One of the the most pervasive myths among small business owners is that the manufacturer and software companies, whose products you are using, are taking care of security for your business. You’ve probably heard the term caveat emptor at some point in your life. It means, “buyer beware” and it applies as readily to security products and security vendors as it does to buying a car. It isn’t that they’re evil, it’s just that some vendors would rather promote ease of use over security, even in some security products, and that can be a real problem.
A lot of consumer security hardware like firewalls or routers actually tend to be on the less secure side and you must be diligent about making sure that you’re turning on the right settings, because true security is often pretty inconvenient and can be very complex to implement and that might turn off a buyer wanting a plug and play experience. This reality is problematic for companies who want to sell you their products.
So some hardware manufacturers, and I emphasize some, would rather keep a product simple, even if it compromises security in order to sell it. A great example of this was when Wi-Fi started becoming really popular. Small businesses were suddenly able to add a store bought Wi-Fi router to their network fairly easily and by default, these routers had all passwords and safety features turned off. For years, you could go around Manhattan, for instance, and when you opened up your laptop to scan the airwaves for networks, you would see dozens of networks and they would all be wide open, giving you immediate access into companies’ networks. It didn’t matter what type of company it was, even fortune 500 companies were wide open, or for the most part, and encryption wasn’t turned on.
Since then, manufacturers have made the encryption and passwords turned on by default, because people are now a bit more savvy, but that gives you an idea of how vendors kind of look at security versus simplicity. Where it is happening again today is with the Internet of Things. Usually running on Wi-Fi, these devices can be controlled with your mobile phone, things like a climate control system, your fridge, or even your oven will be controlled via the internet connection. And manufacturers have absolutely no interest in making this complicated. They won’t want to bother you to have to read through an instruction manual to set up your fridge to connect to the internet. So they’re going to try and make this as simple as possible and that usually means not secure. While we hope that manufacturers might have learned from the past and there have been attempts to try and bring up security standards for Internet of Things devices, it’s not standardized yet and even if it happens it might take a bit of time.
“A great example of this,” says John Verry of Pivot Point Security, “ is a case study that was done on a large project for a large utility. They had rolled out in-home smart thermostats as part of a smart grid initiative and they got about 1500 of the systems out there before someone said, ‘Did we ever check the security of those?’ And what was found was that it was relatively simple to fully compromise those systems, because of the nature of both the architecture of these systems. They did have some misconfigured wireless connections. They had three different wireless networks that ran between these two devices, the two versions of ZigBee and then a conventional Wi-Fi, which allowed connectivity to other device in the house, which of course, gave you access to the devices.”
“And then the other thing which is very interesting”, he continued, “ is the way that we were able to compromise and gain an admin level of access that allowed us to insert and send troublesome content back up through the utility to their distribution management system, was that the in-home devices, we found on the internet, the manual for installation of the devices, and they hadn’t changed the default passwords that came from the manufacturer. So there’s an example of where a couple very simple challenges could have created a situation where we would have had a utility potentially having a service disruption of note to tens of thousands of people.
Certain businesses know the term truck roll. A truck roll is very expensive. Really at that point what they had to do was roll a truck or roll a person out to 1300 or 1500 different locations to actually fix these problems which, of course, as you might imagine is very expensive. So there was some combination of truly fixing things and some combinations of putting some compensating controls upstream that protected the utility but did not protect the individual’s houses that the devices were in.”
Software is no different. There’s no such thing as perfect software and those flaws are potential targets for a hacker to exploit. If they put a crack in the armor via software, then they can use that to get closer to your critical systems. This is why Microsoft and other major players constantly provide patches and updates to plug those holes. However some are not being as diligent as they should be to help protect us and ultimately themselves as well.
So if you’re thinking of buying a particular product, or a piece of software, it’s worth your time to look it up on the CVEdetails.com, a free CVE security vulnerability database/information source that allows you to search for any device or software, and it’ll give you an idea of, at least reported vulnerabilities that have been found within the community. Then you can kind of gauge whether or not it’s going to impact you. It’s a resource that you can always look at, as well as, obviously, working with your trusted IT manager, or consultant.