IP Expo 2016: Sophos, Kaspersky and Trend Micro talk future threats from IoT, hired cyber criminals, and security education
Security experts have warned of lack of education, enterprise action, criminals for hire, and the rise of connected devices as the most worrying cyber threats.
Speaking on a future of security panel at IP Expo 2016, James Lyne, global head of security research at Sophos, said the development of the Internet of Things (IoT) is making everyone more reliant on Internet-connected devices, yet these machines often contain firmware and software based on ancient versions of code and operating systems, leaving them open to hackers.
Internet of Threats
“The big concern is looking at the whole landscape of different devices that we’re buying as small businesses and consumers; the weird connected junk, the Wi-Fi toothbrush all the way up to the connected car and the like; the whole ecosystem. What scares me is that as a society we depend on all of this stuff more and more and more,” he said in answer to what he believes is the worst threat in cyber security.
“Whether it's economic or social or education, this tech is becoming a founding pillar for everything we do. Yet when you lift the surface slightly, it seems like we are so obsessed with building bigger and bigger boats to carry us to new places with our technology, while we are completely ignoring the fact we’re making the hole bigger.
“For me it’s the landscape fear of all this stuff coming in and re-opening old wounds that we really should have learnt our lessons from by now.”
Eugene Kaspersky, chief executive of the security software firm that bears his name, agreed, calling the IoT the “Internet of Threats” from a cyber security perspective. He added his own fear of professional cyber criminals for hire who can attack IoT systems and critical infrastructure, such as power grids, from across the internet at the behest of terrorist groups and nation states.
Rik Ferguson, global vice president of security research at Trend Micro, noted that such severe and high-profile cyber attacks are enabled by companies not being rigorous enough in how they roll out and control cyber security within their enterprise.
“What scares me the most is all the people in this room,” he said, addressing the IT and security professionals attending the panel talk. “All the people who work in and are responsible for security in organisations, because you’re not in general doing a very good job, and attacks like TalkTalk, and Yahoo, and many, many others you care to mention are an illustration.”
“Those kinds of attacks, TalkTalk is a great example, shouldn’t be possible in 2016. A SQL injection attack should fail; it’s easily negatable. But because enterprises are not doing enough about the basics of security these attacks continue and individual citizens are impacted by that.”
Ferguson highlighted that enterprises are not making enough use of up-to-date security practices, such as ensuring all their important data is encrypted and that multistage authentication is used.
“These things are simply not rolled out and they’re easy tools, they’re cost-effective tools; most of them don’t require buying any or much technology from anybody,” he said.
Education is also part of the answer. This involves making sure the information people receive on the latest security threats, and on how to protect against them, is current: Lyne noted that people do understand the threats and will spread information around, only it often happens to be several years out of date.
Ferguson and Kaspersky suggested that enterprises should allow their employees and technology teams to experiment with cyber security and potential threats in a sandbox environment, where they can see the results of a successful hack attack without it posing any risk to critical systems.
“Let them along with security technologists simulate types of attacks; you can learn so much about your enterprise,” noted Kaspersky.
Highlighting the risk of IoT devices as an example, given the relatively early stage the tech trend is at, Lyne said that security in devices should be robust to all existing threats, and that the security sector has a part in ensuring companies working on such devices and software are made aware of this, rather than passing the blame onto consumers who happen to use weak passwords or fail to recognise spoof emails.
“I do think there is a greater burden towards the vendors and I do think there’s a part to play in the security industry, for us as professionals, and regulators in forcing those issues. But that doesn’t mean we shouldn’t take advantage of trying to educate consumers as well,” he said.
With massive data breaches like the one Yahoo recently suffered grabbing headlines, it would appear enterprises need to wake up and smell the coffee when it comes to modern cyber security.