Don’t look now, but your life is more online and connected today than it was last year – and the trend is accelerating.
Late last year, we predicted that risks associated with the Internet of Things (IoT) and critical infrastructure would be two emerging cybercrime trends this year. (See our 2014 predictions blog.) These topics are the theme of this third week of the National Cyber Security Awareness Month, “Critical Infrastructure and the Internet of Things.”
IoT and Critical Infrastructure are two sides of the same coin
This year has seen a burst of innovation in the Internet of Things. Intel is getting into the wearable technology field, while the Consumer Electronics Show was filled with wearable devices such as heart monitors, sensor-equipped golf gloves and networked pet collars. Other devices already on the market are gaining traction, from cars that email us when they need service to health monitors that publish our glucose levels. The possibilities are endless and so are the products that come to market quickly.
When it ships early next year, the Apple Watch will no doubt expand the wearable technology market beyond the earliest adopters to the broader Apple faithful.
Even if you’re not using these technologies, you are part of a connected world through the public infrastructure around you. Wireless cameras and embedded sensors permeate public facilities and transportation hubs. We all depend on power grids and water delivery systems (also known as critical infrastructure) that are controlled by networked devices. In the near future, drones may zoom around us on city streets.
The increasing connectivity of the world poses a growing cybersecurity threat that we are not addressing well. For consumer technologies, personal privacy is often at risk. The public safety risks are higher for critical infrastructure.
All these devices are Internet-enabled, but remember: they run software. They run the very same software that is attacked on a daily basis in high-risk applications such as online banking. The only difference is that they cannot be updated, and this has the potential to make them a lethal target.
Point of Sale Systems – The Canary in the Coal Mine
Lest you think I’m being alarmist, let’s consider one of the earliest entrants in the Internet of Things – Point of Sale (POS) systems. You see them everywhere – devices such as cash registers and credit card readers use POS to take payments at retail stores.
You would think that POS systems would be secure, for several reasons.
- They’ve been around for a while, so we’ve had time to figure out how to make them safe.
- They handle financial transactions, so we are extra motivated to keep them secure.
- They are locked down and run in dedicated networks.
Yet POS exploits were responsible for two of the largest data breaches in the past year – the Target and the Home Depot breaches.
If we cannot manage to protect those network-attached devices that we know are targeted by thieves, how much better will we be at protecting the various technologies we’re embedding in our personal lives? Or the devices controlling critical infrastructure? Even our highway signs have been hacked. (See http://www.threatmetrix.com/a-sign-of-the-times-hacking-signs-electronic-road-sign-hackers-reveal-a-downside-to-the-internet-of-things/)
A roadmap to a more secure connected world
We can address these risks, but only with concerted and collaborative efforts. My recommendations for connected devices are as follows:
- Think twice about what goes on public networks. Network segmentation and isolation are critical, particularly for critical infrastructure.
- Strengthen authentication to these devices and the systems that manage them. Logins continue to be the weakest point in most systems. We’re reaching a point at which it is irresponsible to protect critical systems with passwords alone. Use multiple authentication factors or context-based authentication to reduce the risk of stolen identities and unauthorized access.
- Look for anomalies at all levels, including patterns that represent known threats or never-before-seen patterns that may indicate an emerging threat.
- Provide a mechanism to securely update these devices. In order to do so, many of the previous points need to be considered.
To put these strategies in place, we must exchange and share threat information at both the business and government level. The federal government is committed to sharing information with the private sector related to critical infrastructure. (See Executive Order 13636)
For businesses that handle personal or consumer-based products, sharing information must be balanced with protecting consumer privacy. As the data collected about us from devices continues to grow, privacy will be more important than ever before. That’s why we’ve built data anonymization and encryption into the ThreatMetrix® Global Trust Intelligence Network.
As new technologies continue to reshape our future at a rapid pace, we have to act quickly to make sure that the future we’re building is secure and private, not dystopian.