How Many IoT (Internet of Things) Gadgets do you have?
A tidal wave of Internet-connected devices is poised to hit the consumer market in the next year as every technology product imaginable – from toasters to tennis racquets – will be WiFi enabled.
But while this may be greeted with enthusiasm by many consumers, security experts are warning that the noticeable lack of security controls on many Internet of Things (IoT) gadgets will lead to further loss of personal data and widespread network disruption.
The signs are already beginning to appear, as evidenced by last week's news of two major security-related events.
Krebs has been one of the vigilant reporters about personal credit card file thefts including breaches such as the massive Target stores hack in 2013.
A well-executed distributed denial of service (DDoS) attack knocked Krebs’ website offline until he was able to move it behind Project Shield, a free DDoS-protection service offered by Google with the aim of protecting journalists from censorship.
The attackers launched the DDoS assault using more than 150,000 connected IoT devices, including seemingly innocuous products such as security cameras and DVRs.
Making matters worse, the source code for the malware used in the attacks has been posted on an online hacker forum, virtually guaranteeing that it will be reused elsewhere in the weeks and months ahead. The source of the attack is still unknown.
These events serve to amplify the frustration that security professionals are experiencing these days when it comes to securing personal data and the Internet.
Much of that concern was highlighted during the two-day Structure Security conference held recently in San Francisco and attended by computer professionals from around the world.
“It’s a mess out there,” said Art Coviello, former head of the security giant RSA, who spoke at the start of the two-day conference. “And it’s only going to get worse with the Internet of Things.”
Yahoo hack of 500 million accounts
One of the speakers at Structure Security was Bob Lord, the chief of security for Yahoo.
His company has been making headlines recently based on the news that hackers stole personal data from over 500 million Yahoo accounts in 2014.
Because his company is facing multiple class action suits and a federal investigation as a result of the massive breach, Lord was understandably reluctant to talk about the theft of personal accounts in any great detail.
However, the security chief did clarify that this past summer’s reports of a hacker selling Yahoo files over the Internet were not related to the 500 million accounts whose theft was recently disclosed.
According to Lord, it was Yahoo’s own investigation of this summer’s reports that led them to discover the larger breach.
The exposure of Yahoo user account data, which included personal email addresses, passwords, and birthdates, has been the subject of some debate over the past two weeks as account holders try to determine whether their private security questions were also accessed.
Yahoo has said that the “vast majority” of the accounts were protected using a password-hashing function known as “bcrypt.” Hashes produced this way would be hard for hackers to break.
However, Yahoo has not disclosed the percentage of accounts without bcrypt protection, which has raised alarms, since even ten or twenty percent of 500 million would still be a sizable number.
The company has advised all Yahoo account holders to change their passwords immediately.
The combination of the Yahoo breach with the recent DDoS attacks serves to make security professionals gloomy about more thefts and hacks to come.
An executive from Distil Networks, an automated attack detection firm, said that sophisticated botnets (networks of malicious computers) could soon trigger a major spike in online theft as they begin running the stolen Yahoo accounts against various websites seeking bank files and other personal information.
Structure Security Conference
A recent report by Distil also showed that malicious networks now account for almost 20% of Internet traffic.
Even more worrisome, botnets are becoming better at imitating human behavior, making them harder to detect and eliminate.
As RSA security expert Niloofar Howe said to conference attendees in San Francisco, “When you have a 100 percent failure rate, something is not working. There’s a need for innovation in the cybersecurity space.”
The conference included speakers from a number of companies who are working to bring innovative new tools to the security landscape.
And a key element of their strategy depends on automation and machine learning.
One company that is building an intriguing new technology around an automated security platform is Cylance.
Their product pairs a sizable database with a predictive engine to analyze threats such as malware, password theft, and denial of service attacks.
“Machine learning has the ability to solve all three insanely well,” said Cylance CEO Stuart McClure.
While they are not a household name, Cylance played a significant role in a major breach that affected the personal data files for millions of current and former U.S. federal workers.
When the Office of Personnel Management (OPM) discovered the theft of over 21 million records, Cylance was brought in to remove the malware that had facilitated the attack and implement their technology to protect the agency’s computers for the future.
Advanced security tools
The use of automated security tools to combat breaches and malicious attacks is driving the growth of new companies that are developing advanced technology in the space.
One such firm is Sift Science, a startup that is building a machine learning system which studies normal online consumer behavior.
The idea is to apply computerized learning that will correctly spot whether a transaction with an online business is authentic or a likely attempt at fraud.
Sift’s technology is currently in use on over 6,000 websites. Their customers include many recognizable names such as Airbnb, Zillow, Yelp, and Match.com.
Another company that is taking a different approach to the security dilemma is Blackstone, the powerful multinational investment banking firm.
Their chief security officer – Jay Leek – is attempting to automate as many tasks as he can so that he can free his staff to focus on the threats which could be the most damaging.
“I have the ability to take a security operations analyst and make him or her three times more productive,” Leek told Structure attendees.
One of the main motivators in the move towards automation is a fairly basic numbers problem: the security industry today simply cannot hire enough qualified people to deal with the threats it is facing.
Another factor is the cost. RSA’s Coviello described one corporate client who employed 1600 people in their security department alone.
“How many businesses can afford that kind of investment?” he mused.
In any potential breach investigation, there are always a number of routine steps that are followed as security analysts attempt to assess the scope and source of an attack.
One example of a routine issue is the account lockout, where someone repeatedly enters their password incorrectly.
As Leek described, more often than not, these lockouts are caused by “fat fingered” entry, rather than a malicious hacker trying to gain unauthorized access to company files.
This is exactly the type of “tier one” task that Blackstone’s security executive wants to automate.
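The “tier one” lockout triage described above, and the credential-stuffing pattern the Distil executive warns about earlier, as an added example that is not Blackstone’s, Distil’s or the article’s own code: it parses a constructed authentication log and sorts each locked-out account into fat-fingered entry (auto-close), brute force, or credential stuffing. The log format, thresholds and sample data are assumptions.

```python
"""Tier-one lockout triage: tell fat-fingered passwords apart from brute-force
and credential-stuffing activity. Log format, thresholds and data are assumed."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)")
LOCKOUT_THRESHOLD = 3    # assumed policy: three failures lock the account
STUFFING_MIN_USERS = 4   # one source failing on this many accounts looks like stuffing

# Constructed sample log: alice mistypes from her usual address, bob's account is
# hammered from an unknown address, and one address tries many different accounts.
SAMPLE_LOG = "\n".join(
    [f"2016-10-03T09:00:{i:02d}Z src=10.1.4.22 user=alice result={r}"
     for i, r in enumerate("OK FAIL FAIL FAIL OK".split())]
    + [f"2016-10-03T09:20:{i:02d}Z src=203.0.113.7 user=bob result=FAIL" for i in range(6)]
    + [f"2016-10-03T09:30:{i:02d}Z src=198.51.100.9 user={u} result=FAIL"
       for i, u in enumerate("carol dave erin frank grace".split())])

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def triage(log):
    """Return {user: verdict} for every account that saw at least one failure."""
    known = defaultdict(set)          # user -> sources that have authenticated OK
    fails = defaultdict(list)         # user -> source of each failure
    users_per_src = defaultdict(set)  # source -> distinct accounts it failed on
    for e in parse(log):
        if e["res"] == "OK":
            known[e["user"]].add(e["src"])
        else:
            fails[e["user"]].append(e["src"])
            users_per_src[e["src"]].add(e["user"])
    verdicts = {}
    for user, srcs in fails.items():
        if any(len(users_per_src[s]) >= STUFFING_MIN_USERS for s in srcs):
            verdicts[user] = "credential_stuffing"  # one source, many accounts
        elif len(srcs) >= LOCKOUT_THRESHOLD and not set(srcs) & known[user]:
            verdicts[user] = "brute_force"          # locked out by a source never seen to succeed
        elif set(srcs) <= known[user] and len(srcs) < 2 * LOCKOUT_THRESHOLD:
            verdicts[user] = "fat_finger"           # a few misses from a known device: auto-close
        else:
            verdicts[user] = "escalate"             # anything else goes to an analyst
    return verdicts
```

Calling `triage(SAMPLE_LOG)` closes alice’s lockout automatically while routing bob’s and the five stuffed accounts to an analyst.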
Another factor that is keeping Leek up at night involves his own workforce.
While the threat of outside hacking is always present, he believes that chief security officers should be focusing on internal risks as well.
Organizational workforces today are largely made up of young, tech-savvy employees who learned to use and program computers at an early age.
As Leek put it, “I’m not so much concerned about my IT staff, as I am a bright 22 year-old in the finance department.”
The use of automation is beginning to impact tools that consumers can use for their own protection from identity theft.
Last July, a startup company called Civic launched a new service that automatically provides a push notification via text or email whenever a Social Security number is being used for a transaction in a subscriber’s name.
Civic’s new system relies on a proprietary network of businesses that collect personal data.
This might include your bank, financial service firm, healthcare organization, or other businesses that could seek a Social Security number.
In order to grow rapidly, the backers of Civic are offering their new service free to consumers, while charging a fee to companies that join the network.
The expectation is that as more companies sign up, the fee to join will go down.
The companies’ incentive for joining is to avoid paying for credit-monitoring services and other fraud-related charges when identities are stolen from unsuspecting customers.
The hope is that the security industry can implement enough of these new technologies in the months ahead to limit the damage from malicious attacks in an increasingly insecure world.
As Coviello reminded the conference attendees in San Francisco, “We are arguably less secure in our infrastructure than we were ten years ago.”
If that cannot be changed soon, the next year may be a difficult one indeed.