Peter Thermos, Founder and CTO
It is evident that the unceasing advancement of new technologies (e.g., IoT, 5G, Cloud Computing, Blockchains, AI) has enhanced human evolution and also introduced new business opportunities for organizations. These emerging technologies are vulnerable to inherent issues in design, code and application environment context. These new emerging threats can be exploited by malicious actors to carry out attacks that are not well understood by current cybersecurity defences, including gaining access to personal data, disrupting communications and operations, conducting fraudulent activities or even influencing the social or political climate. Consequently, the number of cyberattacks and breaches has become overwhelming in recent years. These breaches underline a common misconception that new technologies are assumed to be secure by design.
That is where organizations need to augment their strategic risk management approach to not only secure their existing infrastructure but also include due diligence for emerging technologies. Organizations need an effective risk management framework that can support their regulatory requirements and leverage appropriate security standards to protect organizational assets, resources, services, and most importantly, customers. Developing such a framework, however, requires keen insight and experience with implementing new technologies securely, which often becomes labor- and time-intensive. Palindrome Technologies, a cybersecurity research and consulting firm, is uniquely positioned to help organizations overcome these limitations and integrate emerging technologies securely and successfully.
“Our prime directive has been to anticipate threats and vulnerabilities inherent in emerging technologies and help organizations strengthen their security posture and operate with confidence,” indicates Peter Thermos, founder and CTO of Palindrome. Palindrome has been working with some of the largest technology companies worldwide in securing emerging technologies ranging from country-wide M2M deployments, 5G networks, Smart Cities, Edge Computing, Identity Blockchain Networks, among others. Their success in securing emerging technologies rests on a framework that has evolved over several years and been tailored to overcome challenges in securing complex environments, including the global enterprise and carrier-grade networks. The framework encompasses all dimensions that comprise a target environment, ranging from low-level hardware security to the signaling and service layers.
Since its inception, the prime objective of the company has been to anticipate threats and vulnerabilities inherent in emerging technologies and assist organizations in strengthening their security posture. “We aid businesses in adopting next-generation technologies securely, including cloud computing, 5G, embedded SIM (eSIM), IoT, blockchain, data mobility, software-defined infrastructure, and autonomic computing,” highlights Thermos.
Proactive Assessment of Zero-Day Vulnerabilities
One significant challenge that CIOs struggle with is working with the right vulnerability management provider, one that has proven experience and a strong track record in securing emerging technologies. Most product or solution providers that offer vulnerability management use monolithic approaches that represent a narrow view of a technology’s security posture. Typically, vendors that provide an automated vulnerability management tool focus on “scanning” a host and reporting known vulnerabilities.
Although this approach offers some insight into the potential vulnerabilities associated with a target, it does not take into consideration the environment context (functionality) associated with the target. Such narrow vision lacks a global view of the environment, ignoring critical areas such as provisioning, administration, management, network APIs, and signaling/control or media protocols that are being used to support the corresponding service or application.
A customer recently exclaimed that their company’s reputation is directly linked to the foundation of their product’s security, and that this is the reason for leveraging Palindrome’s expertise throughout its lifecycle!
“Moreover, even though organizations identify hundreds of vulnerabilities through assessments, they do not have the means to prioritize effectively for remediation, thus allocating resources on remediation efforts that yield poor dividends,” states Thermos. Not all vulnerabilities are equal. In some instances, there may be vulnerabilities that require several pre-conditions to be exploited (e.g., network configuration, access level, software configuration) and can be remediated at a later time. In other instances, certain vulnerabilities may require escalation and thus require immediate attention. Therefore, it is necessary to incorporate additional heuristics such as industry standards, security requirements, policies, degree of exploitability and threat intelligence, to prioritize effectively and improve remediation efforts, overall cost and resource use.
In addition to vulnerability prioritization models, Palindrome implements a distinct security analysis methodology that is based on a multi-dimensional framework driven by both “deterministic” and “nondeterministic” models. These models leverage proprietary tools, industry standards (e.g., NIST, GSMA, ITU, PCI, CTIA, OWASP, 3GPP), and experience from evaluating both global enterprise and carrier-grade networks. The ‘deterministic’ model aims to establish a baseline of the ToE’s (Target of Evaluation’s) ability to enforce the designed security controls against known attacks and vulnerabilities. The nondeterministic model seeks to explore novel attack vectors and identify zero-day vulnerabilities associated with the ToE’s implementation. These models are modular in design and can be integrated with existing DevSecOps pipelines to enhance the ToE’s security posture continuously. Furthermore, “implementing a strong security assurance program is essential in maintaining an organization’s security posture that not only minimizes or eliminates the impact of existing threats but also aids in managing emerging threats,” states Thermos.
