Balancing the Sharing of Information

CyberSecurity Journal

Subscribe to CyberSecurity Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get CyberSecurity Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Security Authors: Shelly Palmer, Slavik Markovich, Elizabeth White, Greg Ness, Liz McMillan

Related Topics: Mobile Enterprise Application Platforms, CyberSecurity Journal, Internet of Things Journal

Article

When Things Attack! | @ThingsExpo #IoT #M2M #API #Security

The hacking game has changed

As I started writing this blog, I happened to be watching an episode from the new season of Black Mirror on Netflix. Black Mirror is a Sci-Fi anthology series, ala the Twilight Zone, although with a much darker perspective on both humanity and technology. I found the episode, ‘Most Hated in the Nation' somewhat apropos to my topic. The episode follows a police detective investigating the apparent murder of a columnist. This individual has been deluged with social media hate diatribes that would seem familiar to many. As the investigation continues, more mysterious deaths occur, with the victims all being targets of similar social media anger. Meanwhile, in the background, there are various news stories and visual cuts to ADIs (Autonomic Drone Insects). These tiny bee-like drones are being deployed throughout the country to replace the dying bee population, allowing for the continued pollinizing of crops.

Spoiler alert! As you can probably guess, it turns out someone was able to hack into the ADIs to pervert their actual purpose. The drones were killing the individuals in a rather gruesome fashion and the killer was using the social media hate to target his victims. There was the obligatory arguments from the manufacturers that the ADIs could not be hacked.... pause for effect...except for the back doors the government forced them to put in so the drones could be used for surveillance. Then enter the standard disgruntled employee who leveraged the back doors to make a very public and violent social statement about spewing hate in social media without consequences. (As I mentioned, Black Mirror takes a very dark view on both humanity and technology in most of their episodes.) The killer hacked millions of small intelligent devices, and turned them into weapons.

The recent Internet outage, a new kind of attack
On Friday morning, October 21, the first of several DDoS (Distributed Denial of Service) attacks on the core DNS infrastructure of the Internet on the East coast occurred. This attack caused significant outages for major internet sites such as Twitter, Spotify, Reddit, and Amazon. I was working remotely for a client and felt the impact directly. The client provides consultants access to their internal environments via Amazon Workspace. On Friday morning, we could not get access to that environment while the attack was occurring, which, as you can imagine, made for a very frustrating day.

DDoS attacks are not a new phenomenon. However, there were several key things that made this one a little different:

  • Most DDoS target a specific website or company. This one targeted a key part of the internet infrastructure, DNS, provided by a particular vendor, Dyn. This resulted in it having much broader reach and impact.
  • Dyn described the attack as a "very sophisticated and complex attack." As Dyn took mitigation steps against the attack, it would change, and adapt, making their efforts to respond much more difficult. They would start blocking the attack from one area, and very shortly, new IP addresses from a completely different part of the world would start attacking.
  • The attack was coming from tens of millions of discreet IP addresses from around the world. In the past, these kind of attacks came from hijacked computers and laptops that had been infected with malware. This attack went further. Besides the same hijacked computers, this attack also used infected "Things" from the Internet of Things. Devices like DVR's, webcams, baby monitors, and home routers.

Mr. President, they are using our own devices against us
Okay, I admit, a little corny, but the point is a valid one (bonus points if you can identify the movie I am paraphrasing). The Internet of Things (IoT) is growing at astronomical rates. Gartner predicts that by the end of this year there will be over 6.4 billion "things" on the Internet, up 30% from last year. They estimate we are currently adding 5.5 million devices every day. A common topic of discussion and concern in the IoT space is security. As those that frequently read my articles know, this is a topic near and dear to my heart, quite literally. I have a pacemaker and insertable cardiac monitor in my chest (see my recent blog, ‘Musings on the Internet of Things - I am now a Thing'). Whenever the words IoT and Security show up in my newsfeed, I pay attention.

Most often when discussing security concerns related to the Internet of Things, the conversation tends to focus on two aspects:

  • The increased attack surface: All of these devices extend the attack surface of networks, providing more potential entrée points into a corporate network.
  • The potential lack of solid security implementation in these devices. Many devices still ship with standard default username/passwords, and sadly, many users never bother changing them (see my blog ‘Hacking and the Internet of Things' for some detailed descriptions of this).

