IoT a heaven for hackers

By Ilva Pieterse, ITWeb contributor
Johannesburg, 26 Apr 2016
IBM SA's security sales leader Kevin McKerr.

Those still finding it hard to envision the extent of the impact the Internet of Things (IoT) will have on the way people live and work should try this: imagine for a moment the reality of a life without internet connectivity or the existence of the World Wide Web. Do you feel anxious, stressed, fearful and insecure? In less than ten years' time, we're expected to already be irreversibly dependent on an IoT-enabled reality.

By 2020, 75 percent of businesses will be digital businesses or preparing to become one, says research firm Gartner.

It has also estimated 6.4 billion connected things to be in use worldwide this year, up 30 percent from last year. That means an average of 5.5 million new things are being connected every day. By 2020, Gartner expects this number to reach 20.8 billion, which is conservative compared to what some other organisations are predicting.

The Business Insider Report, for instance, has put the expected 2020 figure at 34 billion devices connected - IoT-enabled devices will account for 24 billion of the total, while traditional computing devices (smartphones, tablets, smartwatches, etc.) will comprise ten billion.

Cisco (and DHL) foresee over 50 billion things connected to the internet by 2029, which equates to seven times the human population.

But wait...

How will such a dramatic revolution in the way we work, live and play impact security?

"It will open Pandora's Box as far as cyber security is concerned," states Cisco SA's consulting systems engineer: security solutions Greg Griessel.

IoT will greatly increase the current threat landscape, says Griessel. "An increase in connected devices and variety of devices means an increased difficulty in securing them all. This, of course, leaves attackers with more to target."

An interesting attack tactic IoT facilitates is the use of a single launch point for further attacks. For instance, says Griessel, a connected fridge will likely not be secured very well. It doesn't seem to offer much to the cybercriminal in the way of rewards. However, a cybercriminal will use an unsecured fridge as an easy entry point into the home network, to ultimately gain access to a user's laptop or other mission-critical devices. "This is why, irrespective of the importance of the device itself, all connected things should be considered equally critical and secured accordingly," he says.

Fortinet's major account manager Paul Williams further expands on this concept. "In future, when all IP devices are connected, you could find attackers targeting a wide range of everyday objects, such as point of sale systems, branch office alarms and even healthcare equipment like pacemakers and heart monitors." In the home, he continues, smart TVs might be accessed to steal the user's identity and commit fraud, while children's monitors and wearables might be accessed in order to track their movements.

And if that isn't terrifying enough, ALCATEL ONETOUCH country manager for SA Ernst Wittmann reminds us that there have already been cases where smart cars have been hacked into and their brakes shut off.

Wearables are another area that requires attention, especially since they're becoming so popular. "Cybercriminals can easily hack into wearables and get hold of data such as health information. They could also manipulate this information or gain control of a patient's wearable, resulting in fatal consequences," says Wittmann.

Is SA ready?

IBM SA's security sales leader Kevin McKerr envisions new potential attacks to include obtaining private or confidential data, manipulating or controlling devices, or confusing or denying service to applications that use and supply data within IoT systems.

"The IoT attack surface is much larger than most people can even imagine. Add to that the outrageous growth in the amount of data we're collecting, and things start to look pretty scary, pretty quickly. The world is expanding well beyond the traditional controls that are in place in the enterprise," he warns.

"Because IoT is still in its early stages, the extent of the crimes that could be committed using IoT technologies is not yet known, but it's clear that hacking for profit or revenge will become a whole lot easier when everything is connected," says Williams.

McKerr believes South Africa is no less prepared than the rest of the world for the coming of IoT. "Remember, this is happening globally. The number of connected devices and amount of data are increasing exponentially worldwide, and I believe the world is generally unprepared security-wise. Not only does the enterprise have to deal with a plethora of new considerations resulting from IoT technologies, it is something that has implications at country-level as well. Consider IP-connected water supplies and traffic lights, for instance - we need to realise that these new considerations fall far beyond what we are used to - like accidentally sharing the wrong picture on Facebook."

Cybersecurity concerns weigh on minds of executives

From Cisco 2016 Annual Security Report

Obviously, in-depth security can help enterprises avoid calamitous breaches and attacks. But can it help improve the chances of a company's success? According to an October 2015 Cisco study of finance and line-of-business executives regarding cybersecurity's role in business and digital strategy, enterprise executives understand that protecting their businesses from threats may dictate whether they succeed or fail. As organisations become more digitised, growth will depend on their ability to protect the digital platform.

As the survey shows, cybersecurity is a growing concern for executives: 48 percent said they were very concerned, while 39 percent said they were moderately concerned about cybersecurity breaches. This concern is on the rise; 41 percent said they were much more concerned about security breaches than they were three years ago, and 42 percent said they were a little more concerned than before.

