Hacking in the Holidays was a positive take on the word “hacking,” with a few holiday suggestions for engineers. Unfortunately, though, the term is associated with a lot of bad connotations. It’s been used in most of the headlines talking about the suspected Russian hacking of U.S. government sites as well as major corporations. It’s interesting that the topic was all over the internet for a week or two, but has since subsided into the background news noise.
While security has fallen from the top of the news feeds, hopefully it hasn’t been banished to the bit bucket by the programmers, developers, and managers who have to design and create the IoT and IIoT solutions that have flooded the consumer and industrial space, with more to come.
The latest hack involved SolarWinds, which provides IT, network, and database management services. Specifically, its Orion Platform was attacked, and nefarious code was subsequently incorporated into an update that was distributed automatically to hundreds of companies and organizations. This allowed the attackers to gain access to systems using the Orion Platform. The evidence points to Russian involvement, and there’s evidence that a second group was targeting SolarWinds.
There are two aspects that developers need to consider. The first is the scope. The second is the dependency. These attacks are significant due to the number of companies involved. Typical hacks of a single company may expose information about thousands or millions of people, which is bad enough. However, these attacks exposed multiple companies and thus exposed many more to the attackers. This includes assets that are often more critical than a credit-card number, although that can be devastating to an individual.
The dependency is about the level of trust given by a company to a third party. In this case, companies essentially exposed their internal systems via automatic updates. The challenge is that the updates were designed to help manage and protect the system.
The approach was typical of a malicious actor: find a hole, exploit it, and keep quiet, enabling subsequent infiltration and further damage. The attackers essentially bypassed other protections, such as firewalls, by piggybacking on a trusted vendor that had been compromised.
The challenge these days is that companies depend on a hierarchy of software and firms providing the underpinnings of a system from the boot code through the operating system to end applications. IoT has exacerbated this issue—the communication stacks are extremely complex, and it’s critical to secure them.
At least these days, most companies are attempting to incorporate security through all layers. Unfortunately, programmers tend to discount or ignore security, especially in the open-source community that’s developing more and more software. Hacks on the npm ecosystem of JavaScript libraries caused a furor in the past because so many applications depend on those packages. Even the maintainer accounts on the public repositories can be a weak point.
This isn’t to say that developers should stay away from using these tools; rather, security needs to be layered and part of their design process. Bypassing a protection is bad, but it should not always be catastrophic. Using a single protection method like a firewall or secure boot must be avoided. And obtaining all your protections from one source isn’t a good idea either.
It’s totally impractical to build an IoT solution by yourself, regardless of the size of your company. Pick your partners carefully and make your security as robust as possible. Hopefully the next holiday season will be better.