should be "an anchor of trust" tasked to provide the main layer of security, where a hardware-based mechanism would most easily facilitate this. He pointed to a smartphone as the most likely trust anchor in the IoT space.

A totem also would be needed to help identify the item of trust and ensure a machine or network was communicating with the actual IoT device that had not been modified in any way or was not a software emulator. This would be inherent to and difficult to extract from the device, with the authentication process carried out on the device.

However, would a decentralised security strategy be in conflict with a business landscape environment where enterprise were focused on consolidating their IT environment and centralising IT management?

Matt Alderman, vice president of strategy for Tenable Network Security, acknowledged these two opposing views but noted that organisations could look to decentralise data.

He highlighted the potential role cloud service providers could play in supporting this approach, especially as more businesses outsourced their IT infrastructure to these cloud platforms. It would be more conducive to adopt a decentralised security strategy on a cloud model than on-premise data center, where organisations were looking to consolidate their resources, Alderman told ZDNet on the sidelines of the Black Hat Asia conference.

He also lauded Zovi's call to devalue the success of cyberattacks, so hackers would feel less inclined to develop an exploit since their efforts would outweigh the returns.

Zovi had noted, for instance, that there were millions of unpatched Android devices due primarily to the patching culture of the ecosystem, where manufacturers often were highly sporadic or slow in releasing updates and some users were unwilling to update their device as the updates might not work as well on older models.

The high number of unpatched devices triggered a doomsday prediction for Android users when the StageFright vulnerability emerged, but he noted that the widely fragmented Android ecosystem made developing exploits tedious and costly.

To launch StageFright with success, for instance, would require hackers to tailor exploits for every Android variant. "It requires invested effort on the hackers' part," he said.

He added that the potential for attacks was further limited because Google Play Store would scan apps on devices to identify and remove malware as well as apps before these were downloaded from the app store.

Zovi also suggested the abolishment of passwords and PINs as these were no longer proving effective and should be replaced with two-factor authentication (2FA). He pointed to how tech companies such as Yahoo already were allowing their users to log in with their username and 2FA instead of a password. Yahoo users logging into their account from their desktop also would receive a notification on their mobile device to confirm if they were attempting to access their account.

"Strong something you have, plus weak something you know, is the future," he said, quoting a recent tweet from his colleague, Tony Arcieri.

Alderman agreed: "What you have [such as a smartphone as a 2FA device] is more important than what you know [such as PINs and passwords], [but] currently the reverse instead is practised. Dino's point was that we should leverage what we have more strongly than what we know."

Asked about security challenges organisations in Asia faced today, he pointed to the need to identity "blind spots", which had become difficult especially in this region where the adoption of mobile, cloud, and IoT was higher.

The shortage of relevant skillsets also was more pronounced in Asia, pushing more businesses to turn to security services providers to resolve the skills gap. This, however, would impact the organisation's ability to respond and, hence, contain security attacks and breaches, he noted.

One potential advantage this region had, though, was its largely greenfield environment and opportunities to learn from the mistakes of other regions. This offered Asian markets more leeway to rethink security approaches and assess more efficiently ways to deploy security, he said.

In comparison, the US and Europe had formed "a checkbox mentality" with regards to security, in which companies in those region would implement security measures primarily to comply with government regulations and policies. "So they do so not in the spirit of protecting their environment, [where] This checkbox approach has created some problems today in their security landscape," Alderman said.