It’s Time for the Cyber 101 Discussion

In my role as a sales and business development consultant, I come in contact with sales professionals and business executives across numerous industries. I understand the trends involved with the integration of physical security, IT infrastructure and cyber solutions. The emergence of the Internet of Things (IoT), perhaps more appropriately described as the “Integration of Things,” has brought more visibility to the convergence model generally and cyber threats specifically. That said, I see a fundamental problem: sales organizations outside of the cyber industry struggle with initiating a cyber discussion. That discussion is the first step in aligning cyber threats in the context of overall business risk, and in providing the managed services and secure products that the industry increasingly requires.

This Cyber 101 discussion is more of an informal conversation than a deep technical discussion. Cybersecurity is a confusing topic to many people and is at times assumed to be overly complex. In reality, it is a crime and espionage discussion with a rich history, and it is interesting as a business case study. Put into this context, it is actually a compelling narrative and promotes a lively conversation that inevitably turns to the topic of operational risk and specific business issues.

The first step is to know your cyber history. This does not have to entail a debate as to when and how hacking evolved. I believe an appropriate starting point would be the first Gulf War. Perhaps the 1990s are ancient history for some, but most senior executives can identify. The important fact was the ease with which the U.S. military demonstrated technical dominance over the Iraqi army. Nightly newscasts of American generals proudly showing video clips of guided missiles accurately striking buildings and vehicles were enough to send chills down the spines of our nation-state adversaries, and jump-start their offensive cyber commands.

“I believe the Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America’s control of the battle space by building capabilities to knock out our satellites and invading our cyber networks. In the name of the defense of China in this new world, the Chinese feel they have to remove that advantage of the U.S. in the event of a war.” –Adm. Mike McConnell (ret.), former Director NSA, and Director National Intelligence

Not to be left out, the Russian military also accelerated its cyber capabilities (post-Gulf War I). In fact, many “retired” military cyber warriors established the early Russian cyber criminal syndicates and promoted global cybercrime as a business model.

As a result, cybercrime evolved, and Cyber Crime as a Service eventually exploded. It is a well-known operational fact that you only exist as a significant Russian cybercriminal if you abide by three hard and fast rules:

  1. You are not allowed to hack anything within the country;
  2. If you find anything of interest to the government, you share it;
  3. When called upon for “patriotic cyber activities,” you serve.

In exchange, you are “untouchable” and immune from prosecution.

Tom Kellermann, CEO of Strategic Cyber Ventures, is a cyber intelligence expert, author, professor and leader in the field of cybersecurity serving as a global fellow for the Wilson Center. He is the previous chief cybersecurity officer for Trend Micro and vice president for security at Core Security. Kellermann has told me there are approximately 200 “cyber ninjas” globally: truly elite hackers. This select group of black hat ninjas realized they could produce “malware for dummies,” (or criminals with average skill sets), along with online “how to hack” support services, in return for a cut of the profits. This business model returned more personal revenue at scale, compared with individual hacking activities, with much less risk. These operations created the original “Malware as a Service” business models, and, as a result, cybercrime has since exploded. (By the way, the model provides a recurring monthly revenue stream.)

According to the Serious Organized Crime Agency (SOCA), global cybercrime has surpassed narcotics trafficking in illicit revenues, and in the U.K., more than 50% of all crime is now cyber-related. Kellermann added that cybercrime has moved from traditional burglary to digital home invasion: “The economic security of the West is in jeopardy. Civilizing cyberspace must become a national priority.”

Research firm Cybersecurity Ventures (not to be confused with Strategic Cyber Ventures) produced a report that predicts that cybercrime worldwide will grow from $3 trillion in 2016 to more than $6 trillion annually by 2021! As a comparison, the entire gross domestic product (GDP) for the U.S. was $14 trillion in 2016.

Cybercrime today is professional, organized, sophisticated and most importantly “relentless.” These are not personal attacks. If you have any digital footprint, you are a target, period. The entire internet can be scanned for open ports within a few days, and IP cameras being activated on the internet are normally pinged within 90 seconds. You can’t hide very long. When it comes to security, the adage that “offense informs defense” is appropriate when protecting your specific business operation. A former client of mine, John Watters, CEO of iSIGHT PARTNERS (now FireEye), used an example: “A burglar and an assassin can use the same tools and tradecraft to gain entry to a location, but the intent, once inside, is very different. One wants your property; the other wants to kill your family. Prepare yourself accordingly.”

Another challenge is that the risk of cyber attack is growing. This is a dual-edged sword in many regards. IoT and the Industrial Internet of Things (IIoT) open a much wider attack surface of many more devices. However, the operational efficiencies and human productivity advances cannot be denied and will move forward. This situation creates a new reality; essentially, cyber threats are morphing from a virtual threat into a physical danger. Matt Rosenquist, cyber security strategist, Intel Security Group, explained in his 2017 ISC West Keynote address that the same controls that provide auto assist to parallel park your vehicle can be hacked to force a car (or hundreds of cars) to accelerate to high speeds and turn abruptly, causing fatal accidents. Imagine for a moment what that hack does to that specific automobile manufacturer’s reputation. Would the corporation even hope to survive?

