Another startling report on the state of cyber security was recently published by a group of very credible organizations, including PwC, CERT, Carnegie Mellon University, and the U.S. Secret Service. While there’s a ton of interesting data within, the macro picture showed 79% of all organizations experiencing security breaches, with an average of 163 security “incidents” over the last 12 months. This is a 21% annual increase over the 2014 report.
If I were a naysayer, I could make an easy argument that these trends are only the tip of the proverbial iceberg, and that we need to dig in and prepare for even more dire circumstances for many years to come. It’s all about the projected growth in the Internet of Things (IoT), and here’s why…
The massive growth in cyber security incidents over the last five years is highly correlated with the global growth in sensitive data being exposed via Internet-connected interfaces, thus increasing attack surfaces for hackers to exploit. This is the dirty underside of all the benefits we’ve received from the Internet over the last two decades. Three factors are driving this growth that puts attackers within striking distance:
- Number of devices – desktop, laptop, tablet, smartphone
- Number of networks – anytime, anywhere, any device (cellular, Wi-Fi, Bluetooth, et al.)
- Number of services – online banking, online healthcare, online insurance, e-government, social media, etc.
A number of reports have documented the growth of Internet-connected devices per capita. They all point to the same trend, so as an example I’ll use a Cisco report, which forecasts a growth from one to two devices per capita in 2010 to nearly five times that number by 2020. The continuing expansion of connected devices is exciting, to be sure. You can imagine how cool, fun, and efficient the world could be when we reach the full potential of the IoT. The possibilities are endless when you consider the types of devices that will be transformed by Internet connectivity in the IoT era:
- Consumer – thermostats, security alarms, cars, televisions, baby monitors, children’s toys
- Commercial/industrial – healthcare telemetry, commercial trucks, commercial phones, lighting control systems, and all major elements of our energy, communications, and water infrastructure
So, what’s the problem?
The major problem that arises from this growth in devices, networks, and services is the burgeoning number of people developing and managing them for us as a society. With this growth in IoT already underway, we have moved well beyond the small niche of highly qualified information technology (IT) specialists who develop and manage traditional computing devices, and toward the widespread commoditization of computer and networking technologies into every consumer and commercial device made. The result will likely be disastrous – at least for a while. Here are a few reasons why:
- Secure code development. With IoT, we now have mainstream consumer and commercial vendors implementing computing and networking features as “side attractions,” but without the benefit of experience and expertise with these technologies. There’s no doubt that less experienced, less focused developers will make the mistakes that create the vulnerabilities that targeted attackers use as a back door. Bottom line, if we’re concerned today about the quality of code coming from developers at Microsoft, Google, Apple, and Adobe, all hell is going to break loose with the proliferation of code from the likes of Procter & Gamble, Mattel, and Johnson Controls.
- Unpatched operating systems. For a variety of reasons, most of these IoT devices will not benefit from the most recent OS patches that resolve known vulnerabilities. Not only is there a lack of infrastructure, resources, and understanding of the critical need for managing patches for the enormous volume of IoT devices, but there are structural problems that will prevent them from being updated. As an example, medical devices are highly regulated by the FDA and require resource- and time-intensive review processes for any change in feature or functionality. As a result, device manufacturers are extremely reluctant to submit devices (like telemetry-enabled hospital equipment) for review when a major OS upgrade occurs. Many healthcare IoT devices today are running Windows XP – a full year after the Microsoft EOL date!
- Inability to deploy and manage host-based security. One of the oldest, fundamental aspects of IT security is host-based threat prevention software, like anti-virus and intrusion detection systems. Given the volume, resource intensity, and lack of security knowledge in most IoT environments, there is little likelihood that host security software can or will be deployed – leaving these devices more exposed to security exploits than traditional computing devices.
A great example of the dangers exposed by all the trends mentioned above came just last month, with Chrysler recalling 1.4 million Jeeps. That’s the implication of a vulnerability on just a single IoT device. Do you see where I’m going with this?
These IoT security trends indicate one thing, for sure. We can no longer assume that attacks (breaches of hosts and user accounts) can be comprehensively stopped using traditional threat prevention systems. Instead, we need to evolve to a new regime of security infrastructure that complements traditional threat prevention with breach detection technologies built to automatically find the attackers rapidly once they’ve penetrated your network.
No doubt, the Internet of Things is going to bring a lot of fun, exciting, new technology to market – but it’s going to come at an enormous cost. Batten down the hatches!