Emerging technologies are hyped as accelerators of innovation. But without built-in security, digital transformation can put the very systems a business depends on at risk.
As digitalisation advances, IT is playing a key role in most value chains. The virtual and the physical world (IT and OT) are becoming ever more tightly networked, even in the smallest companies. But this growing complexity and hyper-connectivity (which also blurs the line between business and personal spheres) greatly expands the attack surface: a single loophole or a moment's inattention is enough to compromise a system. Attackers are professionalising their methods at breathtaking speed and are also adopting new technologies such as artificial intelligence. With cross-border prosecution almost impossible, we are facing a global and ever-expanding cybercrime market.
The 2019 Gartner report recorded growth of 21.5% in the installed base of IoT endpoints between 2018 and 2019, to around 4.8 billion devices in total. Continued strong growth was already expected for 2020, although the coronavirus crisis may slow the rate a little.
Smart cities, connected health, smart homes, connected cars, smart utilities: everything has an IP address and is becoming increasingly networked. This creates a vast flow of data between sectors, and between business and personal spheres. Overall we are dealing with a huge attack surface and, at the same time, with virtual attacks whose potential for damage keeps growing.
Unfortunately, suppliers and manufacturers have little incentive to invest in security, because security costs money and the market does not reward it. With no minimum standards or norms of the kind long established for electrical appliances, this market failure is producing an ‘internet of insecure things’. And sadly the ‘legacy’ we are installing today will cause us trouble for a long time to come.
According to Palo Alto Networks’ current 2020 IoT Threat Report, the three biggest threats are exploits, weak passwords and IoT worms.
In most cases, exploits simply use IoT devices as springboards for what is known as ‘lateral movement’, i.e. attacks on other systems in the same network. Accordingly, we see large numbers of network, IP, port and vulnerability scans, both against these devices and, once they are compromised, from them. Weak passwords are in second place: many IoT devices ship with default or hard-coded credentials, so password managers, sensible as they are for users, have done little to help in the IoT environment so far. IoT worms scan networks for known vulnerabilities such as the flaw in the Windows Server Message Block (SMBv1) implementation targeted by the EternalBlue exploit. Once they find a vulnerable system, the worms spread further or load other malicious code onto the target.
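The scanning behaviour described above is something a network team can detect from its own connection logs. The following is an added example written for this article, not code from the article or from SWITCH; it assumes a Zeek-style, tab-separated connection log (columns ts, src_ip, dst_ip, dst_port, proto), an IoT VLAN at 10.20.0.0/16, and thresholds of ten distinct ports or ten distinct hosts per minute. The log lines it processes are constructed, not captured traffic. It flags an IoT source that port-scans a single host (a springboard probing for lateral movement) and one that sweeps TCP/445 across a subnet (an EternalBlue-style worm looking for SMB).

```python
"""Detect IoT hosts behaving as scanners or lateral-movement springboards.

Added example for this article; not the article's or SWITCH's code.
Assumptions: a Zeek-style, tab-separated connection log with the columns
ts, src_ip, dst_ip, dst_port, proto, and an IoT VLAN at 10.20.0.0/16.
The log lines built below are constructed, not captured traffic.
"""
from collections import defaultdict
import ipaddress

IOT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed IoT segment
SMB_PORTS = {139, 445}                          # ports an EternalBlue-style worm probes
WINDOW_SECONDS = 60                             # aggregation window
PORT_SCAN_THRESHOLD = 10                        # distinct ports on one target
HOST_SWEEP_THRESHOLD = 10                       # distinct targets on SMB ports


def constructed_log():
    """Build a small constructed conn.log: two noisy IoT hosts, one benign, one non-IoT."""
    lines = []
    # IP camera 10.20.1.7 probing twelve ports on a single file server
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080, 8443]):
        lines.append(f"{100 + i}\t10.20.1.7\t10.30.0.5\t{port}\ttcp")
    # thermostat 10.20.1.9 sweeping TCP/445 across the server subnet
    for i in range(12):
        lines.append(f"{200 + i}\t10.20.1.9\t10.30.0.{i + 1}\t445\ttcp")
    # sensor 10.20.1.3 pushing telemetry over HTTPS: benign
    for i in range(3):
        lines.append(f"{300 + 20 * i}\t10.20.1.3\t10.30.0.5\t443\ttcp")
    # office workstation 10.40.0.2 doing the same sweep: outside the IoT net, out of scope here
    for i in range(12):
        lines.append(f"{400 + i}\t10.40.0.2\t10.30.0.{i + 1}\t445\ttcp")
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse the tab-separated log into (ts, src, dst, port) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, _proto = line.split("\t")
        records.append((float(ts), src, dst, int(port)))
    return records


def detect_iot_scanners(records, iot_net=IOT_NET):
    """Return findings for IoT sources that port-scan one host or sweep SMB across many."""
    ports_per_target = defaultdict(set)   # (src, dst, window) -> distinct dst ports
    smb_targets = defaultdict(set)        # (src, window) -> distinct hosts hit on SMB
    for ts, src, dst, port in records:
        if ipaddress.ip_address(src) not in iot_net:
            continue                      # only IoT-originated traffic is in scope
        window = int(ts // WINDOW_SECONDS)
        ports_per_target[(src, dst, window)].add(port)
        if port in SMB_PORTS:
            smb_targets[(src, window)].add(dst)

    findings = []
    for (src, dst, _), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append({"src": src, "kind": "port_scan", "target": dst, "count": len(ports)})
    for (src, _), hosts in smb_targets.items():
        if len(hosts) >= HOST_SWEEP_THRESHOLD:
            findings.append({"src": src, "kind": "smb_sweep", "target": "multiple", "count": len(hosts)})
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


if __name__ == "__main__":
    for f in detect_iot_scanners(parse_conn_log(constructed_log())):
        print(f"{f['src']}: {f['kind']} against {f['target']} ({f['count']} distinct)")
```

Run against the constructed log, the detector reports the camera as a port scanner and the thermostat as an SMB sweeper, while the telemetry sensor stays quiet. The workstation doing the same sweep is deliberately ignored because the rule is scoped to the IoT segment; in a real deployment you would run a second rule over the office network rather than rely on this one. The thresholds and the one-minute window are starting points to tune against your own baseline.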
So the need for protection in the IoT field must be rated as high to very high, since damage caused by IoT vulnerabilities ‘escapes’ from the virtual world and manifests itself in the physical one. What ‘patch’ repairs a company car that has been crashed by a hacker attack? How do I prove the attack took place? What type of insurance covers such damage at acceptable premiums?
Applications of self-learning algorithms (machine or deep learning methods) are multiplying. Common examples include knowledge-based systems, pattern analysis and recognition, pattern prediction and robotics. AI now touches many segments of our society, from browser profiling and shopping-behaviour analysis to medical diagnostics and Tesla’s Autopilot. While AI (or, more precisely, ‘intelligent data correlation’) remains interesting and important, its usefulness has been and continues to be overrated.
It is true that machine learning can substantially simplify diagnostics in medicine, for instance, but it is still the radiologist who makes the definitive diagnosis. Machine learning also produces solid results in fraud detection for online banking transactions, but it cannot fight fraud alone. Why? The reason is as banal as it is simple: criminals are upgrading too, and are using AI methods to make their attacks as ‘intelligent’ as possible. The sobering conclusion is that not even AI can do our homework for us. We still need extensive manual expertise in addition to up-to-date security frameworks and a fully integrated information security management system (ISMS).
SMEs have good security frameworks at their disposal, such as the ‘Cybersecurity quick check for SMEs’, an initiative by partners including ICTswitzerland, the Swiss Confederation, the Swiss Academy of Engineering Sciences and the Information Security Society Switzerland. Companies that hold critical data, on the other hand, must run a complete ISMS.
Another important approach, according to Prof. Dr. Hannes Lubich, is to involve an external, product-neutral CERT service provider:
‘A CERT performs a key role in the overall service chain of information security, with high commitment, availability, confidentiality and integrity requirements. In other words, it provides expertise for prompt handling of acute security incidents in its respective stakeholder groups. So the main goal of this activity is to limit the extent of damage.’
Prof. Dr. Hannes Lubich
SWITCH is focussing on extending its existing CERT services (operational threat intelligence and threat detection/prevention, incident response, community building for technical specialists, etc.) to other critical-infrastructure sectors and to the specialist fields of IT security operations outlined above. This includes areas such as threat intelligence automation for rapid attack detection and prevention, mobile device security, and IoT and ICS security.
In summary, a combination of endpoint detection and response (EDR), AI methods within SIEM solutions and well-trained experts will become increasingly important in the future. But the foundation of all efforts in the fight against cyberattacks is and remains a clean hardware and software inventory with an associated business risk assessment: you cannot defend, patch or monitor a device you do not know you have.