Risk Management

Cyber Interview: keys to reinforcing security-by-design

During an earlier interview on the challenges relating to security by design and connected objects (IoT), Julien Patriarca, Professional Services Director at WALLIX and cybersecurity expert for more than a decade, tackled the issue of responsibility with regard to security.

This second interview provides some solid leads on how to implement the best practices when it comes to security by design.

Why are we not taking security by design more seriously?

Is it an active choice or are we underestimating the necessity of security by design?

Security is often seen as an obstacle in the digital experience. Whether we are dealing with individuals or companies that develop software or connected hardware, strengthening security from the design stage is a continuous effort that organizations and users need to make. The whole process requires time, organization, and a certain amount of discipline, as security by design also extends to the implementation of best security practices during the use of connected objects or software. Take for example vendors aiming to strengthen security by design on their devices by forcing end users to set more complex logins and passwords. They may be reluctant to do so as a foreseeable, and undesirable, outcome of imposing this condition would be a dip in their earnings in the short run. If their competitors happen to prize simplicity of installation and use over security — which is often what end users want — their reluctance is understandable. However, by implementing security by design techniques, not only will these vendors increase their added value and stand out from the crowd, they will also be positioned as players in digital trust, leading the way in making security by design an indispensable feature.

What holds back security by design is how little knowledge and awareness end users have about the stakes involved.

Since the average user may not have been thoroughly schooled in the risks that lurk in the digital realm, vendors that wish to boost security on their products from the outset run the risk of their clients opting instead for solutions that seem simpler to them. We often hear reasons such as:

“I don’t want to memorize another password. “

“I have nothing to hide, so why would a hacker come poking around on my computer? “

I have nothing to hide, so what would a hacker do on my computer?

Users often do not see the big picture on the scale and impact of a hack. It’s not as simple as plain data theft. The massive cyberattack on Dyn, a DNS service provider, in which hackers exploited a vulnerability on connected cameras to launch a brute force attack on the American company, bringing websites such as Twitter and Reddit to their knees, is all the proof you need. This incident shows the magnitude of the knock-on effects when security by design is treated as an afterthought. However, it is worth pointing out that such an attack might have done much worse than bringing the world wide web to a temporary standstill, had its target been state organizations, for example.

It is easy to imagine a scenario in which hackers exploit a vulnerability in connected cameras in order to launch an attack on the host of the website allowing taxpayers to file their taxes the day before the last quarter ends. Cameras flimsily protected with login credentials such as admin/password will then become prime targets for disrupting the tax filing process. If such a scenario became reality, users most likely would not even be aware of their role and responsibility in the attack, and would place the blame of a security breach solely on the tax office.

There is an urgent need to educate users and raise their awareness on the fact that security by design — and maintaining such a level of security — is as important as the way the product or software is used.

Security by design is as important as the way the product or software is used.

This also applies to organizations that often have the most meager cybersecurity budgets until the day an attack jolts them into action.

How can we overcome this lack of security?

Cyberattacks these days get wide media coverage, which is a good start in creating user awareness. Simply by watching the evening news, anyone without particular IT knowledge will be able to see for themselves the consequences of not implementing cybersecurity measures. Explaining computing practices in layman terms to report on events such as cyberattacks makes it possible to engage users who become increasingly aware of the risks of digital technology and connected objects, in turn spreading the knowledge by discussing the topic with people they know.

They will then be better equipped to weigh the impact of their own actions by securing the objects that they use, thus playing their part in strengthening security by design.

1. Stronger and more complex passwords

A simple and extremely effective way to strengthen security by design is to change the password to the connected object or device. In many cases, all it takes is a password that is just slightly more complicated (with 8 to 10 characters and other complexity criteria) to be practically sure of never getting hacked.

A complex password is a 90% guarantee against brute force attacks.

Why? Most of the time, cyberattacks use dictionary or brute force attack techniques, meaning that hackers will use a very large set of words found in a dictionary with all possible combinations like admin/password, password/admin, password1234, etc. until they break through the system and obtain access. Laptops today are powerful enough to run such attacks over an extended period and at extreme speeds. What this means is that, in mere seconds, a weak password can be cracked, granting access to sensitive data that can then be pilfered, modified or used to launch attacks of more epic proportions.

The solution to the lack of security by design is to present the danger in simple language while trying not to cause unnecessary alarm. Since IT controls most of our waking hours (work, healthcare, errands, etc), the specific dangers of these new uses for IT are starting to emerge. We need to learn how to protect ourselves from such dangers, much in the same way we learned how to drive safely, for example. In IT, part of being prepared to take on cyber risks begins with creating stronger passwords. As soon as they become more complex, the risk of falling victim to cyberattacks plunges — that is, unless you are the particular target of hackers determined at all costs to break into your system, knowing that you possess the data that they need, but that is extremely rare. In most cases, it is worth noting, individuals are not targeted in particular. In a dictionary attack, the computer scans the IP address ranges on an ISP’s network or a host, which appear very clearly in logs as the mechanism works instantaneously. It is really only a computer scan with running scripts. Which is the whole point of having a strengthened password to immediately block such attacks.

2. The developer’s role in security by design

Security by design must also be what matters most to developers since they are the ones building the connected object.

When a developer writes code, he needs to factor in use, usability as well as security.

If a program is flawed, hackers can potentially break into the program or connected device by exploiting one or several vulnerabilities. When this happens, the password alone — complex or not — will not be of much help in preventing an attack.

Try as you might, resistance is futile with an armored door guarding cardboard walls.

In this case, what we have is no longer a dictionary attack but a zero-day attack, with vulnerabilities published on the Internet. Here, too, the computer will simply scan the Internet to find the signatures of targeted devices and launch an attack. All the hacker needs is to develop a script with the attack programs in order to take control of the connected object.

As a result, security by design requires two complementary components: 1) a robust software program without any exposed vulnerabilities 2) that forces users, mindful of what is at stake, to change their passwords.

The only solution to bypassing security by design would be to develop an offline, air gapped device, in which case it would not be exposed to such vulnerabilities. But of course, there are still other types of attacks such as social engineering, or data theft using USB drives, which may compromise security on such devices.

For further information, contact our teams or watch this video on 5 use cases in which the security of your data may be in danger!

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Cyber Interview: keys to reinforcing security-by-design

Why are we not taking security by design more seriously?

What holds back security by design is how little knowledge and awareness end users have about the stakes involved.

How can we overcome this lack of security?

1. Stronger and more complex passwords

2. The developer’s role in security by design

Cybersecurity Trends and Cybersecurity Market Insights for 2018

Cyber Interview: security by design and the IoT - who's responsible?

Related

Related Resource

Products

Solutions

Resources

About