Noblesse oblige


23 October 2014

Paul Hearns

The recent Cyber Threat Summit run by the International Cyber Threat Task Force (ICTTF) was an eye opener on many levels.

Not only did the panel of speakers cover the rash of recent threats, from mobile vulnerabilities to new attack techniques and developing social engineering, but a worrying trend that has greater potential to threaten businesses at large also emerged.

I blogged recently about the excellent James Lyne, he of Sophos fame, and his presentation in which he took his war-driving antics on tour. Having previously shown the level of insecurity that abounds in London among poorly secured or entirely unsecured Wi-Fi networks, he also took to several American cities to show the same. What he found was that people and businesses were failing to do the simple things necessary to secure their networks.

For example, he found that many businesses were using devices such as IP cameras attached to Wi-Fi networks with default or unchanged admin passwords. Lyne also found, more worryingly, that several manufacturers of such devices, including Wi-Fi enabled baby monitors often equipped with webcams, still allowed access with the default password even after the user had changed the admin password.

Now, the threat of baby monitors may be a remote one for many businesses, but the threat from the likes of IP cameras, Wi-Fi access points, multifunction imaging devices and others is not.

Another theme that emerged from the summit, and indeed from the governance industry too, is that third party attacks are also on the rise. This is where a black hat targets a large organisation, for whatever reason, that may itself be relatively secure. Instead of laying siege to that organisation, the black hat looks at its supply chain and works along it until a suitably insecure target is found. This might be a company several links in the chain away from the ultimate goal, but it is its level of insecurity, not its position, that matters.

This often small organisation is then targeted and compromised, becoming the injection point for a strategy that will ultimately get the black hat to the top prize. This pattern of attack means that almost every business is now a target, and the old adage of security through obscurity, at least in terms of organisation profile, no longer applies.

The clear picture, then, is of a whole raft of smaller businesses, increasingly online, mobile and yet insecure — failing to do the basics. This raises the threat level for larger organisations.

It is akin to many years ago when the Internet was in its infancy and few people used antivirus, let alone a firewall. Then the likes of ZoneAlarm arrived and gave away a free product, immediately raising the level of protection. By providing protection to those who would otherwise not have had it, this arguably made the whole Internet a safer place.

Flash forward to today, and there is a whole range of businesses who have fully embraced the possibilities of the Internet, smart connected devices (SCD) and even social media, but who have failed to understand, much less mitigate, the risks they run in doing so. This fertile ground for hackers becomes a target rich environment, either to recruit legions of zombie machines for mass attacks, or to find a specific foothold from which to craft an attack on a valuable target further up the supply chain.

How can this situation be tackled? If the basics are still being ignored, despite the level of awareness and coverage this topic gets, what can be done?

I think the onus is on the companies closest to those at greatest risk. The small, local service providers need to talk to each and every one of their clients and make sure that they have a basic level of protection to ensure that they do not unwittingly become the instrument of a hacker. This would require support and resources from the technology vendors to allow these companies to ensure the basic security of their clients.

I am not advocating free services, or indeed free products, but a good range of basic protection is needed from every vendor who serves the market to ensure those that would otherwise not have the protection can have some. This is not just so that the end user benefits, but rather that an otherwise open target is secured for the good of the entire business community.

Now, some vendors have already understood this and offer a broad range of products, including some designed specifically to protect the low end, with minimal options and configuration needs. But more can, and should, be done, especially in the area of support for the front line service providers.

The ICTTF is a good example of how the people at the top of the security industry can use their time and resources to raise overall awareness, share information and raise the level of protection and thus safety, as a whole.

Paul C Dwyer, founder of ICTTF, chair of the summit and internationally respected security expert, is a tireless campaigner for all of these strategies. As shown by RSA too, in the wake of their own breach, the development of a grassroots movement to share and understand the risks and threats can do more than all of the firewalls in the world. These movements to develop understanding need that common touch to succeed. They need the contact with the organisations most at risk, and I strongly argue that for small businesses, that means their technology partner — the local service provider.

Knowledge is power but without a means of dissemination, it is merely information. The vendors need to do more to enable the small service providers to get the information out there, as well as making sure there are a range of simple, affordable solutions for them to implement that will protect the vulnerable, and it must be said, the ignorant, in a way that will ensure a greater level of safety and reduced risk for all.


TechCentral.ie