Cybersecurity in an IoT and mobile world: The key trends
As ever more mobile and IoT devices connect to the internet, the potential for damaging cyberattacks can only increase. How can organisations begin to get the upper hand over the burgeoning cast of 'bad actors'?
The tech world tends to proceed from one era to another in a roughly 10-15 year cycle. So we had the PC era from the 1980s to the mid-1990s, followed by the internet and world-wide web era, and then the post-2007 (iPhone) mobile era. Today's tech world is dominated by mobile, social networks, the cloud, analytics (including AI and ML) and, increasingly, the Internet of Things (IoT). Going forward, these technologies are likely to coalesce into an AR/VR-mediated 'ambient' era, after which we're probably looking at the incorporation of nanotechnology into human bodies and brains (the 'cyborg' era?).
As each new technology appears, manufacturers and service providers rush to bring products to market, often without due consideration for security. Inevitably, 'bad actors' -- including low-level hackers, organised criminals, 'hacktivists' and nation states -- exploit the resulting vulnerabilities, stealing or compromising data, denying access to services or causing other kinds of cyber-mayhem. In due course, the tech industry gets its security act together in areas such as threat intelligence, firewalling, endpoint protection, intrusion detection, incident response, network and application architecture, best practices and user education. Governments may also weigh in with laws and regulations, and the insurance industry picks up the pieces. Eventually, some sort of order is restored.
But cybersecurity remains, and will probably always remain, an arms race -- especially in the early stages of an innovation cycle.
So what's the state of play today, and what's in store down the line?
Warnings and incidents
Cybersecurity incidents regularly hit the headlines, the WannaCry ransomware outbreak in mid-May being a particularly high-profile example. It says a lot about the current state of cybersecurity that the escalation of ransomware had been widely predicted, that the crude but effective WannaCry attack could easily have been defended, and that the perpetrators -- despite the attentions of multiple security firms and government agencies -- remain undiscovered (at the time of writing).
Talking of predictions, at the start of the year ZDNet's sister site Tech Pro Research examined 345 cybersecurity predictions for 2017 from 49 organisations, assigning them among 39 emergent categories. Here's the ranking of topics that cybersecurity experts were worried about six months ago:
The chart shows that 'Ransomware evolution & escalation' took fourth place, behind 'IoT security (business & consumer)', 'Security automation & orchestration' and 'Malware & bad actor evolution', while 'Mobile security' came in eighth and the 'Industrial IoT & critical infrastructure' made a separate appearance in tenth place. There's little sense here that the 'good guys' are getting the upper hand, although the prominence of predictions around behavioural analytics, threat intelligence, machine learning and artificial intelligence as weapons in the cybersecurity armoury may point the way forward. (Having said that, such tools can just as easily be employed by the 'bad guys'.)
Phishing emails have also been suggested, but not confirmed
EternalBlue, an SMBv1 exploit, allows the malware to spread to vulnerable Windows PCs both on a local network and over the internet. The malware also exploits DoublePulsar, a backdoor implant tool, installing it if not already present
EternalBlue was developed by the NSA, then stolen and made public by the Shadow Brokers; it was patched for supported OSs on 14 March by MS17-010 and an emergency patch for out-of-support OSs (including Windows XP) was issued on 12 May. DoublePulsar is another stolen-and-released NSA exploit
WannaCry initially queried an unregistered domain, installation being aborted if the connection was successful
The domain query, possibly an anti-sandbox-analysis feature, was used as a 'kill switch' by security researcher @MalwareTech to slow the spread of the initial release of the malware
Command & control (C2)
The malware uses encrypted Tor channels for C2 communications
WannaCry encrypts 176 file types, demanding around US$300 in bitcoins within 3 days or $600 within 7 days, after which "you won't be able to recover your files forever"
Over 230,000 PCs were infected in more than 150 countries. As of 25 May 2017, 302 payments amounting to $126,742 had been transferred to 3 bitcoin wallets
Key points to note are that: the NSA had stockpiled known vulnerabilities for potential espionage use, but these had (inevitably) escaped into the wild; a patch for the EternalBlue SMBv1 exploit was available for currently-supported Windows systems, but many organisations had failed to apply it, rendering unpatched PCs (mostly running Windows 7) vulnerable to WannaCry (and other malware using the same exploit); many organisations were still using internet-connected PCs running Windows XP, and other out-of-support OSs, for which no patch was available (until Microsoft hurriedly rectified the situation); affected organisations without adequate backup and disaster recovery systems suffered serious disruption and associated costs; the (so far unknown) perpetrators have not amassed great bitcoin riches, casting some doubt over their expertise and motives.
