Stop Lingering
Software updates hold the key to cyber security
- By John Szczygiel
- Feb 01, 2017
Security threats are on the rise and as IT
security teams increase their scrutiny of all
network-connected devices, it’s time for
some new thinking about the design and
maintenance of building security systems.
Building security systems are inherently
part of the Internet of Things (IoT), however they tend to be
woefully neglected network devices. This point was underscored
in a recent Distributed Denial of Service (DDOS) attack, which
enlisted IoT and security devices into a robot army directed at
the Internet services provider DYN. Many of these devices had
fundamental design flaws or default passwords that made them
easy targets.
Fixing the Flaws
Today, many building security systems contain embarrassing
rudimentary cyber-security flaws. Many remain on the same
software and firmware versions for years at a time—even when
critical patches are available. Too frequently, companies adopt
the practice of deferring software maintenance until the system
breaks or a new feature is needed. Quite often, building security
systems are running obsolete operating systems along with outdated
application software and device firmware with known exploits.
For example, some of the devices used in the DYN attack
were running firmware that was years old with known vulnerabilities
that had long ago been patched by the manufacturers.
Security systems installers are complicit in sustaining these conditions by failing to offer pro-active maintenance plans or properly
advising customers of the need for regular system patching.
Security system manufacturers often compound the problem by
making updates expensive or time consuming to obtain and apply.
And yet, our building security systems are becoming more
connected via the network and Internet. While things on the Internet
are changing by the second, building security systems may
be stuck in the past. These factors make building security systems
prime targets for miscreants astonished at the luck of finding a
highly interesting plaything with such obvious flaws.
But in many cases this is not a technical problem; it’s mostly a
focus and financial issue. It’s the same dynamic that causes governments
to require annual vehicle inspections or health plans to
require periodic physicals or Apple to give you so many annoying
prompts to upgrade your iPhone.
Most people just don’t have the time, money or inclination to
pay attention to maintenance. Unless we are compelled to do it,
there is always a reason to avoid doing it. So there is the answer—
we must be compelled to do it.
This position is validated by information published in Cisco’s
Mid-Year Security Report 2016. This report details the major differences
between the strong auto-update policies of the Google
Chrome web browser and the weaker update policies associated
with Microsoft Office. The strong Chrome “opt-out” update policy
drives around an 80 percent compliance with updates. Meanwhile
Cisco’s statistics show that most users of Microsoft Office stay for very a long time on their installed version, even
when updates are available.
“Many large vendors are holding up their end of the security
bargain by releasing notifications, fixes, and distributions of vulnerability
patches in a timely manner. But this attention to patching
is not reflected in end users—and, as a result, they are compromising
the safety of themselves and their businesses.”—Cisco
Mid-Year Security Report 2016
These facts point to the reality that security is strengthened
through a process of evolution and also that many of us need a
stimulus to evolve. To support this end we need an updated approach
to building security system maintenance.
The Value of Convenience
As consumers, we value convenience, cost and functionality perhaps
at the peril of cyber security, at least until there is an incident
involving one of our services or devices. At that point, we
will turn to the provider or installer of the device and accuse them
of malfeasance in the provision and support of “their” system.
The provider can certainly be blamed for failing to implement
good security hygiene in the design of the device. The installer is
accountable for leaving default passwords and open ports configured.
But who is accountable for failing to provide continuous
monitoring, vulnerability assessments and maintaining patch levels
for building security systems?
As Shakespeare wrote, “the fault my dear Brutus lies not within
the stars, but within ourselves.”
How can the manufacturer be responsible for vulnerabilities
discovered in underlying components long after the device is purchased?
How can the installer be accountable for keeping systems
patched and up to date when the customer chooses not to pay for
routine maintenance? How can the customer be blamed for not
wanting to upgrade with a working system and risk some type of failure or outage? How can anyone be blamed when there is an
explosion of devices and software that need constant attention?
To stop the blame game from continuing within the security
industry the path forward requires three essential changes to
the typical approach to design, installation and maintenance of
building security systems:
All parties need to increase their “cyber IQ.” Everyone from
manufacturers to installers to customers needs to understand and
appreciate how their choices and actions impact network security.
Ultimately security is a set of choices inside a race of imagination.
If we don’t work to understand the threat, we are choosing
to fail before the race has even started.
We need to adopt business models that contemplate a living
system versus a one-time sale. There is 100 percent certainty that
a system remaining unpatched for months or years will eventually
contain a known vulnerability. Everyone in the value chain
needs to be prepared for this reality. Manufacturers must include
security patches in subscription services, installers must
insist on contracted maintenance and provide routine upgrades,
customers will need to accept and pay for updates that are not
driven by features.
A technical model that minimizes transition risk and makes
upgrades almost invisible to the customer. This is primarily
a challenge for the manufacturers. We have to learn from the
Google Chrome model and find ways to update software and
firmware with minimal cost and interruption. We must implement
strong auto-update capabilities that are readily available
and seamlessly installed. We must take responsibility to monitor
our own devices to ensure that they are secure and not recruited
to form a bot-net army.
Fortunately much of what we need to respond to these conditions
is available to us today. Cyber security education is widely
available to us. We can follow secure development practices as
we create our products. We can perform continuous monitoring
and vulnerability testing of systems while in production. We can
deploy patches uniformly and quickly across numerous devices in
a cost effective way without inconveniencing customers. We can
have the discipline to avoid insecure products and practices when
delivering our solutions.
Many industries have proven that all of these things are possible.
Now is the time for the security industry to step up to this
challenge, as we are compelled to do it.
This article originally appeared in the February 2017 issue of Security Today.