The Internet of Things is just at the beginning of its development, but “thanks” to it, malware, similar to monsters that came out of the screen of an old TV set, are already starting to stretch their tentacles in the realworld…
As mentioned in a previous article, U.S. research firm Gartnerpredicts that by 2020, connected devices will be more than double what they are today, reaching 20 billion units. But the interconnectedness of objects already invades practically every field – we go from electric cars to railways and airlines, from household utensils to industrial robots, from financial to electrical systems, from smartphones to prosthetic healthcare – and where the internet exists there is also alwaysthe possibility of cybercrime.
To bring example of the “empirical damage” that a Cyber-attack is able to cause, we can cite the case of thousands of Ukrainian families victims of the blackout caused by the Crash Override malware, which in December 2016 infected the power grid operator Ukrenergo. It’s impossible to forget the WannaCry ransomware, which in May of this year put public and private companies around the world in check, affecting approximately 100 countries and causing losses of $8 billion!
Faced with such scenarios, it is evident how much computer security plays, today in particular, a role of capital importance. In this regard, one of the most urgent problems to be solved is related to the “Time to discovery”, that is the time that separates a successful malware attack from its discovery. According to some industry surveys, currently the Italian “Time to discovery” corresponds on average to over 100 days! This figure, considering the imminent coming into force of the GDPR with its strict rules on data protection, is anything but comforting… The greatest ambition for those who deal with Cyber Security, would be to unmask the attack in the early stages: in fact, it is estimated that the greatest damage occurs in the hours immediately following the compromise. After this period of time, even in case the infection is detected, the only way forward will be to implement a slow and cumbersome containment and data recovery plan.
According to IT security experts, one of the main flaws in the defensive arsenal of many large companies is the lack of integration between the protection tools used: it is not uncommon to encounter organizations supplied by 5/6 different producers of “technology security”, but lacking the skills and time resources to be able to manage the heterogeneity of such a system. As a result, major corporate entities find themselves reporting up to 10,000 security incidents per day and, in a panic, increasing their dedicated staff… with no other outcome than to hypertrophy their IT department. What seems to be missing, therefore, is a simple, functional strategy that is oriented towards the defense process rather than the stacking of technological products.
In 2016, during the convention “Cybercrime and Data Security” organized in Milan by the American Chamber of Commerce in Italy together with Affinion International, it emerged that the annual amount of money lost in our country as a result of hacker attacks, amounts to 9 billion euros! The first three causes of business vulnerability, as emerged during the event are: unconscious behaviors (78%), distraction of people (56%), mobile access to information (47%). Among the most typical unconscious attitudes, we can certainly include the connection sessions to Free Wi-Fi (of bars, hotels, etc..) often unprotected, where any data – company passwords, bank etc.- can be easily intercepted by the “hacker on duty”. Another naive and/or absent-minded behaviour adopted by many public and private employees is to remotely access the company archives using easy and predictable usernames and passwords (e.g. admin – admin). These examples show how awareness and evaluation of risk contexts, fundamental when dealing with the network, are elements that are usually neglected.
Most smartphone users also don’t pay enough attention to the huge amount of “private” information made available by apps on a daily basis: contact details (where bank PIN codes are often entered as memos), biographical data, images, videos and, in the case of “fitness apps”, even weight, height and heart rate: appsthat know what we eat, how many hours we sleep and, through geolocation, know our every move. The applications installed on smartphones (an average of 50 in the life cycle of a phone) almost always require the opening of an account with the insertion of personal data, and the fate of unused apps is invariably the same: after a couple of days they are uninstalled or set aside, but without deactivating the registered account. Sooner or later, the data previously entered, lying on the net in some database, will fall into the hands of someoneand, among the many unfortunate cases, there are those of people who found themselves with rented or leased cars without their knowledge… It is the “small” distractions and lightness of the user, therefore, that nourish criminal events of gigantic dimensions, such as the Data Leak known among cyber-criminals by the name of Anti Public: a gigantic deep web archive -discovered recently by the Cyber Division Var Group– of stolen mails and passwords traceable to enterprises, public institutions, armed forces and police, universities and critical infrastructures all over the world. In light of these facts, in addition to paying close attention to where one connects, what one downloads, and updating antivirus software, the use of tools such as two-factor authentication (password plus code) for email/cloud services will be essential to significantly reduce the danger of “cyber disasters”, and where the option does not exist, be wary of the service offered.
Another risky and useless habit, but (especially in Windows environment) very widespread, is to use the computer with administrator privileges active even when it is not strictly necessary. In fact, by taking advantage of this setting, many malware (including the aforementioned WannaCry) are able to exploit these privileges once they have penetrated the system, in order to act more quickly in their work of infection and propagation.
Up to now we have focused on the material damages that a cyber-attack can cause using smartphones and computers, but at the beginning of the article we have premised as the typologies of the interconnected devices (and therefore at risk), although in exponential increase, already range in every field: we want therefore to conclude with a brief reflection related to the potential dangers of the immediate future, bringing two examples referred to the industrial and medical-health sphere. Regarding the latter, the vulnerability of last generation pace-makers and insulin pumps to cyber-attacks has been proved, and the hypothesizable consequences -imagine a ransomware able to take hostage, instead of a computer’s data, the life of a human being- are really worrying. A similar concern arises with respect to industries 4.0, where the use of “smart” and interconnected robots is on the rise. Here, too, constant monitoring and refinement will be necessary: suffice it to say that -as one research of Trend Micro– a minimum distortion in the lines of code transmitted to the robot, can lead to defective manufacturing and the consequent functional compromise of critical components belonging, for example, to airplanes or cars.
Therefore, we can only trust in the common sense of the manufacturing companies, hoping that they take into particular consideration the security factor not only in the design and development of the devices but – thanks to frequent software updates – during the course of their entire life cycle.
Marcello Argenti