Connected Devices: Growing Attack Surfaces.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
To underscore my post titled “Let’s Ban BYOD” (https://www.netswitch.net/lets-ban-byod/), the increase in machine-to-machine attacks that we are seeing in this first quarter alone is giving rise to new and highly dangerous forms of malware, and it is changing the risk landscape accordingly.
We know that our friends at Gartner have predicted that there will be almost 7 billion connected devices in use in 2016, a 30 percent increase over 2015, and that by 2020 that number will jump to more than 20 billion. This means that there will be between two and three connected devices for every person on the planet.
This also means that the attack surfaces are growing at an alarming rate. At least, it’s alarming to some of us.
We also know that most consumer connected devices simply don’t prioritize security, which is why we want corporate mobile devices to be controlled by IT and we want companies to move from the BYOD (bring your own device) model to the CYOD (choose your own device) model. If they don’t, we can expect the number of cyber-attacks to skyrocket.
In its 2016 Planning Guide for Security and Risk Management, Gartner says in a classical understatement: "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."
When Gartner refers to mobile technologies, they are referring to smartphones, which on their own present the largest risk category within IoT in the near term. When we are connected to the growing list of IoT devices (from wearables to smart cars), the risk categories expand and the threat grows exponentially.
Smartphones are particularly attractive to cybercriminals because of the sheer number in use and the multiple vectors of attack, including malicious apps and web browsing. In these reverse drive-by attacks, malicious websites masquerading as benign URLs fingerprint a smartphone and run an instant vulnerability assessment. Not for your benefit. Those vulnerabilities are passed along to the attacker’s command-and-control (C&C) server, and instantly your device is set up for compromise. It happens every day, and all the time.
Apple is the only maker that performs commercial app code review, but even they can’t filter out a lot of the malicious applications that make it onto your mobile devices. The only sure-fire way to knock out this threat vector is through central control of a corporate-issued mobile device by your IT guys. BYOD was a cool idea whose benefits fail to outweigh the risks. Time to punt and go to a “choose” rather than a “bring” model. And leave your wearables at home. Please.
In this new machine-to-machine world, we will see entirely new worms and viruses able to propagate from device to device. These are known as "headless worms": malicious code that targets "headless devices" such as smartwatches and other wearables, smartphones and medical hardware, with an enormous potential for harm from a threat that can multiply across billions of connected devices.
With millions of infected machines controlled by networks offering up billions of attack surfaces, you can easily imagine a massive global outage where suddenly everyone’s smartphone simply dies.
We now see an increasing reliance on virtualization and cloud computing variants, which will create a proliferation of attacks on private and hybrid clouds and all forms of cloud infrastructure, including virtual machines, based on malware specifically designed to exploit virtual computing systems. The unwitting role of mobile devices running quietly compromised apps will be to provide the pathway for hackers to gain easy access to these virtualized environments.
To make matters worse, hackers are getting really good at evasion tactics. We evaluated a dozen or so “sandboxing” security products in 2014 and decided that smart criminals would be able to obfuscate and get around these defenses at some point in the future, so we passed. It turns out that we now have a class of malware known as a “two-faced ferret” that appears benign under initial surveillance but immediately morphs into malicious code once it bypasses first-phase inspection.
We now see frequent instances of “ghostware”: malicious code designed to evade forensic detection and make it very difficult for law enforcement to track how much data has been stolen in sophisticated extortion attacks.
This is also making it much more difficult for regulators to assess fines and establish the basis for willful intent. It could prompt an adjustment to regulatory definitions and determinations that would put any cyber-theft liability directly on the shoulders of executives, officers, board members and shareholders.
So, what can we do to shore up, prepare, prevent and manage the threat?
First, let’s acknowledge that the threat is real. We still haven’t done that, and until we do, we will continue to witness a race where the bad guys out-sprint the good guys by a wide margin.
Boards need to accept the fact that we now have an actual new business dimension that needs the same policy and administrative attention as tax, insurance, audit, regulatory compliance, general and specific liability and corporate governance.
Even if we just took care of the basics, like taking control of our mobile devices, implementing fundamental security policies, compliance and best practices, managing administrative privileges, network segregation, configuration and patch management, anti-virus and intrusion prevention and detection software, and employee training in phishing and spoofing detection and in the identification of malicious web downloads and email attachments, we would be way ahead of where the vast majority of companies now find themselves.
Prioritizing fundamentals and getting them done is a whole lot better than doing nothing, and it costs very little to implement. We don’t need to strive for perfection, but if we can just ensure that our most critical exposures are mitigated, we will at least reduce residual risk and be better prepared for today’s advanced threats and for the more sophisticated and complex threats associated with the machine-to-machine invasions coming down the tunnel.
It’s true that Rome wasn’t built in a day, but someone had to lay the first stones.