Across the globe, lives and livelihoods are increasingly moving online, physical and digital worlds are beginning to overlap, and digital currencies with no real-world equivalent can buy real-world goods and services. Artificial intelligence is powering autonomous vehicle decision-making, finding new drug candidates daily and personalizing lessons to help students learn. At the same time, doctors are performing life-saving surgeries on the other side of the globe via the internet and robot proxies, while networked sensors shake up industries from power generation to public transit. Every year, the list of industries being disrupted by sensors, smart machines and microprocessors expands.
For information-security professionals, successfully defending against the fire hose of now-nonstop online attacks is both the stuff of nightmares and the reason to get out of bed in the morning. Who’s winning — the attackers or the defenders? Given the daily drumbeat of successful intrusions that cripple companies’ operations and erase millions of dollars in stock value overnight, it’s hard to tell.
Today, 6 million to 11 million new malware infections will be recorded on computers running just one type of antivirus software.6 Around 700 phishing attacks will be launched in hopes of luring unsuspecting people into clicking a fraudulent link that will let a scammer steal their personal data or gain access to a business network. A new malware specimen will emerge on the internet about every four seconds.
An unknown number of hackers will spend about $150 to rent a botnet for a week to launch a distributed denial of service (DDoS) attack aimed at taking down an online service or a network by flooding it with traffic. Cumulatively around the world, these attacks regularly fire 500 gigabits per second of weaponized data at business and government servers to consume network bandwidth and shut the targets down.
It’s clear that these attacks — almost all financially motivated — aren’t aimed only at big targets such as the Indian banks hit by a data breach in 2016 or major organizations such as Sony, Equifax and Yahoo. Hackers are also looking to extort small and mid-sized businesses, health-care providers, municipal governments and other networks. In fact, there’s so much monetary incentive that the threat is mushrooming. One analysis puts the cost of cybercrime by 2021 at $6 trillion — yes, trillion — a value greater than the gains produced by the entire world trade in illegal drugs.
Don’t neglect the obvious
These threats are all too familiar to information-security expert Jason O’Keeffe, an HP Print Security Advisor. He knows that attackers get plenty of help from careless user behavior and from defenses that never get fully deployed, because many organizations have no dedicated security staff, or too little of it.
While assessing companies’ computer networks for vulnerabilities, O’Keeffe has seen all kinds of problems that make a hacker’s work easier, including glaring omissions by IT departments that should know better.
During one such assessment, O’Keeffe was asked to snoop around a massive manufacturer’s IT infrastructure. Among numerous problems, he found that the default factory-set passwords hadn’t been changed on 90 percent of the company’s 36,000 printers spread around the network, so anyone who could reach a printer and look up the vendor’s published default could log in as its administrator and bypass every security control on the device. Further investigation by O’Keeffe found that many printers were incorrectly configured, which could have allowed an outsider to gain access to the printers and reconfigure them to steal data from the network — or hijack them into service as a botnet. “The VP slammed the table and said, ‘Jason, are you kidding me?’” O’Keeffe recalled. “He was fuming.”
For today’s hackers, the massive profit potential drives innovation and creativity. Among the greatest threats, says Albright, are botnets — the automated tools built out of thousands of hacked IoT devices. To create a botnet, scammers hijack the processors of unsecured machines, then use the compromised devices to mine bitcoin — or they can rent their botnet to others to launch ransom-seeking DDoS attacks.
Daniel Kalai, the founder of managed IT service companies that include home and small-business cybersecurity firm Shieldly, agrees with Albright and O’Keeffe that the focus needs to be on securing a network’s edges and endpoints.23 But he believes the pendulum has swung too far from thinking in terms of prevention to an over-weighted focus on recovery. He disagrees with the notion that a compromised network is inevitable in today’s digital landscape.
Think like da Vinci: More art is needed in the science of cybersecurity
The term Renaissance Man — for someone whose talents span disparate fields — was created with Leonardo da Vinci in mind. The painter of masterpieces such as The Last Supper and the Mona Lisa was as much an engineer as he was an artist. As a military engineer for almost two decades, da Vinci fortified Milan’s defense system while also inventing and improving its weapons. Throughout his life, he also created and refined bridge-building techniques and improved machine components such as worm gears and flywheels. He was an expert in hydraulics and even designed a spring-driven automobile.
The cybersecurity world could take a few lessons from the master. Current and evolving cybersecurity threats demand a blend of art and science — specifically with respect to design.
Some enterprise-scale organizations have the resources to extend protection out to the periphery of their networks. But many mid-sized businesses and enterprises haven’t locked down all of their smartphones, scanners, printers and IoT devices.30 HP’s Albright says her talks with customers often reveal an unexpected lack of concern for securing the endpoints of complex networks.
But first, IT departments must make sure they cover the basics:
- Develop and adhere to strict security protocols, including requiring that factory-set passwords and maintenance access codes be changed immediately on every device.
- Maintain timely security-patch and update schedules for all networked devices.
- Turn on automatic updates, or apply them urgently, for operating systems and applications, firewalls and antivirus definitions.
- Keep employee rolls up to date and promptly revoke access for anyone who no longer works there.
Security researcher Griffin notes that cybersecurity professionals are engaged in an asymmetric war in which they have to be successful every day, but the enemy only needs to be successful once. He offers these best practices to boost cybersecurity in the long run:
- Put in place processes that are easy to follow, not overly complex, and don’t seem like magic.
- Provide simple, consistent advice to users.
- Use 2-factor authentication whenever possible, since there are so many problems with passwords and business-password policies.
- Don’t buy on price alone: turn good security policies into good security products, and good security products into good security-procurement decisions.
- Don’t settle for “security theater” and ticking off boxes when setting your company’s security policies.
- Make sure the security features you’re paying for are actually making your organization secure.
- Produce more meaningful reports by getting analytical tools that show not just how many attacks and viruses your security system stopped in a month but also how many of those were new and unique.
- IoT device manufacturers should build security into their products from the start and make sure they’re “secure by default.”
The importance of employee education
The modern dissolution of office walls exacerbates a problem that has always been central to security lapses — human behavior. Employees skip cumbersome security protocols in the interest of productivity and are often unaware that some of their online behavior is dangerous. That’s why small, inadvertent acts of poor online hygiene are more often than not what lies behind crashed networks, exfiltrated intellectual property or customer data, and endpoints conscripted into botnets. “There’s always someone who will click on a malicious link in an email,” says Albright.
One well-known anti-malware company reports that only 3 percent of the malware it sees exploits a technical flaw. The other 97 percent relies on social engineering: getting an unsuspecting victim to click a link in a phishing email or to hand over sensitive data such as passwords and bank account numbers.
Key points for non-IT employee training include:
- Don’t use the same password across different personal and work sites.
- Don’t leave sensitive materials on printers.
- Lock your computer and devices when you step away from them. Use privacy screens that keep others from reading what is on your display.
- Don’t, don’t, don’t click on links without thinking about it.
Through the looking glass: Machine learning and artificial intelligence
While the best current cyber-defense practices include layered technology, biometric logins and network monitoring, combined with good online-hygiene education for employees, keeping our digital neighborhoods safe is starting to get some help from AI via machine learning.
Another HP advance can protect those vulnerable network-connected endpoint printers. Developed at HP Labs and available now, HP Connection Inspector is an intelligent, embedded security feature that learns what a printer’s normal network behavior looks like and then watches for suspect changes. When it detects unusual outbound data, it notifies administrators, shuts down the suspect communications and then forces a self-healing reboot to remove the malware and stop the attack.
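To make the learn-then-watch idea concrete, the following is an added example written for this page; it is not HP Connection Inspector code and makes no claim about how that feature is implemented internally. It baselines a printer’s outbound traffic from a learning window (which endpoints it talks to, and the peak bytes sent per minute), then treats a connection to an endpoint outside that set as suspect and blocks it, and treats a volume spike to a known endpoint as a likely exfiltration and requests the reboot. The flow-record fields, the threshold multiplier and the sample traffic are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int, str]          # (dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Flow:
    ts: int          # unix seconds at which the flow was observed
    dst: str         # destination IP the printer connected to
    dport: int       # destination port
    proto: str       # "tcp" or "udp"
    bytes_out: int   # bytes the printer sent in this flow


@dataclass
class Baseline:
    endpoints: Set[Endpoint] = field(default_factory=set)
    peak_bytes_per_bucket: int = 0       # busiest bucket seen while learning


class PrinterMonitor:
    """Learn a printer's normal outbound endpoints and volume, then alert on
    anything outside that envelope. Illustrative design, not a product API."""

    def __init__(self, bucket_s: int = 60, volume_factor: float = 3.0) -> None:
        self.bucket_s = bucket_s            # width of the volume-accounting bucket
        self.volume_factor = volume_factor  # spike = this many times the learned peak
        self.baseline = Baseline()
        self.blocked: Set[Endpoint] = set()
        self.reboot_requested = False       # stands in for the self-healing reboot

    def _bucket(self, flow: Flow) -> int:
        return flow.ts // self.bucket_s

    def learn(self, flows: List[Flow]) -> Baseline:
        """Learning phase. Assumes the learning window itself is clean; any
        baselining detector has to make that assumption, so the learned
        endpoint list should be reviewed by a human before enforcement."""
        per_bucket: Dict[int, int] = defaultdict(int)
        for f in flows:
            self.baseline.endpoints.add((f.dst, f.dport, f.proto))
            per_bucket[self._bucket(f)] += f.bytes_out
        self.baseline.peak_bytes_per_bucket = max(per_bucket.values(), default=0)
        return self.baseline

    def monitor(self, flows: List[Flow]) -> List[Tuple[str, str]]:
        """Detection phase: returns (kind, detail) alerts in time order."""
        alerts: List[Tuple[str, str]] = []
        per_bucket: Dict[int, int] = defaultdict(int)
        threshold = self.volume_factor * self.baseline.peak_bytes_per_bucket
        for f in sorted(flows, key=lambda x: x.ts):
            ep = (f.dst, f.dport, f.proto)
            if ep in self.blocked:
                alerts.append(("dropped", f"{f.bytes_out}B to {f.dst}:{f.dport}/{f.proto} (blocked)"))
                continue
            if ep not in self.baseline.endpoints:
                self.blocked.add(ep)          # shut down the suspect communication
                alerts.append(("new-endpoint", f"{f.dst}:{f.dport}/{f.proto} not in baseline; blocked"))
                continue
            b = self._bucket(f)
            per_bucket[b] += f.bytes_out
            if per_bucket[b] > threshold and not self.reboot_requested:
                self.reboot_requested = True  # known peer, abnormal volume: remediate
                alerts.append(("volume-spike", f"{per_bucket[b]}B in one bucket to {f.dst}:{f.dport} exceeds {threshold:.0f}B"))
        return alerts


# Constructed sample traffic (not a real capture). The printer normally talks to
# a print server (IPP/631), a directory (LDAP/389) and an update host (443).
T0 = 1_700_000_040                       # chosen so T0 is on a 60-second boundary
LEARNING = [
    Flow(T0 + 10, "10.0.0.5", 631, "tcp", 4_000),
    Flow(T0 + 20, "10.0.0.10", 389, "tcp", 800),
    Flow(T0 + 70, "10.0.0.5", 631, "tcp", 6_000),
    Flow(T0 + 130, "10.0.0.20", 443, "tcp", 12_000),
    Flow(T0 + 190, "10.0.0.5", 631, "tcp", 5_000),
]
LIVE = [
    Flow(T0 + 3_600, "10.0.0.5", 631, "tcp", 5_000),        # normal print job
    Flow(T0 + 3_610, "203.0.113.7", 443, "tcp", 2_000),     # never-seen external host
    Flow(T0 + 3_620, "203.0.113.7", 443, "tcp", 900_000),   # follow-up, already blocked
    Flow(T0 + 3_700, "10.0.0.5", 631, "tcp", 40_000),       # known host, 3.3x learned peak
]


def demo() -> List[Tuple[str, str]]:
    m = PrinterMonitor()
    m.learn(LEARNING)                    # peak bucket is 12,000 bytes; threshold 36,000
    return m.monitor(LIVE)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, "-", detail)
```

Two caveats a practitioner should carry over from this toy to any real deployment: a baseline learned while a device is already compromised will whitelist the attacker’s endpoint, and a volume threshold tuned to one printer will false-alarm on a busier one, so baselines must be per device and re-learned after firmware updates or role changes.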
Bringing IoT devices under the defense umbrella
Embedding processors and internet access into thermostats, motion sensors, lighting and other systems enables an office building to find significant energy savings on its own based on occupancy, time of day and even the weather. A wind turbine reports back to managers that gears inside its nacelle are vibrating too much and need attention.34 A commercial jet engine and flight computer work together to make minute changes that decrease fuel burn and shave time off a route.
IoT manufacturers will need to learn what the rest of the technology industry has learned over decades of insufficient focus on security: IoT devices need to be built with security at their core.