(IoT) Security doesn't matter*

* Some restrictions apply. Not valid for security-specific products. Void in some cases of top-line and bottom-line impact. I am neither a lawyer nor an MBA.

Who is Darin White?
• 12 years with BlackBerry; recently we broke up. Amicably.
• 9 years in product security: hacker, product manager, leader
• Hundreds of security decisions across hardware, OS, apps, protocols, cloud, on-prem software… as part of a team
• Maker/Photographer/Creative Instigator --- makebright.com

Why talk about security with respect to IoT?
• Everything old is new again with each watershed in tech/marketing
• In the rush to capitalize on the IoT enthusiasm, companies rush in and security is deprioritized
• As a former security guy, I can't help but look at all these awesome new gadgets and think subversively about how they may be misused
• Maybe it's helpful to the IoT ecosystem to start a discussion around security that is sensitive to the pressures and constraints of for-profit manufacturing of hard products, often in a start-up model
• Selfishly, I want all this utility and I want it to be reasonably secure.

Your one takeaway, the TL;DR
Make an explicit decision on security investment for your product.

The Fight Club equation, paraphrased*
• N – number of customers
• R – probable rate of security compromise
• C – average cost per security compromise
• S – cost of securing your product

IF ( S > N x R x C ) THEN dont_secure_product(true);

* This is not math

The caveats
• Security is like insurance: you don't need it until something goes wrong
• How do you quantify the financial impact of compromises?
• Costs of doing security are more certain than costs of not doing it
• The big one: this is mostly subjective

On-going costs of security
• Informed (re)design-time security guidance
• Architect/Dev/QA/Sales/Marketing security training
• HW/SW development that is security-aware and checked for compliance
• Plan/People to handle response to security incidents
• Process to monitor/fix/ship fixes – using any OSS in your product?
• (Re)Assess third-party components and monitor/update/ship patches
• Stewardship of crypto key material
• Tool purchase
• External audits
• Delayed time to market
• Certifications
• Internal threats
• Trust issues with manufacturing partners

On-going costs of not doing security
$0.00*
* … so long as no security-related issues crop up

Otherwise, bad outcomes
• Revenue loss
• Brand damage
• Lawsuits
• Loss of life (see Lawsuits)
• Extortion by bad guys

Measuring security
• It's pure folly
• All metrics can be gamed
• Lots of players make money helping you try to measure
• How much security is enough? A medium amount?
• I am likely now disavowed by the security industry

Security… what does that mean?
• Confidentiality
  • Privacy – an important sub-bullet, but only if you're over 30
• Integrity
• Availability

Relevant IoT examples
• IOActive's work on smart power meters
• Sony's PlayStation Network
• Disrupting Iran's nuclear program (Stuxnet) and other SCADA scariness
• IP-based video cameras
• Insulin pumps and pacemakers
• Smart parking meters

• We always get the headline; we rarely get the follow-up
• What are the material and persistent consequences?
• Do they justify investment in security? (probably in Sony's case)

Recommendations
• IF your product doesn't pass the Fight Club equation, then just get back to your new feature development, prototype problems, manufacturing challenges, marketing plans.
• ELSE tackle the low-hanging security fruit: map the attack surface, secure your comms channels, run some point-and-shoot assessment tools, tap the enthusiasm of your security-keen staff, partner with hackers who are active in your product space
• Above all, make a decision

Questions/Beer?
I am Darin White
Follow @DarinTheGreat
Please read makebright.com
Please hire me to tell the story of what you're doing
© Copyright 2024