By Sharon Florentine
Dec. 1, 2016
"Wouldn't it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, 'Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,'" Millis says.
7. Internet of threats?
IoT vulnerabilities and attacks will rise and will increase the need for standardization for various security measures -- hackers at this year's Def Con found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.
And, of course, in October 2016 the massive DDoS attack on major global websites including Twitter, Netflix, Reddit and the UK government's sites -- was reportedly powered by the Mirai botnet made up of insecure IoT devices.
"A lot of attention is focused on 'smart devices' as proof of IoT's growing influence. The reality is a connected device doesn't make it a smart device. The 'things' that are being connected often 'fire-and-forget' in their simplicity, or are built-in features and tools we may not even know are there -- like the routers used in the Mirai botnet. This leads to a mindset of ignoring these 'dumb' devices without paying attention to the fact that these devices, while inherently 'dumb', are connected to the biggest party-line ever made: the internet," says Bomgar's Matt Dircks.
This isn't just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn't even particularly focused on the possibility of another DDoS attack. What's more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.
"I'm not worried about things like, if my connected showerhead turns on hot or cold. I think there's a fairly significant chance we'll see a major hack on power grids or on transportation systems like rail in 2017. This is the 'dumb' IoT that's still out there -- the technology from the 1950s and 1960s that's powering these critical infrastructure systems that is almost totally unsecured," he says.
This is a perception problem; the general public doesn't tend to see these systems as being similar to the IoT devices they use with increasing frequency -- even mobile phones can fall into that category, says Millis.
"Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits, as older technology, but think about it. It's nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence," Millis says.