People connections are fairly straight forward, we see them fairly well. But within each of the circles that represents a person there are 2-3 IoT connections (Today). One or two of those connections is by choice. One is by someone else and probably isn’t by choice. Its call BlueJacking, or seizing control of a device via Bluetooth connections. The thing is the number of connections is manageable today (headset, car phone, speaker phone, other devices) but it won’t be tomorrow.
Its going to get harder to harder to manage the CPS/IoT device connections with one-off security. Security focused on the user knowing what should, and what should not be connected to their device. Perhaps the change is as simple as anytime a device connects to your tablet or phone (or laptop) there is a forced yes I started this connection dialog box. Until that box is cleared the device remains in quarantine. While actively there, not actively connected to your device.
Who connects. What are the connecting. What will they do with that connection. Is there a risk for me. Did I setup the connection. When did I? All sorts of potential security components that could be used in setting up new connected devices (or connected bits). Easy security that wouldn’t require people relearn how things work. Complexity is the emend of security. Pushing good security down to users is a good thing. It allows the user to interact with the system in an intelligent way.
CPS/IoT security will require more human intervention than less in the short run. Why? The more compact the device the less inherent security it can have. I’ve talked about the need for CPS/IoT removable security to keep those devices up to date. I think however the reality of what’s next is we need short run local security on your device. It will reduce Blue jacking.
It won’t remove the risk of someone else seizing your device but it may allow a time limit to that seizure. Good phone hygiene perhaps. How often do you power off your phone?
That becomes the magic question. How often should you power off your device? I remember in the dawn of computing we had to have people power off often, so we could run the Novell Login Scrip’s on their machines. We moved to the world of group policies (which only apply when you log in). The next interaction has to be, when network resources are launched and GP is new, they GP has to be applied before you can use the resource. People often don’t power off their devices enough.
Good security comes from good decisions. It comes from powering off that device from time to time. At least once a week. Then given that we prompt for every connection to that device we will increase security. Tomorrow, there will be far too many connections to be remembered if we are not careful. If you block a connection you need later, you can always read it.
Time to go back to the past. Reboot your computer. Power off your devices at least once a week. At the very least you will have a little time away from technology to reflect and listen to the world around you.