[Interview] Costin Raiu, Kaspersky Lab: We Believe the Next Generation of IoT Devices Can Be Designed In a More Secure Manner

costin raiu defcamp 2018

One of the best things about doing interviews with DefCamp speakers and partners is this:
They generously lend us their perspective so we can take a peek at the future.
Today we’re inviting you to walk a mile in Costin Raiu’s shoes, Director of the Global Research & Analysis Team at Kaspersky Lab.
It’s the year 2020. Costin looks back to 2018 to answer an interview for DefCamp #11. Here’s how he summarised things for #ThreatThursday*.
*Could this hashtag be a thing? Drop us a @ and let us know.

2018 has been a tumultuous year for IT security.
From big hacks, such as the compromise of over 50 million Facebook accounts, to leaks, supply chain attacks and nation state sponsored hacking, we’ve had a bit of everything.
Several of these stories proved there are still many open challenges when it comes to securing businesses and IT infrastructure, including attacks against network equipment, defending against high end mobile malware attacks and securing data in the cloud.

One thing that we’ll all remember from 2018 will surely be the emotional rollercoaster that was made of data breaches. We looked to Costin for some viable solutions he’s seen capable curbing them and we found answers!

Complexity and size are two of the things which are constantly observed in significant data breaches.
For instance, the incident in which the access tokens of 50 million Facebook users were stolen can be traced back to a complex feature implemented by the social media giant. The more complex software becomes, so are the bugs and the possibility of exploiting them.
Things such as zero-knowledge encryption, isolation, and hardware security are probably the most promising technologies to curb the recent string of breaches.

Layers upon layers of tech, spread across the world, have made it incredibly challenging to build scalable information security models able to adapt to all situations with equal flexibility.
That’s why Costin emphasizes a key problem that’s going to trouble infosec professionals for a while going forward:

We believe that securing cloud data at scale is a very complex issue which will not be tackled during the next 10 years.

It’s essential that we, as a community, make a concerted effort to find solution to this and other causes of data breaches. Especially since some of the most sensitive items leaked through data breaches are medical records.
Here are the short-term and long-term consequences of exposing sensitive medical data, according to Costin’s expert perspective:

On the short term, attackers might try to ransom hospitals or patients. In some cases, this can be coupled with destructive attacks, in which the data is deleted, making it very hard to recover from backups or paper.
Long term, these databases can provide information that can be used for identity theft and other nefarious activities.

We hope that working together as a community will catch on more and more. A recent example of its effectiveness has to do with certain widespread vulnerabilities and their containment.
Costin shared that:

Although Meltdown and Spectre are two significant issues, we are yet to observe any significant abuse of these vulnerabilities in the wild.
We believe that the answer from operating system vendors, as well as hardware developers, has been key for safeguarding against these.

But not all threats receive the same attention and diligence. Less notorious ones cause problems on the daily, like issues as common as insufficient logging and monitoring.
To tackle this challenge is to also consider the impact on data privacy and the regulations that seek to enforce better controls over it.
Costin has a clear view on this:

While the two concepts might appear to be conflicting issues, we believe security can be seriously improved through relevant monitoring and logging. This breaks down to what kind of information is logged and how is it processed, anonymized and for how long the data is stored.
While it might appear challenging, this is something companies can definitively thrive at.

Since Costin deals with so much variety in his research and analysis, we had to find out if he believes securing IoT is a feasible challenge. His nuanced answer led us to believe in a better, more secure future for IoT.

Security the current generation of existing IoT hardware is probably not feasible, as too many vulnerabilities exist for which the vendors do not offer patches anymore or that would require a significant product redesign.
Nevertheless, we believe the next generation of IoT devices can be designed in a more secure manner – for instance, by eliminating the same default password (eg. “admin:admin”).
For example, recently, a new law was passed in California which requires all new devices to be sold with unique passwords. The law should be implemented by 2020.

It sounds exciting to have the opportunity to work on issues such as these, doesn’t it?
Because we know some of you are coming to DefCamp for the first time, we asked Costin to share his advice for infosec beginners.
Here’s what Costin believes that focusing on will serve you well in the long run:

Knowledge of a programming language such as Python is for sure one of the essential skills in the industry.
Recently, we observed a heightened interest for Yara, the so-called “pattern matching swiss knife for malware researchers”.
Finally, very few people nowadays are familiar with assembly language and reverse engineering skills are rare – it is unlikely such knowledge will ever become obsolete.

Speaking of things that get better with time: we’d like to say a big “Thank You!” to the awesome and supportive DefCamp community!
We can’t wait to see you all on November 8 and 9, in Bucharest, for another awesome experience!
This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..