Emerging Technologies: Managing Elastic Attack Surface

Introduction

Technology innovation drives not only economic growth but also advances in human life and behavioral change. Emerging technologies come with their own inherent risks, and in the current cybersecurity climate of looming hacks and breaches they can also be viewed as a double-edged sword that opens new “attack surfaces”, i.e. exposed, reachable and exploitable vulnerabilities for cyber criminals.

Emerging technologies like Cryptocurrency / Blockchain, Internet of Things (IoT), Intelligent Cloud, Smart Supply Chain, AI and Machine-learning enabled systems, Virtual Reality (VR) / Augmented Reality (AR), Robotics and Unmanned Aerial / Aquatic Vehicles and more are intensely increasing the cyberattack surface within organizations, and all of these technologies require protection.

Digital proliferation is outpacing the speed with which defence mechanisms are being invented and applied to protect these emerging technologies. On the one hand, organisations need to ensure technologies continue to serve as a business enabler, facilitating productivity and optimising business processes; on the other hand, they also need to keep up with the increasing complexity and variety of new attack surface imposed by emerging technologies.

We are noticing a shift among cyber criminals from attacks on legacy applications, systems and infrastructure to attacks on these emerging technologies.

Cryptocurrency / Blockchain

We are in the middle of the cryptocurrency boom. People are starting to appreciate the benefits of decentralized systems, and many large financial services and investment firms, as well as governments, are starting to explore the feasibility and usability of bitcoin and the underlying Blockchain technology to replace existing financial systems.

However, we should also be cognizant that Blockchain comes with its own set of cybersecurity challenges. There have been at least three dozen heists of cryptocurrency since 2011 and more than 980,000 bitcoins have been stolen, which today would be worth about $4 billion.

In late 2017 alone we saw a spree of hacks and takedowns targeting cryptocurrency. In July 2017, the CoinDash ICO was hacked with $7 million stolen, the Parity multisig wallet was hacked with $32 million stolen, and Veritaseum’s Ether wallet was hacked with $8 million stolen. In September / October 2017, a hacker hijacked CoinHive's DNS to mine cryptocurrency using thousands of websites.

Internet of Things (IoT)

It is no longer ‘news’ that IoT devices can be weaponized by threat actors to conduct cyber-attacks, but it seems that many manufacturers and firms deploying IoT devices are still not taking the security issue seriously. Cyber-attacks on IoT have seen a big influx and will continue to increase in severity.

In Feb 2017, the details of 800,000 customers, including 2 million private recordings from parents and their children, were exfiltrated from an Internet-connected toy company.

During October / November 2017, ‘BlueBorne’ vulnerabilities were found on voice-activated Internet of Things devices. Hackers could exploit BlueBorne to mount an airborne attack, using Bluetooth to spread malware and access critical data, including sensitive personal information. More than 20 million Amazon Echo and Google Home digital assistant speakers could have been impacted by the flaws.

Intelligent Cloud

Companies are now racing to migrate to the cloud and as a result, cybersecurity for cloud infrastructure is currently in a “delicate state of transition” as many companies assume that cybersecurity is the responsibility of the cloud provider. Cloud enablement is creating many blind spots for companies and thus paving the way to multiple successful intentional/unintentional data leaks.

In June 2017, personal information of almost 200 million registered U.S. voters was accidentally exposed online due to an improperly configured security setting on an Amazon S3 storage server. In July 2017, millions of Verizon customer records were exposed in a security lapse: records of 14M customers were found on an unprotected Amazon S3 storage server controlled by an Israel-based company that was working on behalf of Verizon. In Nov 2017, default Amazon AWS S3 settings used by the US Military left terabytes of social media spying data exposed to everyone.

Smart Supply Chain

Cyber-attacks are becoming prevalent in smart supply chain systems given their evolution from the traditional supply chain to a connected, smart, and technology-driven ecosystem. From a hacker’s perspective, these systems host sensitive data such as order, price, logistics, contractual, raw material and forecasting information, which could be a big catch.

In Jun 2017, the NotPetya outbreak locked up tens of thousands of systems, impacting the supply chains of major organizations such as AP Moller-Maersk, Merck, FedEx, Mondelez International and Saint-Gobain. In August 2017, the ShadowPad backdoor emerged, showing how dangerous and wide-scale a successful supply-chain attack can be. A backdoor was injected into a network management software suite and was pushed through a software update to the systems that had the software installed.

