CYBER

Recommendations

Info

Steps to SAFEGUARDING THE IOT Our world is becoming more connected than ever as the Internet of Things (IoT) has evolved from a sci-fi ideal to a reality in our homes and cities. Who could have predicted that our connected car could think for itself, and dolls could hold a conservation with a child? As crazy as these ideas sound, they are now squarely within the realms of possibility. There is a catch, however. Unlike laptops or smartphones, IoT devices are often lacking when it comes to cyber security, with manufacturers swept up in the drive to impress us all with new and exciting WiFi wizardry. Their expertise simply does not lie in IT. Consumers tend to care even less for cyber security and in many cases will sell their password for a bar of chocolate, [1] and so we quickly come to understand both the incredible potential and the serious insecurities of the IoT. But why does this matter? Hacking the IoT What many people don’t realise is that by connecting a device to a computer network, it is instantly transformed from a simple gadget into a gateway attack vector. Your WiFi-enabled kettle or talking Barbie provides opportunities to get inside the network boundary, helping attackers gain access to personal data. The network is only as strong as its weakest component, and this is increasingly likely to be an IoT device. Ruthless commercial pressures are also to blame for bringing insecure IoT products to the market before they are robust enough to fend off hacking attempts. And this carries a significant safety risk. Take the Jeep Cherokee case for example: Just last year, two hackers demonstrated remote access to vital functions (including brakes and steering), leading to 1.4 million vehicles being recalled in order to patch the software. [2] The IoT army While an individual’s motivation for securing connected devices might be focused on their personal safety and security, we recently witnessed an even greater threat to the internet as a whole. Distributed Denial of Service (DDoS) attacks are by no means new, but these are now being taken to a whole new level by hackers using the IoT. This is exactly what happened on the 21st October 2016, when Dyn (a large DNS provider) was attacked, wiping out major websites including Twitter and Amazon across the East Coast of the United States. [3] Malware known as Mirai was discovered as the cause, and this is where it gets interesting. Mirai continuously scans the Internet for IoT devices and attempts access via known factory default usernames and passwords pulled from a database. If successful, it then conscripts these devices to join botnets and bring about powerful DDoS attacks like never experienced before. Although documented hacks and DDoS attacks have so far been either high-impact and focused or disruptive and widespread, what if the next targets were both high-impact and widespread? Imagine the chaos caused by breaking hospital infrastructures, power stations or air traffic control centres. Recent attacks have highlighted how the IoT’s vulnerabilities can be exploited in unexpected ways, and as a society we cannot afford to ignore these warning signs. 28 28
Towards a secure solution Unfortunately, securing the IoT is no simple task. The sheer diversity of IoT devices presents a stark contrast to the historical computing ecosystem and its approach to patching security updates, and this is a real challenge. Many questions must first be answered, addressing confidentiality, integrity and availability – as well as safety. For example: • What personal or device data do we (or should we) care about? How can we ensure data is kept private and secure? • How do we ensure updates are trusted? • Who has access? Maintenance channels must be secure to prevent unauthorised control, yet allow updates. • What happens if a device operation is disrupted? A driverless car cannot simply stop in the middle of traffic; it must always remain a safe form of transport. • Can we make systems secure, safe and easy to use? A balance must be achieved, especially in the case of driverless cars. • How can we encourage consumers and manufacturers to care about security – and how can we help consumers make informed decisions? There is no security equivalent of the ‘energy efficiency class’ rating. In answering these questions and considering our path towards a secure future, two facts are indisputable. Firstly, IoT devices must be built with security baked into the design, taking full advantage of the available skills and knowledge in the computer security industry. The industry needs more experts in all facets of security, able to apply those skills to the design of new connected devices. Secondly, the development of security standards and associated testing are a key part of our future IoT. While systems may claim adherence to formal security standards, how can this be trusted without third party certification? Independent testing is essential to certify such claims and collaboration is the key to turning these ideas into reality. Organisations such as the IoT Security Foundation (IoTSF) have emerged for this very purpose and work closely with industry partners to support the transition into a secure IoT era. Our awareness of the IoT’s security implications is growing as the trend gains pace, and one day this will allow the consumer to choose products with the right level of cyber security certification. Although we have a long way to go in the quest to protect our country from the increasing threat, by working together we are sure to achieve this goal. Mark West, Roke Manor Research www.roke.co.uk • How will this happen? Perhaps the framework itself needs a wider re-think. One possibility is shifting the security liability onto the consumer and creating a market for insurance to drive technology maturation. Links [1] Happ, C., Melzer, A. & Steffgen, G. (2016). Trick with treat – Reciprocity increases the willingness to communicate personal data. Computers in Human Behaviour. 61;372-377. [2] Wired (2015). Hackers Remotely Kill a Jeep on the Highway—With Me in It [3] Dyn (2016). Dyn Statement on 10/21/2016 DDoS Attack The Internet of Things is vulnerable to security breaches, but a secure solution is on the horizon. Connected driverless cars are set to be connected to the Internet of Things, but they present challenges in both security and safety. (Image: Roke Manor Research) 29
Page 1 and 2: inside CYBER Bringing you the insid
Page 3 and 4: inside CYBER Contents 04 ..........
Page 5 and 6: them. Despite this, the government
Page 7 and 8: Northrop Grumman is a leading provi
Page 9 and 10: top Universities even offer an unde
Page 11 and 12: 11 11
Page 13 and 14: 13 13
Page 15 and 16: Too many unreported cases The priva
Page 17 and 18: faced a competency-based interview.
Page 19 and 20: My Experience with the Cyber Securi
Page 21 and 22: 21
Page 23 and 24: SUCCESS STORIES UNIVERSITY CAMPS As
Page 25 and 26: MAKE EVERY EMPLOYEE A BARRIER TO BR
Page 27: The dark web: What it is and what
Page 31 and 32: CYBERUK 2017: Bringing together The
Page 33 and 34: 1. Shred, Shred, Shred… In my TV
Page 35 and 36: Consider all of our four sources of
Page 37 and 38: Cyber Security Extended Project Qua
Page 39 and 40: Word from the Chair Dr Robert L Now
Page 42: Opposite is a selection of cards to

CYBER

Create successful ePaper yourself

Delete template?

Save as template?