Planes, trains and automobiles are just the beginning. Intelligent buildings, campuses, hospitals, retail outlets, branch offices and mobile emergency services, etc., all need to be secured. Security, followed closely by privacy protections, will be at the top of all buying requirements to win business.

The bottom line is that cybersecurity, like terrorism or tornados, is about risk management. This is a discussion that owners, managements and boards of directors know well. It is the responsibility of the sales professional to educate prospects and customer organizations about the sophisticated level of cyber risk that exists today and into the future. This is why understanding and explaining the evolving cybercrime business model is so important as an initial discussion.

In 2017, I have had the “Cyber 101 Discussion” with sales leadership and executives from many companies and industries:

  1. The regional insurance firm in Texas (1,000 employees) that recognizes a huge and expanding cyber insurance market opportunity generating more than $3.5 billion in 2016, and growing at 70% annually! Yet the sales organization does not know the first thing about starting the cyber dialogue with potential clients. “We know insurance, not cybersecurity.”
  2. The global video camera distributor that needs assistance in aligning marketing and sales messaging to answer customer concerns about cybersecurity. The industry needs a response to the Mirai botnet attacks that virtually guarantee that the internet will be flooded by hacks of new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
  3. The physical security integrator that recognizes the need to provide secure solutions and endpoints for enterprise customers, but needs to provide internal cyber education while recruiting strategic partners offering cyber solutions and support resources.
  4. The domestic security monitoring company that now offers cyber managed solutions to the SMB market but struggles with positioning a compelling ROI and explains that customers cannot “quantify” the cyber risk to their business. (Hint: That’s the job of your sales organization; your customers need cyber education.)

It begins with a cyber sales comfort level within your own organization. Cyber education allows you to pass knowledge on to others as a trusted adviser. Get the Cyber 101 discussion started as a first step. Additional education and specific solutions can always be provided to secure passwords, mobile devices, access control, VMS, encryption and backups, etc. It’s a long list, but security managed services are providing recurring revenues and need to be positioned correctly.

Whether providing cyber insurance, hardening physical security equipment or selling secure managed services, the Cyber 101 discussion starts with understanding cyber history and the evolution of adversary intent. Today’s cyber threat is a component in the new definition of digital business risk. It is not always overly technically complicated, but it must be countered and monitored constantly.

5 Predictions for the IoT in 2017

The IoT continued its toddler-like growth and stumbles in 2016. Here are five trends to look for in 2017 as the IoT enters its adolescence and how to benefit from them.

1. Ecosystems begin to determine winners and losers

Previously, ecosystems were a nice in-the-future concern; now they will really count. Filling out a whole product value proposition through partnerships has repeatedly proven its importance across B2B and enterprise software sectors. In the IoT, partnerships will be even more critical.

As an example, the Industrial Internet Consortium (IIC) is driving the definition of platforms and test beds and should show results in 2017. In the meantime, expect some IoT companies to fail when they can’t gain traction.

If you’re developing IoT infrastructure or platforms, it’s time to get real, regarding building great partnerships, developer programs, tools, incentives and joint marketing programs. Without them, your platform may appear like an empty shopping mall.

If you’re a device manufacturer or application developer, it’s time to place your platform bets so you can focus your resources. If you’re implementing IoT-based systems, you’ve been through this before. Welcome to the next round of the industry’s favorite game, “choose your platform.” Make sure you also evaluate vendors based on their financial health, business models and customer service — not just technology. Learn more in Monetizing IoT: Show me the Money in the section “Ecosystems as the driver of value.”

2. Vendors get serious about experimenting with business models and monetization

This was a big theme at Gemalto’s recent LicensingLive conference and was further driven home by solution partners like Aria Systems. Tech won’t sell if it’s not packaged so that buyers want to buy. Look for innovation in business models and pricing, including subscription models, pay per use, recurring revenue, subsidization or replacement of hardware device revenues with service revenues, monetizing customer data and even pay-per-API call models. If you’re marketing whole solutions, be sure to avoid the “partial solution trap” as described in my article, The Internet of Things: Challenges and Opportunities.

3. Big Data gets “cloudier” (pun intended)

No doubt there will be a lot more data with billions of new connected devices. Not just text and numbers but also images, video and voice can all add significant monetization opportunities to different participants in the value chain. More devices mean more data, more potential uses and more cooks in the kitchen. This is a complex cluster of issues: Do not expect a resolution of ownership, privacy or value in 2017.

Instead, approach this by building a clear vision of what you want and don’t want with respect to data rights as you enter these discussions. And try to anticipate the genuine needs of your partners. Device manufacturers will likely have a going-in desire to own data produced by their devices; and apps developers, the data they handle; others may be okay with aggregated info. Buyers should make sure they understand what’s happening with their potentially sensitive data. We have already started to see partnerships and deals stall out over intense discussion on data ownership and rights.

