Cloud security will worsen with 'Internet of Everything'

As the "Internet of Everything" becomes increasingly pervasive, more information about individuals will be collected and analyzed, giving cybercriminals even more to work with.
Written by Eileen Yu, Senior Contributing Editor

If the iCloud data leak this week wasn't enough to scare you silly, a future where even a toaster could cause physical harm might. 

As the "Internet of Everything" takes shape and becomes increasingly pervasive, more information about individuals is being collected and analyzed, offering cybercriminals more to work with when they've identified their victims. This was the scenario painted by delegates at the CloudSec Congress 2014 conference Wednesday in Singapore, who urged the security industry and government agencies to catch up to this new era of connectivity before it's too late.

They referred to the Internet of Everything as an extension of the Internet of Things (IoT), where smart devices, personal clouds, wearable technology, big data, and networking are all interconnected via the internet.

As more and more IoT devices connect to the cloud, more information about an individual can be gleaned by hacking the cloud, said Raimund Genes, CTO of Trend Micro, which hosted the conference. For instance, when the "smart thermostat", "smart heating" appliance, and "smart lights" in a house aren't turned on, hackers can deduce that no one is home and enter the premises.

During his keynote address, Genes noted that consumers want to automate as much as possible, and while this means an improved lifestyle, it also paves the way for cybercriminals to target homes.

The industry is starting to witness a rise in cloud-mounted attacks, where hackers no longer need to run bots or zombies or wait for malware to hijack machines, said another speaker, Bob Flores, a former CTO of the Central Intelligence Agency (CIA) in the U.S. who currently runs his own IT security consulting firm, Applicology.

During his speech, titled "Is your toaster an insider threat" in reference to 1998 research by the Terrorism Research Center, Flores highlighted five driving factors that are changing the threat landscape today: age of compute; age of participation; age of data; age of mobility; and age of surveillance.

He noted that society was computing at much greater volume than before, and participating at high levels through social media platforms. Individuals are more connected via mobile devices, and far more data is being collected and analyzed today than ever before to support marketing and customer service efforts, while movements are being monitored and analyzed in real time for surveillance purposes.

He noted that businesses now want to aggregate data to elevate their sales or marketing efforts, and this creates pressure to make more data public and usable. More of what consumers do will be legally discoverable, whether from requests by companies, a concerned family member or the government. Because such data will be tagged to an individual, anything that individual does will be known and his "trail" always updated and "hot". 

"But there is no age of security," Flores said, adding that security remains an afterthought in most business models and is typically bolted on after the fact. 

Stressing that the security risks associated with IoT were real, he pointed to a group of researchers who demonstrated how they were able to hack into two cars and remotely lock the brakes and windows, and shut down the engine.

Genes noted that the risk of a security breach is further heightened with the different operating systems and firmware that run on the multiple IoT devices. "Good luck patching your router as well as the light bulb," he said. "The device vendor might simply copy-and-paste...[and] not care about your privacy, [especially] in this IoT era where time to market is key."

He added that consumers would have no choice but to trust the vendor to fulfil its role in good faith as well as know how best to protect their data. However, this may not always be the case, the CTO said, pointing to the fresh round of security breaches that emerged just this week, including Home Depot and Apple iCloud.

"In a world of increasing automation, more things are being known about you. Your toaster [could] know a lot about you. In short order, it may form opinions. Perhaps open a Yelp account about you," Flores quipped, as he personified a toaster that could turn against its human owner. "Your toaster could get upset if you used the waffle machine instead. In short, it can be exploited."

To mitigate the increasing risks, he recommended that companies adopt a centralized IT management strategy with strong data governance controls.

Genes urged governments to step up and establish minimum standards for IT security, as they do in the automotive and aviation industries, where new car models and airplanes must pass safety tests before they're allowed on the road and in the air.

"I believe IoT is moving so fast that the government needs to wake up, because if you rely on the manufacturers to work on security [without governance], we will wake up and it will be too late," he said. "Where are the regulations to ensure the Internet of Everything does not become the Internet of Evil?"
