recommended reading

Explaining Cybersecurity through Cars: Get Yours Inspected or Get It Off the Road

Eric Fleming Photography/Shutterstock.com

ARCHIVES

By CyberAvengers June 6, 2017

recent posts

The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure. They are Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.

We are pointing out the obvious, but the obvious needs to be pointed out these days: How you view the world impacts your decision-making. And equally as important is how you view yourself. Therefore, if you see the world as a relatively benign place and feel for the most part you are well prepared for whatever challenge you will face, it is quite likely you will do little to change your behavior.  

But if you view the world as a more hostile place and think of yourself and us as unprepared, chances are you will either wither away into a corner, frightening yourself into hysterical paranoia, or you will do something rational to prepare yourself for whatever challenge comes your way.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Let us start with this basic premise: The internet is inherently vulnerable. It was designed that way because the debate—about 40 plus years ago—focused on open access and free flow of information versus security. The former won, but we are paying the price today. So, if the information highway (the internet) is all banged up and falling apart, it does not matter how safe your car is because the road is still a mess.

Taking the Car for a Spin

Let’s go for a ride and see what is waiting out there for you. First question: Is everybody driving a 2017 model with no mileage? Nope. That means your car (network and information system) has some wear on it, as do other cars on the road.  

But even if you are one of the lucky ones driving a 2017 with no mileage, are you fully read up on how to use all the fancy features of your new car? Probably not. You may find some cool new safety features on this new car, like lane departure warnings (anti-virus), but the warnings do little good if you do not check your blind spot while changing lanes or if you find them to be a nuisance and shut them off (misconfigured firewalls).  

New conveniences, like automatic parallel parking (free Wi-Fi) and automatic breaking (artificial intelligence) are neat and helpful. The #CyberAvengers are even ardent supporters of some, but we do not suggest forgetting the basics of driving or driving into a wall to see how well these technologies work!

OK, we see some of you out there with your head down saying, but I don’t have a 2017 with no mileage…I have a 15-year-old with 200,000 miles on it and that’s all I can afford right now.” Don’t worry, that is nothing to be ashamed of, we get it (after all, the average age of a car on the road these days are almost 12 years old). We understand you have limited resources and you do the best you can. But even with limited resources, you cannot sacrifice necessary maintenance without letting your car turn into a death trap.  

So, if you are not regularly changing your oil (patching your system on a timely basis) or tires (creating segmented backups) you are knowingly allowing yourself to be more unsafe on roads already deemed unsafe. And please do not forget the tune ups (replacing legacy software and hardware) because a misfiring piston (using WEP instead of WPA2 encryption) can make your car leave you at the side of the road without warning. Just like in football, we cannot express how important the “basic blocking and tackling” associated with regular maintenance is for your car (and your network).

Basically, what we are trying to say is if you do not take care of your car, you are increasing your vulnerabilities in a time where threats are also increasing and consequences are much more costly (Risk = Threat * Vulnerability * Consequence). Worn brake pads (poor bandwidth) are bad enough. Worn brake pads with uninspected brake lines (unencrypted communications) could result in your death (massive data breach) and that of your passengers (your company).

Here is another issue you must deal with. Cars have become more complex. There was a time where if you owned a car, there was also a good chance you could do a lot of maintenance yourself (we call those days the Age of MS-DOS and XTree). Today, it’s not so easy. Why? Because today, you get an idiot light (error message) flash on your dash and you do not know if you need to restart your car (reboot) or you have an imminent overheat that will crack the engine block (your device is bricked). Ultimately you are going to have to take your car to somebody, like a dealership (vendor) or mechanic (IT professional), to get checked out (vulnerability assessment).  

Alright, here is where it gets tricky and it is hard to get past stereotypes when discussing this issue: Do you trust your dealership and mechanic? If you don’t, you are going to be worried about unnecessary repairs (capital expenditures) and high labor costs (consulting) that may not necessarily make your car run any better or safer.  

And if you have a dealership or mechanic a bit on the shady side, do you think they are going to tell you to fix that small problem right away or wait until it is a really big one? They may say, “Don’t woooorry! All you need to do is check your car once a year, you’ll be fine!” when in actuality you should be checking your tire pressure and oil levels every few weeks, especially if you are driving an older car.

And here is something not to forget: Even after all of your fixes, none of them will make you a better driver (education). They only reduce certain vulnerabilities (more on that in a moment). You still have to know how to avoid pesky daily hazards like aggressive drivers trying to crowd you out of your lane (DDoS attacks) and muddy fields in the dark that make your car stick (ransomware).

So now imagine you are driving an unsafe car, not serviced for a while, on dangerous roads, and let’s be honest, you are not exactly the best driver because you have bad habits (you like to click on links you shouldn’t). What exactly do you think is going to happen eventually?

BOOM!

Did you consider this scenario? If you did not, you have some work to do, and if we may: Welcome to cyberspace. This is how things go today. One moment everything is hunky dory and the next, you have an out of control train on fire, controlled by a hysterical and psychopathic conductor who is ready to take the train down the unfinished track that leads right off 500-foot cliff into a pit of bricked devices.  

A little car maintenance goes a long way. Kind of like patching would have saved a lot of grief for hospitals and emergency rooms last month. Remember, even a 2017 model car can only go so long before the oil needs to be changed.

Car Basics 101 Go a Long Way

This article is a necessary foundational piece for our next piece, where we focus on the value of timely and regular vulnerability assessments and why a systems-based (versus goals-based) approach to cybersecurity is a great idea. More importantly, this article is to show many of the basics are not being adhered to. But that is hard to see when you are not immersed in IT, which is why we illustrated the issue using cars, something most people understand.  

The #CyberAvengers want to make cybersecurity unintimidating. Isn’t it a liberating feeling to know when your mechanic is running a fast one on you? It is. And you do that because you build up your knowledge and are unafraid to say, why are you trying to get me replace my entire axle when all I need is a control arm?”  

As we promised you in "Take Back Control of Your Cybersecurity Now," the #CyberAvengers are here to help and one thing we certainly do not want is for you to be in an unsafe car. Ask us if you feel you may be in one.

JOIN THE DISCUSSION

Close [ x ] More from Nextgov