Why Hardware-Based Design Security is Essential for Every Application

By Gregory Guez, Executive Director, Embedded Security, Maxim Integrated

Table of Contents
Abstract
Introduction
Even the Financial Industry Isn’t Foolproof
Smarter Devices Are Even Less Secure
Why Hardware-Based Security Is More Effective
Summary
Learn More
Sources

Abstract

Design security is often an afterthought. But, with the regularity of security breaches impacting an array of industries, it’s now more of an imperative to build security into designs early on. This paper addresses why security can’t be neglected even in the most seemingly innocuous products, and examines why hardware-based security technologies can better protect against vulnerabilities than software-based approaches.

www.maximintegrated.com

Introduction

Cybercrime is costly, but many companies still aren’t considering design security until it’s too late.

With increasing regularity, we hear stories about everyday products being attacked—products that we assume would be safe. Think baby monitors, toys, security cameras (ironically), and even medical devices. In some cases, the attacks were conducted by “white hat” (or ethical) hackers, simply to determine if it is possible. In other cases, the breaches stem from more nefarious sources. Hacking was even a major storyline in the most recent U.S. presidential election.

In the fall of 2016 a massive internet outage brought down the likes of Amazon, Twitter, Netflix, and PayPal. The culprit? CCTV video cameras and DVRs hacked by a botnet based on the Mirai malware strain. Earlier this year, WikiLeaks made headlines when it revealed that it had internal CIA documents showing that it had uncovered a way to access Apple and Android smartphones, Samsung SmartTVs, and internet-enabled cars.

[Figure 1: chart of complaints per year, 2010 to 2015. More than 3.4 million internet crime complaints logged by IC3 since its inception. Source: FBI]

Figure 1. The FBI’s 2015 Internet Crime Report captures public complaints submitted to the bureau’s Internet Crime Complaint Center over Internet-facilitated crimes.

A Juniper Research report estimates that data breaches of traditional computing devices could grow the cost of cybercrime to $2.1 trillion by 2019. The report notes that most of these breaches come from existing IT and network infrastructure.[1] Add to this the growing number of smart, connected devices—particularly products that deal in sensitive, personal data—and the propensity for havoc and harm grows that much larger and more dangerous. Forrester predicts that 2017 will see a large-scale internet of things (IoT) security breach. The analyst firm believes that the most vulnerable areas are those that have quickly adopted IoT technologies:

• Fleet management in transportation
• Security and surveillance applications in government
• Inventory and warehouse management applications in retail
• Industrial asset management in primary manufacturing

What’s more, Forrester also notes that hackers will continue to exploit IoT devices to carry out distributed denial of service (DDoS) attacks.[2] The FBI’s Internet Crime Complaint Center (IC3) tracks public complaints about suspected Internet-facilitated criminal activity. According to the bureau’s 2015 Internet Crime Report, IC3 has logged more than 3.4 million complaints since it was formed in May 2000, averaging nearly 300,000 complaints per year over the last five years. Figure 1 tracks complaints received since 2010. The same FBI report also notes the cost associated with Internet-facilitated crimes. Figure 2 provides a breakdown from 2015 (the most recent such report available at the time this white paper was published).

In the face of all of these threats and risks, why is security such an afterthought in so many industries? The simple truth is that, for many companies, security takes a back seat because of the perceived cost and time it adds to the product development cycle. However, neglecting design security comes with even greater costs in terms of lost revenue, brand reputation damage, and even personal harm. What’s more, software-based security approaches do not provide the strongest protection, as many are led to believe. Hardware-based security delivers a much more rock-solid methodology.

Cybercrimes Tracked By the FBI (Source: FBI)
$1,070,711,522 Losses Reported
$288,012 Complaints Received
$127,145 Complaints Reporting a Loss
$8,421 Average Dollar Loss for Complaints Reporting a Loss

Figure 2. Internet-facilitated crimes tracked by the FBI’s Internet Crime Complaint Center.

Even the Financial Industry Isn’t Foolproof

The heavily regulated financial industry is subject to various standards, including ISO 27000 series, which recommends best practices for information security management within the context of an overall information security management system; Standard Information Gathering Questionnaire (SIG), managed by the Shared Assessments Program, a third-party risk assessment organization; and the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard designed to reduce credit card fraud. Financial institutions that do not adopt these standards can face significant fines when breaches occur.

Despite these regulations, a 2016 Financial Industry Cybersecurity Report from SecurityScorecard[3] analyzed more than 7000 financial institutions on its platform and identified some alarming findings:

• 75% of the top 20 U.S. commercial banks were infected by malware
• Almost one out of five financial institutions use an email service provider with severe security vulnerabilities
• 95% of the top U.S. commercial banks received a network security grade of C or below

One noteworthy point is that PCI DSS relies on software-based security. For point-of-sales (POS) financial transactions, hardware-based security is a much more robust approach. The Payment Card Industry (PCI) Security Standards Council maintains, evolves, and promotes security standards for the industry worldwide. The council, founded by major payment products companies, is behind the PIN Transaction Security (PTS) standard, PCI-PTS, which provides for robust, hardware-based security controls for payment systems. These guidelines can help develop an approach to protect against tampering and other physical and data breaches.

Even though the industry has some deficiencies in this area, the cybersecurity report still ranks financial services as well as the information services, technology, and construction industries as top performers based on cybersecurity ratings. Bottom performers include the transportation, energy, non-profit, and food sectors.[4] Indeed, it’s disturbing that the financial industry—although highly regulated and inherently sensitive about its data—is still so vulnerable to attack. Even more worrisome is the fact that most industries do not have such standards to follow, so then it becomes incumbent upon designers themselves to consider security.

Smarter Devices Are Even Less Secure

There are a variety of other industries where security should be a key design consideration.

• Industrial is transitioning from previously isolated systems to fully networked systems that could expose equipment to remote attack
• Healthcare comes with privacy, data integrity, and patient safety issues should medical records or equipment and devices fall under attack
• Online banking is at risk because it’s hard to guarantee identity visually
• Retailers with mobile sales channels must ensure safe transactions and communications
• Communications requires end-to-end security to protect against a variety of attacks that could intercept data or bring down systems
• With connected cars, the automotive industry needs to guard against threats such as remote hacking (Remember when white-hat hackers remotely disabled a Jeep on a St. Louis highway in 2015?)
• Infrastructure such as the smart grid or other utilities need to be safeguarded against attacks that could disrupt cities or harm people

Obviously, in an industry like finance, there are clear

and communications capabilities are anticipated to number 20.8 billion by 2020, according to Gartner[5]. Often valuable data travels from these devices to the cloud and back—and can be intercepted at multiple points along the