In mid-November, the total count of vulnerabilities reported in 2018 surpassed the total for 2017, setting a new record for vulnerabilities with six weeks left in the calendar year.
At this pace, we are on track to see the count of Common Vulnerabilities and Exposures (CVE) entries, the authoritative index of confirmed IT system vulnerabilities, reach 16,000 or more vulnerabilities for this year, according to tracking site CVE Details.
If you develop embedded systems or devices incorporating them, how do you keep pace with analyzing 300 new CVEs being reported every week?
How do you narrow the focus on those that really matter for the systems and subcomponents in your products?
How do you assess the severity and risk of a CVE with respect to your end customer’s security requirements and regulatory compliance needs?
Maybe it's time to join the CIA.
No, not that CIA. I mean the security concept known as the CIA Triad that refers to Confidentiality, Integrity and Availability. The triad is a framework that guides how enterprises deploying embedded systems view information security and the systems related to it.
Security from the Customer’s POV
Enterprise IT managers view security from an information protection standpoint above all. After all, attackers are typically going after information like consumer data, banking information, user identity information, and similar data.
That type of data handled by corporate systems poses a major risk if it is compromised. Regulatory oversight and legal ramifications of data breaches, especially with respect to compromised consumer data, have spawned fines and lawsuits that reach into the millions of dollars.
Of course, these information security concerns translate into system-level requirements as well, and maintaining the operational integrity of systems is always a concern.
But even those technical requirements are becoming the focus of regulation in an environment of rising vulnerability counts. California recently enacted a law specifying not only information security requirements but also system-level controls required of makers of IoT devices, such as a prohibition on default passwords in shipped products.
To comply with such rules and reduce the risk of your products causing a data breach, it’s helpful to view security through the lens of the CIA Triad.
CIA Requirements Framework
The CIA Triad is a framework or general guide that security practitioners use to assess information security requirements in their environment, and by extension, the security features and functions of underlying systems.
The CIA Triad encompasses:
- Confidentiality – How will sensitive or regulated information be kept private?
- Integrity – How will information be kept free from manipulation by unauthorized people?
- Availability – How will information be made available to authorized users when it is needed?
Sometimes, security practitioners give the “A” in the triad as Authentication, Authorization or Access, all of which have important implications for underlying functions around user credentialing, access control, and so on. But Availability also covers requirements like preventing Denial of Service attacks, blocking Ransomware attacks, and so on.
These high-level security requirements filter down to system level requirements. They guide how an enterprise may deploy systems and security functions to protect them, but they also can indicate how systems themselves should be designed.
- Confidentiality – Does your system support encryption of data at rest, data in processing and data in motion? How are encryption keys managed and stored?
- Integrity – Does your system support data integrity functions, such as message authentication, checksum, stored data validation, and intrusion detection? Do user authentication and credential features prevent unauthorized access and manipulation of data?
- Availability – Is your system in deployment protected by the appropriate network controls, firewalling, traffic filtering, and other features to mitigate Denial of Service attacks? Does your system have the resilience, redundancy, and physical capacity to ensure information is available to authorized users when they need it?
Timesys has worked with embedded system device makers for years to adopt the best practices for implementing security in their products.
Approaches to securing embedded system products by design have generated a lot of attention in recent years, especially as breaches of IoT systems have become increasingly common.
But it is just as important to consider maintaining your embedded device’s security posture in deployment and into the future. While much of that will involve deployment architectures that are beyond your control, there are key product maintenance aspects that must be considered.
How are you monitoring CVEs and other vulnerabilities? How are you tracking patches for components and subcomponents of your products, including open source? How are you notifying customers, providing vulnerability mitigation, and pushing patches to products?
As you consider these questions, a customer-centric CIA Triad can organize your effort to bring more secure products to market and reduce risk for your customers despite the record flood of vulnerabilities.
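One way to turn the questions above (narrowing 300 CVEs a week down to the ones that touch your product, and ranking them against a customer's CIA requirements) into a repeatable step is to match each advisory against the device's bill of materials and then weight its CVSS base score by the customer's priority for the confidentiality, integrity or availability property it actually impacts. The script below is an added example written for this article; it is not Timesys code or part of the original post. The only real convention it relies on is the CVSS v3.1 vector-string format, whose C/I/A impact metrics map directly onto the triad. Every component name, version, identifier (EXAMPLE-000n), score and customer profile is constructed for illustration.

```python
"""CIA-weighted CVE triage for an embedded product.

Added example, not code from Timesys or from the original post.  Every
component name, version, CVE identifier (EXAMPLE-000n) and score below is
constructed; the only real convention used is the CVSS v3.1 vector-string
format, whose C/I/A metrics map directly onto the triad.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str               # constructed placeholder, not a real CVE id
    component: str            # affected package as named in the device BOM
    affected_versions: frozenset
    base_score: float         # CVSS v3.1 base score as published
    vector: str               # CVSS v3.1 vector string as published


def parse_cvss_vector(vector):
    """Split 'CVSS:3.1/AV:N/.../C:H/I:N/A:N' into a {metric: value} map.

    Rejects anything that is not a v3 vector or lacks the C/I/A metrics,
    so a malformed feed entry fails loudly instead of scoring as harmless.
    """
    prefix, _, body = vector.partition("/")
    if not prefix.startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics = {}
    for item in body.split("/"):
        key, sep, value = item.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in ("C", "I", "A") if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks impact metrics {missing}: {vector!r}")
    return metrics


def affects_bom(record, bom):
    """True only when the device ships the component at an affected version."""
    shipped = bom.get(record.component)
    return shipped is not None and shipped in record.affected_versions


def cia_priority(record, weights):
    """Scale the CVSS base score by the customer's weight for the most
    important CIA property the CVE impacts (impact value other than 'N').

    weights is {'C': w, 'I': w, 'A': w} with each w in [0, 1].  A CVE that
    impacts none of the three properties gets priority 0.0.
    """
    metrics = parse_cvss_vector(record.vector)
    hit = [weights[p] for p in ("C", "I", "A") if metrics[p] != "N"]
    return record.base_score * max(hit) if hit else 0.0


def triage(records, bom, weights, threshold=4.0):
    """Return [(cve_id, priority), ...] for CVEs that touch this BOM and
    clear the customer's threshold, highest priority first."""
    ranked = [(r.cve_id, cia_priority(r, weights))
              for r in records if affects_bom(r, bom)]
    return sorted((x for x in ranked if x[1] >= threshold),
                  key=lambda x: (-x[1], x[0]))


# Constructed weekly feed excerpt.  Vectors follow the CVSS v3.1 format;
# ids, components, versions and scores are invented for this example.
FEED = [
    CveRecord("EXAMPLE-0001", "tls-lib", frozenset({"1.1.0", "1.1.1"}), 7.5,
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),   # key leak
    CveRecord("EXAMPLE-0002", "ssh-daemon", frozenset({"2.0"}), 7.5,
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),   # remote DoS
    CveRecord("EXAMPLE-0003", "shell-utils", frozenset({"1.1", "1.2"}), 5.3,
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),   # older versions only
    CveRecord("EXAMPLE-0004", "image-codec", frozenset({"3.4"}), 8.8,
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),   # not shipped
    CveRecord("EXAMPLE-0005", "tls-lib", frozenset({"1.1.0"}), 3.7,
              "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"),   # low integrity
    CveRecord("EXAMPLE-0006", "ssh-daemon", frozenset({"2.0"}), 6.5,
              "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"),   # config tamper
]

# Constructed bill of materials for one device image.
DEVICE_BOM = {"tls-lib": "1.1.0", "ssh-daemon": "2.0", "shell-utils": "1.3"}

# Two constructed customer profiles expressed as CIA weights.
PATIENT_RECORDS_GATEWAY = {"C": 1.0, "I": 1.0, "A": 0.5}
PLANT_CONTROLLER = {"C": 0.25, "I": 0.75, "A": 1.0}


if __name__ == "__main__":
    for name, weights in (("patient records gateway", PATIENT_RECORDS_GATEWAY),
                          ("plant controller", PLANT_CONTROLLER)):
        print(f"{name}:")
        for cve_id, priority in triage(FEED, DEVICE_BOM, weights):
            print(f"  {cve_id}  priority {priority:.2f}")
```

Run against the same feed, the two constructed profiles surface different entries: the records gateway ranks the confidentiality and integrity issues first and drops the availability-only denial-of-service entry below its threshold, while the plant controller does the reverse. Advisories for components the device does not ship, or for versions other than the shipped one, never reach the ranking at all, which is the bulk of the weekly volume. In practice the weights come from the customer's security and compliance requirements, and the feed and BOM come from your CVE monitoring and build system rather than being typed in.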
Adam Boone is VP of Marketing at Timesys. Over two decades, Adam has launched more than 50 solutions in networking, cybersecurity, enterprise applications, telecom and other technology areas. He completed his MBA in Business Strategy at Arizona State University and the Marketing Strategy Program at Penn’s Wharton School.