Partner Perspectives  Connecting marketers to our tech communities.
5/16/2016
02:08 PM
Steve Grobman
Steve Grobman
Partner Perspectives
50%
50%

Internet Of Things: 50 Billion Connected Targets

We must work to minimize attackers' incentive and opportunity while maximizing their risk.

With the growth of the Internet of Things (IoT), we are rapidly approaching 50 billion connected devices (with varying degrees of security) that are becoming more and more valuable to attackers. We have already seen the beginnings of this shift, as cyberattacks against physical assets -- from cars to electric power stations -- move from science fiction to reality.

Cyberattackers, like anyone, are driven by incentives, and the greater the incentive, the more likely someone is to attack a particular target. We can express the probability of an attack against any particular target as the incentive times the opportunity, divided by the risk. 

Over the past few years, we have watched the variables in this equation change in value. Credit card data was an early opportunity, stolen and then quickly utilized before the numbers were cancelled. As companies increased their protection efforts, the incentive and opportunity decreased. Attackers explored other types of data theft, trying to find a new and valuable resource, with varying success.

This year, ransomware has been on the rise, delivering the promise of an even bigger payout. Instead of stealing credit card data and being burdened with figuring out how to monetize the asset, attackers have moved to a system where they can charge an immediate fee directly.  Through ransomware, cybercriminals encrypt data on a user’s device and simply make it unusable until the owner pays a ransom. The advent of Bitcoin and other crypto-currencies that support anonymous transactions further lowered the attackers’ risk.

Fueled by meaningful incentives and minimal risk, attackers looked for greater opportunities with larger payouts. We see ransomware actively moving from the consumer space -- charging a few hundred dollars to retrieve one’s photos or personal files -- to larger soft targets such as hospitals and universities. In recent news, we saw attackers charging these organizations (and being paid) thousands of dollars to get access back to critical business data. With this trend growing, large enterprises and IoT are just over the horizon as targets for ransomware attacks.

Incentive And Opportunity

The number and diversity of IoT devices rapidly becoming connected create an intriguing opportunity in the cyberactivity equation. We’ll soon have tens or hundreds of millions of potential targets, connected to physical assets such as water, energy, automobiles, and machinery, with many times the value of digital records. Incentive and opportunity both increase substantially. And the outcome of successful cyberattacks can literally be life-threatening.

Strategically, we need to approach IoT differently than we do the PC. In PC security, we work aggressively to prevent an attack, and fall back to quickly detecting an infiltration and remediating when necessary. With IoT, once an attacker perpetrates a successful exploit, it may be too late. Detecting an intrusion after your car has been driven off a cliff, electricity shut off, or factory machinery damaged is only so useful.

IoT requires a different approach than is used to defend traditional business systems. The current model, where the security industry is separated from the solutions industry (in the case of business, OSVs, ISVs etc.), does not scale to the diverse architectures that exist in the IoT landscape. Additionally, network opacity (most network traffic is becoming encrypted) restricts a network security approach to focus on only a small subset of threats. A new model is required where the security industry and IoT industry recast solutions architecture to enable both to contribute elements that they have expertise in.

We need to be forward-looking and purposeful with how we architect security in the burgeoning world of IoT. There are four steps we can take to affect the IoT cyberattack equation:

  1. Design with security in mind. All devices and solutions built around IoT have to be designed thinking about security from the outset. One example is using the concept of least privilege to minimize attackers’ opportunity: Devices, systems, and applications should have access to the bare minimum capabilities required to perform their function. Developers must understand the full lifecycle from shipping to decommissioning, follow coding best practices, and leverage the many hardware and software security capabilities available (hardware separation, ASLR etc.).
  2. Look at security from different levels of zoom. Valuable data is vulnerable and security breaches possible at all levels, from an individual sensor to a connected device to the overall system. System-level infiltrations may deliver the highest incentive to attackers, but breaches are possible at the sensor or device level. IoT security means understanding the full context of the system, as well as the individual components.
  3. Support the academic industry in producing more cybersecurity professionals. Ultimately, the security and IoT industries need to evolve and collaborate, from education to deployment. Cybersecurity should become a core discipline of engineering, alongside calculus, physics, and chemistry. Development lifecycles must include a security component, similar to the quality component. All of this must be researched, taught, and reinforced, from undergraduate programs to professional continuing education. 
  4. Think like the adversary to anticipate exploits and address them in advance. Finally, we need to continue to think like our adversaries, refining threat-agent profiles, identifying digital assets, and assessing weaknesses. Deployment processes must evaluate how to minimize the incentive and opportunity for attackers, while maximizing their risk.

We have adapted in the past as we learned about new threats, and we will have to again. But this adaptation is a big one for IoT because without it, a major evolution of our technology infrastructure is at serious risk of failure. 

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.