4. You’ll need to prove your security, with privacy not far behind

In 2017, IoT systems are going to need to up their game. No one is going to stand for hacked door locks, video cameras or Mirai botnet/DDoS attacks via connected devices much longer. Similar events will come with very high price tags. So far, the IoT has dodged any major incidents with large losses suffered directly by end users.

We could see growth flatten if a major hack of thousands of end users occurs in 2017, especially if hardware devices are ruined or people get hurt. At that point, users will need to receive greater guarantees of security, privacy and integrity. This risk needs to be mitigated if the industry wants to avoid an “IoT winter.”

Vendors will need to invest more in security development and testing before deployment and offer assurances, possibly including insurance. Installers and integrators will need to ensure ecosystem integrity, and buyers will look for these guarantees. Just one flaw could be very expensive: Gartner believes that by 2018, 20% of smart buildings will suffer digital vandalism through their HVAC, thermostats and even smart toilets.

5. Voice-powered, AI virtual assistants drive a next round of platform wars

Voice will become increasingly important to control IoT systems and computing infrastructure. Google Assistant, Apple Siri, Amazon Alexa, Microsoft Cortana and Samsung’s Viv Labs acquisition underscore the importance of these new AI-assisted voice interfaces. They’ll be used across multiple devices like phones, PCs, tablets, cars, home appliances and other machinery. By 2020, Gartner believes smart agents will facilitate 40% of mobile interactions. This is the beginning of a new round of platform battles that you need to recognize, internalize and prepare for.

What do you think? Email me with your predictions, comments or war stories.

Why More Attacks Via IoT Are Inevitable

The massive distributed denial of service (DDoS) attack that cut consumers off from their favorite web haunts recently was the loudest warning yet that cyber criminals can be expected to take full advantage of gaping security flaws attendant to the Internet of Things (IoT).

For much of the day, on Friday, Oct. 21, it was not possible for most internet users to consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal.

Using malware, dubbed Mirai, an attacker had assembled a sprawling network of thousands of hacked CCTV video cameras and digital video recorders, then directed this IoT botnet to swamp the marquee web properties with waves of nuisance pings, thus blocking out legitimate visitors.

Mirai is designed to take over lightweight BusyBox software widely used to control IoT devices. The source code for Mirai can be found online and is free for anyone to use. ThirdCertainty asked Justin Harvey, security consultant at Gigamon, and John Wu, CEO of security startup Gryphon, to flesh out the wider context and discuss the implications. The text has been edited for clarity and length:

ThirdCertainty: Why do you think these attackers went after BusyBox systems?

Wu: Because BusyBox is lightweight; it’s used on most IoT devices that have limited memory and processing. BusyBox is a utility with lots of useful commands.

Harvey: BusyBox is very standardized. It is highly used in the field, and it also runs Linux, so the internals are very straightforward and easy to duplicate in testing systems.

3C: How did the attacker locate so many vulnerable devices?

Wu: Standard IP scanning would identify the devices, and then the attacker could use the admin interface to install the malware. These devices had weak default passwords that allowed hackers to install Mirai.

Harvey: Cross mapping manufacturers with types of devices. Then using the website Shodan to get a list of open devices. Once they had the list of devices, they could create a massively parallel script to step through each and determine whether they used the version of the OS they wanted.

3C: How many devices did they need to control to carry out three waves of attacks over the course of 12 hours?

Harvey: 300,000 to 500,000.

Wu: Probably a few hundred thousand devices. Because it’s distributed, there is no way to simply block all the IP addresses.

3C: Are there a lot of vulnerable devices still out there, ripe for attack?

Harvey: Yes! Shodan specializes in noting which devices are out there and which are open to the world. The devices used in this attack were but a small fraction of open or insecure IoT devices.

Wu: We don’t know exactly how many devices are still out there as sleeper bots. Mirai also is actively recruiting new bots. From what I understand, these IoT devices had open channels, and the users had practiced poor password protection for root access to install additional components.

3C: What do you expect attackers to focus on next?

Wu: I would expect the attacks to get larger and more sophisticated. Mirai also is working in the background to recruit more devices. The next attack may not be as public because they’ve already shown what the botnet network is capable of.

3C: What should individual consumers be most concerned about at this point?

Harvey: Consumers need better education on changing the default access and security controls of their IoT devices. Manufacturers need to take security seriously. Period. Congress needs to step in, conduct some hearings on IoT issues and perhaps regulate these devices.

Wu: Consumers need to be concerned if their device is one of the devices already compromised or at risk of being compromised. They should contact the manufacturer to ask if a security patch is available. A simple solution would be to take the device offline, if it’s something you can live without.

3C: What is the most important thing company decision-makers need to understand?

Wu: If you are dependent on the internet for your revenue and business, you should be planning alternative communication channels. If DNS is critical to your business, you should look at backups to just one service provider. Let people know that, if email is down, you can still get business done over the phone.

Harvey: Businesses need to understand the implications to running IoT devices within their companies and question the business need for using IoT devices versus the convenience.

This article originally appeared on ThirdCertainty.