In the digital ocean, predators outnumber protectors

Just because something is scary doesn't mean it's a figment of your paranoid imagination.

That is Joshua Corman's response to those who say there is too much unwarranted FUD (fear, uncertainty and doubt) regarding the lack of security in the Internet of Things (IoT), which is rapidly evolving into the Internet of Everything.

There is reason to be afraid, he said, because the dangers in the digital "ocean" are as real as swimming in a physical ocean of sharks, with blood in the water.

Corman, CTO of Sonatype and one of the featured speakers at the Security of Things (SECoT) Forum in Cambridge, Mass. on Wednesday, used that image for the title of his talk, "Swimming with Sharks -- Security in the Internet of Things."

As he and other speakers throughout the day noted, the attack surface of the IoT is growing exponentially. Most estimates are that there are at least 10 billion "things" now connected to the Internet, with that number expected to reach anywhere from 50 billion to more than 212 billion by the end of this decade, with 30 billion of them self-governing and "autonomous."


And so far, there is no "cavalry" coming to save the public from IoT threats. It is up to the security community, he said, to "be the voice of reason" and to call for public policy makers to improve "technical literacy." Corman's latest project, @iamthecavalry, is an effort to bring security awareness regarding the IoT to the grassroots.

That, he said, is because there is plenty of information about cool features and convenience from embedded smart devices (remote door locks, automatic insulin pumps, self-driving cars), but not so much about the risks.

"A bedrock principle is that everything we do is based on risk v. reward," he said, "but right now, our understanding of the risk is not based on complete information."

The reality of the IoT, he said, is that, "right now the sharks outnumber the good guys." Instead of Advanced Persistent Threats (APTs), he said it would be better to think of Advanced Persistent Adversaries. "They're a different kind of shark. It's a very serious problem -- not really a 'what' but a 'who' and 'how.' And we are losing. Our best and brightest are spending millions and billions on security controls, but there are still breaches on a regular basis."

One of the reasons for that is that "offense is easy, but defense is hard." That has been proved by Anonymous, he said, the loose hacktivist collective that Corman spent some time studying as a "species of predator." What he found was that although the group was populated by relatively unsophisticated people using rudimentary tools, "they made up for it with will power. They went on a 50-day rampage called the Summer of Lulz and pretty much took down anyone and everyone they wanted with great success. They held up a mirror to our neglect. They showed how badly we've operationalized basic web security."

Most important, he said, "they revealed that hacking power existed and was available to anyone. And this has big implications for the IoT," especially given the growth of our dependence on it.

"If you ask: 'Are we getting better or worse at security?' given that our dependence on the IoT is growing faster than our ability to secure it, I don't see the evidence that we are getting better."

There is plenty of troubling evidence of the lack of security, he said, noting the recent demonstration by hackers that they could breach the control systems of modern cars, including the airbags, seat belts, brakes and even the steering wheels. He said a friend of his who is diabetic was able to hack his own insulin pump and demonstrated that an attacker could deliver him a lethal overdose.

The response, when he informed his doctors and the manufacturer of the pump, he said, was simply, "We comply with FDA standards."

Internet-connected door locks that can be opened or closed remotely, "are supposed to keep bad guys out, but they can all be undermined to let bad guys in," he said.

And at the regional level are Industrial Control Systems (ICS) for utilities like water, sewer and the electrical grid that have hard-coded passwords, making them far too easy to hack.

Without public pressure, he said, things are unlikely to change unless there are some high-profile, catastrophic failures of systems. "If it's about public safety and public good, then the public needs to be part of the discussion. And we need to be ambassadors for digital literacy."

"No one is coming to save us," he said, "so it is worth trying. We are adrift, and blood is in the water."

Stories by Taylor Armerding