It doesn’t seem that a week goes by without some new device or application being discovered vulnerable – from IoT devices to big enterprise applications, proclaimed Andrew Hay, CISO at DataGravity, during a recent presentation at the MISC security conference.
In his talk, MISC 2016: Bootstrapping A Security Research Project, Hay said that anyone can perform security research – and it’s often not the technical details of the research itself that is the challenge for would-be researchers. It’s deciding on what to research and how to get going on that work, and knowing when it’s complete.
Security research isn’t only fun, it provides a way to potentially discover new things, or even help put misconceptions to rest, help improve the security of a software application or device, and raise security awareness. But, as Hay made clear during his talk, there’s more to consider and lot more work to be done than running a fuzzer against an app, and that there are important choices to be made before diving in.
Hay laid out everything anyone who would be interested in trying their hand at security research would need to know before they get started. Hay would know, recently he and his partner saw the release of the high tech Hello Barbie Doll as a catalyst for research and published Hello Barbie App, Hello Security Issues Security Risks Discovered with Mattel Hello Barbie Demonstrates Internet of Things Security Concerns research just before Christmas.
“I knew kids were going to be playing with this, and I wondered what type of information was going to be stored in the cloud infrastructure,” said Hay. “How intrusive was this toy going to be on child's privacy or a parent’s privacy?” said Hay.
That’s the key to picking a research subject: knowing what questions you want answered, and could you gain access to the data you’d need to try to answer that question, and if you could find the answer how would you use the answer? “With the Hello Barbie Doll, for example, I wanted to know what type of information could be stored in cloud infrastructure that may be detrimental to the privacy of a child or a parent. I don't have kids, so it wasn’t a big concern for me, but I did think this would be interesting from a research perspective,” said Hay.
Hay cited six types of questions security researchers can use to approach their subject:
Descriptive: A question that seeks to summarize a characteristic of a set of data.
Exploratory: A question in which you analyze the data to see if there are patterns, trends, or relationships between variables.
Inferential: restatement of proposed hypothesis as a question and would be an and would be answered by analyzing a different set of data.
Predictive: You are less interested in what causes an outcome, just what predicts whether an outcome will occur.
Causal: asks about whether changing one factor will change another factor, on average, in a population.
Mechanistic: the fundamental processes involved in or responsible for an action, reaction or other natural phenomenon.
Where to get research ideas? Hay listed five areas in tech: circuitry (how the schematics and hardware code make it work), hardware, the platform (the combined operating system and compute platform of the device and its hosting provider), software (the UI/UX and backend software required to make the device operable) and the network communications involved between the device and its control/management software. Hay listed them from his perspective of most difficult to easiest.
“This is very subjective, and other’s mileage may vary,” says Hay, who came from a strong networking background, so studying packet capture and network flows and what’s happening from a packet level is easy for him, and the type of research he’s drawn to. Others may appreciate straight application security, still others may favor wireless and RF.
Because of the diversity of skills needed for many research efforts, it often makes sense to form teams, he advised. One person may know hardware, another networking, and another application security, for instance. “For me, the network level is easy. You can look and see what is going on. Is it encrypted or not, how often does the device talk. Is it phoning home somewhere evil? However, with software there is a lot of intricacies that you can pick through and get really good information. This would be the operating system or even the hosting provider if we're talking about software or platform-as-a-service,” said Hay.
There are practicalities one must consider when choosing an area of research, too. If one wants to research hardware, they’re going to need space for the tools, such as an oscilloscope and digital multimeter, you'd probably need room for a dedicated work area. If there’s no space, or ready access to such space, that kind of lab may not be practical. “It’s not going to work in my two-bedroom apartment so I'm going to stay away from hardware for a while, but there is a lot of really cool stuff that you can do when you have the right equipment,” Hay said.
One of the most important things to understand when conducting research is knowing when one is done. Whether it’s researching in an IoT device, an enterprise app, a consumer app, security software, or whatever, Hay sees four reasons to stop researching: There’s a hard time restraint, or there’s the diminished relevancy to going forward, such as maybe someone will go to market with you with their research that completely blows yours out of the water; or you have successfully answered the question posed in your research, or you actually failed to answer the question or to prove your hypothesis.
While many think that failing to answer the question or prove the original hypothesis isn’t a “failure,” it’s actually a success. “Disproving a hypothesis is successful, scientifically that’s valid. It may not be the ideal outcome but it’s still successful,” said Hay. Which brings up: what is successful research? “Was some measure of knowledge created? Can you do something, or make new decisions as a result of the research? Have you created a report, presentation and application script to either fix, refute or prove your hypothesis,” asked Hay.
If so, your research is a success.
Of course you are going to need to tell the world of your research and reveal your data. That’s something every researcher must be prepared for. “This is really a pipeline model for what should do once you have the data, “You measure it, you analyze it, you create code to reproduce it, you create your presentation code. You take the information that you get, and you can summarize it in a paper, article or in a blog post. Blogs are a very quick way to get the message out,” said Hay.
Finally, be prepared to defend your data. Your findings are going to be challenged, and possibly vigorously so, said Hay. “You have to be able to take that. You have to have very thick skin if you want to defend your data or challenge someone else's research. There will be people that will come at you and say that you are wrong,” said Hay.