Increase transparency for more security

Cristina De Luca

January 08, 2022

Security through obscurity, the practice of “hiding” information to presumably keep it out of the reach of cybercriminals, has always been a controversial topic in the infosec community. And it is increasingly being challenged. Many point to it as a big mistake, capable of putting companies at a disadvantage in the face of attacks on their network. Cybersecurity has become too important to be left to a few anonymous IT specialists working in the bowels of a bank, government agency, or hospital. 

On the other hand, transparency continues to be seen as more beneficial for organizations that want to protect their network and respond to threats proactively and not put everyone at risk: the company itself, its customers, and its suppliers. It helps developers and their customers to understand the various components of their system and locate issues that may lead to vulnerabilities.

Unforeseen security vulnerabilities are a fact of life in today’s technology landscape. Security is a collective and shared responsibility and requires cooperation between vendors, system providers, and end-users to implement mitigations quickly and effectively. But without a commitment to transparency – especially from technology industry leaders and vendors – building public trust and security assurance simply isn’t possible.

Electric vehicles are said to be a good example of the value of cooperation and transparency in cybersecurity. Many models require extremely sophisticated software that must be updated frequently. For example, Tesla distributes updates to owners at least once a month. 

To deliver updates, an electric car manufacturer needs worldwide access to its cars’ onboard computers. Naturally, car owners want to be sure that this does not expose them to hacking, theft, remote locking of the vehicle, or being spied on while driving. For this reason, electric vehicle manufacturers need to be extremely open about their cybersecurity so that owners, or trusted experts, can assess whether the company’s systems offer effective protection.

Many vendors have developed new ways to address government and customer demands for more transparency. Increasingly, independent laboratories are issuing globally recognized security certificates for a growing range of telecommunications products.

As for mobile devices, at the dawn of the 5G era, the best we currently have is the Network Equipment Security Assurance Scheme (NESAS). Jointly defined by 3GPP and the GSMA, this globally recognized scheme tests not only products but also how they are developed and maintained (including the installation of firmware updates). NESAS also has a dispute resolution mechanism to handle complaints from companies that believe their products, or those of competitors, have not been fairly evaluated.

Network equipment is tested by independent test service providers against firmly defined evaluation frameworks and security requirement catalogs. In addition to product security, security across the whole product life cycle is audited in a complementary procedure.

Transparency is also key to the security of operational technology (OT) assets. In a complex industrial environment, it is difficult to keep a reliable inventory of every device on the network, and no one can manage what they don’t know they have. The first rule of a converged IT/OT security system is therefore total visibility. That starts with some form of inventory survey and continues with ongoing network monitoring, which keeps the inventory current as new IT or OT components appear and decommissioned assets are removed. It also means tracking all traffic across the entire system, flagging any non-standard activity and generating alerts according to the severity of the risk in each case.

When a new vulnerability is found in OT networks and devices, organizations rely on their asset inventory to judge its severity, decide how to patch the affected devices, and understand how it affects their environment. With an automated asset inventory, industrial organizations increase the productivity and efficiency of their OT teams, who can manage asset data, detect issues and protect their environment from a single dashboard.
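The two paragraphs above describe a loop: survey the assets, let monitoring add newly seen devices and drop decommissioned ones, flag non-standard traffic with a severity, and then use the inventory to find which assets a new vulnerability touches. The following is an added illustration written for this article, not code from any product or vendor mentioned here; the devices, flow records, protocols and the advisory are all constructed sample data, and the severity rules (an unverified device speaking to a controller is high, a known device using a protocol outside its baseline is medium, a merely new device is low) are assumptions chosen for the example.

```python
"""Added example: a minimal OT asset-inventory reconciler with severity-ranked alerts.

All devices, flows, vendors and the advisory below are constructed sample data,
and the severity rules are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    vendor: str
    model: str
    firmware: str
    protocols: set[str] = field(default_factory=set)  # protocols this asset is expected to speak
    source: str = "survey"  # "survey" = from the inventory survey, "monitor" = learned from traffic


def baseline_inventory() -> dict[str, Asset]:
    """Constructed result of an initial inventory survey, keyed by IP address."""
    assets = [
        Asset("10.0.1.10", "ExampleVendor", "PLC-200", "2.1.0", {"modbus"}),
        Asset("10.0.1.11", "ExampleVendor", "PLC-200", "2.3.1", {"modbus"}),
        Asset("10.0.1.50", "ExampleHMI", "Panel-7", "5.0", {"modbus", "https"}),
    ]
    return {a.ip: a for a in assets}


# Constructed flow records from passive network monitoring: (src, dst, protocol).
SAMPLE_FLOWS = [
    ("10.0.1.50", "10.0.1.10", "modbus"),  # HMI polling a PLC: expected
    ("10.0.1.50", "10.0.1.11", "modbus"),  # expected
    ("10.0.1.99", "10.0.1.10", "modbus"),  # device not in the inventory talking to a PLC
    ("10.0.1.11", "10.0.1.50", "ssh"),     # known PLC using a protocol outside its baseline
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def reconcile(inventory, flows, decommissioned=()):
    """Update the inventory from observed traffic and emit (severity, message) alerts.

    Decommissioned assets are removed first; if one shows up in traffic again it is
    re-added as an unverified device and flagged at high severity.
    """
    inventory = {ip: a for ip, a in inventory.items() if ip not in decommissioned}
    alerts = []
    for src, dst, proto in flows:
        for ip in (src, dst):
            if ip not in inventory:
                if ip in decommissioned:
                    alerts.append(("high", f"decommissioned asset seen again: {ip}"))
                else:
                    alerts.append(("low", f"new device discovered: {ip}"))
                # Track the device so later flows can be judged against it.
                inventory[ip] = Asset(ip, "unknown", "unknown", "unknown", source="monitor")
        src_asset = inventory[src]
        if src_asset.source == "monitor":
            alerts.append(("high", f"unverified device {src} speaking {proto} to {dst}"))
        elif proto not in src_asset.protocols:
            alerts.append(("medium", f"{src} used unexpected protocol {proto} toward {dst}"))
    return inventory, alerts


def max_severity(alerts):
    """Highest severity among the alerts, or 'none' if there are no alerts."""
    return max((sev for sev, _ in alerts), key=SEVERITY_RANK.get, default="none")


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def affected_assets(inventory, advisory):
    """IPs of inventoried assets affected by a (vendor, model, fixed_version) advisory.

    An asset is affected when vendor and model match and its firmware is older than
    the version in which the vendor fixed the issue.
    """
    vendor, model, fixed = advisory
    return sorted(
        a.ip
        for a in inventory.values()
        if a.vendor == vendor and a.model == model and _version(a.firmware) < _version(fixed)
    )


if __name__ == "__main__":
    inv, found = reconcile(baseline_inventory(), SAMPLE_FLOWS)
    for sev, msg in sorted(found, key=lambda x: -SEVERITY_RANK[x[0]]):
        print(f"[{sev}] {msg}")
    # Constructed advisory: ExampleVendor PLC-200 fixed in firmware 2.3.0.
    print("affected:", affected_assets(inv, ("ExampleVendor", "PLC-200", "2.3.0")))
```

On the sample flows this yields one high alert for the unverified device at 10.0.1.99, one medium alert for the PLC speaking SSH, and one low alert recording the new device; the constructed advisory matches only the PLC still on firmware 2.1.0, which is exactly the information an OT team needs to prioritise a patch.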

How is this transparency built? 

Establishing an end-to-end security assurance framework that can be applied across the entire lifecycle of any product helps improve transparency and provides better security. Organizations should also invest in internal offensive security research teams and support the contributions of external security researchers through bug bounty programs and research grants. These are proactive approaches that seek to ensure customers can trust an organization’s ability to collaboratively and reliably discover, mitigate and disclose vulnerabilities.

Collaboration is also key to elevating security assurance. This involves cross-functional work between industry partners, academic institutions, and governmental organizations on policies, standards, mitigations, and research to accelerate a shared understanding of security. Open cooperation is the best way to ensure security.

Participating in industry consortia and standards bodies to help ensure that technology projects meet evolving security, privacy, and safety standards is a good move. Some examples include the Trusted Computing Group (TCG), the Confidential Computing Consortium (CCC), the 3rd Generation Partnership Project (3GPP), the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO).

As vulnerability research and attack methods continue to become more sophisticated, it is also important to support the evolution of industrial product design, assurance, and risk management standards. MITRE and several industry leaders are working to extend the community-driven Common Weakness Enumeration (CWE) system to include new hardware weaknesses, as well as to enhance the Common Vulnerabilities and Exposures (CVE) and Common Attack Pattern Enumeration and Classification (CAPEC) systems. Other opportunities include the ongoing efforts of the Forum of Incident Response and Security Teams (FIRST) on the Common Vulnerability Scoring System (CVSS) and its Product Security Incident Response Team (PSIRT) Special Interest Group (SIG).

Finally, industry leaders should raise the level of transparency by making product security metrics available in the marketplace. This should include details on internally and externally identified threats, for example.

“I predict that enterprises around the world will begin to resist the lack of transparency from application vendors about the components they use to deliver their solutions. The lack of visibility given to closed devices, virtual machines, and application platforms leaves enterprises in the dark when zero-day vulnerabilities are discovered in the software components used to build these platforms. Enterprises are no longer willing to wait to see the vendors’ approach,” says Ron Culler, senior director of technology and solutions, ADT Cybersecurity.