For the last few years, digital transformation within the tech sector has seemed akin to the opening of Pandora’s box: seemingly overnight, firms have begun to be bombarded with AI-driven solutions, the possibilities of commercial drones, edge computing, cloud storage, and of course the ubiquitous IoT software that can be found everywhere from a living room to a street lamp. Many forward-thinking firms are using new technologies to leverage greater efficiency, service and profitability. But are these firms exposing themselves to new threats in their desire to remain on the cutting edge?
It is a fact of life that with new developments come new avenues of attack. Whether it be the lacklustre security features on the office ‘smart-fridge’, or the wide-ranging access of workplace apps like Skype or Slack, each new innovation carries with it the risk of exploitation. So how do businesses go about mitigating these threats?
“Better the Devil You Know?”
When introducing new technologies, the first cyber security consideration must be: what can these solutions access? Networks, servers, applications, files? Firms must carefully evaluate the risk that new applications may pose to their network before beginning to implement them, as not doing so could open up a range of new avenues of attack. While it has taken time (and there’s still a way to go), most organizations are beginning to understand some of the problems with cloud-based storage and file sharing applications, for example OneDrive and Dropbox. Just because the file is coming from a reputable location doesn’t mean the file is ‘safe’. Weaponised documents shared through a link in an email or social media are commonplace, even though there is technology to mitigate the risk. Once inside, malware can morph itself, downloading new payloads and using steganography to receive its instructions. But it’s not just malicious actors who can abuse new technology.
As the recent La Liga app scandal has proven, many mobile applications are capable of running a number of functions on a network in the background whilst not always making it immediately apparent they are doing so – it is possible therefore, that a phone infected with some form of malware may be able to infect the network through an overlooked access permission, likely through a work-based application. Therefore, organizations must ensure that applications that have access to their network have been vetted to ensure that they pose no threat from any of their requests for access. This does create an issue as people will regularly download new apps and install them, without the knowledge of the IT department, and in doing so will grant access to *whatever* is required… camera, microphone, contacts! Of course, once access is granted, understanding what the app is doing with that access becomes an issue. Taking all the business contacts and uploading them to the cloud! Who would have thought that an app would be used to track down unlicensed bars playing football matches by surreptitiously listening in on the surroundings? What if it was there, listening in at the next Board Meeting, sending the audio to the highest bidder?
“The Devil’s in the Details”
Even when firms have assessed the threat of an application’s or device’s intended use, they must continue to monitor for new threats which can appear, for example through a bug or as an unexpected side-effect. IoT devices are particularly challenging in this regard, as these small devices (often with only a single simple task) are easily overlooked but are frequently attached to the corporate network to upload or download seemingly innocuous information. However, if compromised they can then be repurposed to collect and send critical information. All information has a value to someone, such that even aggregating seemingly innocent data can create valuable intelligence should it fall into the wrong hands. Recent information breaches have exposed vulnerabilities in even the most obscure pieces of IoT tech. One oft-cited breach involved the exposure of a top-secret US military base, after a Strava fitness device showed the base’s exact location and perimeter. In this case the base was well known, but what if it had been an overnight base in a conflict zone?
In another case, a casino in North America was the target of a significant data breach after hackers found an overlooked IoT fish tank thermometer connected to the network, allowing 10 GB of hacked data to be siphoned to a node in Finland. These breaches teach us that even if a device is inconsequential, or seen as secure in its function, it can still pose a threat to the network as a whole.
Cyber-attacks can occur in the most unlikely of ways and that is one of the problems. If you can’t understand the environment, how can you manage and protect it?
“A Brave New World?”
It is difficult to imagine the myriad backdoors and loopholes that may appear as we begin to integrate entirely new tech solutions into our business processes. For example, it is hard for any business to predict the multiple dangers that AI could present to the security of data. It’s been reported that AI adoption has grown exponentially in the last few years and now over 37% of businesses have embraced some function of AI. Organizations are adopting an AI-augmented workplace to help drive efficiency in decision making. As we collect more and more data, we need help to be able to see the wood for the trees, and AI can provide that help. However, while AI is frequently used for good, it is also being used by cyber-criminals. A firm may anticipate an attack on a data storage server and have solutions in place to address this, but it may well have overlooked the possibility that its own AI solutions could be manipulated and used to access and transfer that data using their own permissions.
Furthermore, the staggering developments in ‘deep-fake’ video and audio may pose a significant threat in the future, as hackers could theoretically send a seemingly authentic video directive from the CEO, fooling employees into sharing critical data or paying a bill. Even without the deep-fake, fraudsters are already stealing large quantities of money. As firms begin to consider the business value of the emerging techs of the future, they must also give careful consideration to the potential risks that they may face from them.
“No Stone Unturned”
While it might seem obvious to create regulatory oversight bodies that can determine the risk associated with new applications and technologies for business, in practice this isn’t going to work. The speed of change is too great for a committee to keep up. But this doesn’t mean organizations should give up; it means they need to be more vigilant. While many have audit abilities for applications on laptops, there is now a need to look at moving this onto mobile devices – what apps have been installed, and are there any known issues? This could be seen as ‘shutting the barn door after the horse has bolted’. Or should organizations lock down mobile devices they provide so employees cannot install unauthorised apps? Does BYOD create too many additional challenges when it comes to information security? Organizations should certainly look at protecting themselves from IoT and USB devices with segregated (virtual) networks and USB control software.
It is essential that firms consider the new risks arising from new technologies and be cautious of potential avenues for attack that may open up as a result. This is not to say that firms should eschew emerging technology, but rather that they should take a considered approach. Speak to your IT partners and solution providers about the potential dangers of new tech and use their feedback as part of the decision-making process on what steps to take next. It’s important to be aware of the threats that may manifest from new tech, but it’s equally important to stay optimistic about the value that these new solutions may bring. After all, ‘hope’ was in Pandora’s box too.
Guy has over 20 years’ experience in information security and IT management. Before joining Clearswift in 2012, Guy was a Global Security Architect for HP. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security. Previously, Guy was Chief Scientist for Symantec and CTO of the Application and Service Management Division at Veritas. Guy is a frequently invited speaker at conferences, including RSA, EuroCloud and InfoSec. He is a spokesperson for The Open Group’s Jericho Forum and an expert for the European Network and Information Security Agency (ENISA). Guy is a board advisor for several small technology businesses and has published books on utility computing, backup and data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.