February 23, 2017 | Written by: Heather Green
Categorized: Data | New Thinking
Security experts these days can often feel like they’re shouting into the wind. Amidst the rush by businesses and consumers to embrace new technologies, warnings about security vulnerabilities fall by the wayside. Who can be bothered with such trifles, when there is so much digital awesomeness all around us?
The Internet of Things hack last fall, where hacked cameras and DVRs were used to cause outages and network congestion at major sites including Twitter, Amazon, and Netflix, is just one recent example. Security experts had warned for years that the adoption of IoT creates new security challenges that need to be taken seriously.
And though this botnet exploit of everyday devices was both preventable and foretold, it shocked many people. Along the same lines was two researchers’ 2015 demonstration of how they could wirelessly hack into car telemetry.
So what are some of the other security vulnerabilities we’ve been ignoring lately? The sheer breadth of security issues shows just how much is encompassed in the reach of IoT. There are plenty of areas where real security issues have been flagged but have yet to get the level of attention they deserve, experts say. Top of mind, argues Tony Lock, director of engagement and analyst at IT consultant Freeform Dynamics Ltd., are our medical devices.
As more of these gadgets become smarter and connected to networks, threat levels are rising. It’s not simply that sensitive data can be compromised, it’s that the functioning of these devices can be interfered with, either maliciously or inadvertently.
“Personally this is one of the areas that worries me most,” says Lock. That’s because most medical practitioners and consumers who use devices don’t pay much attention to security procedures—just as people don’t worry about their DVRs.
Just this fall, Johnson & Johnson warned that one of its insulin pumps had a security vulnerability that could be used to overdose diabetic patients with insulin. Reuters reported that according to medical device experts, this was the first instance in which a manufacturer had issued this kind of warning.
The challenge, of course, is that security is a collective responsibility. Every device maker, every software developer, and most importantly every consumer needs to do their part. But in a network, security is only as strong as its weakest link. And when it comes to today’s vast networks of digital information, there are many, many weak links.
“More and more information can be tracked, not just by enterprises, but by the cybercrime industry—and it is an industry,” says Lock, who points out that the victims of these coordinated attacks are no longer just companies or large targets, but individuals. “The cost means you don’t have to attack multimillionaires. The ROI is such that you can attack nearly anyone.”
Perhaps the most frustrating realization is that even if every company and every consumer were to suddenly begin fulfilling their security responsibilities, the seeds of insecurity have already been sown.
Ray Rothrock, CEO of security company RedSeal Inc., warns that the types of network breaches disclosed by Yahoo, Target, and Sony are only the beginning. That’s because those breaches are all linked to big malware infections or network intrusions from 2012 and 2013, many of which have sat undiscovered, and which hackers are still exploiting.
“So there is this delay, and if the delay is just now happening and you’re the CEO, you have to ask yourself ‘Why?’” says Rothrock. “These CEOs are just overwhelmed by the conversion to a digital business.”
The bottom line is that companies and consumers need to get smart about security as they launch and adopt new technology. “Many of the vendors creating these devices haven’t thought about their potential for being abused,” says Lock. “Security has to be something that people creating these devices think about seriously.”
Adds Rothrock: “The conversation we’re having with CEOs is that you may already have a problem, but most important you do not know what you have. You don’t understand your infrastructure, there’s no malfeasance there. Five years ago, you didn’t need to know. Today you need to know.”