Although the IoT was not explicitly targeted by the WannaCry attack, many connected devices -- particularly in healthcare organisations -- run ageing or embedded operating systems that may easily be overlooked in IT managers' patching and updating regimes. The fact that devices running embedded OSs rarely store valuable data, and that vital equipment such as MRI scanners might need to be taken offline for a period as patches or updates are applied, only increases the likelihood of an "if it ain't broke, don't fix it" attitude. But even if neither data nor critical functionality are compromised, the appearance of an "Ooops, your files have been encrypted" message on a public information display, for example, does nothing for an organisation's reputation:
The biggest IoT-related cybersecurity story of 2016 was the havoc created by the Mirai malware, which recruits vulnerable Linux-based IoT devices -- including broadband routers, printers, webcams, CCTV cameras and digital video recorders -- into 'botnets' that deliver DDoS attacks.
Mirai specifically targets systems running BusyBox, a set of software tools commonly used on Linux-based consumer IoT equipment. Infected devices scan for open Telnet ports and attempt to login using a list of factory-default credentials (including the notorious 'admin/admin' username/password combo). These credentials are sent to a report server that controls the loading of the malware on the new victim device, which can then participate in DDoS attacks under the control of the C2 (command and control) server -- and also help to further swell the botnet's ranks:
"If our analysis of Q1 tells us anything, it's that risks to the Internet and to targeted industry sectors remain and continue to evolve" said the report's senior editor Martin McKeay in a statement. "Use cases for botnets like Mirai have continued to advance and change, with attackers increasingly integrating Internet of Things vulnerabilities into the fabric of DDoS botnets and malware," he added.
Notwithstanding the high-profile, high-bandwidth Mirai attacks, Akamai's report noted that the median DDoS attack size fell from 3.9Gbps in January 2015 to 520Mbps by the end of March 2017 -- partly due to growth in the number of lower-bandwidth attacks:
Akamai also noted that if enterprises wish to defend themselves against 95 percent of current DDoS attacks, they will need to be able to cope with attacks of 5Gbps or more, and that "DDoS attacks generating more than 100Gbps of traffic are common enough to be a concern".
What the surveys say
The Ponemon Institute's 2017 Study on Mobile and IoT Application Security, sponsored by IBM and Arxan Technologies, canvassed 593 IT and IT security practitioners who use and/or create mobile apps and IoT devices. More than half (58%) of respondents were at or above supervisory level, with 54 percent reporting to the CIO and 18 percent to the CISO. Financial services (18%) was the largest sector, followed by health & pharmaceuticals (11%), public sector (10%) and services (10%). More than half (58%) of the organisations represented had a worldwide headcount of over 1,000 employees.
The survey revealed a worrying "laissez faire attitude toward the security of mobile and IoT applications", according to Mandeep Khera, Arxan's CMO. While data breaches via insecure mobile and IoT apps had affected 60 percent and 46 percent of respondents respectively, and over half (53% and 58%) were 'concerned' or 'very concerned' about being hacked via these apps, only 32 percent and 42 percent of organisations considered it urgent to secure their mobile and IoT apps respectively.