Artificial Intelligence (AI) / Machine Learning (ML) enabled systems

Artificial Intelligence (AI) and Machine Learning (ML) are the next big technology revolution trend that will re-shape the way we conduct business, and given the current pace of automation and digitalization, AI/ML will be able to take over most of the manual, repetitive or even cognitive jobs which we do today.

It is important to be aware of the opportunities and threats attached to AI/ML. Thinkers have already provided alarming information on how attackers are exploiting AI/ML for their nefarious purposes. AI/ML will make existing cyberattacks easier to execute, and attacks will become more powerful and more efficient. AI/ML-enabled attacks will be self-learning and faster to react when countermeasures are built against the attack, which means AI/ML-enabled attacks may be able to exploit another vulnerability, or start scanning for new ways into the system, without waiting for human instructions.

This was demonstrated by two data scientists from security firm ZeroFOX, who conducted an experiment to show who was better at getting Twitter users to click on malicious links: humans or an artificial intelligence. The researchers taught an AI to study the behavior of social network users, and then design and implement its own phishing bait. During the test, the artificial hacker was substantially better than its human competitors, composing and distributing more phishing tweets than humans, and with a substantially better conversion rate.

Augmented reality (AR) / Virtual Reality (VR)

VR/AR will radically change how we work, learn, play, exercise, communicate, transact, socialize and consume content in the future, and with it comes a unique set of cybersecurity challenges. Here are some of the potential attack vectors we may see in the coming days:

Illegal recording and theft of user behavior data: hackers recording users’ behavior in their VR/AR environment and threatening to publicly release the recording unless a ransom is paid.

Interjection of information or data into VR/AR to mislead or entice users into selecting items that exfiltrate personally identifiable information.

Hijacking and taking control of VR/AR remotely to impersonate someone in a workplace social collaboration scenario.

Robotics / Unmanned Aerial / Aquatic Vehicles

There is a huge buzz around the robotics market, with researchers forecasting that global spending on robotics will reach USD $188 billion by 2020. Robots can take on any form and can be used for different purposes. The main idea behind these robots is to allow them to operate autonomously, without supervision, while achieving the same outcomes as a human can.

However, an early warning raised by IOActive Inc, a Seattle-based cybersecurity firm, found that some of the most popular industrial and consumer robots are dangerously easy to hack and could be turned into bugging devices or weapons. These vulnerabilities could allow the robots to be turned into surveillance devices, surreptitiously spying on their owners, or let them be hijacked to steal personal information and be used to physically harm people or damage property.

What’s Next

The embedding of emerging technologies into businesses is redefining the cyber-attack surface and making it elastic, growing with every new technology adoption. The only way to address the elastic attack surface is with a detailed cyber strategy, a complete assessment of the entire attack surface, possible attack scenarios, integrated monitoring controls, emerging technology threat modeling, potential risks and mitigating controls.

Excellent article sir! It gives a lot of insight on how easy it is to get carried away thinking only of the benefits these above-mentioned technologies provide. There is a paradigm shift in the way hackers and perpetrators have started to operate - this is because of the larger attack surface these emerging technologies provide them. Amateur cyber-criminal groups usually lack the skills and attack techniques to carry out successful assaults on these ever-evolving technologies. Thus, there is a steep increase in the formation of APT groups comprising multiple amateur attack groups. Organizations are to also understand the cons these technologies bring with them - one probable reason for this is that the attack vector or the impact on such technologies is not known before. On the other side, fairly active APT groups operating from North Korea, China and Russia have started to take down their rivals by targeting critical infrastructure and associated entities to cripple their economy. This will have a multifold impact on countries which are affected. It makes them vulnerable to more attacks and also exposes the weak links in their critical sectors. One such attack, which took place in the month of October, was carried out by a cyber-espionage group, Dragonfly, as part of the Dragonfly 2.0 campaign targeting the energy sector in Europe and North America. Not to forget the recent addition of VOLGMER and FALLCHILL to their arsenal by Hidden Cobra, a state-sponsored North Korean espionage group (more attacks to be directed towards the CIA and subsequently US). As you rightly mentioned, not only organizations but it is also high time for emergency response teams (CERTs) of countries to pay heed to their cyber posture and be proactive in protecting their systems, as the next combat for supremacy will be between countries to destruct each other's critical systems and technologies!
