Emerging technologies and IT security

Emerging technologies are hyped as innovation accelerators. But without built-in security, the digital transformation may become system-critical for businesses.

Text: Michael Fuchs, published on 27.08.2020

As digitalisation advances, IT is playing a key role in most value creation chains. We are seeing both the virtual and the physical world (IT and OT) becoming increasingly networked, even in the smallest companies. But this growing complexity and hyper-networking (of business and personal spheres, too) is significantly expanding the range of potential targets; a simple loophole or lapse in attention is enough to infect a system. Attackers are professionalising their methods at breathtaking speed and are also making use of new technologies such as artificial intelligence. With cross-border prosecution almost impossible, we are facing a global and ever-expanding criminal cyberware market.

IoT: is hyper-networked communication really smart?

The 2019 Gartner Report recorded growth of 21.5% (i.e. around 4.8 billion installed devices in total) between 2018 and 2019. While exponential growth is already expected in 2020, the coronavirus crisis may slow this rate a little.

Smart cities, connected health, smart homes, connected cars, smart utilities – everything has an IP address and is becoming increasingly networked. This creates a vast flow of data between sectors, and between business and personal spheres. Overall we are dealing with a huge target and, at the same time, with the fact that virtual attacks have increasing potential for damage.

But, unfortunately, neither suppliers nor manufacturers are interested in security, because security costs money. With no minimum standards or norms of the kind seen in electrical appliances, this market failure is leading to an ‘internet of insecure things’. And sadly this ‘legacy’ that we are installing today will cause us trouble for a long time to come.

Top IoT threats for 2020

According to the current 2020 Threat Report from Palo Alto, the three biggest threats are exploits, weak passwords and IoT worms.

In most cases, exploits simply use IoT devices as springboards for what are known as ‘lateral movements’ to attack other systems in the network. In this context, we are seeing a large number of network, IP, port and vulnerability scans on these devices. Weak passwords are in second place. Using sensible password managers hasn’t really solved anything within the IoT environment so far. IoT worms scan the networks for vulnerabilities such as the EternalBlue exploit, which uses a programming error in the Windows Server Message Block (SMB) implementation. Once they find a vulnerable system, the worms spread further or load other malicious code onto the target system.
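
The scanning behaviour described above leaves a recognisable trace in network flow logs. The following is an added example, not part of the original column: it flags IoT or uninventoried devices that contact several distinct internal hosts on the SMB port within one time window. The inventory, internal address range, threshold and flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
SMB_PORT = 445                         # TCP port used by SMB

# Constructed inventory: IP -> asset class.
INVENTORY = {
    "10.20.0.11": "iot-camera",
    "10.20.0.12": "iot-thermostat",
    "10.10.0.5": "workstation",
}

# Constructed flow records: (epoch seconds, src IP, dst IP, dst port).
FLOWS = [
    (1000, "10.20.0.11", "10.10.0.1", 445),
    (1005, "10.20.0.11", "10.10.0.2", 445),
    (1010, "10.20.0.11", "10.10.0.3", 445),
    (1012, "10.20.0.11", "10.10.0.3", 445),    # repeat target, counted once
    (1020, "10.20.0.12", "203.0.113.7", 443),  # external HTTPS, not SMB
    (1030, "10.10.0.5", "10.10.0.1", 445),     # inventoried workstation
    (1040, "10.30.0.99", "10.10.0.1", 445),    # source missing from inventory
    (1041, "10.30.0.99", "10.10.0.2", 445),
    (1042, "10.30.0.99", "10.10.0.4", 445),
]

def smb_fanout_alerts(flows, inventory, window=60, threshold=3):
    """Flag IoT or uninventoried sources that reach `threshold` or more
    distinct internal hosts on TCP/445 inside one fixed time window."""
    targets = defaultdict(set)  # (src, window start) -> distinct destinations
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT or ip_address(dst) not in INTERNAL:
            continue
        asset = inventory.get(src, "unknown")
        if asset.startswith("iot-") or asset == "unknown":
            targets[(src, ts - ts % window)].add(dst)
    return sorted(
        (src, inventory.get(src, "unknown"), start, len(dsts))
        for (src, start), dsts in targets.items()
        if len(dsts) >= threshold
    )

if __name__ == "__main__":
    for alert in smb_fanout_alerts(FLOWS, INVENTORY):
        print(alert)
```

The second alert comes from a source that is not in the inventory at all, which is why the check depends on the inventory being complete.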

So we can define the need for protection in the IoT field as high to very high, since damage caused by IoT vulnerabilities ‘escapes’ from the virtual world and manifests itself in the physical world. What ‘patch’ will repair my company car that’s been crashed by a hacker attack? How do I prove the attack took place? What type of insurance covers such damage at acceptable premiums?

Artificial intelligence – we still need to do our homework

Applications for self-learning algorithms – machine or deep learning methods – are increasing. Common examples include knowledge-based systems, pattern analysis and recognition, pattern prediction and robotics. AI now affects many segments of our society – from the creation and use of browser profiles and shopping behaviour, to medical diagnostics and the Tesla Autopilot. While AI (or, to be more specific, ‘intelligent data correlation’) remains interesting and important, its usefulness has been and continues to be overrated.

It is true that machine learning methods can substantially simplify diagnostics in the medical field, for instance – but it is still the radiologist who makes the definitive diagnosis. Machine learning methods also produce solid results in the field of fraud detection in online banking transactions, but they cannot act alone against fraud. Why? The reason is as banal as it is simple: criminals are upgrading too and are using AI methods to make their attacks as ‘intelligent’ as possible. The sobering conclusion is that even AI cannot do our homework for us. We still need extensive ‘manual expertise’ in addition to up-to-date security frameworks and fully integrated information security management systems (ISMS).

Proven security frameworks and multi-sector CERTs

SMEs have good security frameworks at their disposal, such as the ‘Cybersecurity quick check for SMEs’ – an initiative by partners including ICTswitzerland, the Swiss Confederation, the Swiss Academy of Engineering Sciences and the Information Security Society Switzerland. On the other hand, it is vital that companies that hold critical data run a complete ISMS.

Another important approach, according to Prof. Dr. Hannes Lubich, is to involve an external, product-neutral CERT service provider:

 

A CERT performs a key role in the overall service chain of information security, with high commitment, availability, confidentiality and integrity requirements. In other words, it provides expertise for prompt handling of acute security incidents in its respective stakeholder groups. So the main goal of this activity is to limit the extent of damage.

Prof. Dr. Hannes Lubich

SWITCH is focussing on expanding its existing CERT services (operational threat intelligence and threat detection/prevention, incident response, community building for technical specialists, etc.) in other sectors of critical infrastructures and in the specialist fields of IT security operation outlined above. This includes areas such as threat intelligence automation for rapid attack detection and prevention, mobile device security, and IoT and ICS security.

In summary, a combination of endpoint protection and response, AI methods within SIEM solutions and well-trained experts will become increasingly important in the future. But the foundation of all efforts in the fight against cyberattacks is and remains a clean hardware and software inventory with associated business risk assessment.

About the author
Michael Fuchs

Michael Fuchs studied Computer Science at Zurich University of Applied Sciences and obtained an MAS in Information Security at Lucerne University of Applied Sciences and Arts. Since 2014 he has worked as a Senior Security Consultant in the SWITCH-CERT team and is a specialist in business segment development.

#Security

This article was first published at inside-it.ch and inside-channels.ch (in German only) as part of SWITCH's #Security column. The column appears six times a year. Security experts from SWITCH independently express their opinions on topics relating to politics, technology and awareness of IT security.
