Dark Reading is part of the Informa Tech Division of Informa PLC

Partner Perspectives  Connecting marketers to our tech communities.
5/16/2016
02:08 PM
Steve Grobman

Internet Of Things: 50 Billion Connected Targets

We must work to minimize attackers' incentive and opportunity while maximizing their risk.

With the growth of the Internet of Things (IoT), we are rapidly approaching 50 billion connected devices (with varying degrees of security) that are becoming more and more valuable to attackers. We have already seen the beginnings of this shift, as cyberattacks against physical assets -- from cars to electric power stations -- move from science fiction to reality.

Cyberattackers, like anyone, are driven by incentives, and the greater the incentive, the more likely someone is to attack a particular target. We can express the probability of an attack against any particular target as the incentive times the opportunity, divided by the risk. 

Over the past few years, we have watched the variables in this equation change in value. Credit card data was an early opportunity, stolen and then quickly utilized before the numbers were cancelled. As companies increased their protection efforts, the incentive and opportunity decreased. Attackers explored other types of data theft, trying to find a new and valuable resource, with varying success.

This year, ransomware has been on the rise, delivering the promise of an even bigger payout. Instead of stealing credit card data and being burdened with figuring out how to monetize the asset, attackers have moved to a system where they can charge an immediate fee directly.  Through ransomware, cybercriminals encrypt data on a user’s device and simply make it unusable until the owner pays a ransom. The advent of Bitcoin and other crypto-currencies that support anonymous transactions further lowered the attackers’ risk.

Fueled by meaningful incentives and minimal risk, attackers looked for greater opportunities with larger payouts. We see ransomware actively moving from the consumer space -- charging a few hundred dollars to retrieve one’s photos or personal files -- to larger soft targets such as hospitals and universities. In recent news, we saw attackers charging these organizations (and being paid) thousands of dollars to get access back to critical business data. With this trend growing, large enterprises and IoT are just over the horizon as targets for ransomware attacks.

Incentive And Opportunity

The number and diversity of IoT devices rapidly becoming connected create an intriguing opportunity in the cyberactivity equation. We’ll soon have tens or hundreds of millions of potential targets, connected to physical assets such as water, energy, automobiles, and machinery, with many times the value of digital records. Incentive and opportunity both increase substantially. And the outcome of successful cyberattacks can literally be life-threatening.

Strategically, we need to approach IoT differently than we do the PC. In PC security, we work aggressively to prevent an attack, and fall back to quickly detecting an infiltration and remediating when necessary. With IoT, once an attacker perpetrates a successful exploit, it may be too late. Detecting an intrusion after your car has been driven off a cliff, electricity shut off, or factory machinery damaged is only so useful.

IoT requires a different approach than is used to defend traditional business systems. The current model, where the security industry is separated from the solutions industry (in the case of business, OSVs, ISVs etc.), does not scale to the diverse architectures that exist in the IoT landscape. Additionally, network opacity (most network traffic is becoming encrypted) restricts a network security approach to focus on only a small subset of threats. A new model is required where the security industry and IoT industry recast solutions architecture to enable both to contribute elements that they have expertise in.

We need to be forward-looking and purposeful with how we architect security in the burgeoning world of IoT. There are four steps we can take to affect the IoT cyberattack equation:

  1. Design with security in mind. All devices and solutions built around IoT have to be designed thinking about security from the outset. One example is using the concept of least privilege to minimize attackers’ opportunity: Devices, systems, and applications should have access to the bare minimum capabilities required to perform their function. Developers must understand the full lifecycle from shipping to decommissioning, follow coding best practices, and leverage the many hardware and software security capabilities available (hardware separation, ASLR etc.).
  2. Look at security from different levels of zoom. Valuable data is vulnerable and security breaches possible at all levels, from an individual sensor to a connected device to the overall system. System-level infiltrations may deliver the highest incentive to attackers, but breaches are possible at the sensor or device level. IoT security means understanding the full context of the system, as well as the individual components.
  3. Support the academic industry in producing more cybersecurity professionals. Ultimately, the security and IoT industries need to evolve and collaborate, from education to deployment. Cybersecurity should become a core discipline of engineering, alongside calculus, physics, and chemistry. Development lifecycles must include a security component, similar to the quality component. All of this must be researched, taught, and reinforced, from undergraduate programs to professional continuing education. 
  4. Think like the adversary to anticipate exploits and address them in advance. Finally, we need to continue to think like our adversaries, refining threat-agent profiles, identifying digital assets, and assessing weaknesses. Deployment processes must evaluate how to minimize the incentive and opportunity for attackers, while maximizing their risk.

We have adapted in the past as we learned about new threats, and we will have to again. But this adaptation is a big one for IoT because without it, a major evolution of our technology infrastructure is at serious risk of failure. 

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security ...