My company has started holding something we call an un-conference: basically an open space where we can give less formal conference-style talks (see https://en.wikipedia.org/wiki/Unconference), but more on that later.
Anyway, a friend of mine gave an interesting talk at the security un-conference today on actually talking about security, which brought to mind an interesting conversation I had with a group of pen testers after the Belfast BSides event this last year.
He spoke about communicating the reasons for security operations to the customers/consumers they will affect, and likened it to airport security being one of the worst experiences when travelling, to the point where taking a flight, which used to be a simple and great experience people looked forward to, has become a tiresome pain: waiting in lines to be checked over, and even having your favorite soft drink taken off you. Most people will tell you the security in airports is now one of the worst parts of travelling; a classic security vs convenience situation is created.
So if we tell people why we are doing the checks, will it make them more receptive to adopting the change? Or, on the other side, would simply having to explain the threats to the people affected make it very obvious that, even if the threat is severe, the risk is low enough that it doesn’t warrant the inconvenience?
This was a core point of his talk: we always hear about threat but rarely hear about risk. I remembered a conversation I had at the post-conference celebration with a group of pen testers about automated vehicles. One of the day’s talks focused on how manufacturers of these vehicles so far were not putting an emphasis on security and how you can easily break into them; this also happened, with hackers able to take control remotely of a partially automated Range Rover and force it to stop, so it was a fairly hot topic. Now, regardless of how you feel about the possible threat of this happening, I didn’t and still don’t believe it would be a reason to not use automated vehicles. My argument for this is that yes, the threat is severe, but the risk of them getting hacked is trivial.
Now before you jump on the “you’re insane, it’s terrifying” … yes, the risk is a terrifying prospect, but let’s assume the security on the car systems is essentially absent and just pretend that there is no security whatsoever and you can log into its open hotspot, log into a shell and type a command to have the car go or stop. Even then there’s a barrier to entry: the person attempting it would need a level of IT skills, a background knowledge of the software it’s running on and equipment with the ability to extend the range of their connection long enough so the vehicle doesn’t leave it. Of course the level of fear of the threat will never allow such minimal precautions, but remember the people who managed to get the car in the news had all that equipment, experience and training. They proved it possible, not likely; you could achieve the same outcome with a pair of snips and an idea of what the brake line looks like. I believe that method of attack would only be used for assassination or terror. But the mindset of the pen tester is different: they see attacks everywhere. They were insistent kids would find ways of doing this and just murder people for the fun of it, and that even after there were convictions for what is clearly pre-meditated murder and the security was brought up to high levels, you would still get the odd person who would sit there and figure out how to break it.
It’s hard to argue with what is possible. The more security you put on something, in this example an automated car, the higher the barrier to entry for an attack is… but it will always be a possibility. I think with the level of fear around automated cars the manufacturers will put effort into securing them, especially if they’re liable for negligence, leaving that risk trivial, but please tell me what you think.
There is an important takeaway from this, however.
- When you’re focused on the possibilities and not the likelihood, it’s easy to overestimate the level of mitigation required.
- Security needs to be invisible, effective and at least appear seamless to the end customer.
- When explaining risks to someone who doesn’t agree, pushing the possibility of that risk can make your argument sound even more ridiculous or far-fetched (this is where people get annoyed with airport security).