Shifting paradigms in the age of IoT

How many smart devices do you own? However many, it’s just the start.

A new Markets and Markets study estimates 15.4% growth in smart appliances in the next five years, which means that by 2020 these smart autonomous devices will reach 30 billion in number and the market will be worth about $52.6 billion. In particular, millions of consumers around the world are increasing the demand for smart home security products. But what are the security implications of smart security?

To answer this all-important question, international security futurist Marc Goodman provided an insightful perspective in his address to ASIAL’s Security 2015 Conference in Melbourne. He said security devices moving into the digital realm will “create tremendous opportunities to improve security, but it’s also going to create its own risks and threats”.

Size and scale of the risk

“When we talk about internet changing its size from a metaphoric golf ball to the sun, we are talking about the number of available connections to the internet,” said Goodman.

With IPv6, there are 78 octillion possible connections. That’s 78 billion billion billion, or enough space to give one trillion IP addresses to each grain of sand on Earth! So more and more things are going online, hence the ‘Internet of Things’.

“The challenge about it from the security side is we can’t even protect the devices that we have online today. The Internet of Things is just more things to be hacked. While we have been excellent at wiring the world, we have failed to secure it, and that’s something we need to give grave consideration to,” warned Goodman.

“Not only are these new technologies creating massive security risks, but they are also opening up new challenges for law, public policy, regulation, privacy. So the technology is following Moore’s Law and is exponential — doubling, doubling, doubling — but all our traditional legacy systems are completely analog and linear and so we’re really headed for some very interesting times ahead.”

Smart systems and their hackability

Let’s take security cameras, for example. Goodman says around 30% of the systems, particularly those of consumer grade, come out of the box with no passwords whatsoever.

“So if anyone knows the right IP address or the right address to reach your camera, they can log in and see you at any time. And there are thousands of websites that are dedicated to exactly this kind of voyeuristic viewing of people,” said Goodman.

“30 to 40% of cameras do have passwords, but those passwords are administrative passwords that are in the manuals for the camera, so if you go online and Google the name of the manufacturer, you can download a PDF of the camera operations manual and see what the administrative password is.”

But even those who spend tremendous sums on security can be hacked.

“Former FBI director Robert Mueller recently said, quite famously, ‘there’s only two types of companies: those that have been hacked and those that will be’. A sense of overconfidence is the enemy in a situation like this,” said Goodman.

“We’ve had prisons in Florida who actually had the prisons’ doors online, available to the internet, and they were hacked and all of a sudden the prison doors are opening […] We have 300,000 implantable medical devices that have an IP address — so your heart is now online, which means now, for the very first time, the human body itself is becoming subject to cyber attacks.”

Who is at risk of cybercrime?

From big business to small business, right down to the individual, everyone is vulnerable because, as Goodman warns, attacks are generally not personal.

“When you think about these cyber attacks, they are not coming against you — they are coming against everybody. There are not people that are coming after your company — there is software that is coming after your company. The days of humans hackers sitting at keyboards, trying to break into your network, are mostly over. Almost all of these security threats are carried out by automated tools.”

Crimeware (a type of malicious software designed to carry out or facilitate illegal online activity) shakes the doors and finds an opening, Goodman explains. Then the average time to detection of a cyber breach is 211 days, according to a study by Trustwave Computing. That means the average company that is broken into has hackers living in its systems for nearly seven months before they even realise it. According to the same study, 75% of Fortune 500 companies in America could be penetrated in just under 15 minutes.

“That’s not just a security threat — that’s like a hot knife going through butter. It’s like taking candy from a baby,” Goodman said.

What it means for security moving forward

Goodman says all of the security paradigms that worked well previously are now broken by these technologies. Moving forward, curiosity and collaboration will be key.

“The skill set required for successful security professionals moving forward will be quite different from what it was in the past, but I would say the key skill set people need is curiosity,” Goodman said.

“You need to be curious about the world around you because things are changing so, so rapidly. And you need to be adaptive and flexible and open to new things and recognise that you may not have all of the answers.

“We in security tend to think that we have to do it all alone […] but the security threat is growing so exponentially greater day by day that we’re going to need outside help. There’s currently, according to CISCO, a shortage of 1 million cybersecurity professionals around the world today. By 2020, that number’s going to grow to 2 million people. So if you are a chief security officer or you’re a chief security information officer, you’ll never be able to battle this by yourself.

“You need to get your COO and CEO on board, you need to get your board of directors thinking about this and you need to get all of your employees involved. You even need to get the general public involved. Your customers. You need to create channels […] so that you can bring in all of this outside intelligence. We on the security front need to be much smarter and much more clever about crowdsourcing security and getting non-traditional players to feed into all of this.”

So the next time you install an internet-connected device, make sure you give enough thought to securing the device from would-be hackers!

*Kirsty Jagger is the Marketing and Communications Manager for the Australian Security Industry Association Limited. Established in 1969, ASIAL is Australia’s peak national security industry body. ASIAL is dedicated to supporting its members, promoting standards and safeguarding public interests.

Image credit: ©duncanandison/Dollar Photo Club