This attack takes the first item of concern, attack surface, and completely flips it on its head. Instead of worrying about the devices acting as an entrée point to access data, we now have to worry about the devices being an actual tool and weapon in the attacks themselves. While not going to the extreme level of the Black Mirror episode I mentioned at the beginning, the hackers have started weaponizing our Things on the Internet. They are using them against us. The hackers are able to accomplish this in large part due to the second item of concern I mentioned. The lack of security implementations on many devices is a continuing struggle in the world of the Internet of Things. Balancing consumer ease of use with security is like walking a tightrope over a tank full of hungry sharks. Striking that balance is never easy.

No, the Things are not going to destroy civilization as we know it
This is not meant to be a doomsday prophesy. I do not subscribe to the dark view of humanity and technology displayed in Black Mirror. The Internet of Things, like any disruptive technology, has the ability to turn our viewpoints and paradigms on their heads. Last week's attack is a prime example of that. Given the raw numbers, the Internet of Things genie is out of the bottle, and there is no putting it back in. No technology negates the need for good design and planning. Those designs and plans must always include security as a key area of focus.

As technologists, we need to look at security from a different perspective. We have to think about the potential hackers differently. In the old paradigm, it was simple: protect the data, protect the boundaries of the data centers. That is still valid and needs to be done. But in addition, we need to look through the lens of disruptive technologies and work with vendors to implement stronger security measures on their devices. Work with educating end users about their use of these devices, ensuring they do not compromise them in the name of ease of use. We also need to look at other new disruptive technologies that could help in this battle. For example, machine learning is starting to be looked at as a tool that might help identify and respond to a security breach, adapting to changing attack patterns.

Ultimately, security in the world of technology is always a delicate balancing act between access, usability, and protection. It is critical to understand the risks, work with the business to educate them on the balance/tradoffs, and take the appropriate measures to ensure the proper balance is maintained. Oh, and if you hear a bee buzzing near your head, ignore it, I am sure it's nothing.

Register for @CloudExpo/@ThingsExpo 'FREE' Before Friday! Here

@ThingsExpo - The World's Largest 'Internet of Things' Event, November 1-3, 2016, at the Santa Clara Convention Center!

Secrets of Sponsors and ExhibitorsHere
Secrets of Cloud Expo SpeakersHere

All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades.

@CloudExpo / @ThingsExpo 2016 Silicon Valley
(November 1-3, 2016, Santa Clara Convention Center, CA)

@CloudExpo / @ThingsExpo 2017 New York
(June 6-8, 2017, Javits Center, Manhattan)

With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be.

Register for @CloudExpo/@ThingsExpo 'FREE' Before Friday! Here

Track 1: Enterprise Cloud & Digital Transformation
Track 2: Microservices | Cloud Hot Topics
Track 3: Internet of Things & Cloud
Track 4: APIs & Cloud Security
Track 5: Big Data Analytics
Track 6: DevOps, Continuous Delivery & Containers
Track 7: Enterprise IoT & IIoT
Track 8: IoT Developer
Track 9: Consumer IoT | IoT Hot Topics

Delegates to Cloud Expo | @ThingsExpo will be able to attend 9 simultaneous, information-packed education tracks.

There are over 120 breakout sessions in all, with Keynotes, General Sessions, and Power Panels adding to three days of incredibly rich presentations and content.

Join @CloudExpo | @ThingsExpo conference chair Roger Strukhoff (@IoT2040), June 7-9, 2016 in New York City, for three days of intense 'Internet of Things' discussion and focus, including Big Data's indispensable role in IoT, Smart Grids and Industrial Internet of Things, Wearables and Consumer IoT, as well as (new) IoT's use in Vertical Markets.

About SYS-CON Media & Events
SYS-CON Media (www.sys-con.com) has since 1994 been connecting technology companies and customers through a comprehensive content stream - featuring over forty focused subject areas, from Cloud Computing to Web Security - interwoven with market-leading full-scale conferences produced by SYS-CON Events. The company's internationally recognized brands include among others Cloud Expo® (@CloudExpo), Big Data Expo® (@BigDataExpo), DevOps Summit (@DevOpsSummit), @ThingsExpo® (@ThingsExpo), Containers Expo (@ContainersExpo) and Microservices Expo (@MicroservicesE).

Cloud Expo®, Big Data Expo® and @ThingsExpo® are registered trademarks of Cloud Expo, Inc., a SYS-CON Events company.

More Stories By Ed Featherston

Ed Featherston is VP, Principal Architect at Cloud Technology Partners. He brings 35 years of technology experience in designing, building, and implementing large complex solutions. He has significant expertise in systems integration, Internet/intranet, and cloud technologies. He has delivered projects in various industries, including financial services, pharmacy, government and retail.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.