Infosecurity Magazine, May 18, 2018, with comments by Satya Gupta;
“Ghoulies and ghosties and long-leggedy beasties, and things that go bump in the night…”*
If only what’s happening on the Internet these days were the stuff of imaginative poetry. Instead, what experts are seeing is categorized as pure evil – the scariest of what’s been seen so far in cyberspace. Part of the reason for the alarm is what’s already occurred -- a harbinger of things to come.
For four years running, Pwnie Express has polled over 500 security professionals and their compiled insights agree that 2018 amounted to “the scariest survey results we’ve seen yet.”
Eighty-five percent (85%) of these professionals reflected rising concern that their country’s critical infrastructures will be struck by a cyberattack in the next 5 years. This same fear is confirmed by many studies and experts around the globe. One such attack on the safety system of Schneider Electric last year demonstrated the brutal nature of attackers. Not only did they seek to damage infrastructure, which could have potentially harmed thousands if not millions, but the attack also included an additional diabolical twist intended to harm or even kill workers by attempting to knock out safety systems before the actual attack. Only a mistake in their calculations hindered the success of their plan.
Along with companies facing malware and ransomware, one third of survey responders indicated they had also been part of a distributed denial of service (DDoS) attack, with 22% of those being attacked through wireless access points.
Perhaps even more alarming is despite those surveyed being highly aware of the IoT threats, one in three believed their organizations’ level of readiness to detect future threats to connected devices to be lacking. And despite the knowledge of these risks, often, up to 40% of security professionals are not even involved in purchasing decisions regarding IT devices (computers, mobile devices, servers, etc.). For those who have security policies in place for IT devices (75%), only a little over a third have policies for their OT/IoT devices.
We don’t, however, have to sit helplessly our hands. Much can be done to build an effective defensive posture.
Satya Gupta, CTO and co-founder, Virsec, echoed the concerns of survey respondents but noted that, while understandable, anxiety needs to be turned into actionable security.
"There is still a gap in understanding between IT and OT [operational technology]," Gupta said. "While most of the concern focuses on the devices (is my refrigerator spying on me?), most attacks come through IT channels. Especially in the ICS [industrial control system] space, the real dangers are from IT systems that automatically control myriad sensors, switches and other devices. Hacking a one-off device will cause limit damage, but hacking an ICS SCADA system can bring down an entire power plant or worse."