Ben's Book of the Month: Review of "If It's Smart, It's Vulnerable"

Posted on by Ben Rothke

In the classic UPS commercial Consultants, two consultants suggest an innovative idea to their client. When the client says he wants to move forward, they sheepishly reply that they cannot actually do the work, as they are consultants. The humor is in the truth of the fact that too many technology consultants can offer high-level strategic advice, but often do not have a clue how to do things in the real world. 


In the domain of information security, however, Mikko Hyppönen is a person who has his hands not just on the pulse of information security but also has been deep in the information security trenches for decades, which he writes about in If It's Smart, It's Vulnerable (Wiley).


Hyppönen is the chief research officer at F-Secure, a Helsinki-based security and privacy firm. The book's title is based on an observation Hyppönen made some years ago. "If it's smart, it's vulnerable,” has since been called Hyppönen's Law.


From a strictly pedantic perspective, Hyppönen's law, like Moore's law, is, in fact, an observation, not a law. But I digress. 


Anyone who regularly reads RISKS Digest or Bruce Schneier's Crypto-Gram will tell you that in the rush to connect everything, from our home appliances to medical devices in our bodies, security and privacy are often either forgotten or bolted in after the fact. Trying to secure devices after deploying them is often a fruitless endeavor. 


Much of the book is about the problems of connectivity without security, but Hyppönen is no Luddite. He writes of the life-changing benefits that the Internet has brought to the world. However, with all those benefits, he cautions against diving into them blindly. 


The most extraordinary story in the book is where he details his trip to Lahore, Pakistan, to meet the brothers Amjad and Basit Alvi, creators of the Brain computer virus. Released in 1986, it was the first virus to attack IBM-based personal computers. It was easy for Hyppönen to track down the brothers, as the virus code had their names and contact information in it. 


As the first virus, Brain was not destructive. That changed in the following years with destructive viruses such as SlammerCode RedMelissa, and many more. The good news, though, is that we have pretty much won the war on worms and viruses. Though worms and viruses are largely a thing of the past, the threats have gotten worse. Online attacks, credential stealing, and more are very serious and malicious threats that do not seem to be going away anytime soon. 


Much of the book details the security issues of smart and IoT devices. Hyppönen writes that poorly built IoT devices are the asbestos of the Internet. And if your device is smart, it is vulnerable. 


As highly technical as he is, Hyppönen writes in a straightforward and jargon-free manner. While he is no Chicken Little, he does not minimize the many security and privacy risks we face now and will continue to face as more smart devices are deployed. 


It is very easy to be (and too many people are) pessimistic about Internet security. Hyppönen concludes with the notion that it is too late to be pessimistic. The Internet has transformed from a cheerful and fascinating technological novelty into an everyday mundanity. He loves the Internet and cannot wait to witness its next revolution. 


Hyppönen has seen a lot in his more than 30-year career in information security. There is much to learn from what he shares and has witnessed. He is a great writer, and if you are smart, you will read this book.

Ben Rothke

Senior Information Security Manager, Tapad

Mobile & IoT Security

mobile security unmanaged devices endpoint detection visibility & response email security exploit of vulnerability innovation Internet of Things mobile device security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs