Internet-of-Things

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.

2018 was a trying year for the cybersecurity industry, with breaches increasing and showing no signs of slowing as we enter the New Year. This is, in part, a consequence of easily accessible malware and deployment kits. The threats aren't going to disappear with the New Year champagne bubbles, and 2019 will bring its own threats with the propagation of new technology (5G and IoT) and their security vulnerabilities. However, there's also progress on the horizon, thanks to more stringent government regulation and increasing legal action.


The Barrier of Entry for Cyber Criminals Gets Lower

Not even the largest companies, with presumably the greatest resources available, have been able to protect themselves from massive attacks in 2018. In the past few months alone, it has been reported that 500,000 Google+ accounts could have been left exposed thanks to a bug, leading to the ill-fated site promptly being shut down; Facebook confessed that up to 29 million users were affected by its data breach; and Amazon came under sharp criticism for exposing an undisclosed number of customer details shortly before Black Friday. And that's just in the U.S. On the international stage, the world was shocked in October as Hong Kong airline Cathay Pacific disclosed that a massive 9.4 million passenger records were lost earlier in the year.

This increase in cyber attacks and the diversification of targets is a consequence of the low barrier to entry for cybercriminals. It is getting cheaper and easier to launch mass attacks, and this barrier is being reduced even further as criminals sell ready-made solutions for attacks. Today, the cyber crime market is so sophisticated that some malware developers even provide "technical support," and universal Trojans appearing on the shadow market can be used for everything from espionage and data theft to remote device management. And still, the demand for malware development and distribution significantly exceeds the supply.

While many of these attacks will be repelled, 2018 has taught us that many do succeed and even the largest organizations are failing to stop every attack. Meanwhile, as it becomes increasingly easy to access and deploy malware, mass attacks will continue to prevail over targeted attacks in 2019.


New Technologies Bring New Threat Vectors

The last decade has seen a huge wave of innovation and a massive number of devices come to market. However, as is always the case, innovation leads and security follows. Devices continue to be launched with errors and vulnerabilities, and this represents a significant threat.

The Internet of Things (IoT) is the epitome of this problem. Any device that has wireless connectivity can be hacked, from mPOS (Mobile Point of Sale) terminals to vacuum cleaners. As we see ever more smart devices on the market in 2019, no doubt with default passwords or unpatched vulnerabilities, these are very likely to become a sore spot for their owners.

IoT devices are a favorite weapon for attackers who use them to penetrate local networks and conduct other attacks. As consumers slowly learn how to protect their PCs and mobile devices, they will also need to learn how to stay safe as more of their traditional appliances go online. The security industry, too, will have to adjust to this new reality.

On a related note, as it is the network that many of these devices will eventually exist on, the gradual introduction of 5G is likely to bring challenges in 2019. For example, Verizon and Samsung have already announced that they will offer 5G smartphones in the U.S.

This is a key issue because the telecom industry has always had a turbulent relationship with security. For example, although operators are well aware of potential issues, 78% of telecom networks are vulnerable to attacks. SMS interception, for example, is still possible in nine cases out of 10.

This is also a complicated issue to solve because, in order to increase the protection level, current standards and operating procedures of signaling networks have to be reviewed. 5G mobile networks are currently under development, but no significant progress in security has been achieved so far. Even once agreed, it may take years for a new security technology to become actively used on the network, which means that the first wave of 5G-enabled devices will be inherently vulnerable.


Government Legislation Leads Cyber Security Gains

However, it is not all bad news. 2018 saw more stringent regulatory requirements from governments the world over, and in 2019 we're likely to see this groundwork start to pay off as companies strengthen protection to comply with these mandates.

It shouldn't be overlooked that the end of 2018 also saw a number of security-related sanctions: Anthem reached a settlement of $16 million with the U.S. government for its 2015 data breach, Facebook was fined $645,000 by the UK's regulator over the Cambridge Analytica scandal, and Yahoo agreed to a $50 million settlement for those affected by the 2013 data breach. With governments and consumers finally having legal recourse to hold companies to account, it will become increasingly hard for organizations to turn a blind eye to security vulnerabilities. It's a slow process, but already we are seeing the basic standards of security rise, which will make executing an attack that much harder for cyber criminals.

Governments are also becoming increasingly aware of the opportunities offered by cyber space, with more and more creating their own Cyber Security Centers and Cyber Forces. The world has begun to recognize the necessity of such systems.

The security challenges of this year will not be solved overnight, and technological development goes hand in hand with new security challenges, but there is hope for positive developments as well. This, of course, is dependent on cybersecurity remaining a priority for governments, and there is work to be done in passing more stringent legislation, not least in the U.S. Telecoms, for example, must be a focus for governments. If not, the dawn of 5G and the propagation of IoT devices could open a Pandora's box of new security challenges.

Leigh-Anne Galloway serves as Cyber Security Resilience Lead at Positive Technologies, where she advises organizations on how best to secure their applications and infrastructure against modern threats. Before joining Positive Technologies, Leigh-Anne worked with companies such as SilverTail Systems (acquired by EMC) and vArmour where she helped shape the direction of each detection platform. Across her career, she has had the opportunity to work with a diversity of organizations, implementing monitoring tools to detect and prevent fraud and security incidents from occurring.