CES Countdown #4: Who's securing the CE device's end user?

Computer security fuels many excellent conferences. CES is not typically one of them, but the current state of the economy is compelling conference goers to refocus on their core priorities...and security is one of them.

Some readers will argue that if we're talking about the best possible security for end users, we're at the wrong show -- Macworld's a little to the west. But as security researchers proved when they spanked OS X at last spring's CanSecWest conference, the world is moving on from the impenetrable-Apple era.

The issue for consumers at this point is simply to take security seriously -- get protection, keep it current, and use common sense when the Nigerian princes and m4k3-mon3y-f4$$$t crowd sends e-mail. Alas, neither CES nor anything other than direct exposure to the consequences is apt to change the habits of consumers who aren't already open to the message.

Many consumers might expect more security protection from their ISPs, especially in an era when cable boxes, HDTVs, and even more basic appliances sport their own IP addresses. The problem is that any sense of responsibility providers might feel in that direction is swamped by another "security" concern -- that of media companies that feel that ISPs and even hardware manufacturers are responsible for securing digital handcuffs on content.

It has been a full year since widespread coverage emerged of Vista's thuggish HDMI implementation. Frankly, 2008 wasn't exactly a big year for raising consumer consciousness of digital rights management issues, and though a couple of panels are slated for CES 2009 this week, you'd have to be wonderfully sunny-minded to think that ISPs are paying one-tenth the attention to saving Joe Enduser from the botnet hordes that they are to keeping various DRM-desiring concerns (and their respective lawyers) at ease with ever-faster bandwidth offerings.

One more thing consumers can do to embiggen their security in 2009? Keep a close eye on Congress and the White House. A slew of stories throughout 2008 indicated that the incoming crop of politicians merit a watchful eye from security- and privacy-conscious Americans. (Not that the last didn't, but we're looking ahead here, not behind.) The President-Elect is computer-friendly, but that doesn't necessarily translate to greater security and privacy protections for citizens. As corporations accede to customer pressures to anonymize data more quickly, expect the feds to request both longer periods of data retention and more data retention by ISPs.

Security and the set-top box

Scott M. Fulton, III

When you hear the topic of security for Internet-facing consumer media devices brought up, what you're probably hearing is a discussion about preventing the consumer from being able to access unlicensed or unprivileged content. That's certainly important, but for the vast majority of users who may at some point in the near future have IPTV capability embedded in their HDTV sets or set-top boxes whether they use it or not, it's not nearly as important as protecting their own devices from incursion. What data could a set-top box possibly contain that would be of interest to an Internet-based attacker? If that attacker can spoof any of the cable industry's components that can trigger diagnostic access, that remote source could conceivably have access to lists such as recently watched on-demand channels, and favorite channels. But as we ourselves witnessed at CES 2008, there's something else potentially that's at least addressable through set-top boxes: other computers in a home's local network. Assuming consumers are smart enough to install firewalls on their PCs, in order for STBs to access those PCs, their media directories need to be exposed to access by the STBs' exclusive IP addresses. Whether an STB can be developed into a convenient "stooge" for a third-party attack is a topic that few, if anyone, have addressed. But a home network is only as vulnerable as its weakest link, and as long as consumer electronics components are treated as equal citizens in a home network environment, at some point, we need to expect STB security to be at least as foolproof as PC security.

The picture's more nuanced on the enterprise side, where budget cuts and a treacherous economy are putting pressure on security spending exactly when certain folk might be most tempted to ill-gotten gains. Again, follow the money: An infosec pro whose system is hacked is apt to be fired or otherwise adversely affected, whereas an end user whose system is hacked has very little financial recourse to punish an allegedly security-lax ISP. (Especially if the problem stems from something the user clicked or installed with his own two typing fingers.)

That said, some infosec professionals are warning that a lot of businesses are slacking on protection -- even legally mandated protection -- figuring it's better to solve a problem (clean up a hack, pay a fine) in 2010 than to go broke in 2009.

The chaotic IT environment during mergers and acquisitions (so popular among strong companies when rivals are struggling) means that even relatively hardened targets can become soft for the patient and clever hacker. One expert we talked to characterized some security-poor companies as having crossed fundamental safety lines, even blowing off compliance with standards that don't have an immediate bottom-line impact (e.g., SOX).

"You used to see companies pushing risk into their next budget cycle, covering themselves in the present and pushing speculative risk into the future," our source said. "Now the pressure just to survive the current budget cycle means some risks that were previously unacceptable are going untreated."

What to do, what to do? Joel Scambray, author of Hacking Exposed: Network Security Secrets & Solutions and CEO of Seattle-based security consultancy Consciere, says that smart companies will make it through the haze by sticking with the fundamentals. "Understand the business you're in, define achievable goals, review progress against them periodically, and hold people accountable -- for successes as well as failures," he says. "Good infosec fundamentals, like thrift, diversification, and saving, are once again back in vogue."

Scambray even sees a few trends that bode well for security beyond the current climate. Firms are beefing up detective and reactive infrastructure, including security-event information management and forensics capabilities, "because many enterprises have learned the hard way that an ounce of preparation is worth a pound of cure." He sees ongoing "housebreaking" of application software development, editing the process into manageable and thus securable practices.

There's also a return to fundamentals -- reviewing and refining internal security procedures, developing meaningful security metrics that align with organizational objectives, and managing compliance-and-audit fatigue with "sensible programs that meet well-established standards of 'due care,'" standards that can even be extensible to third parties.

And, Scambray says, candor with stakeholders is key. Even though, as he puts it, "as we've witnessed again recently with the Madoff fraud, a secretive smile and the wisp of something exclusive can fool even the most sophisticated," the current austere mood means that pragmatic security talk can "win friends and convert enemies for the information security profession." The times may be hard, but maybe that means that businesses are ready to hear hard security truths.

Now, can someone convince the civilians not to answer those e-mails from the Nigerian princes, and convince the ISPs that consumers care about more than just the fastest possible bandwidth?