The survey highlighted a couple of reasons for these discrepancies. First, security professionals (CSO/CISO) were not primarily responsible for the security of mobile and IoT apps -- only in 15 percent and 5 percent of cases respectively was this the case. Second, just 30 percent of respondents said their organisation allocated sufficient budget to protect mobile and IoT apps. Here are the factors that, the survey revealed, would influence organisations to increase their mobile and IoT app security budgets -- headed by 'a serious hacking incident':
The upshot is that mobile and IoT apps contain vulnerabilities, and the main reason, according to this survey's respondents, is the pressure on development teams to release apps quickly:
Such 'rush to release pressures' are a feature of organisations undergoing digital transformation, to which proponents of DevOps would respond that this CI/CD (Continuous Integration/Continuous Deployment) methodology can deliver both rapid software update cycles and security. Whichever way they choose to do it, organisations need to address this issue, or they're likely to experience that 'serious hacking incident' sooner rather than later.
Check Point's Cyber Security 2017 Survey canvassed 1,900 IT professionals in US-based companies with 1,000 or more employees, exploring their approaches to cloud security, threat management, mobile security and more.
Overall, only 35 percent of respondents were either 'very confident' (28%) or 'extremely confident' (7%) about their organisation's security posture, leaving half (50%) 'moderately confident' and 14 percent either 'slightly confident' (11%) or 'not at all confident' (3%). The report notes that "Many organizations remain vulnerable to security breaches because they feel security is too complicated, they don't have the resources to manage security, there are too many unknowns, or they simply don't understand the ramifications of utilizing preventative security measures."
The survey asked about the perception of mobile security ('What is your biggest pain point when it comes to mobile security?') and the reality (What actual negative impact did mobile threats have on your company in the last 12 months?'), and got a reasonably coherent picture from respondents. Limited resources topped the list, although the perception noticeably outstripped the reality:
Interestingly, only 14 percent of Check Point's respondents could confirm that mobile devices had been involved in breaches in their organisations in the past, although well over half (58%) were either not sure or couldn't disclose any breaches.
When it came to implementing a mobile threat defence solution, the number-one capability identified by respondents was 'Malware protection', followed by 'Logging, monitoring and reporting', and 'Ease of deployment':
Lieberman Software conducted a small-scale but targeted survey at this year's RSA Conference, polling some 160 attendees for its IoT Security Report. A third (33.1%) of respondents worked for enterprises with over 5,000 employees, while a quarter (24.8%) were from small businesses employing under 100 people.
The scale of the IoT security problem is clearly illustrated by three key survey findings: first, almost a quarter (23.9%) of respondents had 5,000 or more IoT devices connected to their organisation's network at any given time; second, a majority (63%) of respondents were not confident that their organisation could track and manage all of the IoT devices on their network; and third, less than half (49.3%) of respondents' organisations had a process in place to change the default passwords on IoT devices.
The widespread use of default passwords, you'll recall, is what allows the Mirai malware to recruit thousands of devices into DDoS-delivering botnets. No wonder, then, that 80 percent of Lieberman Software's respondents answered 'yes' when asked: "Do you worry about the potential for attacks that originate through your IoT devices?"
Interestingly, the survey found that of the 72 percent of IT professionals who had changed the default passwords on their IoT devices at home, nearly half (45%) worked in organisations that had not done so. More encouragingly, 61 percent said that the subject of built-in admin accounts on IoT devices had come up in security planning at their organisations.
The US-based survey covered three groups who can influence a company's share price and reputation: IT practitioners (448), CMOs (334) and consumers (549). It also looked at 113 publicly quoted companies that had experienced a data breach, tracking their share prices for 30 days prior to and 90 days after the breach.
