
Security risks in the connected world

Following massive web attacks, the security risks in the connected world have been laid bare.

To say the Internet of Things (IoT) is here to stay may be the understatement of the decade. We are all knee-deep in the IoT and there is no turning back – gone are the days of thinking connecting refrigerators, security systems and vending machines to the Internet is in a land far, far away.

As this phenomenon grows even stronger, it is more critical than ever that everyone understands how these connected devices are impacting our everyday lives and shifting how we interact with – and even trust – the objects that we have come to rely on daily.

When it comes down to it, the IoT is about devices being controlled by software, connected to the Internet, armed with sensors capable of reporting back to the mothership. We already have cars that are connected to our phones and thermostats connected to our home network, but what we may not consider are the vulnerabilities we risk every time we use a connected device. With Internet-connected devices, there will always be a risk from determined hackers that want to exploit vulnerabilities in a device and the applications that run on it.

It is not just consumers that are concerned; businesses also fear exposing customers to Internet criminals without a way to fix the problem. Indeed, the reputational damage and loss of trust resulting from these break-ins cuts far deeper than the cost of repairing the damage. According to PwC’s 2016 Global Economic Crime Survey, executives considered reputational damage the most devastating impact of a cyber breach, followed closely by legal, investment and enforcement costs.

The cost is massive for organisations when a hacker is successful in gaining entry. An organisation’s first line of defence to minimise cybercriminal threats should be to shrink the attack surface by decreasing the number of vulnerabilities on its devices. Taking this preventative measure will lower the likelihood considerably that a hacker can do any real harm.

Software vulnerability management
This is why software vulnerability management is so important: it is preventive. Most successful cyberattacks use known vulnerabilities to gain access to corporate IT infrastructures or to escalate privileges once inside them. Once hackers have exploited a vulnerability, they have a base from which to roll out their attack: moving around systems, gathering information and deploying malware (an umbrella term for hostile or intrusive software, including viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs) to steal or destroy business-critical information or cause disruption.

The problem created by vulnerabilities is more broad-based than most people, and most companies, realise. Flexera’s recently published Annual Vulnerability Review 2016, which presents global data on the prevalence of vulnerabilities and the availability of patches, found that in 2015 alone 16,081 vulnerabilities were recorded in 2,484 products from 263 vendors. These findings illustrate the challenge faced daily by security and IT operations teams trying to protect against security breaches.

However, there are clues in the data that provide insights into how to handle vulnerabilities. Of the 16,081 vulnerabilities discovered, 13.3% were rated as ‘highly critical’ and 0.5% as ‘extremely critical’. Moreover, 84% of vulnerabilities in all products had patches available on the day of disclosure. This means that, by implementing a proper software vulnerability management strategy, organisations can significantly minimise their attack surface and the likelihood of a successful breach.

Vulnerability intelligence
The first element of that strategy is vulnerability intelligence – referring to all research data on vulnerabilities, including historical data, attack vector, impact, criticality ratings and fixes. Vulnerability intelligence can be integrated with an organisation’s security strategy to support risk assessment. It can also be used by software vulnerability management technology to feed and enhance tools.

How is vulnerability intelligence derived? It begins with investigation to determine whether the numerous vulnerabilities identified globally from countless sources actually exist. Once a vulnerability’s existence is confirmed, evaluation of its criticality is vital so the organisation can determine which pose the bigger risk and require more immediate attention.

Vulnerability intelligence feeds into the three critical stages of the software vulnerability management lifecycle.

The lifecycle starts with the ‘assess’ stage, in which the existence of a vulnerability is researched and verified. Next, the organisation needs to filter out the known vulnerabilities and focus only on those impacting the organisation. That entails comprehensive asset discovery and inventory to determine which systems are potentially threatened by the verified vulnerabilities. Once the universe of known vulnerabilities is winnowed down to the subset impacting the enterprise, then vulnerability intelligence can be applied to determine which are most critical and require prioritised attention.

The second stage of the software vulnerability management lifecycle involves mitigation. This is often where a handoff occurs between the corporate security team and the IT Operations team. However, a ‘siloed’ approach between security and IT operations is not recommended.

The IT operations team typically handles patch management and will use its application readiness processes to identify and download the applicable patches – remember that 84% of vulnerabilities have patches available on the day of disclosure. The patches then need to be tested – for dependencies, for example – packaged and distributed to the correct machines. This mitigation process must be well managed and automated to avoid system overloads and failures.

The last step of the software vulnerability management lifecycle is verification, whereby the application of the patch or other mitigation technique is verified. Once mitigation is complete, the attack vector for that vulnerability has been eliminated.
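The assess and verify stages described above, as an added example that is not from the article or from Flexera’s products: a small Python model that reduces a vulnerability feed to the advisories hitting an installed, unfixed version, orders them by the criticality labels the article quotes and by patch availability, and then confirms a fix after patching. The product names, hosts, versions and VULN-000n identifiers are constructed sample data, and the ordering of the criticality labels is assumed.

```python
# Added example, not code from the article or from Flexera: a minimal model of the
# 'assess' and 'verify' stages. All feed and inventory values are constructed.
from dataclasses import dataclass
from typing import Optional

# Ordering assumed for the criticality labels quoted in the article (most severe first).
CRITICALITY_RANK = {"extremely critical": 0, "highly critical": 1,
                    "moderately critical": 2, "less critical": 3}

@dataclass
class Advisory:
    vuln_id: str                  # placeholder id, not a real CVE
    product: str
    fixed_version: Optional[str]  # first release carrying the patch; None if unpatched
    criticality: str

@dataclass
class Asset:
    host: str
    product: str
    version: str

def parse_version(v: str) -> tuple:
    """Dotted numeric version string -> comparable tuple, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(p) for p in v.split("."))

def is_fixed(adv: Advisory, asset: Asset) -> bool:
    """True when the installed version is at or beyond the release that carries the fix."""
    return (adv.fixed_version is not None
            and parse_version(asset.version) >= parse_version(adv.fixed_version))

def assess(advisories, inventory):
    """Assess stage: keep only advisories hitting an installed, unfixed version,
    then order by criticality, then by whether a patch exists, then by host."""
    findings = [(adv, asset) for adv in advisories for asset in inventory
                if asset.product == adv.product and not is_fixed(adv, asset)]
    findings.sort(key=lambda f: (CRITICALITY_RANK[f[0].criticality],
                                 f[0].fixed_version is None, f[1].host))
    return findings

def verify(adv: Advisory, asset: Asset) -> bool:
    """Verify stage: after mitigation, confirm the host now runs a fixed release."""
    return is_fixed(adv, asset)

# Constructed sample feed and inventory (web-02 is already on the fixed release).
ADVISORIES = [Advisory("VULN-0001", "widgetd", "2.4.1", "highly critical"),
              Advisory("VULN-0002", "acme-agent", None, "extremely critical"),
              Advisory("VULN-0003", "widgetd", "2.3.0", "less critical")]
INVENTORY = [Asset("web-01", "widgetd", "2.4.0"), Asset("web-02", "widgetd", "2.4.1"),
             Asset("db-01", "acme-agent", "1.0.0"), Asset("cam-01", "camfw", "1.0")]
```

Calling assess(ADVISORIES, INVENTORY) yields the unpatched acme-agent finding on db-01 first and the widgetd finding on web-01 second, while verify reports True for web-01 only once it runs 2.4.1 or later.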

Being reactive and proactive
Organisations must be both proactive and reactive in order to fight cybercrime. They must be proactive in order to make it as difficult as possible for a hacker to break into systems. They must also be reactive, prepared to detect and respond to incidents as they happen.

Many organisations focus on their reactive approaches, dealing only with an attack once it has happened. However, it is exponentially more difficult to identify and respond to breaches when there are too many holes and cracks for hackers to exploit.

A proactive approach via software vulnerability management means investment in the people, processes and technology to lessen the attack surface and minimise the likelihood that a software vulnerability can be exploited in the first place.

We simply can’t ignore the fact that our IoT devices are getting smarter. Technology is only going to continue to advance, but as we have seen, innovation almost always comes with inherent risks. Manufacturers and consumers share the burden of taking reasonable precautions to help ensure their devices do not become easy prey for criminals.

Author profile
Vincent Smyth is general manager, EMEA, with Flexera Software.



What you think about this article:

A very thought provoking and informative article.

My concern is the myriad small businesses that are developing IoT products that may contain vulnerabilities. The question is: can the industry support these individuals and firms with education and information on vulnerabilities, in order to reduce the number of vulnerable products coming on the market that may then be incorporated into other products and larger systems?


Posted by: Patrick Fleming, 15/11/2016
