Mar 10, 2021
In this episode of Cyber Security Inside, Tom and Camille get into the logistics of securing connected devices and systems that exist outside of a firewall. To get the latest on preventing tampering at the edge, they tap into the experience and insight of Eran Fine, CEO and co-founder of NanoLock Security, a groundbreaking cyber security company.
Don’t miss it!
Here are some key take-aways:
• The challenge with securing edge devices and preventing adversaries from changing their parameters is that many of these devices are low in energy and computational power and run a low-end operating system.
• In the world of connected devices and IoT, threats and adversaries can come in various shapes and forms.
• Things like smart meters have been manipulated for fraud and theft. Many times these types of attacks go unnoticed by standard protection methods because they’re inside of the device or built into the performance of the device.
• Many devices — IoT devices, PCs, servers, etc. — need routine updates. The key to ensuring that an update arrives without tampering isn’t encryption; it’s to give the update a specific signature.
• You need to take a multi-layer approach to securing devices at the edge. You need to protect the backend, you need to protect the network, and you need to protect the devices.
• The more powerful and open a device is, the more complicated protection becomes.
• AI and machine learning can help us recognize patterns and malicious behavior vs. normal behavior.
• The best advice for designers: have a multi-layer approach to security, assume that your adversaries are smarter, and apply a zero trust approach.
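The signed-update take-away above can be sketched as a device-side write gate. This is an added example, not NanoLock's code: the episode does not name a signature scheme, so HMAC-SHA256 stands in for it, and `DEVICE_KEY`, `sign_update`, `GatedFlash`, and the package layout are hypothetical. It also goes one step beyond the episode by refusing validly signed but older images.

```python
import hashlib
import hmac
import struct

# Constructed demo key; HMAC-SHA256 is an assumed stand-in for the unnamed signature scheme.
DEVICE_KEY = bytes(range(32))


def sign_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Backend side: build version || payload || tag, with the tag covering both fields."""
    header = struct.pack(">I", version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class GatedFlash:
    """Simulated protected memory: the only write path is apply_update()."""

    def __init__(self, key: bytes, version: int, image: bytes):
        self._key, self.version, self.image = key, version, image

    def apply_update(self, package: bytes) -> bool:
        if len(package) < 4 + 32:  # too short to hold a header and a tag
            return False
        header, payload, tag = package[:4], package[4:-32], package[-32:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Constant-time compare; the sender's identity and credentials are never consulted.
        if not hmac.compare_digest(tag, expected):
            return False
        (version,) = struct.unpack(">I", header)
        if version <= self.version:  # validly signed but not newer: refuse rollback/replay
            return False
        self.version, self.image = version, payload
        return True


def demo() -> dict:
    flash = GatedFlash(DEVICE_KEY, 1, b"firmware-v1")
    good = sign_update(DEVICE_KEY, 2, b"firmware-v2")
    tampered = bytearray(good)
    tampered[6] ^= 0x01  # one payload bit flipped in transit
    forged = sign_update(b"\x00" * 32, 3, b"attacker-image")  # signed with the wrong key
    return {
        "tampered": flash.apply_update(bytes(tampered)),
        "forged": flash.apply_update(forged),
        "genuine": flash.apply_update(good),
        "replayed": flash.apply_update(good),
        "image": flash.image,
    }
```

The payload travels in the clear throughout; the gate's decision depends only on the tag, which is the integrity-over-confidentiality point the take-away makes.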
Some interesting quotes from today’s episode:
“The target of the adversary is to change the parameters…What we're making sure is that the devices stay as the owner and the originator designed devices to work as.”
“Our assumption is that connectivity can come in various shapes and forms and adversaries can come in various shapes and forms. And our target is to protect from the known and unknown manipulations.”
“It's all the way from a simple manipulation and stealing personal information, to breaking the device, to making something which is harmful beyond the specific device itself.”
“So we're not trying to encrypt the data. What we’re trying to do is sign it in a way that what came out of the headquarters was sent over the air. When it got to the device, it has the same signature, the same parameters. And then we verify that that's our secret sauce. We verified with very low resources that the originated content is truly the one that was sent.”
“It’s below zero trust. Zero trust usually has an anchor. I trust a processor. I trust something. We actually came with the approach of trusting nothing — neither the device, nor the processor, not the network, even the operators, the owner. We just don't trust anything within the flow.”
“And what we're saying is we don't know what we're trying to protect against. We're assuming the following: If this is not signed properly, if we don't recognize the signature, we will make sure that it never gets to the non-vaulted memory.”
“So you can hack the network. You can even hack the processor. You know what? I can even steal your password. And still, even if I'm inside with all the credentials, we can still prevent catastrophic manipulation from occurring by the sheer fact that the commands you are sending will not get through.”
“Phishing is not an attack. Phishing is the first part of the attack. Phishing is the way to lure you into doing something. And if I ended up doing only this, okay, so I have the credentials. But then comes the second part where I have your credentials and I'm trying to make a change or own your device.”
“The edge devices that we're working with are single purpose devices. It's easier to protect those devices. When you speak about a server, you have so many attack vectors — some of them are physical network, applications running inside — it’s almost impossible to protect those devices. And more and more capabilities have to be developed.”
“The assumption is that the adversaries are smarter. And if you think that way, you're better off. Designers of devices have to take into consideration that if there is a motivation, people will be able to penetrate your device. And they're always smarter than you are.”