Security threats on the IoT get real

By only 2019, the digital-everything economy and fast-growing adoption of networked technologies such as the Internet of Things (IoT) will combine to see us living in a hyper-connected world.

According to the Information Security Forum’s (ISF) Threat Horizon 2019 report, this situation will lead to organisations being subject to cybersecurity threats beyond anything they have experienced before. These threats include ransomware attacks that hijack the IoT, pre-meditated internet outages that will bring trade to its knees and the subversion of blockchains, which will shatter trust in the technology.

So are such doom-laden predictions simply the product of an information security industry trying to generate fear, uncertainty and doubt in order to drum up more trade for itself? Or is there something more to these disturbing forecasts?

Dave Clemente, senior risk manager for Deloitte’s senior cyber risk research team, who has written the report in the past, describes it as “informed speculation”. He says:

It’s about putting together the best of what you know, and I think you could plausibly say that 70% has a good chance of happening.

The most likely predictions to come to pass, Clemente believes, are large-scale disruptions to the internet and ransomware attacks on the IoT, which are already starting to take place. One of the first documented cases of an Android-based smart TV being infected by the malware came to light over the Christmas period, for instance, but many more are expected to follow in both the consumer and enterprise space. Clemente explains:

The IoT is introducing a lot of new entry points onto the corporate network such as webcams and smart CCTV cameras, and if they’re low cost, low margin devices they’re not going to have been made with security in mind. As a result, they offer a lot of possibilities for getting onto the network that weren’t there previously.

Growing sophistication

Peter Wood, chief executive of information security consultancy First Base Technologies, agrees that the sheer proliferation of connected devices is a challenge - and one that is only likely to increase. He says:

The IoT is being adopted like shadow IT and is being delivered into organisations without them realising it. For example, meeting rooms these days often have a display listing the bookings, and electronic whiteboards are network-connected too. It’s the same with smart heating, ventilation and air conditioning systems, and even servers generally have a back door so you can manage them remotely.

The issue is that people don’t remember to harden them by changing default passwords and the like. They just forget about them and that’s when the problems start.

To make matters worse, cyber- and organised crime groups are becoming increasingly sophisticated both in terms of their internal organisational structures, which are becoming more formalised and less ad hoc, and how they make their money.

For example, in May last year, a Ukrainian man, Vadym Iermolovych, admitted he was a member of a ring, which from 2010 to July 2015 had hacked into PR Newswire, Business Wire and Marketwired to get advance notice of company earnings statements. The group made about $30 million by selling insider information to a network of traders who bought or sold stocks based on the news before it was officially released. The money was then shared out between them using a number of foreign shell companies. As Deloitte’s Clemente points out:

They were thinking two or three steps further down the road than just the hack. It’s a longer-term plan and penetrates further down the supply chain - and it’s that level of sophistication that organisations are increasingly going to have to start thinking about.

But it is not just cyber-criminal gangs that are posing a growing threat these days. Nation states also appear to be undertaking new forms of nefarious activity too.

Beyond the traditional industrial espionage and intellectual property theft that has been undertaken by different players around the globe for years, North Korea seems to have thrown a new ball into the ring. It has now been accused of involvement in the cyber-theft of $81 million from the central bank of Bangladesh in February 2016, implying a shift in strategy to adopt a much more direct money-making approach.

My take

A heady mix of the world becoming ever more connected due to technology such as the IoT, combined with the increasing sophistication of cyber-criminals and the involvement of nation states, is posing cyber-challenges to organisations as never before. Find out what the ISF recommends you do to tackle these issues in part two of this article on Friday