New Security Group Cavalry: Be Careful With The Internet Of Things

A group of security industry advocates is aiming to promote hacker research and spread the message about the importance of software security to policymakers.

Called the Cavalry, the group, led by Joshua Corman, a security industry thought leader and frequent speaker on data security and privacy, is hoping to engage lawyers and policymakers and educate them about the security issues surrounding the increase in Internet-enabled electronic devices. The public is placing its trust in the manufacturers of the devices -- from modern thermostats to smart televisions to automated washing machines -- but few people truly understand the security risks they represent, said Corman, who serves as CTO of Fulton, Md.-based Sonatype.

"Simply the act of talking about this in an accessible way will create an environment where everyone's efforts will be fostered in a positive way without having it seem like you were just talking into the echo chamber," Corman said. "We're starting a dialogue to educate ... and at least start building those bridges so security becomes a natural part of engineering processes."

[Related: Noted Security Expert: How Will We Be Judged When Our Grandchildren Read The History Of The Internet? ]

id
unit-1659132512259
type
Sponsored post

Corman and other members of Cavalry addressed attendees at the 2014 Source Boston Conference last week, hoping to bridge the sometimes-awkward communications gap between geeky security researchers and the lawmakers considering legislation to proactively address information security issues in a broad range of products.

Cavalry's grassroots efforts began with discussions last year at the BSides Las Vegas security conference and the DEF CON hacking conference. It formalized last September at Derbycon, an annual conference that focuses on best practices for penetration testers. The security industry often gains widespread attention for producing shocking examples of potential attacks against systems but often fails at explaining the broader risks that the demonstrations highlight, Corman said.

The group unveiled its revamped "I Am The Cavalry," website this month and is hoping to grow interest in its campaign to ensure that manufacturers of electronic devices are adequately addressing the security of the often tiny, embedded systems that they create. In addition to manufacturers, Corman and his group are looking for other experts to join the cause, from service providers and resellers knowledgeable about the devices and software to systems integrators and consultants engaged with clients deploying it in their environment. Jen Ellis, director of community affairs at vulnerability management vendor Rapid7, has joined the effort to help bring attention to Cavalry's cause.

Cavalry's first target is the automotive industry, which is seeing a significant increase in software code as it creates ways to monitor and automate vehicle functions. The group also is fostering a better understanding of the data privacy, ethical and security concerns with medical devices and the so-called Internet of Things, the term used to describe the growing number of Internet-connected electronics.

NEXT: Engage Legal Teams, Speak To Policymakers

In a 2014 Source Boston Conference keynote, Andrea Matwyshyn, senior policy adviser and academic in residence at the U.S. Federal Trade Commission, urged security professionals to engage the legal community on information security issues. The legal counsel at many organizations can be an effective tool to foster security program improvements and often play a role in shaping policies that impact the entire security industry, Matwyshyn said. Security experts need to learn how to engage in a meaningful dialogue with non-security experts and keep their attention on the issues that are most important, she said.

"The goal is to make the other side of the conversation feel challenged but not feel stupid," Matwyshyn said. "Know your audience and help bring them along into the formalized language of this community; the specificity of the terms matter."

Security researchers have found myriad ways to hack into Internet-enabled devices, including a way to alter an insulin pump to deliver the wrong dose of insulin to a patient and a way to alter a smart meter, a device that monitors the power consumption in a home, to reduce an electrical bill for a homeowner. At the 2012 Black Hat conference, security researchers gained attention for their ability to remotely target a weakness in the remote starter of an automobile to turn it on and off and potentially gain access to other controls.

Security researchers and those who advocate improvements reach a point where they realize they can't fix it all and get burned out, said Beau Woods, an information security veteran who heads Atlanta-based consultancy Stratigos Security. Wood said he wants to encourage security professionals and especially hackers to stick with a project to create awareness about data security and privacy and foster positive changes.

"For the longest time there's been a lot of [research] activity but not results and impact," Wood said. "A lot of [researchers] get disillusioned and go into another industry or take a different path, but those who stick with it can have a big impact."

PUBLISHED APRIL 14, 2014