Intel exec: IoT devices a breeding ground for hacks
In a cyber-world that's changing so quickly it's impossible to keep up, the only option for security leaders is to try to set the agenda themselves.
Matthew Rosenquist, Intel‘s cyber security strategist, painted a pretty bleak picture of the cyber-security landscape during an education session at ISC West, held this week in Las Vegas, Nev.
The numbers can be staggering, and for the most part are only approaching the size of the real threat. The annual impact of cyber crime is an estimated US$450 billion — but it is likely a lot higher, says Rosenquist. Likewise, the ballpark figure of a 200 per cent increase in cyber-crime in the last five years is probably only scratching the surface.
The degree to which the threats are multiplying is due to a number of major factors. For example, the number of Internet-connected devices has skyrocketed. There is more data (and more valuable data), more devices, greater adoption of the Cloud, and the projected number of IoT-enabled devices will be in the hundreds of billions over the next few years. Everything from fitness devices people wear 24/7 to pills they can swallow that monitor their health status are Internet enabled.
“Do you really need an Internet-connected rice cooker? It’s available if you want it. We are seeing a huge jump in this and it’s not going away,” says Rosenquist.
Unfortunately, no amount of preparation is going to make devices 100 per cent secure. Millions of man hours are devoted to the creation major releases of operating systems, but they can be cracked by hackers in a fraction of that time. Rosenquist estimated that any of the cameras that are available on the ISC West trade show floor could be compromised in a day or two regardless of how many promises manufacturers make about the resilience of their security.
“At the end of the day, we’re here to seek an optimal balance,” says Rosenquist, since there is virtually no way to guarantee the security of a network. “Even if you could do it just for a day, it wouldn’t stay that way.”
The number of opportunities for cyber criminals is increasingly exponentially due to a number of factors. For one, they are willing to freely share information (as well as code) in order to achieve common objectives. Attacks are also successful and highly lucrative. “Ransomware is going to be the bane of our existence this year,” says Rosenquist, describing a practice where criminals will invade a system, encrypt valuable information, then extort money in exchange for the key to open it. Larger scale attacks, against financial institutions, for example, can involve millions of dollars, and potentially more. “We predicted this year we’re going to see a billion dollar heist,” he says.
To make matters worse, code that was created to help keep attackers out can be appropriated, retooled and used against the people it was supposed to protect.
The odds may seem insurmountable, says Rosenquist, but that doesn’t mean organizations are without options. The immediacy and seriousness of the cyber-security problem has put it squarely in the sights of the C-suite, he says — partly because top level executives are now being called upon to take a direct role in protecting data. Failure to do so has resulted in some high-profile ejections from very senior positions at major companies. Strong leadership can make a vital difference in the degree to which an organization makes itself more resilient to possible attack, he says.
Law enforcement is also reacting differently to cyber threats today and there is a greater degree of international co-operation, which is resulting in much greater probabilities of accused hackers being brought to justice. Likewise, there are more stringent regulations coming into play that demand a minimum level of cyber-readiness and accountability from organizations that are charged with protecting sensitive data. And, of course, users can choose who they do business with — companies that demonstrate that data protection is important to them will benefit accordingly.