Interviews

Mike Weber, Coalfire: Meaningful IoT Regulations Are Challenging to Implement

By Gabriela Vatu / November 2, 2019

When it comes to taking care of their data, companies have a few options, but oftentimes they rely on expert solutions to cover their bases in terms of security. That's where Coalfire often steps in. Mike Weber, the company's Vice President, has been with the company for over eight years and has agreed to have a chat with TechNadu about some of the biggest issues we face today.

Weber has been in the industry for a long time, so he has a lot of things to say and advice to give. We talked about Coalfire, IoT security issues, his own security protocols, and more. Keep on reading to find out!

TechNadu: Coalfire is a company that handles all aspects of security for a wide range of industries. What are some of the most important tools you provide and what makes them stand out in a sea of cyber solutions?

Mike Weber: Our company specializes in helping our customers overcome their greatest cybersecurity challenges. Our team consists of cyber risk advisors, compliance specialists, security architects, and cybersecurity experts. My team, Coalfire Labs, provides technical services to our clients in the form of ‘offensive’ services designed to exercise and measure an organization’s defensive capabilities across their enterprise, from the people that drive the business through the technologies it relies on. Our clients find the most value in services that are engineered to measure the effectiveness of their security program overall – testing the aggregate impact of their investments through emulation of adversaries that represent a threat to their business. We do this through red team engagements as well as threat modeling and attack simulation.

TechNadu: Coalfire also offers cyber risk analysis and provides solutions to enterprises. What exactly are you looking for and how do you detect these cracks in security?

Mike Weber: Our Cyber Risk Advisors help our clients build cybersecurity programs that align with the unique aspects of their business. In many cases, blind spots in enterprises are due to a misunderstanding of asset value or not acknowledging certain threat vectors. By starting with identifying assets and characterizing operations, we can quickly drive to the most critical objectives of an enterprise security program.

TechNadu: One of your focuses has been IoT security. In general, what are some of the biggest issues you encounter during your scans?

Mike Weber: Our work in IoT has been to assess the security of IoT solutions. While the hullabaloo is generally all around the end-device, the security of these systems is supported by a variety of systems that include the field devices, telemetry systems, workload management, customer instrumentation systems, data warehousing, manufacturer management and development systems, data sharing / B2B systems, and all the associated applications that are needed to manage this complex infrastructure. While the security of these devices generally doesn’t hold up when a ‘bad guy’ gets physical access, of course, the majority of the risk is borne by the supporting systems and applications.

In our experience, we’ve seen everything from connected vehicles to electronic toys to irrigation sensors that share common flaws beyond the security vulnerabilities of the physical devices in the field. The most significant issues we find are surprisingly in the consumer-facing applications. As these systems are developed leveraging new offerings, we find most often that there are unprotected interfaces or unvalidated access controls that stem from ‘sloppy’ security development processes. The most egregious security issue we’ve found was in a device that was shipped with an application for the consumer to manage the device. By exploiting flaws in the application, the device could be reprogrammed to download arbitrary firmware updates, ultimately exposing all the data the device was collecting and allowing it to be used as an attack platform against other devices accessible to it.

TechNadu: When it comes to IoT devices everyone can get, very few, if any, can be trusted with the data they gather. What are some security measures everyone should deploy in their own homes to keep their privacy safe and their data safer?

Mike Weber: Asking a career security person that question is a hard thing to answer with anything other than “don’t”. But as technology becomes more ubiquitous in our society, it’s getting increasingly harder to prevent it from invading your home. I, as a tinfoil-hat wearing security geek, have avoided succumbing to this for years. Over the last year, however, I’ve given in and have gone all-in on home automation. Hard to deny the value of the technology! The gadget-geek in me loves the efficiencies and conveniences of it! But now I’ve got this concern that my privacy could be compromised if these connected systems are compromised. To avoid this, I take certain steps. Some steps are silly, some are legit. I start with the easy things – enabling 2-factor authentication everywhere I can, and refusing to fall into the oh-so-easy trap of reusing passwords (there’s a lot of interfaces to work with – it can get rather tedious to use password vaults or other solutions, but in the long run, it’s well worth the peace of mind).

Next, I try to use well-supported products from well-known companies. If a component seems “cool” but it’s from a seemingly sketchy outfit that clearly doesn’t invest into tech writers in their online documentation or perhaps has a bizarre mix of fonts in their documents I stay away (or other signs that signal a less-than-professional shop). That might be one of the sillier ways to stay slightly more secure, but I’ve found that the less investment a company makes into their product, the less likely it is that they have security checkpoints built into their SDLC. Finally – if the system doesn’t require a specific piece of information for full functionality, I don’t provide it. This can be a bit of trial and error to determine what’s specifically required, but it’s yet another step to take to help avoid loss.

TechNadu: For years, there's been talk about the government getting involved in imposing some type of security rules for IoT devices. Do you think that's a good idea, or will the industry self-regulate eventually?

Mike Weber: I believe California is the only state with regulation surrounding IoT devices – and it’s reasonably weak on that front. But it’s groundbreaking in that it’s a bona fide requirement on this new technology and I applaud California for taking this step. Ultimately, I think it will be a challenge to have meaningful regulation around these devices given the vast landscape of technologies that fall under this umbrella. Part of this industry will self-regulate as data security and privacy are drawing increasing attention. However, there will always be market entries and mistakes that could result in harm to people or businesses. Systems that have the capability of causing immediate physical harm should be regulated.

So I guess what I’m saying is that I *really* want to see a six-ton autonomous bus face strict regulation and requirements to uphold certain security tenets and be sent through pre-market validation of the technology so it doesn’t run me over when I’m downtown on the 16th street mall. But my refrigerator and my thermostat in my house? I’m not a huge fan of getting hit with a premium that a program like this would cost a manufacturer and that would surely be passed on to the consumer.

TechNadu: You’ve been in the industry for a long time, and a lot of things have changed since you started out. How has the rise of the Cloud affected things? Is it easier or more difficult to keep enterprise data safe? What are some of the challenges?

Mike Weber: The technology shift that the cloud has brought has reinvigorated discussions about data security. 50 years ago our industry began to shift from a single-user to multi-user computing models. Multi-user systems were considered a risk as there was less segregation of user space from storage through networks and memory. But by the nineties, we had interconnected and exposed systems across the globe. The internet ushered in a whole new security concern. Now we’ve got cloud providers of all types – from simple cloud storage platforms through serverless application architecture. With each change there have been challenges, and each change has aligned with an explosion in the availability of these services and the amazing innovation that occurs along with it.

Each of these shifts has brought its own security concerns, and they are exacerbated by the “rush” into these technologies. Just as we saw the internet littered with insecure applications as companies rushed to be on the web, we’re finding insecure solutions being built on cloud provider platforms based in large part on configuration vulnerabilities. Insecure data storage, access key exposure, overly-broad access privileges, and ineffective network controls all stem from design and administration flaws. The cloud provider solutions are secure, the application code is (frequently) secure, but the administrative processes and architecture choices can leave these secure components vulnerable.
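The configuration flaws Weber lists above (public storage, overly-broad privileges, network controls open to everyone) are the kind of thing a defender can lint for before deployment. The following is an added example written for this article, not Coalfire's tooling or code from the interview; it assumes an AWS-style JSON policy layout (Statement, Effect, Principal, Action, Resource) and a simple list of port/CIDR rules, and all sample inputs are constructed.

```python
"""Added example (not from the interview): flag public principals, wildcard
grants and admin ports exposed to the whole internet in constructed cloud
configuration fragments. The policy layout assumed here is AWS-style JSON;
the network rule shape is a hypothetical simplification."""
import ipaddress
import json

# Constructed sample inputs; the account id and ARNs are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ]
})
SAMPLE_ROLE_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
})
SAMPLE_NETWORK_RULES = [
    {"port": 443, "cidr": "0.0.0.0/0"},   # public web listener: expected
    {"port": 22, "cidr": "0.0.0.0/0"},    # SSH open to the world: flagged
    {"port": 22, "cidr": "10.0.0.0/8"},   # SSH from the private range: fine
]

# Ports that should never be reachable from an unrestricted source range.
ADMIN_PORTS = {22, 3389}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement grants access to anyone ("*")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_policy(policy_json):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _is_public_principal(stmt.get("Principal")):
            findings.append("public principal allowed: " + ", ".join(actions))
        # "*" or "service:*" combined with Resource "*" is an overly-broad grant
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append("wildcard action on all resources")
    return findings


def audit_network_rules(rules):
    """Flag administrative ports reachable from an unrestricted CIDR."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        if net.prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            findings.append(f"admin port {rule['port']} open to the internet")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("bucket policy", audit_policy(SAMPLE_BUCKET_POLICY)),
        ("role policy", audit_policy(SAMPLE_ROLE_POLICY)),
        ("network rules", audit_network_rules(SAMPLE_NETWORK_RULES)),
    ]:
        print(name, "->", result or "no findings")
```

Running it reports the anonymous read grant on the bucket, the unrestricted "*" on "*" in the role policy, and SSH exposed to 0.0.0.0/0, while the scoped role grant, the public HTTPS listener and the private-range SSH rule pass. The checks are deliberately structural (who, what, from where) because, as Weber notes, the weakness is in the administrative choices rather than the provider's platform.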

We would love to hear back from you so you can tell us what you think about what Mike Weber has to say. How do you stay safe online? Drop us a note in the comments section below the article. Share the article with friends and family and follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews. 