New Age Cybersecurity
Published earlier by The Mobility Hub of UBM Techweb
Internet of Things Opens a Pandora’s Box of Cyber-Attacks
By Kishore Jethanandani
M2M devices had an isolated existence in industrial plants, utilities,
hospitals, transportation and smart buildings and security from cyber-
attacks was not a concern. As Application Programming Interfaces
expose M2M devices to the larger world of the Internet, their ubiquity is
haunting the IT world with the prospect of pervasive and catastrophic
cyber-attacks that will affect sensitive industrial controls and medical
devices. Worse, a security breach could cause physical harm.
Protection of the Internet of Things is fraught with unique challenges
especially because the software is embedded in the hardware device
and is wrapped up with the core of the intellectual property. It is often
not possible to patch and update embedded software remotely and
continuously to keep it safe without disassembling the hardware at the
risk of downtime and damage to the interconnected software. Some
protocols like Modbus are not designed to secure against intrusions.
Hardware manufacturers are wary of revealing the vulnerabilities of the
software lest the information spill to malware developers or the source
code find its way to competitors.
The paradigm that guided security management of the Internet of
devices, using downloadable software, is rife with flaws that are hard to
repair with known methods of security management. Authentication
plays a vital role when humans use devices. By contrast, M2M devices
are remotely controlled by another instrument. Similarly, log-file and
event monitoring, a wealth of information for detecting anomalies that
point to intrusion, is not known to work well with the Internet of
Things.
“M2M is a booming industry, and hardware manufacturers are preoccupied
with selling devices while users are only beginning to realize the
importance of third-party security specialists to remotely monitor
security,” Spencer Cramer, President and CEO of Ei3 Corporation in New
York told us. “Access to the source code of the embedded device
controllers is needed to integrate with security software,” he informed
us. His company has been in the business of securing M2M devices for
the last fifteen years and specializes in the few verticals that are already
governed by standards. “We have developed a hundred custom drivers
to integrate with the embedded software where standards are absent,”
he revealed to us.
“Economic disincentives dissuade hardware manufacturers from taking
preventive measures before security risks snowball into disasters,”
Andrew Jaquith, Chief Technology Officer and Senior Vice President of
Cloud Strategy at Silversky told us. “Manufacturers do not internalize
the social costs of security breaches due to the absence of liability for
damages, the lack of compulsion to disclose them and the lack of
standards,” Mr. Jaquith explained to us. “Bugs are much cheaper to fix in
the early stages and companies like Codenomicon have the technology
to test for their presence,” he revealed (according to him, he does not
have business relations with the company).
The Internet of Things has opened a Pandora’s box of new challenges in
Internet security. A new, system-wide strategy is needed to cope. The
widespread ramifications of this new world of security threats need to
be grasped quickly before a possible tsunami of cyber-threats has
cataclysmic effects.
Virtual Counter-intelligence: On the offense against cyber-warfare
By Kishore Jethanandani
Cyber-security is a misnomer as state-sponsored agents wage war-like
cyber-attacks. The lexicon of cyber-security is increasingly drawing on
the metaphors of physical war, decoys, stalking horses, and counter-
espionage, to describe the offensive means to disrupt hostile intrusions
before they strike their targets.
Deception is common in physical warfare, behind the scenes, as
aggressors seek to mislead their enemies so that they are unable to foil
an attack. The countdown to the defeat of Germany in World War II
began with the Allied forces pulling the wool over the surveillance eyes
of their enemies—Hitler was led to believe that an attack was looming in
Pas de Calais and not Normandy. The then newly developed radio
communications technology enabled the Allied forces to transmit
pre-programmed messages, ostensibly originating from diplomatic and
intelligence sources, from which an imminent landing at Pas de Calais
could be inferred. Allied forces had time to sneak across the English Channel
without being routed by forces positioned favorably on land at an
elevation.
Electronic signals can help create illusions to sucker intruders into
mistaking stalking horses for the targets they are seeking. In an earlier
article, we had discussed the vulnerability of control systems of utilities
and other physical facilities, as M2M connects to the Internet, which can
be hijacked by cyber-criminals and manipulated to harm them. For
example, criminals could alter water temperatures so that generators
are not cooled. Cyber-criminals, however, do not have visibility into the
sensors feeding analog data of electrical signals communicating with
control systems. A way to hoodwink cyber-criminals is to feed sensor
data from shell facilities. The nature of the interaction with them will
expose their intentions without doing any damage to the facilities.
Some companies are now specializing in active defense strategies for
trapping cyber-criminals before they reach their target. Datasoft, for
example, creates a cyber-smokescreen with virtualized instances of the
network machines, actually in use, or “honeypots” masquerading as
sources of valued information like login information. Cyber-criminals
are more likely to tamper with the wrong virtual machine and betray
their intentions. Jumpsoft creates a Winchester House-like maze of
shifting virtual systems where a blind alley is hard to distinguish from
the real. Cyber-criminals will recognize the high probability of a trap
and factor that into their risk perceptions.
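As an added illustration of the decoy approach described above (example code written for this page, not from the article or from Datasoft or Jumpsoft), the following Python script seeds decoy account names where an intruder would look for them and scans authentication logs for any use of them. No legitimate process ever touches a decoy, so a hit is a high-fidelity signal of intent, much as interaction with a shell facility exposes intentions without risk to the real plant. The account names, hosts, addresses and log lines are constructed for the example.

```python
"""Decoy-credential ("honeytoken") detection over authentication log lines.

Added example, not code from the original article or from the vendors it
names. All account names, hosts, addresses and log lines are constructed.
"""
import re
from dataclasses import dataclass

# Constructed decoy accounts: they exist only as bait and are never used legitimately.
HONEYTOKEN_ACCOUNTS = frozenset({"svc_backup_admin", "finance_share_ro"})

# Constructed log format: "<ts> <host> auth: <ACCEPT|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPT|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not an auth line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return an Alert for every attempt, successful or not, to use a decoy account.

    A failed login against a decoy is as interesting as a successful one: the
    caller already knew the bait name, which tells the defender where they looked.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line; a real deployment would count these
        if rec["user"] in honeytokens:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"], rec["result"]))
    return alerts


def sources_by_decoy(alerts):
    """Group the source addresses seen per decoy account, for pivoting in an investigation."""
    out = {}
    for a in alerts:
        out.setdefault(a.user, set()).add(a.src)
    return out


# Constructed sample log: ordinary activity plus two touches of the bait.
SAMPLE_LOG = """\
2024-01-10T08:02:11Z plc-gw-01 auth: ACCEPT user=operator src=10.20.0.14
2024-01-10T08:03:40Z plc-gw-01 auth: FAIL user=operator src=10.20.0.14
2024-01-10T08:05:02Z hist-srv auth: ACCEPT user=svc_backup_admin src=203.0.113.77
2024-01-10T08:05:09Z hist-srv auth: FAIL user=finance_share_ro src=203.0.113.77
2024-01-10T08:06:00Z hist-srv kernel: link up eth0
2024-01-10T08:07:31Z plc-gw-02 auth: ACCEPT user=maint src=10.20.0.22
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"HONEYTOKEN {a.user} used from {a.src} on {a.host} at {a.ts} ({a.result})")
    print(sources_by_decoy(found))
```

The design point is that the detector needs no model of normal behaviour and produces no false positives by construction; the only tuning is choosing bait names that look valuable and placing them where only an intruder would find them.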
Active cyber defense techniques are becoming more common as
defensive methods are proving to be increasingly ineffective against
attackers covering their tracks outside and inside the networks of their
victims. Google, for example, followed the footprints of its attackers and
determined them to be agents of the Chinese government. The trail led
to servers in Taiwan where proprietary information from a host of
American corporations was found and eventually led to Chinese
Government sources. One recent survey found that 36 percent of 180
companies surveyed were using offensive techniques against cyber-
criminals—defensive methods have been found to be ineffective with
only 6 percent able to trace the source of attacks.
The rapid increase in applications usage across a broader variety of
mobile devices, networks, and operating systems exposes companies to
an ever-rising risk of cyber-attacks. As the number of users increases,
so does the likelihood of inadvertent errors that expose IT systems
to an intrusion. The future is for security systems that can anticipate
and pre-empt cyber crimes.
The specter of pervasive sky-jacking
By Kishore Jethanandani
The countdown to an era of commercial drones has begun with the FAA
approving the first of the six tests for their business use. So compelling
are the applications of drones in remote locations, such as navigating
the perilous snows of the Arctic for shipping companies and the
downside of cyber-security is apparently so minimal that their business
case is seemingly irrefutable.
Cyber-security risks will keep regulators on tenterhooks as they test the
air for drones. Eventually, they want regulations to create a safe
environment for mass adoption of drones in densely populated areas
where the risk of a catastrophe is very high. Intrusion into drones could
potentially have the same devastating effects as the incident on the Air
Spain passenger airplane, which prevented the alert system from
reporting a system failure and led to its horrific crash. Drones will also
extend the reach of the internet into the far corners of the world and
expose them to the cyber-security risks common in more densely
populated regions.
The cyber-security hell of the future is the hijacking of swarms of
drones. Hackers have shown that any one of these drones, once
sky-jacked, can become an entry point for penetrating every one of
its peers in the vicinity. Insecure Wi-Fi connections, with their
unencrypted signals, leave the door open for hackers to take control.
They can then begin to use the hijacked drone as a command center that
would be able to instruct each of its peers to do its bidding,
including engaging in criminal or war-like activity. The GPS
sensors that guide the movement of unmanned aerial vehicles can be
spoofed to redirect them at will.
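One common defence against the GPS spoofing risk just described is applied on the vehicle itself: each new fix is sanity-checked against what the airframe can physically do, and fixes that imply an impossible jump are rejected so the autopilot can fall back on its other sensors. The following Python checker is an added example written for this page, not code from the article or from any drone vendor; the track, the Earth-radius constant and the 30 m/s speed limit are constructed or assumed values.

```python
"""Plausibility checking of GPS fixes as a guard against spoofing.

Added example, not code from the original article. A spoofed signal that
drags a vehicle off course usually shows up as a position jump whose implied
ground speed exceeds the platform's limit. All fixes below are constructed.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, adequate for short legs


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since start of track
    lat: float  # degrees
    lon: float  # degrees


@dataclass(frozen=True)
class Anomaly:
    index: int            # index of the suspect fix in the input sequence
    implied_speed: float  # metres per second from the previous fix to this one
    reason: str


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_track(fixes, max_speed_mps: float):
    """Return anomalies for fixes implying an impossible speed or a non-advancing clock.

    max_speed_mps is an assumed parameter: the platform's real maximum ground
    speed, which a deployment would take from the airframe's specification.
    """
    anomalies = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0:
            anomalies.append(Anomaly(i, float("inf"), "timestamp did not advance"))
            continue
        speed = haversine_m(prev, cur) / dt
        if speed > max_speed_mps:
            anomalies.append(Anomaly(i, speed, "implied speed exceeds platform limit"))
    return anomalies


# Constructed track: a gentle eastward leg, then a jump of about 5.6 km in 10 s.
SAMPLE_TRACK = [
    Fix(0.0, 0.0000, 0.0000),
    Fix(10.0, 0.0000, 0.0010),  # ~111 m in 10 s, ~11 m/s: plausible
    Fix(20.0, 0.0500, 0.0010),  # ~5.56 km in 10 s, ~556 m/s: not a real drone
    Fix(30.0, 0.0501, 0.0011),  # small move relative to the (bogus) previous fix
]

if __name__ == "__main__":
    for a in check_track(SAMPLE_TRACK, max_speed_mps=30.0):
        print(f"fix #{a.index}: {a.reason} ({a.implied_speed:.0f} m/s)")
```

A production version would compare against inertial dead reckoning rather than only the previous fix, so that a spoofer who walks the position away slowly is also caught; the speed check here is the simplest layer of that defence.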
Drones have the technological wherewithal to be a network node, a
wireless tower in the skies, and have the ability to intercept signals from
mobile devices as was recently demonstrated in London. They can
masquerade as one of the networks that mobile devices are calling to
connect and unsuspecting users will unwittingly send their private
information to them. As growing numbers of drones loom over mobile
devices, they will have the ability to hijack mobile devices on an
increasing scale.
Drones will inexorably grow in numbers and to prevent their expansion
will be no more practical than it would be for commercial aircraft.
A commercial aircraft flying on auto-pilot is barely distinguishable from a
drone. In fact, some hackers demonstrated a lab-scale version of the
remote hijacking of commercial aircraft with mobile devices including
the ability to spin them in the sky in the manner of a game!
Reliable cyber-security, in such an environment, would need a mastery
of all the protocols, platforms and applications, and the diversity of
operating systems of devices in use all across the system and its
continuous monitoring. It is hard to conceive of a system of this size
managed with methods designed for enterprise networks. More likely
their security management will be akin to the heterogeneous telecom
networks with distributed intelligence. Drones will contribute more
complexity with their movements aided by sensors.
The progression of drone use from its early adoption in the military to
remote area commercial applications and widespread use in urban
areas will likely hinge on the successful design of a distributed network
with layers of cyber-security driven by big data. Each sub-system will be
as homogenous as possible with distinct groups of experts managing
each one of them.
Cyber-detectives on the trail of cyber-criminals
By Kishore Jethanandani
Cyber-security in the Enterprise is caught in a dangerous time warp—
the long-held assumption that invaluable information assets of
companies can be cordoned off within a perimeter, protected by
firewalls, no longer holds. The boundaries are porous with many access
points available to a mobile and distributed workforce, and partners’
networks, with remote access rights to corporate data via the cloud.
Mobile endpoints and their use of the cloud for sharing corporate data
have been found to be the most vulnerable conduit that cyber-criminals
exploit for launching the most sophisticated attacks (advanced
persistent threats) intended to steal intellectual property. Ponemon
Institute’s survey of cyber-security attacks, over twenty-four months,
found that 71 percent of companies reported that endpoint security
risks are the most difficult to mitigate. The use of multiple mobile
devices to access the corporate network was reported to be the highest
risk with 60 percent reporting so. Another 50 percent considered the
use of personal mobile devices for work-related activity to be the
greatest exposure. The second most important class of IT threats was
perceived to be third-party cloud applications with 66 percent
reporting so. The third most significant IT risk of greatest concern was
reported to be Advanced Persistent Threats.
In an environment of pervasive vulnerabilities, enterprises are learning
to remain vigilant about anomalous behavior pointing to an impending
attack from criminals. “Behavioral patterns that do not conform to the
usual rhythm of daily activity, often concurrent with large volumes of
traffic, are the hallmarks of a cyber-criminal,” Dr. Vincent Berk, CEO and
co-founder of Flowtraq, a Big Data cyber-security firm that specializes in
identifying behavioral patterns of cyber-criminals, told us. “A tell-tale
sign of an imminent cyber attack is unexpected network reconnaissance
activity,” he informed us. Human beings need to correlate several clues
emerging from the data analysis before drawing conclusions because
criminals learn new ways to evade surveillance.
Enterprises now recognize the importance of learning to recognize the
“fingerprints” of cyber-criminals from their behavior. A 2014 survey by
PricewaterhouseCoopers found that 20 percent of the respondents see
security information and event management tools as a priority and an
equal number see event correlation as a priority. These technologies help to
recognize behavioral patterns of cyber-criminals.
“Scalability of Big Data solutions to identify the behavior of cyber-
criminals is the most daunting challenge,” Dr. Vincent Berk told us. “We
extract data from routers and switches anywhere in the pathway of data
flows in and out of the extended enterprise,” he explained to us. “The
fluidity of enterprise networks today with increasing virtualization and
recourse to the cloud makes it challenging to track them,” he informed
us. “Additionally, mergers and acquisitions add to the complexity as
more routers and switches have to be identified and monitored,” he
explained to us.
Dr. Berk underscored the importance of avoiding false positives which
could lead to denial of access to legitimate users of the network and
interruption of business activity. “Ideally, we want to monitor at a more
granular level, including the patterns of activity on each device in use,
and any departures from the norm to avoid false positives,” he told us.
The filter of human intelligence is still needed to isolate false positives.
“Granular monitoring is more accurate and has uncovered sophisticated
intruders who hide inside virtualized private networks (VPNs) or
encrypted data flows,” Dr. Berk revealed to us. Often, these
sophisticated attackers have been there for years unnoticed. “The VPNs
and the encryption are not cracked, but the data is analyzed to
understand why they are in the network,” Dr. Berk explained to us.
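To make two of the signals in Dr. Berk’s remarks concrete, unexpected reconnaissance (one source touching many distinct services) and traffic volume that departs from a device’s own rhythm, here is an added Python example written for this page. It is not Flowtraq’s code or the article’s. Baselines are kept per device, as the granular-monitoring passage above argues, so a chatty server is not judged against a quiet workstation; all addresses, flow records, baselines and thresholds are constructed.

```python
"""Behavioural detection over network flow records: reconnaissance and
per-device volume anomalies.

Added example, not code from the original article or from the vendor quoted
in it. All addresses, flows, baselines and thresholds are constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def detect_recon(flows, min_targets=10):
    """Return sources that contacted at least min_targets distinct (host, port) pairs.

    Ordinary clients talk to a handful of services; a scanner sweeps many.
    min_targets is an assumed threshold to be tuned against real traffic.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def bytes_per_source(flows):
    """Total bytes sent by each source in the observed window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


def volume_anomalies(current, baselines, z_threshold=3.0, min_rel_std=0.1):
    """Flag devices whose current byte volume sits z_threshold standard deviations
    above their own historical window totals.

    A device with a perfectly flat history has std = 0 and any change would
    score infinitely, so the std is floored at min_rel_std * mean and steady
    devices are not flagged for trivial changes. Devices with no baseline are
    skipped rather than guessed at, which would be a source of false positives.
    """
    flagged = {}
    for device, total in current.items():
        history = baselines.get(device)
        if not history or len(history) < 2:
            continue
        mean = statistics.fmean(history)
        std = max(statistics.pstdev(history), min_rel_std * mean)
        if std == 0:
            continue
        z = (total - mean) / std
        if z >= z_threshold:
            flagged[device] = round(z, 2)
    return flagged


# Constructed flows for one five-minute window.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.2.10", 443, 1200),
    Flow("10.0.0.5", "10.0.2.10", 443, 800),
    Flow("10.0.0.7", "10.0.2.11", 80, 520),
    Flow("10.0.0.9", "10.0.1.1", 80, 60),
] + [Flow("10.0.0.9", "10.0.1.1", p, 60) for p in (21, 22, 23, 25, 110, 143, 443, 445, 3389, 8080)]

# Constructed per-device history: total bytes in each of the last five comparable windows.
SAMPLE_BASELINES = {
    "10.0.0.5": [1000, 1100, 900, 1050, 950],
    "10.0.0.7": [500, 500, 500, 500, 500],
    "10.0.0.9": [600, 650, 620, 610, 640],
}

if __name__ == "__main__":
    print("recon:", detect_recon(SAMPLE_FLOWS))
    print("volume:", volume_anomalies(bytes_per_source(SAMPLE_FLOWS), SAMPLE_BASELINES))
```

Note that the scanner in the sample moves very few bytes and the volume spike comes from a different host, which is why the text insists that an analyst correlate several clues before concluding: neither function alone tells the whole story.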
Cyber-security will increasingly be a battle of wits between intruders
and the victims. Big Data analysis notwithstanding, cyber-criminals will
find new ways to elude their hunters. The data analysis will provide
clues about the ever changing methods used by cyber-criminals and
means to guard against their attacks. The quality of human intelligence
on either side will determine who wins.
HTML5’s Private view
By Kishore Jethanandani
Mobile devices make their transition from personal devices to intimate
devices with HTML5. They can now potentially see, hear and sense the
world of smartphone users aided by APIs that open the doorways to the
cameras, microphones and the sensors in mobile devices. The cross-
platform capabilities of HTML5 also enable virtual peeping toms,
stalkers, and spies to snoop into the private world of smartphone users
while covering their tracks.
Sensors like accelerometers, gyroscopes, and compasses, commonly
embedded in mobile devices, can record motion as well as its direction and
slope. This data can help to determine the pathway of the user using
applications built on HTML5 for mobile devices. Using cross-site
scripting and JavaScript, hackers can remotely gain access to the data.
Applications like Highster Mobile have been used to keep track of
movements of cheating spouses to verify their stories.
Remote tracking of mobile devices does not necessarily have the dark
motives of cyber-criminals. Such applications are also widely used to track teenagers
and their risky behaviors with mobile devices. Location Labs now sells
the FamilyBase plan for alerting parents when their teenage children
are texting and driving. While intrusive, these kinds of applications can
even improve safety.
HTML5, designed for bandwidth efficiency, is used for real-time, cross-
platform, multi-user, interactive streaming applications that need
persistent connections for the transmission of small bits of data for
content like stock price updates. A typical use case is the trading
platform created by Interactive Brokers for day traders and hedge
funds. Users receive real-time quotes with charts on an iPad and other
mobile devices. The diversity of mobile devices calls for a cross-
platform solution that HTML5 can provide but not native applications.
WebSocket, one of the platforms within HTML5, saves bandwidth by
processing multiple requests for content over a single persistent
connection with minimal security overheads (the headers that
accompany every packet of data transmitted). By contrast, polling
makes multiple requests for content in real-time with traditional HTTP.
Similarly, several data streams flow in opposite directions over a single
connection. Since multiple data streams flow on a single connection,
WebSockets also open the way for distributed denial of service attacks
that are hard to control without the benefit of the security overheads
commonly used with TCP connections.
Deep Content Inspection is the alternative method for securing
networks when multiple streams of data are flowing without the packet
security headers to filter for malware. This approach examines the
content inside packets to look for signs of criminal activity including
inspection of addresses and URLs of applications to ensure they are not
coming from disreputable sources. Additionally, the content flows are
parsed to uncover any lurking malicious intent that might be harmful to
the receiving servers.
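As an added example of what securing a WebSocket stream looks like on the server side, covering both the persistent-connection concerns of the earlier paragraph and the content inspection described just above, the following Python code validates the upgrade handshake (accept-key computation as specified in RFC 6455), checks the Origin header against an allow-list, rate-limits messages per connection and inspects each application message. It is written for this page and is not the article’s code or any vendor’s; the allow-lists, limits, sample headers and sample messages are constructed.

```python
"""Server-side checks for a WebSocket endpoint: handshake validation, origin
allow-listing, per-connection rate limiting and message content inspection.

Added example, not code from the original article or from any product it
names. The accept-key computation follows RFC 6455; allow-lists, limits,
sample headers and sample messages are constructed for the example.
"""
import base64
import hashlib
import json
import time
from urllib.parse import urlparse

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept for a client's Sec-WebSocket-Key (RFC 6455, section 4.2.2)."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_handshake(headers: dict, allowed_origins: set):
    """Return (True, accept_key) for an acceptable upgrade, else (False, reason).

    Browsers always send Origin on a WebSocket upgrade; refusing unknown
    origins stops scripts on other sites from opening a socket here with
    the user's ambient credentials.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not an upgrade request"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported version"
    key = h.get("sec-websocket-key", "")
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = b""
    if len(raw) != 16:
        return False, "bad key"
    if h.get("origin") not in allowed_origins:
        return False, "origin not allowed"
    return True, accept_key(key)


class RateLimiter:
    """Token bucket per connection: `burst` messages at once, refilled at `rate` per second.

    Without this, one client on one persistent connection can push an
    unbounded stream of small frames, the denial-of-service shape the text describes.
    """

    def __init__(self, rate: float, burst: int, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.tokens = float(burst)
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def inspect_message(raw: bytes, max_bytes: int, allowed_hosts: set):
    """Return (ok, reason): size limit, valid JSON object, URL hosts on an allow-list."""
    if len(raw) > max_bytes:
        return False, "message too large"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "not valid JSON"
    if not isinstance(msg, dict):
        return False, "not a JSON object"
    for value in msg.values():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            host = urlparse(value).hostname
            if host not in allowed_hosts:
                return False, f"url host not allowed: {host}"
    return True, "ok"


# Constructed upgrade request; the key is the worked example given in RFC 6455.
SAMPLE_HANDSHAKE = {
    "Host": "quotes.example",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
    "Origin": "https://quotes.example",
}

if __name__ == "__main__":
    print(validate_handshake(SAMPLE_HANDSHAKE, {"https://quotes.example"}))
    limiter = RateLimiter(rate=5.0, burst=3)
    print([limiter.allow() for _ in range(5)])
    print(inspect_message(b'{"sym": "ACME", "chart": "https://quotes.example/c/1"}', 1024, {"quotes.example"}))
```

The limiter takes an injectable clock so the refill behaviour can be tested deterministically; in a real server each connection would own one `RateLimiter`, and a message that fails either the limiter or `inspect_message` would close the connection rather than be forwarded to the back end.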
HTML5 is indispensable in the emerging world of browser-to-browser,
data-rich multi-media communications prone to traffic spikes.
Cumbersome security inspection methods will impede new
applications. The alternative is to look for identifiers that are giveaways
of criminal activity. Security management will need to get a lot more
intelligent to be consistent with the needs of today’s applications.