The Ever Expanding Threat Landscape
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Every day, we spend more on cybersecurity than we did the day before while cyber-attacks occur at a greater frequency than ever and we consciously push to expand our threat landscape with no end in sight.
When we get breached, we fire our CISOs and hire new ones who do the exact same things the old ones did while expecting different results. If this wasn’t such a frightening reality, it might be comical.
According to new projections by IDC, global spending on security hardware, software and services will top $103 billion in 2019, up 9.4 percent from 2018 and will grow at a compound annual growth rate of 9.2 percent from 2018 to 2022. A 9.2% CAGR is not very exciting if you are an investor in this market, but if you are an observer of the frantic race to market for startup cybersecurity vendors, it is breathtaking.
And if you are one of the 3,000 odd cybersecurity vendors stuck in the long tail behind the market leaders, you should be delighted to learn that Absolute Market Insights pegs the CAGR for the same period even higher, at more than 13.5%.
It is clear to even the casual observer that it is becoming increasingly difficult to keep pace with the rising malware attacks and cybercrimes on banking and financial institutions, healthcare organizations, manufacturing companies and government agencies across the world. Revolutionary technologies such as artificial intelligence, machine learning and big data analytics have offered new capabilities in narrow contexts, but these very same technologies are also increasingly causing several industries to become even more vulnerable to exploitation and cyber-attacks than they were in the past.
In the last decade, we have seen an increased reliance on digitized information across all industries. Combined with the ability to share vast amounts of data, this new digital world has made organizations of all stripes and sizes prey to a broad array of cyber-attacks. These attacks largely result in loss of competitive advantage and impose steep financial damage on organizations that have been breached. Current estimates say that over the next five years, cybercrime could cost companies US$ 5.2 trillion every year, which, when combined with data from the last 5 years, amounts to an astonishing CAGR of 32%.
The increasing connectivity has led to an increase in complexity of networks and system interfaces, which in turn has dramatically increased the challenge of network defense. For example, greater requirements for logging activity creates a need for improved storage and monitoring. Organizations then must consider how to respond to incidents, which may require a variety of tools and skill sets to conduct analysis. Top-tier banks spend hundreds of millions of dollars every year to secure and safeguard their systems. Smaller financial institutions, however, may suffer from a form of “cyber poverty,” where they lack the resources to maintain the same level of confidence in their security. This gap between leaders and the broader community expands each year, raising the potential that a successful attack on weaker members could have systemic risk implications for all.
This confluence of digitization, increased sophistication of cyber-criminals, and advances in technology which can be more easily and quickly leveraged by bad actors has resulted in an upward surge in demand for cyber security solutions which will continue to act as a major driver for the cyber security market.
But, while we seek new and improved technologies to combat this growing enemy and continue to invite these new advances into the combat theatre, we should be doubling down on our own ability to control the growth of these innovative and hyperconnected digital business models.
By 2020, Gartner tells us that there will be roughly 200 billion connected devices, almost none of which will be secure. Think about that. The risk is very real with the Internet of Things (IoT) and it is growing like a weed.
An IoT device is an everyday object with a computing device embedded in it that has a means to send and receive data over the internet. IoT devices also exist as the sensors and switches in every industrial control system and supervisory control and data acquisition system on the planet: the ones that run all of our factories, power grids, energy pipelines, water supplies, air and sea transportation and military communications systems.
In the near future, the major cybersecurity threat vectors will be direct attacks on the unsecured and unprotected IoT devices sprinkled throughout our organizations: attacks that are easier to mount, harder to detect and potentially more devastating. The devastating characteristics will be evidenced by broad plant shutdowns in the private sector and live threats to our critical infrastructure.
There are a million reasons why this threat is so potent. IoT devices have insecure Web interfaces, enabling vulnerability exploits from weak default credentials, cross-site scripting (XSS) and SQL-injection attacks, credentials that can be exposed in network traffic and poor or missing session management. IoT devices are notorious for insufficient authentication and authorization protocols. There are no complexity requirements for passwords and no multi-factor authentication required. Password recovery is in plain text and there is no role-based access control.
IoT data exchange is usually unencrypted. SSL/TLS is rarely implemented or configured properly. Unencrypted and unanonymized data over an insecure network connection is a sandwich-board invitation to cyber-criminals. Poor authentication controls and unencrypted data, combined with insecure IoT cloud interfaces, lead to magnified vulnerabilities. Insecure mobile interfaces, insufficient security configurability and insecure firmware add to the complexity and difficulty of attempting to secure the IoT infrastructure.
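The two paragraphs above list the management-interface weaknesses that make IoT devices such soft targets: factory default credentials, no password complexity rules, no multi-factor authentication, plaintext password recovery, no role-based access control, and missing or badly configured TLS. The audit below is an added example, not code from the article or from any vendor: it turns that list into checks a security team can run over its device inventory before a device goes on the network. The configuration dictionaries, the field names (`mfa_enabled`, `password_recovery`, `tls`, and so on) and the list of default credentials are all constructed for the example, not any product's real schema.

```python
"""Configuration audit for IoT device management interfaces.

Added example, not from the article: it checks a device's settings for the
weaknesses the article lists (factory default credentials, no password
complexity rules, no MFA, plaintext password recovery, no RBAC, missing or
weak TLS). The config dictionaries are a constructed, hypothetical format,
not any vendor's real schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed list of factory defaults; a real deployment would load a
# maintained list instead of hard-coding one.
KNOWN_DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"),
}
MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    message: str


def check_password_strength(password: str) -> List[str]:
    """Return the complexity rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(1 for pattern in classes if re.search(pattern, password))
    if present < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def audit_device(config: Dict) -> List[Finding]:
    """Map one device's management settings to a list of findings."""
    findings: List[Finding] = []
    username = config.get("username", "")
    password = config.get("password", "")

    # Credentials: factory defaults first, then complexity.
    if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append(Finding("critical", f"factory default credentials {username}/{password} still set"))
    for problem in check_password_strength(password):
        findings.append(Finding("high", f"admin password {problem}"))

    # Authentication and authorization controls.
    if not config.get("mfa_enabled", False):
        findings.append(Finding("high", "multi-factor authentication not enabled"))
    if config.get("password_recovery") == "plaintext_email":
        findings.append(Finding("high", "password recovery sends the password in plaintext"))
    if not config.get("rbac_enabled", False):
        findings.append(Finding("medium", "no role-based access control on the management interface"))

    # Transport security: no TLS at all, or TLS without version/certificate checks.
    tls = config.get("tls", {})
    if not tls.get("enabled", False):
        findings.append(Finding("critical", "management interface and data exchange are unencrypted"))
    else:
        if float(tls.get("min_version", "1.0")) < 1.2:
            findings.append(Finding("high", f"TLS {tls.get('min_version')} accepted; require 1.2 or newer"))
        if not tls.get("verify_certificates", False):
            findings.append(Finding("high", "certificate verification disabled on outbound connections"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "none" for a clean device."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed sample inventory: one device shipped as-is, one hardened.
WEAK_DEVICE = {
    "name": "lobby-camera-01", "username": "admin", "password": "admin",
    "mfa_enabled": False, "password_recovery": "plaintext_email", "rbac_enabled": False,
    "tls": {"enabled": True, "min_version": "1.0", "verify_certificates": False},
}
HARDENED_DEVICE = {
    "name": "lobby-camera-02", "username": "cam-admin", "password": "Lobby-Cam!2019-secure",
    "mfa_enabled": True, "password_recovery": "reset_link", "rbac_enabled": True,
    "tls": {"enabled": True, "min_version": "1.2", "verify_certificates": True},
}

if __name__ == "__main__":
    for device in (WEAK_DEVICE, HARDENED_DEVICE):
        findings = audit_device(device)
        print(f"{device['name']}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run over a real inventory, the same function gives an onboarding gate (refuse to connect anything that scores "critical") and a recurring check that catches devices whose firmware update silently reset the admin password to the default.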
In addition, the recent lateral propagation of the WannaCry malware within businesses over the Server Message Block (SMB) protocol has shown that enterprise network segmentation alone is insufficient protection against these advanced swarms. The Mirai and Satori malware attacks have proven that enterprises need to start monitoring their smart devices, wearables, TVs, printers, business collaboration systems, HVAC systems, lighting systems and security systems in addition to other infrastructure devices. We have seen, for example, widespread exploitation of Polycom video-conferencing systems due to open-source components carrying known vulnerabilities.
Legacy security solutions are unable to protect the enterprises due to a whole variety of limitations, including the lack of real-time security behavioral monitoring for IoT devices. And to compound the problem, even if we were able to actually get the appropriate controls in place to combat the vulnerabilities, as long as the manufacturers (and buyers) of the devices insist on building (and buying) them without any or with minimal security controls, no amount of effort by IT personnel will make a difference.
But as long as we’re in the fight, we may as well fight. We can start by establishing an incident response team to remediate exploited vulnerabilities and disclose data breaches immediately as they are detected. If we can’t do that internally, we should outsource it. We should insist that all devices we incorporate into our systems are continually updated and patched so we can minimize the potential for threat actors to exploit the outlying weaknesses for data theft. We have to invest in reliable data protection and storage solutions to protect customer privacy along with sensitive enterprise assets.
These steps are especially critical now that we must speed to align with data privacy laws, many of which will impose steep fines for noncompliance beginning this year and strengthening in 2020. Because many of these regulations afford customers the right to demand the erasure of their personal information, this capability must now be built into all IoT devices that collect customer data. We must also establish clear policies that define how data is collected, consumed and retained in the IT environment.
To ensure the ongoing integrity of IoT deployments, our security teams must conduct regular gap analyses, including both flow- and packet-based anomaly detection, to monitor the data generated by connected devices. And since humans remain the root cause of over 96% of data breaches, awareness training and continuing education throughout all levels of the enterprise is critical.
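The flow-based anomaly detection called for above is what would have surfaced the two behaviours described earlier in the article: a Mirai-infected device fanning out to hundreds of neighbours on a port it never used, or a WannaCry-style SMB spread from a device that has no business talking SMB. The script below is an added example, not the article's or any vendor's code. It learns a per-device baseline from flow records (destination ports used, number of distinct peers), then compares a later window against it and raises one alert per device and anomaly kind. The `Flow` record shape, the sample addresses and the two windows are all constructed for the example; packet-based (payload) inspection is outside its scope.

```python
"""Flow-based anomaly detection for IoT devices.

Added example, not from the article: it learns a per-device baseline from
flow records (destination ports used and how many distinct peers a device
talks to) and then flags a device that starts using a protocol it never used
or fans out to many peers. Flow records are constructed sample data in a
hypothetical NetFlow-like shape.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since window start (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass
class Baseline:
    ports: Set[int]     # destination ports seen during the learning window
    peak_fanout: int    # distinct destinations seen during the learning window


@dataclass
class Alert:
    device: str
    kind: str     # "unknown-device", "new-destination-port" or "fan-out"
    detail: str


def _summarise(flows: List[Flow]):
    """Per source device: set of destination ports and set of peers."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    peers: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
        peers[f.src].add(f.dst)
    return ports, peers


def build_baseline(flows: List[Flow]) -> Dict[str, Baseline]:
    """Learn what each known device normally does from a clean learning window."""
    ports, peers = _summarise(flows)
    return {src: Baseline(ports[src], len(peers[src])) for src in ports}


def detect_anomalies(baseline: Dict[str, Baseline], flows: List[Flow],
                     fanout_factor: int = 3, min_fanout: int = 10) -> List[Alert]:
    """Compare a detection window against the baseline."""
    ports, peers = _summarise(flows)
    alerts: List[Alert] = []
    for src in sorted(ports):
        known = baseline.get(src)
        if known is None:
            # A device nobody inventoried: the article's "start monitoring your smart devices".
            alerts.append(Alert(src, "unknown-device",
                                f"{len(peers[src])} destination(s), ports {sorted(ports[src])}"))
            continue
        new_ports = ports[src] - known.ports
        if new_ports:
            alerts.append(Alert(src, "new-destination-port",
                                ",".join(str(p) for p in sorted(new_ports))))
        # Fan-out threshold: a multiple of the learned peak, but never below min_fanout,
        # so a device that normally talks to one server is not flagged for talking to two.
        threshold = max(min_fanout, fanout_factor * known.peak_fanout)
        if len(peers[src]) > threshold:
            alerts.append(Alert(src, "fan-out",
                                f"{len(peers[src])} distinct destinations (threshold {threshold})"))
    return alerts


# Constructed learning window: a camera streaming to an NVR, a thermostat talking to its cloud.
BASELINE_FLOWS = [
    Flow(0, "10.0.20.11", "10.0.10.5", 554, "tcp", 1_000_000),
    Flow(1, "10.0.20.11", "10.0.10.1", 123, "udp", 76),
    Flow(2, "10.0.20.12", "203.0.113.10", 443, "tcp", 4200),
    Flow(3, "10.0.20.12", "10.0.10.1", 123, "udp", 76),
]

# Constructed detection window: the camera scans 30 neighbours on telnet and touches SMB,
# the thermostat behaves, and an uninventoried device appears.
DETECTION_FLOWS = (
    [Flow(100, "10.0.20.11", "10.0.10.5", 554, "tcp", 1_000_000),
     Flow(101, "10.0.20.12", "203.0.113.10", 443, "tcp", 3900),
     Flow(102, "10.0.20.99", "203.0.113.55", 443, "tcp", 512)]
    + [Flow(110 + i, "10.0.20.11", f"10.0.20.{i}", 23, "tcp", 60) for i in range(1, 31)]
    + [Flow(150, "10.0.20.11", "10.0.10.20", 445, "tcp", 2048)]
)

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_FLOWS), DETECTION_FLOWS):
        print(f"{alert.device:12} {alert.kind:22} {alert.detail}")
```

The obvious caveat is that the baseline is only as clean as the learning window: a device that was already compromised when the baseline was taken will have its scanning "learned" as normal, which is why the baseline should be built from the device's documented function (a camera needs RTSP and NTP, nothing else) and reviewed, not just recorded.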
Until manufacturers rise to the challenge, either because they understand that market forces will eventually pull them there or because legislative bodies will begin to insist on it, the unsecured exposure of IoT data and the illegal takeover of the devices themselves will continue to cause substantial damage to even the best technologically prepared cybersecurity defenses.
And whether the threat landscape is littered with IoT devices or not, we know that with increased connectivity comes greater interdependence. To mitigate the increased risk of greater connectivity, institutions will also need to embrace collaboration. Technological innovations may provide some level of improved collaboration; areas such as machine-readable intelligence are promising, but there is also a need for leadership in building trust through engagement, both across teams within organizations and between organizations themselves. The financial industry has made great strides in engagement already, and many communities have emerged to share intelligence and security best practices. Such initiatives should be encouraged and expanded across all industry sectors.
As technology advances, complexity will continue to increase. This will make the job of network defense even harder in the future. Organizations must make a point of simplifying security. At a management level, this practice should entail greater transparency around what security is and is not in place, as well as the risks around specific gaps. At a technical level, these efforts should mean that technology is secure by default, taking the burden off individuals to configure or maintain it.
An insistence on fundamentals, continuous cybersecurity hygiene, rigidly following strict policy and process rules, reactive preparedness and well-thought-out controls over IoT devices, third party relationships, supply chain vulnerabilities along with committed cybersecurity awareness training will go a long way to mitigate much of the IoT threat landscape.
In the meantime, keeping a lookout for bright shiny objects that can identify, detect and prevent IoT threats and corrupt hardware components on the network can’t hurt either.
As regular readers here know, I am particularly fond of Sepio Systems and WootCloud in that regard. Device-centric finger-printing with behavioral analytics is a new approach to cyber security defense that delivers the advanced technology necessary to meet, identify and defeat these IoT and hardware-borne threats, and a unique ability to detect rogue and corrupt hardware devices that are hidden from the network. These are the only two systems that I know of that are leveraging these technologies to drive detection of hidden threats.
Check them out. And, while Sepio was a former client of ours at UberConnectForce and I know the management team at both companies, I receive no compensation from either for 'promoting' their products. I just have an affection for smart, lean startups trying to bring disruptive innovative technologies to market. My goal is to make our world a little safer and these products do that.
Director Of Embedded Software
(5 years ago) Excellent article - thank you Steve King. The threat landscape is increasing exponentially. Thank you for the recommendations - as the threats grow it is becoming impossible for individuals and companies to keep up. There will be an increasing reliance on companies who specialize in cybersecurity.
AI that helps you make stronger decisions.
(5 years ago) Perform the basics to mitigate a majority of the risks. Threats evolve and multiply but the number of risks remains relatively constant.
Author | Director, Cyber Security Leader with exposure to 35+ Countries including US, UK, Europe, Australia | Risk and Compliance | Cloud Security | PCI DSS | ISO 27001 | ISO 22301 | Security Architect | 22000+ Follows
(5 years ago) Hello Steve, I appreciate the opportunity to thank you for the nice, detailed post. True, some of the key takeaways are: A. Effective infosec leadership to ensure effective risk assessments and their treatments. B. As data is growing at a faster pace than expected, use of AI and ML to develop new areas of risk to detect and act on. C. More influential information security leaders to lead the organisation's learning and development with actionable outcomes to improve the infosec culture in organisations. Let me know your views pls.