The Vulnerability of Everything

Businesses are now facing cyber threats via vectors, which just a few short years ago would have seemed like something out of a Hollywood science fiction movie. When you plug into the world, it's easy to forget the world is also plugged into YOU.

Risk Management, in a business context, is defined as the forecasting and evaluation of financial risks, together with the identification of procedures to avoid, or minimize their impact. But how can 'management' be made to understand, manage, and mitigate today's cyber risks?

Unfortunately, outside of the IT department, most managers simply don't understand, (or don't want to understand), the very real-risks posed by cyber-threats. And IT managers often don't have the influence required to force through much needed changes, in both corporate thinking, and corporate spending, on cyber security.

Recently, 40% of the population in South Korea had their personal details stolen. How bad do things have to get, before people sit up and take notice?

By 2020, there will be more than 50 billion devices connected to the internet, and one million new devices are being connected every three hours. In the world of the Internet of Everything, we are faced with smart phones and tablet computers which can bypass an organization's firewall, if the office network is not setup securely.

In the office, more and more smart 'connected' devices are being installed, often without any planning, resulting in office printers, fax machines, telephones, video surveillance, web cams, and copiers, which can be leveraged to both spy inside the office network, as well as attack third-parties outside the office network.

Examples of such attacks, range from the almost comical discovery that a Samsung refrigerator, which was compromised, and had become part of a spam bot-net that had sent out more than three-quarters-of-a-million spam emails, before the breach was discovered. More sinister examples include IP Teleconference Phones being hacked to spy on organizations' board meetings, and far worse than that, hacked webcams (and even baby monitors) used to spy on people (and their children) in their homes.

One of the largest recent successful cyber-attacks, on the retail sector, is believed to have been made possible by a security breach of the victim's Heating and Ventilation systems. Researchers have since discovered over 55,000 such HVAC systems connected to the internet, and have noted that in most cases, these systems contain basic security flaws. Not to mention the fact that, "the security at such companies tended to be poor, and that vendors often used the same password across multiple customers."

Once hackers find your devices, many can be compromised just by logging in using ADMIN / 123456.

The SHODAN search engine for internet devices, has been called, "the scariest search engine on the Internet," by CNN. The engine itself advertises that it can help you find exposed online devices, including, "Webcams, Routers, Power Plants, iPhones, Wind Turbines, Refrigerators, and VoIP Phones." Forbes calls SHODAN, "terrifying." The system collects information on more than 500 million internet-connected devices and services each month.

Medical equipment such as surgical and anesthesia devices, pacemakers, insulin pumps, and lab analysis tools, can all be hacked.

The stark reality, is that major corporations and government departments, are moving at the speed of corporate red tape, while hackers and criminal organizations, are moving at the speed of the internet.

It doesn't take much to realize who has the upper hand right now. And one shouldn't forget the other unfortunate reality, which is the fact that the potential victim needs to successfully defend themselves from a never ending onslaught of attacks; while the hacker only needs to successfully get in once.

Yet despite all these facts, and despite the ever growing number of media headlines, highlighting successful attacks on companies and governments right across the globe, most senior managers are still all but ignoring cyber threats.

Sometimes it seems that the bigger the successful attacks are, often counting breaches of personal data accounts in the multi-millions, the more numb the entire world seems, to the shocking realities involved. And while you can usually change your password fairly easily, you can't as easily change your passport number, or your home address, or your mobile phone number. As the number of successful breaches grow, we are all becoming more vulnerable, as the criminals get a clearer and clearer picture, of our personally identifiable information.

Unfortunately, time and again, organizations are only looking seriously at their cyber security, after they become a victim of a cyber-attack. Sometimes, not even then. This is simply not acceptable anymore. Cyber-attacks can, and do, cause very tangible damage in the real world.

Michael Gazeley is managing director and co-founder of Network Box Corporation.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityExploits / vulnerabilities

More about CNNNetwork BoxSamsungVoIP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Gazeley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts