Fear and hacking in the cyber age (Or how security is about to get a lot more challenging)

Sony Pictures, Yahoo, Hillary Clinton: A barrage of cyber-attacks in recent years has raised new concerns about the safety of individual and corporate data.

Brace yourself for more.

As the digital revolution moves to Internet-connected appliances, vehicles and machinery, it threatens to unleash a new wave of cyberattacks. The hackers are getting more sophisticated, too.

Those were among the warnings raised at the latest #RBCDisruptors, our monthly session on the biggest trends on the digital landscape.

The session featured Nir Zuk, co-founder of Palo Alto Networks, and Alex Dyner, head of special projects at CloudFlare.

Palo Alto Networks builds enterprise-grade firewalls and network security systems, which can help prevent and lessen the damage from intrusions and data breaches. CloudFlare’s cloud-based technology keeps its customers’ websites online and secure by mirroring their data over a worldwide network of servers, so if one goes down another can easily take its place.

Here are the highlights of the conversation:

1. Beware the hacker in your fridge
It’s no longer just the supercomputer in your pocket; connected devices are the new cyber-threat. From security cameras to lightbulbs, research firm Gartner says there are now 6.4 billion devices connected to the Internet — more than double the number in 2012. And every one could be vulnerable to a cyberattack.

Among the challenges, this new generation of connected “things” — refrigerators, pipelines, airplanes, machinery — is not designed by cyber-centric companies like Microsoft or Apple. Instead, the Internet of Things is mostly being built by traditional manufacturers.

“The companies and the people making those products are not in the business of security,” Dyner said.

Zuk said the new wave of connected-home devices are prime targets for cyberattacks — and a new age of ransom.

“If your refrigerator locks, would you pay $10 to unlock it?” he said. “You probably have more than $10 of stuff in it right now, so of course you’ll pay and open it. They do that across a million refrigerators, they make $10 million.”

Think of it this way: Even if an IoT manufacturer releases security updates, when was the last time anyone thought to update the firmware on a security camera?

2. They’re after your data, dude
We pay for free online services such as Gmail and Facebook with our personal information, which companies use to generate financial gain, be it through micro-targeted advertising or online recommendations.

Data is the new currency, and it’s what hackers want.

“The more data you have, the more potentially the attacker can get out of the attack,” Zuk said. “That means they will spend more money on the attack, which means that you need to increase the cost of that attack the more data you have.”

Zuk said the attacks his company focuses on — phishing scams that steal passwords, malware that encrypts user data and blackmails them to unlock it — are mostly done for financial gain.

Dyner said his company deals with different kinds of attacks, and motivations can be much broader. He pointed to a cyberattack on a series of Turkish escort websites that came from servers in a more conservative part of the country.

“Money is often a driver,” he said. “But people are willing to make statements and often do that as well.”

3. Hacking is big business
CloudFlare uses its decentralized, cloud-based architecture to provide cybersecurity as a service, a business model being adopted by many in the industry. Yet hackers are evolving, too, and have begun to pursue a similar model in which they sell their services to third parties in return for a chunk of the proceeds.

Zuk pointed to the example of CryptoLocker. The name refers to a collection of malware that locks down a user’s hard drive with nearly unbreakable encryption and asks them to pay a fee ranging up to tens of thousands of dollars to unlock it, usually in Bitcoin or another untraceable digital currency.

“There’s a small group that’s building all the infrastructure,” he said. “If you’re a criminal, you buy the services from them. You choose which targets to attack, and you pay them a cut.”

Those who build the infrastructure even have a telephone support centre, he added, with full-time workers who will walk criminals — and victims — through the process of getting the ransom.

4. The war’s just beginning
While cyberattacks aren’t going away, both Zuk and Dyner said there was much people could do to prevent breaches and limit potential damage.

First thing to do is to not blame the victims, Dyner said, because any system that involves human beings is inherently fallible.

He said CloudFlare regularly sends its phishing emails to its own employees to test its defences, and always gets hits.

“It’s not that they’re stupid, it’s that they’re busy,” he said of his employees who get caught in a phishing trap.

The second thing, he said, is for businesses and organizations to stop thinking of IT and cybersecurity as a cost centre.

The most successful companies, he said, “think of technology as a core competency.”

Trouble is, few companies can find anywhere near enough people to fill the cyber-security jobs created in recent years.

Zuk said it’s not uncommon for employers to have a 40% vacancy rate in cybersecurity positions.

5. Making security easy
A big challenge for security: making it easy. Building a complicated and unfriendly system that encourages users to take shortcuts — writing a password down on a Post-It, say, or using the same details for every system — can weaken security, no matter how well the rest of the system is designed.

Dyner said it was important not to let security get in the way. He pointed to two-factor authentication, which pairs a password with another form of verification such as a code delivered by text message, as a relatively easy and painless solution.

“It’s not that big of a deal to make people take out their phones, and it goes a long way towards making the system more secure,” he said. “You can do things in a way that allows people to be effective at their core tasks throughout the day.”

Another option is to piggyback on existing tools such as Dropbox or Facebook Messenger that have incredibly strong built-in encryption. That can go a long way to satisfying customers and digitally-savvy employees.

“Customers will not come to you,” Zuk said. “And you won’t be able to hire people if you put too many restrictions around what they do or what they can’t do.”
