The second edition of INTERPOL World 2017 Congress is closing today, where experts shared three days in a row their knowledge and discussed how to protect the world from cybercrime in an age of globalization. The theme of this year’s congress was “Fostering Innovations for Future Security Challenges” and Asian eMarketing focused on the discussions on security challenges the world is facing by using big data and Internet of Things (IoT) products, as well as Darknet marketplaces, since these are the most pressing issues the digital media and marketing industry must tackle, apart from the fact that the cost of cybercrime to the global economy is estimated at $445 billion a year.
Digital marketing, e-commerce, and social media are closely connected with emerging technologies and consequently go hand in hand with cybercrimes as total security can’t be provided when pioneering new innovations. Not to mention that endeavors are on both sides as we see cybercriminals increasingly getting more and more sophisticated and seem to always be a step ahead. INTERPOL’s goal to accelerate knowledge sharing in order to understand and prevent future threats is definitely a step into the right direction. The fact that more heads think better than one is commonly known, but the computing power of IT analytics is giving the proof.
According to Jean-Luc Vez, Head of Public Security Policy and Security Affairs, who is also a Member of the Executive Committee of the World Economic Forum (WEF), there are many instruments dedicated to fighting cybercrime today, including platforms for sharing information, private industry standards and best practices, but these efforts tend to be industry specific or regional at best. “Leveraging on INTERPOL’s unique position as the global hub for cybercrime related data and intelligence, the INTERPOL-WEF led dialogue will help broaden the awareness of available tools among organizations to aid in dealing with complex cyber threats”, he said.
Holistic view is needed to tackle IT security and privacy threats
Especially the omnipresent networking via IoT will keep us busy in the future, as IoT products are entering more and more areas of life, creating new security gaps that criminals discover very quickly, of course. Inadequate security solutions and data protection problems make it easy for them, but there have also already been discovered huge botnets that consist of IoT-like devices that implemented DDoS attacks to such an extent that it’s frightening.
The OECD's Global Privacy Network (GPEN) survey, for instance, revealed that there are still serious data protection problems with all IoT products tested, stating that even sensitive data is often transmitted completely unencrypted and that users are in general inadequately informed about the data collected, where they are stored and to whom they are passed on.
In view of this highly unsatisfactory situation, not only INTERPOL, but the Cloud Security Alliance (CSA) as well, are seeking to counteract this. CSA has published a new guidebook, which I can only highly recommend, as it specifies a series of concrete measures to increase the security of the networked devices, recommending encrypted data transfer, secure key management and firmware updates, as well as backup apps that control the devices. But in addition to all these general guidelines, the IoT Working Group of the CSA provides numerous detailed tips on the practical implementation of these principles in its whitepaper Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products.
Interestingly, the devices themselves are generally not compromised, but the online services the devices connect with are unfortunately often not sufficiently secured. IoT devices do not operate in a vacuum, they are a part of a much larger ecosystem that must also be secured sufficiently. Hence, wearable products will introduce privacy concerns which we have to consider in order to prevent any harm.
New computing power could be abused for DDoS
It is not difficult to imagine how IoT products can be abused to perform a Distributed Denial of Service (DDoS) attack, considering that some IoT products ship with no password protection, or use default passwords such as admin for local access. Attackers that identify these low hanging fruits can victimize large populations of the product quickly and employ them for their malicious purposes.
Considering that in the Asian region, cybercrime levels are rising due to stolen and breached identity data and the fact that Asia has the highest global levels of identity spoofing attacks and attacks on account logins, we all should be worried. Not to mention that there are constantly new innovations popping up in the ever-changing online space: The web crawling service ‘Shodan’ e.g. crawls the Internet at random looking for IP addresses with open ports. If the port lacks authentication, the script takes a snapshot and moves on, but this data is searchable publicly and can end up in the hands of the ‘good’ and ‘bad’ guys.
With predictions of having more than 50 billion devices connected by 2020, IoT products will enter our homes, workplaces, vehicles and even airplanes probably faster and to a wider extent than we can imagine right now. Adding interconnectivity between these devices and our existing network infrastructures will give law enforcement and public security forces a headache as new attack vectors that many will attempt to exploit, and which will have to be taken care of. Although, researchers are working hard to identify vulnerabilities associated with many of the existing IoT products, it won’t be easy to patch them up prior to a malicious attack. You can imagine the consequences of a particular IoT product being used to compromise sensitive user information - or worse, to cause harm or damage – which will be simply catastrophic to the product vendor. Then, marketing and communications experts will be called in to save the day.
Making use of Machine Learning and Artificial Intelligence
IoT devices operate as part of a larger ecosystem, therefore each integration point represents a potential new pathway into the systems that can be used to gain unauthorized access to information or control systems. Consideration must be given to ensuring that apps and services that are paired with IoT devices have been developed using secure development best practices.
To manage this and get the work done, we have to make use of Machine Learning and Artificial Intelligence, said Nick Savvides, Information Security Specialist & Strategist of Symantec during his presentation at the INTERPOL World Congress, as both are acting as a force multiplier.
“The sheer scale of the threats, devices and networks that are operated today make it impossible for humans and traditional systems to scale, to understand, to correlate and to connect and this problem is only expected to get worse, as huge new networks of devices and systems roll out, each acting as both a source of attack, a target of attack and generator of information and logs”, Nick Savvides explained. “Consider the volume of new connected devices in the IoT that will come online in the next few years. All of these are potential vectors of attack’, he added.
In fact, Gartner forecasts that by 2020, more than 25% of identified attacks in enterprises will involve IoT. With the emergence of Artificial Intelligence (AI) we might be able to stay one step ahead of cybercriminals, Symantec’s expert believes. Eventually, intelligent security systems have to be built that learn fast enough to predict and prevent attacks. “It is foreseeable that a cybersecurity Artificial Intelligence could observe all the outputs from Machine Learning models, looking at threats, anomalies and even current affairs news, and detect that an attack is about to happen”, he concluded.
Smartphone apps are often used to configure IoT devices, or to interact with IoT devices and also provide gateway functionality in some instances to funnel data from the IoT device to the cloud. Smart phone application developers will want to make use of security credentials to enable authenticated and integrity protected communications to IoT devices. “In some instances, developers should consider implementing Certificate Pinning to prevent Man-in-the-Middle attacks occurring within untrusted networks and IoT product developers must also consider limitations on the privileges afforded to mobile apps”, CSA recommends.
As IoT devices often interface with cloud services that tie together devices and services even across industries, we should indeed exercise extreme caution, not to give cybercriminals a chance to get their hands on any data.
Since the trade exhibition of INTERPOL Word is still on till tomorrow, you might want to take the opportunity and meet international manufacturers and solutions providers there, getting more insights into their latest cutting-edge technologies across cybersecurity, public safety, biometrics, identity solutions, forensics and investigations.
Anyway, INTERPOL World is a truly strategic platform for mutually beneficial collaborations, information sharing, innovations and solutions that supports fighting crime in the 21st century.
By Daniela La Marca