CableLabs: Network Security Both Promising, Challenging

By Monta Monaco Hernon - The future of network security looks "promising," while at the same time it will remain "challenging," said Steve ...

CableLabs: Network Security Both Promsing, Challenging
CableLabs: Network Security Both Promsing, Challenging

The future of network security looks "promising," while at the same time it will remain "challenging," said Steve Goeringer, principal security architect at CableLabs.

Sound contradictory? It is a little bit, but really it is an acknowledgement that security always has been and will continue to be a cat and mouse game, of sorts. Network value will continue to grow and new use cases developed. At the same time, there will continue to be attempts to subvert the network for malicious purposes.

"Network operators will continue to perform business in an adversarial environment," Goeringer said.

The promising part comes from the fact that security technology is improving while decreasing in cost and the personal motivation and business case for stronger network security are increasing. For starters, advancements have been made in personal identification and software and hardware validation particularly in the financial and medical industries, which have gotten more creative with tools like thumbprint biometrics and wrist bands.

"A really good example is the magic bands Disney uses for payment at its parks. They are very easy to use and are a pretty high security mechanism. They make things easy. I look at these solutions and wonder in what ways they can be adopted for identity management in the future," Goeringer said.

From the broadband perspective, Goeringer says the industry has done a good job of putting certificates into set-top boxes and cable modems so that it knows "to a relatively high degree" that the connected device is the expected device.

"DOCSIS is a really secure broadband infrastructure. It has sophisticated tools that governments should be envious of," Goeringer added.

There also is an increasing ability to tie the concept of a trusted infrastructure with strong identity mechanisms into access point. Knowing a connected device is connected through a particular access point provides a strong knowledge as to where the device is. This provides a second check on top of the security certificates.

"It is becoming increasingly important to identify the box and the device and the person using it," said Mike Glenn, director of global cybersecurity initiatives at CableLabs.

One of the largest problems from a content distribution perspective is users sharing their account credentials. If the customer isn't who he or she is supposed to be, money is lost. Biometrics could come into play here as well.

But not only is the technology improving; the other component to Goeringer's theory is personal motivation. In the past, breaches might mean a credit card number is stolen and used, for example, but the consumer is not held responsible so there is no personal stake. This is changing, however, especially with the advent of the Internet of Things (IoT).

"The cable industry has a vetted industry. They have to deal with the problems of malicious activity generated from IoT devices on the network," Glenn said. Current predictions are 20 billion devices connected by 2020.

"If a substantial portion is sending spam, that will be problematic," Glenn said. Spam or denial of service attacks use up bandwidth, which harms the customer experience.

Highly connected smart homes also mean more personal attacks, using video to see in a specific home or changing the thermostat as an excuse to gain physical access. "Because of the consequences, people are concerned with making sure things are done right and well - that the experience we design is what it was intended to be," Goeringer said.

One idea in the works is to organize the home into trust domains like in a business environment. The home could recognize the relative security of devices and create domains so the less secure ones can't be used for an attack.

"What we are trying to get across is that security can be a business driver to improve the customer experience for the end user," Glenn said.

More in CPE