March 15, 2018
Published in USA Trailblazer Magazine
For years, computer and other technology original equipment manufacturers (OEMs) have diligently responded to businesses’ and consumers’ constant demands for more and faster features to make their lives convenient and cost efficient. However, as the design and architecture of newer technology have indeed included features that made things more connected, convenient, efficient, and faster, bad actors have been quietly finding ways to rapidly misuse those former benefits for malevolent purposes.
Unlike malware and malware-infested hardware per se, which fill the media with bad headlines almost daily about one organization after another being compromised, this adverse manipulation is beginning to look like a distinct trend rather than a mere coincidence. While there are numerous examples, and more being discovered all the time, here are the three most notable, summarized at a high level, of former features being exploited and turned against us all, now as flaws.
- October 2016 – A massive Distributed Denial of Service (DDoS) assault made one of the worst hacking fears come true as criminals exploited millions of “Internet of Things” smart devices (Internet-connected baby monitors, burglar alarms, cameras, thermostats, printers, etc.) to launch a successful attack, crippling individuals’ ability to connect to the Internet and to the websites of major companies like Amazon, Netflix, and Twitter for hours at a time. The fix is to harden the access (a.k.a. make it more difficult to use) on every IoT device already out there (nearly 9 billion) and on every new one coming (around 21 billion by 2020).
- May 2017 – Not announced publicly until January 3, 2018, the Spectre and Meltdown CPU (Central Processing Unit, the brains of a computer) vulnerabilities turn by-design OEM features that enhance CPU performance into a way for any program (including web apps and browsers) to view the contents of protected memory areas, which often contain passwords, logins, encryption keys, cached files, and other sensitive data. This affects nearly every device in the world that has a CPU. For now, there is no fix, only mitigations that make the exploit more difficult to execute. However, in some cases, the stop-gap measures may cause systems to crash or to lose as much as 30 percent of their performance!
- January 2018 – A long-known feature, Intel AMT (Active Management Technology), that enables systems administrators to remotely manage enterprise devices like servers and PCs has been transformed into a flaw that allows attackers to gain remote access to laptops within seconds. For now, the fix is to NEVER allow anyone else to boot up your laptop.
OK, so why should any of us care? The cost to an organization that is not taking proactive steps of some type could be catastrophic to its reputation (the bad-headline club) and/or to its bottom and top lines. Further, it has long been proven that mere reaction is far costlier. Still, that proactivity also causes an enormously costly disruption to business as usual. How costly? Before this trend emerged, in 2015, a CSO magazine article estimated that the average organization spends over $40,000 per day on prevention and mitigation of computer malevolence against it. Again, before this trend fully emerged, Fortune magazine forecast that global cybersecurity spending would hit nearly $102 billion. Bear in mind, these figures do NOT include incident or compromise response costs, which drive costs up exponentially. Now factor in this new trend, where the goal appears to be disrupting business as usual, and these profit- and growth-killing expenses can do nothing but continue to increase.
In the three situations described above, some might say the cure is worse than the ill. “Disruption as a service” may be what is behind it all. The premise here is that, while none of these new flaws may become fully weaponized to actually steal valuable information in the near term, they could be. So, must organizations act, or is doing nothing a viable option? No, not really. However, a calculated but only temporary wait-and-see approach is probably warranted, depending on your individual circumstances. That is, as long as you are taking all the usual precautions, such as (to name a few):
- routine systems and app patch/update testing,
- routine and tested backups,
- heightened systems monitoring,
- defense in depth,
- fully vetted, business-unit-cross-functional incident response plans.
The examples covered above illustrate that many of the great, intentional technology innovations and features we have come to enjoy could eventually be exploited as flaws. Unless we all become Neo-Luddites, I doubt that SkyNet is right around the corner. However, we cannot take the ostrich approach either. We all need to remain vigilant and situationally aware, lest we become part of the bad-news headline club du jour.