Submitted by CyberHub Summit on Thu, 06/21/2018 - 15:35
What's going wrong with IoT Security?

Recent attacks on Bycyklen (Copenhagen's public city bike system), the vulnerabilities discovered in cardiac devices, and plenty of other frightening DDoS attacks expose the precarious and costly state of affairs in IoT security.

With spending set to hit $1.5B in 2018 and increase to $3B by 2021, it's time to look at how effective our current preventative methods are at targeting IoT vulnerabilities. With an endless flow of cash pumped into securing digital surroundings, we are moving further away from an advanced level of security for the Internet of (our) things.

There are numerous IoT attacks occurring around us as we speak, and if our IoT devices are attacked, sometimes we are able to fix them, throw them away or simply live with a worse version of what we had initially purchased. However, the real threat with IoT attacks lies in the ability of malware to proliferate and target other devices, and in its adaptability to attack a multitude of different yet similar IoT products across the board.

Take, as a stunning example, the Mirai botnet attack. Back in 2016, the DDoS attack that brought down large chunks of the Internet, including Twitter, CNN, Netflix and Reddit, shook our confidence in IoT security. It was launched using an IoT botnet, initiated by the Mirai malware, that spread across the Dyn service provider.

As computers became infected with Mirai, they engaged in a search-and-destroy mission across the Internet for poorly secured digital cameras, DVR players and other IoT devices. Systems with the Mirai malware scan the Internet for other vulnerable IoT devices and perpetuate DDoS attacks.

Once the virus is loaded into memory on the bot, it deletes itself from the disk but remains active until the bot is rebooted. The device is virus-free after a reboot, but a few minutes later it is rediscovered and re-infected.
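One way a defender could spot the scanning and re-infection behaviour described above in their own network flow records, as an added example that is not part of the original article. The flow-record format, the sample data, the Telnet ports 23 and 2323, the thresholds and the internal address range are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the article: the Telnet ports, the window length,
# the fan-out threshold and the internal network range.
TELNET_PORTS = {23, 2323}
WINDOW_SECONDS = 300
MIN_DISTINCT_TARGETS = 5
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

def _burst(start, src, count):
    """Build constructed flow lines: one host probing `count` external addresses."""
    return [f"{start + i} {src} 198.51.100.{i + 1} {23 if i % 2 else 2323}"
            for i in range(count)]

# Constructed sample flows, format: "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_FLOWS = (
    _burst(1000, "192.168.1.20", 8)             # camera scanning outward
    + ["1100 192.168.1.30 203.0.113.9 443",     # ordinary HTTPS traffic
       "1200 192.168.1.30 203.0.113.7 23"]      # one Telnet session, below threshold
    + _burst(2500, "192.168.1.20", 8)           # same camera scanning again later
)

def find_scanners(lines):
    """Return sorted (window_start, src) pairs for internal hosts that reached
    many distinct external addresses on Telnet ports within one window."""
    targets = defaultdict(set)
    for line in lines:
        ts, src, dst, port = line.split()
        ts, port = int(ts), int(port)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if port in TELNET_PORTS and src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
            targets[(ts - ts % WINDOW_SECONDS, src)].add(dst_ip)
    return sorted(k for k, v in targets.items() if len(v) >= MIN_DISTINCT_TARGETS)

def rescanning_hosts(alerts):
    """Hosts that scan, go quiet for at least one full window, then scan again,
    which is what a reboot followed by re-infection looks like on the wire."""
    seen = defaultdict(list)
    for start, src in alerts:
        seen[src].append(start)
    return sorted(src for src, starts in seen.items()
                  if any(b - a > WINDOW_SECONDS for a, b in zip(starts, starts[1:])))

if __name__ == "__main__":
    alerts = find_scanners(SAMPLE_FLOWS)
    print(alerts, rescanning_hosts(alerts))
```

A host that reappears in the second list after being power-cycled is a sign that rebooting alone did not remove the exposure that let it be found in the first place.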

The advice published by PC Magazine was:

  • Avoid devices that cannot have their software or passwords updated
  • Changing default usernames and passwords must be mandatory
  • Make unique passwords for Internet-connected IoT devices
  • Update IoT devices with the latest software and firmware

Everyone could suddenly breathe: it was the fault of the consumer, rather than inherent weaknesses in our cyber security framework, that caused the chaos. Or was it?

Our current security solutions for IoT are not up to speed with ongoing attacks, and the financial risks are getting higher. This alone should force us to pause for thought as to how we are addressing the security solutions.

In the aftermath of terrifying bot-army attacks on our IoT devices, the same narrative is played over and over: if we as consumers protected our devices better, we would be safer. We break down our cyber security costs after an attack into: Function (as the functioning power is severely compromised); Repair; Replacement; and of course additional costs like ransomware payments.

Perhaps funding different models of cyber security, where security solutions are diversified, could reduce the long-term costs?

In short, if we create start-up incubators for security solutions, maybe the solutions need to be unique to the device being protected, limiting the spread of DDoS attacks.

The current landscape of IoT cyber security is filled with all-encompassing security solutions that cannot realistically defend against nearly enough emergent threats. With monetary losses increasing, it's time we rethought our cyber security solution.