It comes as no surprise to anyone that the computing landscape is changing rapidly. The number of edge devices connected to the internet is growing exponentially. Industrial automation and AI are driving demand for lower latency, mostly made possible by 5G and edge computing. Internally, employees are increasingly mobile, accessing home office systems from a vast array of devices, from wherever they happen to be.
These changes are good for business, but they also have a dramatic impact on the IT security threat landscape. Paul Mazzucco is TierPoint’s Chief Security Officer and a veteran of the IT security market. We asked him to paint a picture for us of where we are today, where the business of IT security is headed, and how business will adapt to these changes down the line.
The Future of IT Security: The Bad
Interviewer: Paul, we called this interview ‘the good, the bad, and the ugly,’ but let’s start with ‘the bad’. What is ‘the bad’ in the context of the future state of IT security?
Mazzucco: With the rise of 5G, we’re seeing a real push to move workloads as close as possible to the IoT edge to remove the latency and other inefficiencies created by having to push data back to a centralized computing center. Now eventually, that data is going to need somewhere to live and be stored, but IT leaders need to be realistic about this and realize that not everything is going to live in their data center.
The challenge with this from an IT security perspective is that it creates a much larger, much less secure attack surface. Most of these workloads are processed at the application layer, and they bypass the typical network security protocols that you’d find in a centralized data center. Unfortunately, upwards of 70% of edge devices don’t require authentication for 3rd party APIs, and more than 60% don’t encrypt that API data natively. That adds to the speed and efficiency of the application, but it amplifies the security concerns.
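Mazzucco's point about edge APIs that neither authenticate nor encrypt their data is easiest to see in code. The following is an added example, not code from TierPoint or from the interview: a small gateway-side check in which every telemetry message from an edge device carries an HMAC tag computed with a per-device key, so the gateway can reject messages from unknown devices, tampered bodies, stale messages, and replays. The device IDs, keys, field names and the 300-second acceptance window are all assumptions chosen for the example. HMAC gives authentication and integrity only; the transport still needs TLS for the confidentiality the interview says most edge APIs lack.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed per-device keys for the example; in a real deployment they would
# be provisioned into each device and held in a secrets store on the gateway.
DEVICE_KEYS = {
    "sensor-0001": b"constructed-key-for-sensor-0001",
    "sensor-0002": b"constructed-key-for-sensor-0002",
}

# Messages whose timestamp is further than this from the gateway clock are
# rejected; the window bounds how long a captured message can be replayed.
MAX_SKEW_SECONDS = 300


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so device and gateway hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_id: str, key: bytes, body: dict, ts: int) -> dict:
    # Device side: the tag binds the device id, the timestamp and the body
    # together, so none of them can be changed in transit without detection.
    envelope = {"device_id": device_id, "ts": ts, "body": body}
    envelope["tag"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


def verify_message(message: dict, now: int, seen_tags: set) -> tuple[bool, str]:
    # Gateway side. Returns (accepted, reason). Checks are ordered so the
    # cheapest rejections happen first and the key is never used for an
    # unknown device id.
    key = DEVICE_KEYS.get(message.get("device_id"))
    if key is None:
        return False, "unknown device"
    ts = message.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"
    tag = message.get("tag", "")
    unsigned = {k: v for k, v in message.items() if k != "tag"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    # A valid tag seen twice inside the window is a replayed capture. In
    # production, prune seen_tags of entries older than MAX_SKEW_SECONDS.
    if tag in seen_tags:
        return False, "replay"
    seen_tags.add(tag)
    return True, "ok"


def demo() -> list[str]:
    # Walks one good message and four failure modes through the gateway check.
    now = 1_700_000_000  # constructed gateway clock value
    seen: set = set()
    key = DEVICE_KEYS["sensor-0001"]
    results = []

    good = sign_message("sensor-0001", key, {"temp_c": 21.5}, now)
    results.append(verify_message(good, now, seen)[1])      # ok
    results.append(verify_message(good, now, seen)[1])      # replay

    tampered = dict(good)
    tampered["body"] = {"temp_c": 99.0}                     # body altered after signing
    results.append(verify_message(tampered, now, seen)[1])  # bad tag

    stale = sign_message("sensor-0001", key, {"temp_c": 21.5}, now - 3600)
    results.append(verify_message(stale, now, seen)[1])     # timestamp outside acceptance window

    anonymous = {"device_id": "sensor-9999", "ts": now, "body": {}}
    results.append(verify_message(anonymous, now, seen)[1])  # unknown device
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The weak configuration the interview describes is the gateway that skips `verify_message` entirely and accepts any JSON that arrives; the hardened one is the same gateway with this check in front of every handler, plus TLS on the listener.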
Interviewer: How big is this issue, and how do you see cybercriminals exploiting it?
Mazzucco: When the IoT first started out, the estimates were that it was going to be roughly 75 billion connected devices by 2025, mostly consumer-related devices such as your home security cameras, connected doorbells, and large appliances connected to the internet. Now, that’s a lot of devices, but the estimates today are somewhere in the 200-300 billion range as the idea of an Industrial Internet of Things has started to take off.
When Mirai hit in 2016, we started to see the potential scope of the security threat created by edge computing. When the attack traffic was analyzed, investigators found that Mirai exploited 61 user names and passwords on industrial-type devices that still used default, factory-set passwords. This allowed Mirai to create a botnet that led to what was at the time the largest DDoS attack on record.
Mirai made it abundantly clear that the IoT botnets were not going to just attack home devices with minimal security. Hackers were going to go after industrial devices as well and in a big way. They know that people don’t change the default passwords on their devices or they use the same passwords across devices. These devices make an easy target.
And, of course, the growing IoT is going to be even more attractive as time goes on. Since the introduction of 5G, both public and private sector organizations will look to internet-connected devices to improve efficiencies. As 5G becomes more widely available, this emphasis on connected industrial devices will increase, and cybercriminals will have an even larger attack surface available to infiltrate, including essential infrastructure such as hospitals, buildings, shipping, energy, and more.
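The Mirai behaviour Mazzucco describes, a scanner walking through a short list of default usernames and passwords on industrial devices, leaves a recognisable trace in the authentication logs of the devices being probed. The following is an added detection example, not code from the interview or from TierPoint: it reads SSH-style login records from an edge gateway, flags a source that tries many distinct usernames within a short window, and raises a second, higher-severity finding if that same source then gets an accepted login, which is the signature of a default credential that was never changed. The log format, host names, IP addresses (documentation ranges), thresholds and window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in a simplified sshd-style format. The first
# source cycles through usernames and then succeeds; the second is a user
# who mistyped a password once.
LOG_LINES = """\
2024-05-01T10:00:01Z gw01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:02Z gw01 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03Z gw01 sshd: Failed password for support from 203.0.113.7
2024-05-01T10:00:04Z gw01 sshd: Failed password for user from 203.0.113.7
2024-05-01T10:00:05Z gw01 sshd: Failed password for service from 203.0.113.7
2024-05-01T10:00:06Z gw01 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00Z gw01 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:09:00Z gw01 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

WINDOW_SECONDS = 60          # sliding window per source address
DISTINCT_USER_THRESHOLD = 4  # distinct usernames in the window that count as a spray


def parse_line(line: str):
    # Returns a dict for a recognised line, or None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_sprays(lines):
    # Returns a list of (source, finding, detail) tuples in log order.
    findings = []
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside the window
    flagged = set()              # sources already reported as spraying
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        window = recent[src]
        if ev["result"] == "Failed":
            window.append((ev["ts"], ev["user"]))
            # Drop failures that have aged out of the sliding window.
            while window and (ev["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            distinct_users = {user for _, user in window}
            if len(distinct_users) >= DISTINCT_USER_THRESHOLD and src not in flagged:
                flagged.add(src)
                findings.append((src, "credential-spray",
                                 f"{len(distinct_users)} distinct usernames in {WINDOW_SECONDS}s"))
        elif src in flagged:
            # A success after a spray suggests a default or reused credential worked.
            findings.append((src, "login-after-spray", f"accepted login as {ev['user']}"))
    return findings


if __name__ == "__main__":
    for src, kind, detail in detect_sprays(LOG_LINES.splitlines()):
        print(f"{src}\t{kind}\t{detail}")
```

The `login-after-spray` finding is the one worth paging on: a spray that never succeeds is background noise on any internet-facing device, but a success from the same source means the device should be treated as compromised and its credentials rotated.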
The Future of IT Security: The Ugly
Interviewer: Now that we know what’s the bad, what’s the ugly?
Mazzucco: There are botnets on the dark web that make Mirai look tame. Radware, one of our business partners, discovered what they called the Zyklon botnet. It had the ability to launch multiple types of attacks and malware contamination at the same time. It could do http flood attacks, TCP flood attacks, UDP flood attacks, SYN flood attacks AND deliver malware payloads for understanding cloud-based inspection.
So, for example, the 'http' botnet could look at start-up files and understand what sort of malware protections you had and try to bypass those. The same exact botnet allowed browser password and ftp password sniffing and could go in and find license keys installed on your infrastructure. It had email recovery password infrastructure, and it encrypted its own communications back to its command and control servers.
You know how much it costs? $75 to buy it on the dark web. These tools based on this same basic building block infrastructure have gotten more and more sophisticated, and they’re now in the hands of pretty much anyone who wants them.
The Future of IT Security: The Good
Interviewer: Please tell us there’s an upside to this story. Is there a good?
Mazzucco: While there’s no doubt in my mind that cybercriminals have the upper hand right now, I’m hopeful that we’re going to eventually figure this out with artificial intelligence and machine learning. But, it will be a real battle. 51% of the internet traffic right now is made up of bots – bad and good. It’ll all come down to how fast good bots can use machine learning to make changes to the infrastructure to thwart the bad bots that are using machine learning to try and bypass the security measures in place.
The good news is that there’s a huge commercial aspect to this. A lot of companies have a vested interest in creating these protection protocols and selling them to the commercial market and the government market in order to try and keep these bad bots at bay.
Eventually, we expect to get to the point where we will have the ability to autonomously sniff this edge and have an advanced understanding of packets moving through this edge infrastructure. 5G will contribute to that. So as machine learning and these pieces get stronger, I’m hopeful we’re going to have edge computing protections that are much more efficient and autonomous, and we won’t have to worry so much about the internal devices.
How Businesses Should Adapt to the Changing Threat Landscape
Interviewer: If you were to give one piece of advice to business leaders to help them protect their systems and data today, what would that be?
Mazzucco: They need to adopt multiple protocols across their security stack right now. This includes the entire fabric of their infrastructure and not just the endpoints themselves. For example, a company might contract for 200 servers, 500 laptops, 200 firewalls, and so on. They create their network and hope that it’s protected. But, probably some 90% of these firewalls don’t get updated, and they don’t patch their endpoints.
Interviewer: Can you put a finer point on the need for patch management?
Mazzucco: That’s easy. Once a month, Microsoft releases a roadmap for infrastructure vulnerabilities. Within three to four days of a vulnerability being announced, an exploit is available on the dark web. Cybercriminals take advantage of the fact that the vast majority of companies have poor patch management practices.
Of course, larger companies hopefully have more well-established patch management practices, and any company that pays for security monitoring may also be paying for patch management. But again, it’s not just how you protect your laptops and servers. It has to be a much broader focus on your entire infrastructure and the larger attack surface created by 5G and the IoT.
Understand the Threats and Find a Managed Security Provider
With the constant evolution of cyberthreats, IT organizations need to have a good understanding of the threat landscape and a plan to protect their vital data and applications. Some organizations, understandably, need help staying up to date and ahead of these threats.
As an IT security services provider, we assist our clients with the development, implementation and management of comprehensive IT security strategies. Contact us today to learn more and see how we can help you.