The report highlights that the growth of the Internet of Things is giving cyber-attackers more opportunities for increasingly “aggressive” and “confrontational” hacks.
It warns that ransomware criminals could steal important personal data, such as photos, private messages, and even health information, from everyday connected devices with limited security.
“This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it.”
The report also alleges that the last few years have been “punctuated by cyber attacks on a scale and boldness not seen before,” referencing attacks carried out against the US Democratic Party last November, and the Ukrainian power grid in December 2015.
NCSC Chief Executive Ciaran Martin said: “Cyber attacks will continue to evolve, which is why the public and private sectors must continue to work at pace to deliver real-world outcomes and ground-breaking innovation to reduce the threat to critical services and to deter would-be attackers.”
The report identifies three key features that underpin current cyber threat trends: Technical expertise is not necessary to carry out attacks, a broadening attack surface is leading to more opportunities for attackers, and threat actors are learning from, and using one another’s skills and capabilities.
“The technical skill required to commit cyber attacks continues to decrease. Malware and services such as DDoS (distributed denial of service) are easily acquired on the dark web which means the number of individuals capable of launching basic cyber attacks is increasing,” it says.
“The lines between different threat actors continues to blur as individuals and groups learn from, hire and work with one another. Criminal groups are imitating suspected nation state methodology in order to attack financial institutions, and more advanced actors are successfully using ‘off the shelf’ malware to launch attacks.”
The report also claims that a growth in number of network connected devices has led to an increase in IoT botnet attacks. Large numbers of insecure devices can be found online that are vulnerable to being taken over by malware.
“Insecure connected devices can easily be recruited into a botnet which can then be used to mount DDoS attacks on an overwhelmingly large scale. The attack on internet performance management company Dyn’s DNS servers provides some illustration of the harm that IoT botnets can do. We should expect more such attacks, possibly on an even larger scale, in the future.”
The concerns over the increased risk posed by IoT devices have been echoed by experts across the industry. Speaking to DIGIT, Gordon Orr, Country Manager from F5 Networks, said that poor security in newly shipped products makes it easy for hackers to carry out attacks.
…there’s very much a speed to market issue…
“Typically, if we look at IoT devices, particularly at a consumer level, there’s very much a speed to market issue around them,” he said. “That means they are shipped with pretty poor security, often just a default username and password. That’s one of the reasons why it’s heaven for cyber attackers. They don’t have to go through sophisticated reconnaissance; they don’t have to have a targeted phishing campaign in order to capture credentials. They can just go and do a dictionary attack and be able to identify and take over hundreds and thousands of IoT devices at once.”
They can then be weaponised as a botnet in order to launch wide scale DDoS attacks.
“We’ve almost got to the point where we have an army of minions that are able to attack an organisation of any size, regardless of how much investment you make in your defensive capability. When you have a 1.2 terabit DDoS attack, that’s pretty challenging for any organisation to cope with.”
Stu Hirst, Head of IT Security at Skyscanner, added that IoT attacks present an “ongoing battle,” against unprecedented levels of traffic that are causing outages to technology that underpins the internet.
“We’re living in an increasingly connected society, where even our toasters, fridges, children’s toys and our gadgets are connected to the internet. Just a few months ago we saw a major distributed Denial of Service attack, levering millions of these devices to bring down a major Content Delivery Network provider. This caused a number of leading internet sites to be unavailable for a period of time… It’s an ongoing battle and one we at Skyscanner take very seriously in our efforts to protect against.”
Its an ongoing battle
James Kwaan, Chapter President of (ISC)2 Scotland, says that IoT devices bring a wide range of opportunities, but we must balance these positives with the risks:
…these things could be exploited.
“The danger is that we end up with a large number of devices out there which are basically insecure,” he said. “The positive side is that we could be more effective in food production for agriculture, and other things. But I think, like all things, that you need to balance the risk and reward, and determine what you’re doing – why do I need an internet enabled dishwasher, and realise what the consequences are if things are insecure. A lot of these devices could be in the field for ten to twenty years, so if they’ve got flaws in them then obviously there’s a risk that in the future these things could be exploited.”
So how do we mitigate the threat? Kwaan believes that there is not enough quality guidance for people that are entering into the global market for IoT devices. Governments, professional institutions (GSMA), and international associations such as (ISC)2, should seek to fill this gap.
“Ultimately what will happen, as with all things, is that if it’s not already regulated it will become regulated when a crisis happens.”