When Action Speaks Louder
With expertise and extensive experience in the security landscape, Palindrome is recognized as a leading company in helping organizations proactively embed security in emerging technologies. Thermos shares the story of one such project where the client was deploying its flagship service that included a sensor to monitor the environmental attributes of a cell site. The device was connected to a cellular 4G network and provided Wi-Fi and Bluetooth access to field engineers for troubleshooting. As part of Palindrome’s security analysis approach, the company evaluated the device holistically, including its configuration, provisioning, and administrative controls, and carried out an end-to-end signaling protocol analysis. This multidimensional approach minimized the attack surface and, along with platform test coverage, provided the organization and, ultimately, their customers with a higher level of confidence.
Similar assurance projects in recent months included the evaluation of technologies and services that support smart cities and the power grid, and assistance to telecommunication providers in securing 5G deployments. This effort requires working with multiple product vendors and evaluating end-to-end controls, from SIM cards to devices (e.g., subscriber devices, network extenders) to core network elements (i.e., gNB, MME, HSS) and provisioning systems. The security analysis includes, but is not limited to, hardware, software, management, network APIs and signaling protocols. “Primarily, Palindrome’s success and differentiation are driven by client requirements and their trust in our prowess,” comments Thermos.
Looking at the impact Palindrome has had on billions of ‘netizens’ over the years, many businesses today rely on the company to gain insights into new technologies and anticipate the possible transformation of their operations and infrastructure. The reliance of organizations on Palindrome as a trusted advisor has the company looking forward to expanding its team and opening branch offices in new locations. “The differentiating attributes in our strategy include our people’s obsession with helping secure organizations, our proven experience with evaluating emerging technologies (such as 5G, IoT, V2X, Smart Cities, SDN/NFV, among others), conducting applied research and collaborating with academic institutions along with active participation in key standards bodies (i.e., CTIA, IEEE, IETF, GSMA-3GPP),” highlights Thermos.
Assurance, Trust, and Confidence: The Three Pillars of Success
Palindrome’s approach to securing emerging technologies focuses on the process. To support its clients’ tactical and strategic objectives, the company abides by three core pillars that focus on ‘imparting assurance’, ‘instilling trust’, and ‘inspiring confidence’ to protect brands and their infrastructure assets. “We recognize the fact that we are also consumers of the many technologies that we are helping secure. As such, we take personal accountability and dedication in helping secure these technologies as if our families and loved ones are using them. These ethics are embedded in our company’s fabric which also resonates in our client’s confidence to work with us!” Thermos exclaims.
Palindrome’s service portfolio comprises three core service lines: security research and analysis of emerging technologies; service provider security assurance (telecommunication carriers, energy, financial, and healthcare service providers); and enterprise security advisory services, which include risk governance, security audits, vulnerability and threat management assessments, due diligence assessments of third-party technology vendors, and security risk management for mergers and acquisitions (M&A). Additionally, in order to ensure the quality of the technical processes and procedures used in the security assurance testing framework, Palindrome maintains an ISO/IEC 17025 testing laboratory accreditation along with being recognized as a GSMA IoT Security Testing Lab and a CTIA Authorized Test Lab (CATL) for IoT Cybersecurity Certification. The company’s applied research focuses on secure system design for security, reliability, performance, and scalability of emerging technologies that will have a transformational societal impact in the coming decade. Palindrome also collaborates with academic research labs such as the Internet Real-Time (IRT) Lab at Columbia University and the Centre for Security, Reliability, and Trust (SnT) at the University of Luxembourg, along with critical industrial standards bodies (CTIA, IEEE, IETF, GSMA-3GPP). These collaborations drive open discussions and contributions and anticipate potential threats and vulnerabilities. “The coming 12 months hold an exciting path ahead as we strive to be recognized as the leading trusted advisor for securing emerging technologies worldwide,” concludes Thermos.