The finding that's likely to sharpen the C-suite's focus on cybersecurity concerns share price movements following a security breach: on average, the share price dropped by 5 percent within days of a breach disclosure, and took about 45 days to recover to the pre-disclosure level. However, when the survey sample was divided on the basis of companies' 'security posture', as measured by the Ponemon Institute's Security Effectiveness Score (SES), very different outcomes were observed:
High-SES companies experienced a share price decline of no more than 3 percent following breach disclosure, recovered to the pre-breach level after a week and showed a 3 percent gain after 90 days. Low-SES companies, by contrast, suffered a share price decline to a 4 percent lower level than high-SES firms, on average, and had still not recovered to the pre-breach level after 90 days.
Customer churn is another consequence of a poor security posture: 31 percent of consumers said they discontinued their relationship with a company that suffered a data breach, while 65 percent said they lost trust in an organisation after one or more breaches.
What the experts say
The cybersecurity arms race is clearly still in full flow, and we shouldn't expect the frequency and scale of attacks and breaches to decline anytime soon. So what can be done to turn the tide? Here are the views of some of the experts we've talked to in recent weeks and months.
"Internet of Things is the 'thing' right now -- it used to be cloud, then it was mobile. In four or five years from now, it'll be something else. What people are realising is, threat intelligence over time will become the foundation on which we provide security to whatever those new things are. There's always going to be the game of catch-up, but the industry is trying to move towards the model of resilience -- 'resilience' is the big term we'll hear over the next ten years: how do we build systems, and how do we build in security so that our networks are resilient, so they can recover auto-magically from all these different things that are going on."
Kamal Anand, vice-president of cloud business unit at A10 Networks:
"I'm not sure this [IoT security] can get solved in, say, 12 months. I think we'll make some progress with technology solutions that help protect assets, but just adopting these technologies at large enterprises and service providers takes time, so I think it'll be an ongoing problem for the next few years in terms of protecting assets and learning from new attacks that come along, using visibility and analytics tools."
"This is a layered problem, so even if devices are compromised, you want to make them secure at the network edge; then if something gets through you need to start protecting at the mobile core, the infrastructure and finally applications -- it's a multi-layered approach. The interesting thing is, technology is becoming available where you can profile a typical network or traffic pattern, and if it deviates you get an alert and can start to figure out what's going on. I think you'll see a lot more cognitive or AI-like machine-learning capabilities starting to creep in around different areas of the network in the next few years."
"When you look at the impact of an intelligence solution like Flashpoint, we're really going to have a balance of proactive and reactive. When you think about reactive, the goal, fundamentally, is how can you dramatically shorten the window between impact and detection? So whether it's helping a company understand that RDP access to its systems is being sold on the underground, or that a malicious insider is selling access to sensitive source code, or sensitive databases -- the goal with reactive reporting is to dramatically shorten that window. And then, of course, as frequently as possible you want to be left-of-incident, whether it's providing a heads-up to the exploitation of particular vulnerabilities such as those seen in WannaCry or Mirai. I think the reality is, the landscape is so incredibly complex, dynamic and multi-variable that no solution on earth is ever going to deliver 100 percent proactive coverage, but the goal is to be left-of-incident as much as possible, and then minimise that window between impact and detection as aggressively as possible on the other end of the spectrum."
Organisations spend large amounts of money on cybersecurity software and services, but attacks keep on coming. And as ever more mobile and IoT devices connect to the internet, creating more entry points to increasingly diffuse networks, the potential for damage can only increase.
Obviously all organisations should cover the cybersecurity basics -- patching systems for known vulnerabilities, backing up vital data, running a full suite of up-to-date security tools, educating users about things like phishing attacks, and formulating a disaster recovery plan.
But the internet is fragile and people are fallible, so 100 percent protection probably won't ever be possible. This means that resilience must be built in, allowing networks to absorb and recover from attacks that will inevitably penetrate traditional cyber-defences. Better cyber threat and business risk intelligence, and AI/ML-augmented network and data monitoring tools, may be the way forward here.
In the meantime, organisations will need to remain vigilant. The 'bad guys' will always be with us, and nothing is certain except death and taxes...and more cyberattacks.