Earlier this week (24 Nov 2021) the UK Government announced the publication of a new law which sets out to protect consumers of certain technical devices from cyber attacks.
The ‘slogan’ underpinning all of this is ‘Secure by Design’. And in all honesty this has been a long time coming. Check out my previous post ‘Grand Designs’ to get the gist of it and how that should work.
However, unless you move in the cyber circles (whatever that is?) and are a bit geeky – this news would probably have passed you by on mainstream broadcasts and probably rightly so. Covid-19, deaths, murders, a new film about the Beatles and Westlife getting back together have all rightly taken the spotlight.
But what is the fundamental purpose of these new legal bindings? And what does it mean to me?
Those of you that I have had the pleasure to teach will know that I love to use analogy to paint the picture. You only have to read some of my previous posts to see how this works.
A long time ago, some bloke invented a thing called a car (this is not a history lesson). At first, cars didn’t go very fast and, being very few and far between, there were few accidents and nobody got hurt. Then cars became popular and faster and everybody had one. Some had more than one. The increase in speed, traffic and general congestion resulted in more accidents and more people, sadly, getting hurt.
So legislation was brought in to stipulate that cars had to have safety equipment fitted as standard. Lights, horns, seatbelts, airbags and braking systems. These had to meet the right standards to be approved for use – which gave the consumer confidence in the fact that they worked and provided adequate security should something go wrong.
Some manufacturers took safety seriously, some just did the basics to meet their legal requirement. That’s how things like this often work when dealing with standards. There never appears to be a standard for standards.
Routinely we need to get our cars serviced, fixed and checked and we do this to meet a standard (and a legal requirement) but also to make sure that they are safe to continue to drive.
In conjunction with the car – the roads that we drive on also need to meet certain safety standards. But these are old and difficult to maintain in some areas and still use materials and methods that are 20-30 years old. What have the Romans ever done for us?!
When considering the mix of car and road – the combinations are:
- Safe car + safe road = most safety (but not 100%)
- Safe car + unsafe road = not safe
- Unsafe car + safe road = not safe
- Unsafe car + unsafe road = very not safe (not a grammar lesson)
Those of you that like stats will see that three of the four combinations leave you either not safe or very not safe (is that proper English?!)
A long time ago, some bloke invented a thing called The Internet. At first, it wasn’t very big, was very slow and had very little traffic on it or much public interest in it. Then, almost overnight (in the history of the World) it got very big and everybody was on it. The Internet is a place to meet, work, play, shop, find a picture of a cat and generally do everything great in life.
The Internet is a highway for data, built on old standards which have had some tweaks over the years but a lot of it is still 20-30 year old standards. It has standards and regulatory bodies that look after it however.
The type of equipment we use to drive on the data highway is vast. Computers, phones, gaming consoles, smart-devices, Internet of Things (IoT), watches, fridges – you name it. Look around your house and see how many you use.
Up to recent times – the only safety standard you had at home (generally) was that if you plugged it in, it had been bench-tested so that it wouldn’t catch fire. Nobody at home appeared to care if it was fit to drive out on the Internet – makes no sense really does it? (It is different if you work in the security world for businesses and large enterprises – who generally employ certain standards or common criteria in their equipment procurement processes.)
It gets worse, however, especially if, like most of us, you can’t resist that cheap bargain off Amazon or eBay that promises to revolutionise your world with a smart device.
Plug it in and it doesn’t catch fire – all is good.
However – here is what this new bill is all about.
Do we realise that as soon as we plug it in and connect it to the Internet, it pokes out through the defences of our internal network – through the firewall – to shout out to anybody that wants to hear it? Generally this is to the web application or server that is supporting it (for time, messages, data etc).
These ‘holes’ in your firewall are opened by a series of port rules, and each port is allocated to an application being used by one of our devices (think of them like windows in your house, which allow things to come in and out).
Obviously the more windows you have open the more likely you are to get burgled and the more difficult it is to protect.
You can use secure locks and close windows when you are done with them and that’s what good applications and devices do. You can monitor and filter what comes in and out of your windows – and that’s what a firewall does. But if you automatically agree to a rule that keeps the window open or allows it to be opened from the outside when someone wearing the right hat knocks on it – then you may have a problem.
Unfortunately that is pretty much the situation we all fall for when we install some new devices into our homes which connect to the Internet. If you don’t change the defaults (and sometimes this is either tricky or impossible), you may find that the application is calling out and synchronising data invisibly and may also allow for administrative access from outside your network. In the past these have been known to use well known insecure ports that any hacker (good, bad or indifferent) would be able to access.
Some of these vulnerabilities have been responsible for some of the most widespread botnet, malware and ransomware attacks.
Check out this great article from the good people at Cloudflare for an example:
What is the Mirai Botnet? | Cloudflare
So this is all happening behind the scenes and we have no idea. All we are celebrating is the bargain we had with a smart WiFi camera system which we got for a snip from some bloke on EBay or that amazing Black Friday Deal!
So let’s go back to the combination:
- Safe equipment + Safe Internet connection = Most safety (but not 100%)
- Unsafe equipment + Safe Internet connection = Unsafe
- Safe equipment + Unsafe Internet connection = Unsafe
- Unsafe equipment + Unsafe Internet connection = Very unsafe
Still stacked against us.
We ALL know the golden rules:
- Change the default WiFi passwords for your WiFi router
- Make the passphrases long and complex
- Change the default admin account settings for your router
- If you know how – monitor your Firewall and check which ports/applications are being used
- If you know how – set up MAC filters to only allow known devices to connect to your WiFi
- Keep your equipment and applications updated and patched
- Remove anything that you no longer use
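As an added illustration (not code from the original post), here is a small checklist audit that turns the ‘windows in your house’ point and the golden rules above into something you can run. The RouterConfig layout, the UPnP field and the sample settings are all constructed stand-ins; real routers export their settings in their own formats.

```python
# Added example, not from the original post: a checklist audit of a home
# router's settings against the "golden rules" above. The RouterConfig
# layout is a constructed stand-in; real routers export settings differently.
from __future__ import annotations
from dataclasses import dataclass, field

# Inbound "windows" worth flagging: plaintext admin services (telnet on 23/2323,
# ftp on 21, unencrypted web admin on 80/8080) are the classic botnet targets.
RISKY_INBOUND_PORTS = {21: "ftp", 23: "telnet", 2323: "telnet", 80: "http admin", 8080: "http admin"}
DEFAULT_ADMIN_NAMES = {"admin", "root", "user"}

@dataclass
class RouterConfig:
    wifi_passphrase: str
    admin_user: str
    admin_password_changed: bool   # False = still the factory default
    mac_filter_enabled: bool
    upnp_enabled: bool             # assumed field: lets devices open inbound rules themselves
    # (external_port, internal_host, internal_port): rules that let traffic IN
    port_forwards: list[tuple[int, str, int]] = field(default_factory=list)

def audit(cfg: RouterConfig) -> list[str]:
    """Return one finding per broken rule; an empty list means all rules pass."""
    findings = []
    if len(cfg.wifi_passphrase) < 16:
        findings.append("WiFi passphrase is shorter than 16 characters")
    if cfg.admin_user.lower() in DEFAULT_ADMIN_NAMES:
        findings.append(f"router admin account still uses the default name '{cfg.admin_user}'")
    if not cfg.admin_password_changed:
        findings.append("router admin password is still the factory default")
    if not cfg.mac_filter_enabled:
        findings.append("MAC filtering is off: any device can join the WiFi")
    if cfg.upnp_enabled:
        findings.append("UPnP is on: devices can open their own inbound rules")
    for ext_port, host, int_port in cfg.port_forwards:
        service = RISKY_INBOUND_PORTS.get(int_port)
        if service:
            findings.append(f"inbound rule {ext_port}->{host}:{int_port} exposes {service} to the Internet")
    return findings

# Constructed sample: a bargain smart camera installed on factory defaults...
BARGAIN_SETUP = RouterConfig("password1", "admin", False, False, True,
                             [(8080, "192.168.1.50", 80), (2323, "192.168.1.50", 23)])
# ...and the same router after applying the golden rules.
HARDENED_SETUP = RouterConfig("correct-horse-battery-staple-2021", "housekeeper", True, True, False)

if __name__ == "__main__":
    for name, cfg in (("bargain", BARGAIN_SETUP), ("hardened", HARDENED_SETUP)):
        print(name, audit(cfg) or ["no findings"])
```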
If you don’t know about all of this – find out! Check out the NCSC site which is such a great resource:
But those of you who are ultra-clever or eagle-eyed will notice that in all of my ramblings and equations I have forgotten the most vital element.
A car is only as safe and secure as the nut behind the wheel.
Drive dangerously, don’t service your car, don’t observe a code of common practice, go to dodgy parts of the city, drive on unknown roads and pick up strangers along the way – then good luck with your hi-tech airbags.
There is, of course, never a 100% guarantee that you will be safe and secure, even with the most advanced technological safety standards fitted – but it does help and gives you confidence in the fact that you know it is there.
The combination of safe equipment, safe connections AND user awareness is the best combination on the planet!
So check out these new laws and standards. Think twice before you buy that cheap tech deal from Chinese eBay (other Nation States are available). Put security at the top of the list of things that matter to you – because, of course, it is not just your protection we are talking about.
Surf safe and prosper.