Aditya Balapure, Team Lead, Information Security at Grubhub.
In the course of the Security of Things World USA, we.CONECT spoke with speaker Aditya Balapure, Team Lead, Information Security at Grubhub. He shared his expertise on the issue of lack of security in IoT devices as well as the pillars of a successful security strategy.
Grubhub is the nation’s leading online and mobile food ordering company. The company’s online and mobile ordering platforms allow diners to order from more than 80,000 takeout restaurants in over 1,600 U.S. cities and London. The Grubhub portfolio of brands includes Grubhub, Seamless, Eat24, AllMenus and MenuPages and has offices in Chicago, New York and London.
Aditya Balapure: In today’s world, most technology devices created are fully connected in order to enhance user experience and unleash the power of the world wide web. However, with that, security can be challenging to achieve. Most device manufacturers focus on engagement, user experience, and product features; security oftentimes comes at an additional cost. As an industry we are moving closer to enablement of technology and automation, and IoT plays a key role in that space whether it comes to automotive, home, office etc.
Lack of security with IoT devices could potentially be a big problem as people develop a growing concern towards how companies handle data privacy and security overall. The last few years have been really important from a consumer standpoint where more and more privacy issues and data breaches have come to light, impacting the public image of companies and their financial numbers. In 2018 alone, a number of issues came across home automation solutions where devices allowed unauthorized data sharing, ultimately revealing private conversations and granular location data. As you can imagine, this is a huge issue among consumers. More cryptocurrency malware and exploits are also being targeted towards IoT devices since user detection on these is difficult, and they can be armed to attack in a distributed denial of service scenario or for profit. This is just the beginning, and as user dependency on these IoT devices increases, so will the risk and various attack vectors.
Aditya Balapure: The three pillars of a successful security strategy have always been People, Process, and Technology, whether it be the super computers or IoT devices. It’s imperative that device manufacturing and development companies start with the basics and integrate security as a value proposition in their product development. While it does come at an additional cost, if you take into consideration the overall impact that comes with the lack of security – financial, regulatory hearings, fines, you name it – it’s worth it. In the end, it’s a much easier financial win for the team to do things the right way from the start rather than to reactively handle should something go wrong.
Additionally, education and awareness on password best practices and patching is very important. The best way to get this done is by simply embedding these best practices from the device setup stages. Based on metrics, it’s been found that a few of the most common ways IoT devices are hacked are due to weak passwords and unpatched firmware – essentially what is taught in the basic security 101 class. Companies need to improve the process, making it compulsory to set strong passwords on initial device setup and making sure default credentials are no longer enabled. Additionally, there needs to be a proper channel for updating/patching the firmware; a good timeframe for that could be when user interaction is least (since the device usually has activity data).
Universal device identity, encryption in transit, and possible identity revocation during exposure could be incredibly valuable to the overall security. Improving privacy policies and making them more transparent and understandable for a normal user, clearly identifying data sharing and collection, can be an impactful step. Along with better technology, companies need to think of defence in-depth strategies to enhance and improve the overall maturity of their product.
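The setup-stage controls described in this answer (refusing factory default credentials, requiring a strong password before the device accepts any login) can be expressed as a small first-boot policy. The following is an added illustrative example written for this page, not code from Grubhub or from the speaker; the factory-default list, the common-password denylist, the minimum length and the PBKDF2 parameters are constructed assumptions standing in for whatever a real product would load from its firmware.

```python
"""First-boot credential policy for an IoT device (illustrative, added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed set of factory default credentials that setup must refuse.
# Assumption: a real product would load its own defaults from firmware.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "1234"),
}

# Constructed, deliberately tiny denylist of commonly chosen passwords.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "iloveyou"}

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 200_000  # assumed work factor


def check_initial_password(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if (username, password) in FACTORY_DEFAULTS:
        problems.append("factory default credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device stores only salt and digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class DeviceState:
    """Persistent state: no credential exists until setup has completed."""
    setup_complete: bool = False
    username: str = ""
    salt: bytes = b""
    digest: bytes = b""


def complete_setup(state: DeviceState, username: str, password: str) -> Tuple[bool, List[str]]:
    """The only way to leave the setup state; a default credential is never stored."""
    problems = check_initial_password(username, password)
    if problems:
        return False, problems
    state.username = username
    state.salt, state.digest = hash_password(password)
    state.setup_complete = True
    return True, []


def authenticate(state: DeviceState, username: str, password: str) -> bool:
    """Deny every login until setup is complete, so factory defaults never work."""
    if not state.setup_complete:
        return False
    user_ok = hmac.compare_digest(state.username.encode(), username.encode())
    return user_ok and verify_password(password, state.salt, state.digest)


if __name__ == "__main__":
    device = DeviceState()
    print("default login before setup:", authenticate(device, "admin", "admin"))
    print("setup with default:", complete_setup(device, "admin", "admin"))
    print("setup with strong password:", complete_setup(device, "alice", "correct horse battery staple"))
    print("login after setup:", authenticate(device, "alice", "correct horse battery staple"))
```

The point of the structure is that `authenticate` has no code path that accepts a credential before `complete_setup` has succeeded, and `complete_setup` cannot succeed with a factory default, so "default credentials are no longer enabled" is a property of the state machine rather than a checkbox the user might skip.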
Aditya Balapure: I personally feel it’s all about the mindset – companies need to start thinking about security not as a special feature or an additional cost, but as an ingrained part of product development. Teams should be staffed with security specialists, and product managers need to work with them from the requirements-gathering, design, and development phases for end-to-end product development and testing.
Aditya Balapure: Most importantly, developing a security mindset within companies should start with their employees by building a security culture and overall awareness among each team. This includes employee trainings, sharing publicly available data on incidents, and the overall impact of those incidents for users; all of this is helpful for an organization to help employees understand the importance of security in the overall product lifecycle.
Aditya Balapure: Standards will always play a major role in setting a baseline of what is considered an acceptable best practice in order to manage security on IoT devices. An important point to keep in mind is how these best practices are consumed. Oftentimes, difficult to understand and complex standards are hard to maintain and do not clearly help users understand how much needs to be done – and why. I also often see that standards are way too broad without any implementation guidelines or examples to actually support those, which makes implementation and enforcement even harder.
Aditya Balapure: As mentioned before, security must be considered as an integral part of product development from the beginning, hence everyone involved in that process is ultimately responsible. From a leadership standpoint, yes the business owns the risk, but it eventually trickles down to everyone doing their part to create a secure end-product for the customer.
Aditya Balapure: It was exciting to have the opportunity to speak this year at Security of Things World in San Diego! Those who attended would have ideally taken away thoughts and learnings on new modern authentication attack techniques prevalent on web infrastructure: how hackers have been utilizing data breaches for fun and profit, how attack techniques have changed from the more traditional ones to a multi-layered approach, and how IoT devices play a role in targeting web authentication.
Aditya Balapure: I was looking forward to connecting with other industry experts on their thoughts and opinions on current IoT security standards and the disconnect from an implementation standpoint. As an industry we seem to be progressing very fast in pushing newer products that both enrich the user experience and connect the world, but we need to figure out what strategies we can build to market security as a product offering in this hyper growth. I’m curious to understand what steps are being taken by regulatory bodies and government organizations to track security lapses across device manufacturers to prevent risk to sensitive user data.