Business leaders are also anticipating that investors and regulators will ask tougher questions about security processes, just as they ask questions about other business functions. Ninety-two percent of the respondents agreed that regulators and investors will expect companies to provide more information on cybersecurity risk exposure in the future.

Enterprises also appear to have a keen sense of the cybersecurity challenges they face. The inability of cybersecurity policies to keep pace with business change was the most common challenge cited, followed by the lack of metrics to determine security effectiveness (27 percent).

About a third of executives are also worried about their ability to safeguard critical data. When asked to name the types of information that are most difficult to protect, 32 percent selected 'confidential financial information'.

Respondents named 'customer information' (31 percent) and 'confidential business information' (30 percent) as the next two most difficult types of data to protect.

Security threats only set to increase for IoT

Source: Kaspersky

Internal information security incidents are still among the highest, a fact that does not bode well for IoT. As many as 63 percent of companies in South Africa were affected by internal information security incidents last year, says Kaspersky Lab in a joint study with B2B International.

"As a company's IT infrastructure expands, so does the threat landscape. New components add new vulnerabilities. The situation is aggravated by the fact that not all employees - especially those with no specialist IT knowledge - can keep pace with a changing IT environment," says Denis Legezo, security researcher, Global Research and Analysis Team at Kaspersky Lab.

The survey found that 21 percent of the companies around the globe affected by internal threats lost valuable data that subsequently had an effect on their business. In addition to data leaks, internal threats include the loss and theft of employees' mobile devices. Nineteen percent of respondents confirmed that they lost a mobile device containing corporate data at least once a year.

"It's no secret that a security solution alone is not enough to protect a company's data. And the results of this study confirm that," says Legezo. "What's required is an integrated multi-level approach powered by security intelligence. It should include employee education, the use of specialised solutions and the introduction of security policies, such as restricting access rights."


According to Kaspersky Lab's predictions for this year, we will see a significant evolution in cyber espionage tradecraft. "First, there will be a dramatic change in how advanced persistent threats (APTs) are structured and operated. It is expected to see a decreased emphasis on 'persistence', with a greater focus on memory-resident or fileless malware, reducing the traces left on an infected system and thereby avoiding detection," Legezo says.

Experts also see that there is less urge to demonstrate superior cyber skills, so return on investment will rule much of the nation-state attacker's decision-making. "Therefore, there will be an increase in the repurposing of off-the-shelf malware rather than investment in bootkits, rootkits and custom malware that gets burned by research teams," he says.

In a more long-term perspective, there is an expectation that more newcomers will enter the APT space. Cyber-mercenaries will grow in number as more parties seek to gain from online attacks. These are expected to offer attack expertise to anyone willing to pay, and also to sell to interested third parties digital access to high-profile victims, in what could be called an 'Access-as-a-Service' offering.

Consumer threats will also evolve. According to experts, ransomware will be gaining more ground on banking Trojans and is expected to extend into new areas such as OS X devices, often owned by wealthier and therefore more lucrative targets, in addition to mobile and the IoT.

"Cybercriminals are constantly looking for new ways to make their victims pay. Therefore, alternative payment systems such as ApplePay and AndroidPay, as well as stock exchanges, are expected to become growing targets for financial cyber-attacks," warns Legezo.

As for South Africa, Kaspersky Lab sees a decrease in internet pricing from internet service providers and more affordable mobile data plans being available. "Therefore, we are likely to get an increase in online users, together with an increase in the number of attacks targeting their financial and personal data on mobiles and PCs. Ransomware has seen a rise this year in South Africa, and, unfortunately, the trend will not change. Also, there are more and more companies choosing to keep their data in the cloud due to the reduced costs and the increased internet speed, so the opportunity for malware writers to steal company data has become a much bigger risk than a few years ago," he adds.

To minimise the risks of future cyber-attacks, businesses should create and deploy a complete security strategy. It is important to educate staff about cybersecurity, implement multi-layered endpoint protection with extra proactive layers, protect all elements of infrastructure, patch vulnerabilities, mind everything that is mobile and implement encryption for communication and sensitive data.

"We recommend that the issue of comprehensive security should not be neglected, as reliable multi-level protection can prevent a company from incurring additional costs not only from external, but also internal security incidents. In particular, technology that protects against phishing attacks, encryption, protection of mobile devices, virtual infrastructures and financial transactions all provide reliable targeted security for the individual nodes of a corporate IT infrastructure. And the implementation of various security policies, together with specialist services such as incident investigations, independent evaluations of a company's IT infrastructure and staff training will minimise the risk of threats," Legezo concludes.

This article was first published in the April 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.