Blockchain: The Glue That Binds the Internet of Things

One of the hottest emerging technology topics surrounds the Internet of Things (IoT), or as some have characterized it, the Internet of Everything. A McKinsey Global Institute report estimates that by 2025, the global financial impact of the IoT could reach between $3.9 trillion and $11.1 trillion a year.

Every industry will potentially benefit from this technology, which relies on small sensors communicating among themselves and generating exceptionally large volumes of data.

Smart sensors integrated into buildings could monitor and collectively control environmental conditions. Miniature medical sensors could keep healthcare workers informed and alerted about patients in hospitals or as they go about their normal activities. Manufacturing processes could self-control production providing instantaneous correction as sensors collaborate throughout the production of a product. Our self-driving cars will communicate with other vehicles and the roadway, navigating safe and quick transit to a desired location while providing city-wide information about traffic patterns to city planners.

IoT has the potential to dramatically change how things are done while significantly enhancing the quality of life for everyone. Our small experiments with home automation and building control are nothing compared to the automation we will see integrated into daily life and work.

The concept behind the IoT seems relatively simple. Multitudes of minuscule sensors will collect specific information, share information with neighboring devices, and communicate data to a repository where control can be coordinated or information massaged, giving never-before-seen insights. While this description is the basis for the IoT, it is not clear how devices will communicate and coordinate. Nor is it clear how innovative thinking could evolve new uses and business models around IoT that will result in significant levels of market disruption.

The most promising mechanism for inter-device communication and record-keeping among devices could well be blockchain. Blockchain is essentially a secure, distributed, peer-to-peer implementation of a ledger system that is most often associated with Bitcoin monetary transactions.

The truth is that the blockchain ledger can contain any information, including health records, identity, and non-financial transactions. A really interesting use is developing smart contracts using blockchain as the organizing infrastructure. Smart contracts could bind individuals or, for IoT, sensors that share information. When a condition defined as a metric in the e-contract is met, a pre-programmed response is initiated. This could be a payment in the case of business-to-business relationships.

Between devices, smart e-contracts could be associated with carbon credits, power creation and consumption, or any number of other device-to-device activities. At an even higher level of organization, IoT sensors could be implemented within a Distributed Autonomous Organization (DAO) to achieve some end result but governed completely within the smart contract that established the DAO.

The genius of the IoT is not that there are multitudes of small sensors creating terabytes of data, but that there is a system of devices sharing information in an intelligent and controlled manner that achieves a result within a self-governing structure. The thing that binds these sensors, providing both governance and the ability to act intelligently, will come from the blockchain.

Ron Hale, Ph.D., CISM, Chief Knowledge Officer, ISACA

[ISACA Now Blog]

What is Automated Cybersecurity?

These days, cyberattacks are heavily automated by machines. If organizations try to defend against these attacks manually, the fight becomes man versus machine, with highly unfavorable odds for the organization. To successfully protect against automated attacks, it is essential to fight fire with fire – or in this case, machine against machine – by incorporating automation into cybersecurity efforts. Automation levels the playing field, reduces the volume of threats, and allows for faster prevention of new and previously unknown threats.

Many security vendors look at automation as a way to become more efficient and a means to save in manpower or headcount. However, automation is a tool that can, and should, be used to better predict behaviors and execute protections faster. If implemented appropriately and with the right tools, automation can prevent successful cyberattacks. The following are four ways automation should be used:

1. Correlating Data
Many security vendors collect substantial amounts of threat data. However, data provides little value unless sense is made of it – with actionable next steps. First, organizations need to collect threat data across all attack vectors and security technologies within their own infrastructure, as well as global threat intelligence. They need to identify groups of threats that behave the same way within that large amount of data and predict the attacker’s next step; combined with dynamic threat analysis, this is the only way to accurately detect sophisticated and never-before-seen threats. When it comes to sequencing, the more data the better. Groups identified from small amounts of data might be considered a mistake or an anomaly. The amount of data needs to be large enough, and analysis must have enough compute power to scale. This can’t be done manually, and organizations that attempt to do so learn that it takes a significant amount of time and resources, and it is impossible to scale to meet today’s threat volume. With machine learning and automation, data sequencing can become faster and produce more effective and accurate threat analysis results.

2. Generating Protections Faster Than Attacks Can Spread
Once a threat is identified, protections need to be created and distributed faster than an attack can spread in the organization’s networks, endpoints or cloud. Because of the time penalty that the analysis adds, the best place to stop the newly discovered attack is not at the location where it was discovered but, most likely, at the attack’s predicted next step. Manually creating a full set of protections for the different security technologies and enforcement points capable of countering future behaviors is a lengthy process that not only moves slowly but is also extremely difficult when you must coordinate across different security vendors in your environment without the right control and resources. Automation can expedite the process of creating protections without straining resources, all while keeping pace with the attack.

3. Implementing Protections Faster Than Attacks Can Progress
Once protections are created, they need to be implemented to prevent the attack from progressing further through its lifecycle. Protections should be enforced not only in the location the threat was identified but also across all technologies within the organization in order to provide consistent protection against the attack’s current and future behaviors. Utilizing automation in the distribution of protections is the only way to move faster than an automated and well-coordinated attack, and stop it.

With automated big data attack sequencing, and automated generation and distribution of protections, you can more accurately predict the next step of an unknown attack and move fast enough to prevent it.

4. Detecting Infections Already in Your Network
The moment a threat enters the network, a timer starts counting down until it becomes a breach. To stop an attack before data leaves the network, you have to move faster than the attack itself. To identify an infected host or suspicious behaviors, you must be able to analyze data from your environment, backward and forward in time, looking for a combination of behaviors that indicates a host in your environment has been infected. Similar to analyzing unknown threats attempting to enter the network, manually correlating and analyzing data across your network, endpoints and clouds is difficult to scale. Automation allows for faster analysis and, should a host on your network be compromised, faster detection and intervention.
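As an added illustration of looking for a combination of behaviors backward and forward in time (example code, not part of the original article or any vendor product), the sketch below flags hosts that show every behavior in a rule within one time window, whatever order the events arrive in. The event names, host names, rule and 30-minute window are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, observed behaviour).
EVENTS = [
    ("2017-01-10T09:00:00", "ws-014", "dns_new_domain"),
    ("2017-01-10T09:02:00", "ws-014", "exe_download"),
    ("2017-01-10T09:20:00", "ws-014", "periodic_beacon"),
    ("2017-01-10T09:05:00", "ws-022", "exe_download"),
    ("2017-01-10T15:00:00", "ws-022", "dns_new_domain"),
    ("2017-01-11T08:00:00", "ws-022", "periodic_beacon"),
    ("2017-01-10T11:00:00", "srv-003", "dns_new_domain"),
]

# Hypothetical rule: these behaviours together, close in time, suggest infection.
REQUIRED = frozenset({"dns_new_domain", "exe_download", "periodic_beacon"})


def infected_hosts(events, required=REQUIRED, window=timedelta(minutes=30)):
    """Return {host: (first_ts, last_ts)} for hosts that show every required
    behaviour inside one time window, regardless of event arrival order."""
    by_host = defaultdict(list)
    for ts, host, behaviour in events:
        if behaviour in required:
            by_host[host].append((datetime.fromisoformat(ts), behaviour))

    hits = {}
    for host, seen in by_host.items():
        seen.sort()                      # replay history in time order
        counts = defaultdict(int)        # behaviours inside the current window
        start = 0
        for ts, behaviour in seen:
            counts[behaviour] += 1
            # Drop events that have fallen out of the window on the left.
            while ts - seen[start][0] > window:
                old = seen[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) == len(required):
                hits[host] = (seen[start][0], ts)
                break
    return hits


if __name__ == "__main__":
    for host, (first, last) in infected_hosts(EVENTS).items():
        print(f"{host}: all behaviours seen between {first} and {last}")
```

Re-running the function after older events are reclassified or arrive late is what makes the analysis retrospective: a host that looked clean yesterday can be flagged today from the same history.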

Attackers use automation to move faster and constantly deploy new threats. The only way to keep up and defend against these threats is to employ automation as part of your cybersecurity efforts. Integrating automation provides significantly stronger security and has the added benefit of using your manpower more effectively. A next-generation security platform automatically and rapidly analyzes data and turns unknown threats into known threats, creates an attack DNA, and automatically creates and enforces a full set of protections throughout the organization to stop an attack from successfully progressing through its lifecycle.


[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: Price of Ransomware Continues to Increase in Asia-Pacific

2016 was a challenging year for organisations particularly as cyber adversaries achieved high-profile success, mainly with ransomware. Organisations in Asia-Pacific are no exception. The year also taught a valuable lesson that no industry vertical is safe; if there is a hole in your security, a determined adversary will find it.

2017 should be an opportunity for organisations to instigate a regular program of security risk assessments to stay ahead in cybersecurity. New technologies and ever-increasing levels of connectivity are transforming businesses and unlocking business development opportunities across the region.

Being aware of security concerns doesn’t mean avoiding new technology altogether. It’s about being sensible and trying to stay ahead of cybercriminals by understanding current and potential threats and what can be done to mitigate the risk.

What are my predictions for Asia-Pacific in 2017?

1. Industrial control systems may turn against you

Industrial control systems (ICS) are an integral part of any business, especially in Asia-Pacific. These include building management systems, heating ventilation and air conditioning (HVAC), and security doors, just to name a few.

Most businesses outsource their building management requirements so they don’t necessarily know whether the third-party provider has adequate security in place. It’s not impossible for a malicious actor to execute an attack that could cause significant damage.

For example, an attacker could turn the heating up in a company’s server room or data centre to 50°C and then disable all the building access points so no one can get in to physically remove hardware to a safer location. The hardware would eventually overheat, causing significant disruption to a business, its customers and its partners.

What you need to consider:

  • When you think about it, nearly all businesses could be at risk of an attack like this. Business leaders have to consider security beyond the basic steps of protection. Organisations need to gain an overarching view of their potential weak spots through third parties as well as their own network. Additionally, they need to put a plan in place that would help counter any potential attacks.
  • Have you checked what non-IT equipment your business depends on and what security they have enabled? Are they connected to the internet, managed by a third party?
  • When outsourcing to a third party, what level of security assurance do they have in place? Are they able to provide information to you on how they secure themselves and, ultimately, how they secure and manage your network and systems?

2. The Internet of Things (IoT) devices will be a target for cybercrime

Market research firm Gartner predicts that the number of connected ‘things’ will rise from 6.5 billion in 2015 to almost 21 billion by 2020. This will result in better customer experiences, with connected devices providing information on everything from when the brakes on a bus need to be replaced to whether all the machines on a mine site are running within acceptable parameters.

However, connected devices will also be a target for cybercrime, even more so because people place enormous trust in third-party vendors being safe. These endpoint devices provide thousands of potential entry points to an organisation’s network. They need to be secured. In 2016, we saw the first real challenges appear where compromised devices were connected together in a botnet to launch attacks against banks and key parts of the internet infrastructure.

Anything that you connect into your computer or network is a potential risk. The types of devices range from CCTV cameras to tiny sensors attached to complex machinery, and they may not always be top of mind for security professionals. But if they are connected to the internet or managed by a third party, then they could put the business at risk.

Committed cybercriminals will use every trick in the book, be creative in trying to access the information they want, and look for any way they can gain entry.

What you need to consider:

  • It is important to understand that the IoT is not a possibility or a project of the future – it is a current reality. Make a point to ask suppliers involved in security assurance how they can assure the security of the devices they provide. As we have seen many times, there may be no security, or the devices could be using some default username or password. These should be changed from the moment they are on your network.
  • Any devices using factory settings for security are simply asking to be compromised. IT managers must change those standard administrator passwords to avoid being targeted.
  • These devices should also be regularly checked to see if they adhere to the company’s security policy.

 

3. We may see a ransomware vortex with a nasty surprise

Ransomware involves attackers locking up a business’s data and demanding a ransom for its release. If you thought 2016 was bad for ransomware, then 2017 will be worse. We can expect to see a higher attack volume, using more sophisticated technologies. If the discovery of Locky ransomware was anything to go by, financial malware will continue on an upward trajectory in 2017.

The kicker will be that, because enterprises and individuals have previously paid, more than likely the prices will increase. There have been cases where the ransom was paid, the data was unlocked, and then the victim was hit again. Paying to unlock one or more machines in your organisation doesn’t provide immunity from a threat that could be spreading in your environment. Our advice has always been: don’t pay.

What you need to consider:

  • If you have fewer than 72 hours to respond, do you have a comprehensive backup strategy and response ready to counter these attacks?
  • When was the last time you tested and verified the backup?
  • Have you applied basic file blocking to prevent threats from entering your organisation? Certain file types can be a risk to your organisation. Ask yourself, “Should we allow all files or should we manage the risk by not allowing malicious file types that may cause an issue?”

 

4. We will have serious data trust issues

People will continue to be too trusting or fooled into thinking something is safe when it really isn’t. For example, confidential data can be exposed, or made available, that looks like it comes from an organisation, when it was actually planted by a malicious party. Either way, there’s a business reputational risk and a monetary price to pay.

For years, information security professionals have been focused on a model known as the CIA triad, which looks at Confidentiality, Integrity and Availability and is designed to guide policies for information security within an organisation. Many organisations have long looked at confidentiality as a means to protect their data from theft or availability as a means to ensure they can access their data or systems, but how much time has been spent focusing on the integrity of the data or systems?

Imagine a data project, years in the making, where the data an organisation has been collecting and analysing is corrupted. For example, a resource company that has invested heavily in research and development is prospecting for the next drill site where they collect petabytes of data, but an attacker manipulates the information, rendering it worthless. If the integrity of the data is manipulated, where a few bits of information are changed, the company might drill in the wrong spot, wasting time and money and potentially creating an environmental disaster. This could cause companies to make incorrect decisions with significant ramifications. The same could be said about cases where systems have been wiped after an attack, removing all traces that it happened.

Another frightening example is personalised medicine, where the genetic makeup of a person is known and so well-understood that, rather than doing trial and error on which medication works, doctors can tailor exactly the right mix and dosage. If an attacker changed the data on a program such as this, it not only has an impact on the effectiveness of the drug but also could have a lasting negative impact on the patient, or even threaten their life, so the stakes are incredibly high.

So What Can Be Done?

Firstly, any business should welcome these changes as they are a way to further digitise services and enhance our way of life. But with any move to further digitise the services that we offer or are offered to us, we need to ensure that the data is protected. Verification should be at the centre of all platforms, at every stage of development, and at the core of every provider-customer relationship. The integrity of the data must be protected from modification by unauthorised parties, and the data must be made available only to authorised parties when they need it.

What you need to consider:

  • Businesses need to look at two key things: where their sensitive data resides and what data is critical to the business to operate. Somewhat surprisingly, many organisations struggle to answer this question. This can lead to misappropriation of resources in the form of security controls being used broadly across the entire organisation, rather than being targeted to where they’re needed most. This then results in increased cost to acquire and use security measures.
  • Who amongst our employees has access to our sensitive data? Simply knowing who has access to documents or big data stores stops short of understanding what they have access to.
  • A key way to reduce risk to sensitive information is to also understand how the data is protected. Is there protection in place, and does it meet the right level to mitigate risk for something that could be mission-critical to a business?
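One way to make the integrity verification discussed above concrete, as an added example that is not from the original article: each record gets an HMAC-SHA256 tag that also covers the previous tag, so a change of even one bit, a deletion or a reordering is detected and located. The record contents and key are constructed, and the sketch assumes the key and the tags are stored where whoever can write the data cannot reach them.

```python
import hashlib
import hmac

# Constructed sample records standing in for survey data.
READINGS = [
    b"site=A17;depth_m=1520;porosity=0.18",
    b"site=A17;depth_m=1540;porosity=0.21",
    b"site=A17;depth_m=1560;porosity=0.09",
]

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def seal(records, key):
    """Return one tag per record. Each tag covers the record and the
    previous tag, so the last tag commits to the whole sequence."""
    tags, prev = [], GENESIS
    for rec in records:
        prev = hmac.new(key, prev + rec, hashlib.sha256).digest()
        tags.append(prev)
    return tags


def first_tampered(records, tags, key):
    """Return the index of the first record that fails verification,
    or None if every record matches its stored tag."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(zip(records, tags)):
        expected = hmac.new(key, prev + rec, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    if len(records) != len(tags):        # records appended or truncated
        return min(len(records), len(tags))
    return None


def flip_bit(records, index):
    """Simulate corruption: copy the records with one bit changed."""
    damaged = list(records)
    raw = bytearray(damaged[index])
    raw[0] ^= 0x01
    damaged[index] = bytes(raw)
    return damaged


if __name__ == "__main__":
    key = b"constructed-demo-key"        # placeholder, not a real secret
    tags = seal(READINGS, key)
    print("clean data:", first_tampered(READINGS, tags, key))
    print("one bit flipped:", first_tampered(flip_bit(READINGS, 1), tags, key))
```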

What are your cybersecurity predictions for 2017? Share your thoughts in the comments.

[Palo Alto Networks Research Center]
