IoT: The Internet of Threats

We talked about our continuing failure to identify the exploitation of legitimacy or even the source or nature of our attackers in our last post. That was one of five attacker-defender disruptions necessary to change the current course of this never-ending cybersecurity war.

Our confusion about the identity and purpose of the enemy, combined with the absurd imbalance of information between attackers and defenders and a cybersecurity economy that pits a thirteen million dollar defender against a five dollar attacker, meshed with our inability to see beyond the next hill of threats, it is not surprising that we are losing.

In this the last post of 2016, we address the final disruption, our failure to detect and protect in IoT and mobile environments and moreover, our continuing compulsion to ignore security shortfalls and expanded risk in new technologies and focus almost exclusively on the perceived benefits.

This problem seems to be our very own shiny object syndrome.

As workforces become increasingly mobile and enterprise IT systems become more generally available through the use of smartphones, tablets and laptops, the enterprise becomes even more at risk of data loss and new points of ingress for attackers. These new risk bubbles are caused by employees losing devices, compromising cybersecurity through mis-use of devices or the continuing emergence of new exploits targeted at consumer device software.

Any attempt to retake control over BYOD programs once they have been institutionalized is met with severe resistance from the employee workforce as well as from executive leadership.

Why? Around 80% of employees in high-growth markets believe the constant connectivity associated with BYOD enables them to do their jobs better. And 80% of decision makers believe that adopting enterprise mobility will have a business advantage over those who don’t and 55% rank mobility as their top strategic priority.

However, these perceived benefits to the enterprise are coming with high risk, as 1 in 5 survey respondents who bring their own devices to work claim that their employer’s IT department has no idea about their mobile behavior, and 1 in 3 IT departments actively ignore BYOD behavior altogether. A majority of IT managers surveyed (87%) said that mobility was their top cybersecurity concern, ranked against and well above phishing, social engineering and cloud computing.

The same survey found that 90% of the IT leadership community feared loss or theft of devices as the number one threat followed closely by the introduction of malware into their networks at number two.

While there are a variety of enterprise mobility management (EMM) solutions to help enable safer BYOD programs, including virtual environments, data classification, virtual container approaches, device integrity scanning solutions, stronger encryption or authentication programs, these represent yet another point solution in a sea of cybersecurity technology choices that simply add to the complexity of the computing environment, don’t integrate well with ancillary security protocols and create additional false positives that no one has the skilled human resources to deal with.

Now that we have driven on our own volition outside the more easily controlled perimeter defenses around a contained IT infrastructure to connect to remote fixed and mobile devices, sensors and “things”, we have popped the top and let the genie out of the bottle. I doubt that she will be climbing back in any time soon.

We should all know by now that IoT adoption in the enterprise is growing rapidly. The data shows that we went from 8.7 billion connected devices in 2012 to 22.9 billion this year and are moving toward an estimated 50+ billion by 2020. There is good reason for that growth as IoT has the potential to radically change almost every business process—from manufacturing and design to marketing and sales … for the better. The impact shows up most clearly where traditionally isolated critical infrastructures like industrial control systems (ICS), and supervisory control and data acquisition (SCADA) computing environments are becoming connected to gain new capabilities, and redefining the IT infrastructure to include IoT.

These new connections of course introduce expanded risks and increased vulnerability, exposing weaknesses that were previously hidden by the obscurity of non-connectivity. As a result, energy, healthcare, retail, financial services, and manufacturing are all rethinking their security models, as they are no longer tasked to only protect people and their connections to systems, but also to secure things connecting to other things.

We have seen how difficult it has been to defend our networks during the last 5 years of growth.

We have gone from the first sharing and commerce Internet era in the early 2000’s through 2010 characterized by consumer explosions around products like Napster and BitTorrent, YouTube, Facebook and Twitter to the second sharing era driven by personal apps like SnapChat and Instagram now co-mingled with enterprise data through programs like BYOD to a future where everything will be connected with everything.

The transition from closed networks to enterprise IT networks connected to the public Internet is accelerating at a remarkable pace—and is raising alarms about security. With the billions of objects that are expected to be networked within the next few years, issues of identity and trust, data protection, access control, and device control should all be areas of grave concern.

Do you think the future of cybersecurity defense will be [a] harder or [b] easier? And, given that our current success rate diminishes steadily year over year (16% more successful breaches in 2016 than in 2015), do you think we will be [a] more successful in the future, or [b] less successful?

Our success rate in combating ransomware is a small example of how poorly we have been coping with the onslaught. Imagine the terrifying convergence of ransomware and the expanding IoT raising questions like how much you would be willing to pay to regain access to your TV programming, or your refrigerator, you baby monitor, your car, or your defibrillator?

In the world of healthcare alone, as more medical devices are coming online and are sharing patient data, the attack surfaces are expanding and putting sensitive healthcare data at risk of being breached. Future medical devices must be built to withstand attack, yet be easy to update and manage. Embedding device integrity into IoT systems is critical to be able to enforce and validate trust using whitelisting, change control, and memory protection to lock down systems and applications in multitenant environments.

Medical devices are expensive and difficult to re-engineer. New devices will drive already exorbitant hospital treatment and medical exam costs through the roof. Can the healthcare industry figure out a way to balance risk and cost and emerge on the other side with the proper answer for its patients?

Today, the fear of false positives and delays for patients means that over 75 percent of hospital network traffic goes unmonitored, putting connected devices with access to sensitive patient information at risk. Think about that number the next time you are being wheeled into surgery.

In addition, we will have to quickly evolve security into point-of-sale and retail networks, going well beyond the EMV readers and chip card defenses as more retail slides over to online where those readers and that technology is useless. Having endured targeted attacks, retailers now face new mobile payment systems from non-traditional devices and expanding wireless and wired connections that will try to leverage IoT devices of the future.

This alone is a hard problem.

And we need to figure out how to defend industrial control systems and critical infrastructure where energy, manufacturing, telecommunications, and financial services now qualify as active sector participants. Device identity, malware protection, data protection, and resiliency are required—all tailored to tomorrow’s machine-to machine environments and highly distributed IoT network operations.

If we continue to try doing all of this in isolated product silos we will end up where we are today, only less safe and increasingly less protected against future threats. So much is at stake now that I look forward to RSA 2017, not with the hope or expectation that we will see some shared vision Manhattan-like project forming to fight the forces of evil, but rather a glimmer of progress toward the recognition and acknowledgement that we are [1] in a war and that [2] we are losing.

Instead, I fear we will see the launch of another 35 venture-backed point solutions based on predictive analytics, advanced data science, adaptive machine learning, artificial intelligence and cognitive piped neural networks that will surely rock those bad guys back on their heels this time and ban them forever into the deep recesses of cyberspace.

A handful of investors and entrepreneurs will get rich, yet we won’t be one step closer to a secured business, organizational or homeland environment than we were at the same time last year.