Technology is embedded within almost every aspect of our daily lives, from the smart phones within our pocket to our office computers, washing machines or even light bulbs. This exponential growth and dependency upon technology now shapes how we live within a global growing society especially within a security environment.
Advances in artificial intelligence, computing, and wireless networks have made technology faster and more reliable, but they come with new cybersecurity threats. Hackers capitalize on people’s lack of understanding of how new technologies work, as well as undiscovered holes in the security of newer systems.
As companies and government agencies are moving towards digitization through enhanced use of Internet, it also make them more vulnerable to security threats. With more internet connectivity, the attack surface that’s vulnerable to hacks become wider. If hackers compromise one facet of an organization, it’s easy for them to laterally hack other devices on the network.
For example, the initial integration of email applications such as Microsoft Office 365 into business processes provided a plethora of new opportunities for better work environments, but also opened up new routes for potential hackers to access a contractor’s network, and consequently steal critical data or financial assets, often with catastrophic effects for the organisation in question. In October 2018, a third-party contractor was found to be culpable for a significant DoD data breach, where the Pentagon lost 30,000 employees’ personal and financial details to hackers, resulting in the termination of that firm’s contracts with the DoD.
As the world becomes increasingly interconnected through technology, information security vulnerabilities emerge from the deepening complexity. Unexpected interactions between hardware and software subcomponents can magnify the impact of a vulnerability. As technology continues its shift away from the PC-centric environment of the past to a cloud-based, perpetually connected world, it exposes sensitive systems and networks in ways that were never imagined.
In fact, the same technologies which facilitate these criminal activities also enable law enforcement to collaborate and apprehend suspects. For instance, encryption software is used within the security domain to share information securely and safely. However, it also enables criminals to hide critical evidence for their crimes. This example of the same technologies benefiting both law enforcement and criminal elements can be seen across the globe such as smart phones, apps, and the Internet.
The smart phones have also become attractive target for hackers to introduce malware. For two years, “hacked websites” were used to attack iPhones, with every iPhone potentially vulnerable, according to Forbes. An attack earlier this summer that targeted Uighur Muslims and Tibetans in China exposed flaws in systems like iOS that were previously thought to be impenetrable. The sophisticated hacks were discovered by cybersecurity researchers with Google’s Project Zero, who announced last month that iPhone users who visited certain malicious websites could be vulnerable to surveillance across the phone’s entire software, including passwords, messages, and location data.
Apps also poses a potential threat is the current generation of internal messaging apps (such as Slack or Telegram), or data storage and sharing apps such as Dropbox. As the recent La Liga app scandal has proven, many mobile applications are capable of running a number of functions on a network in the background whilst not always making it immediately apparent they are doing so. It is therefore possible that a phone with an unauthorised or unknown app may be able to interact with the network through an overlooked access permission, gathering and leaking information
“Deepfake” technology — which allows people to manipulate video and audio in a way that looks very real — has made leaps and bounds in recent years. It also allows hackers to make pornographic video that superimposes a celebrity or public figure’s likeness into a compromising scene. Though software that makes that makes deepfakes possible is inexpensive and easy to use, existing video analysis tools aren’t yet up to the task of identifying what’s real and what’s been cooked up. Manipulated videos and images that may be manually indistinguishable from the real thing present a series of real-world problems, including election and evidence tampering, blackmail, general propaganda and targeted social media misinformation efforts.
In September, Google announced that it had achieved “quantum supremacy,” meaning it built a functioning quantum computer — a feat that had been theorized but never achieved. The announcement was a major milestone in the field, but the technology is still nascent and doesn’t have many practical applications yet.
By harnessing quantum super-positioning to represent multiple states simultaneously, quantum-based computers promise exponential leaps in performance over today’s traditional computers. Quantum computers shall bring power of massive parallel computing i.e. equivalent of supercomputer to a single chip. They shall also be invaluable in cryptology and rapid searches of unstructured databases. Quantum algorithms can break current security by reverse computing private keys may only take days or hours. While quantum computers haven’t been used to this end by hackers yet, experts worry that the technology could continue to advance in years to come, threatening encrypted data sets that organizations like banks protect for decades.
5G is beginning to roll out as the next generation of wireless network, promising faster wireless internet with the bandwidth to support more devices. The coming 5G standard will offer towering benefits, such as enhanced speed and performance, lower latency, and better efficiency. But it will also come with risks. Because 5G netowrks will be mostly software defined network, future upgrades will be software updates and thus will be vulnerable to much like the smartphone upgrades. 5G networks will support a massive number of connected devices, which together with an elevated use of virtualization and the cloud will equate to many more 5G security threats and a broader, multifaceted attack surface. The increased speed could make 5G devices more susceptible to DDoS attacks, which aim to flood victims’ servers with traffic in order to overwhelm and shut them down, according to Security Boulevard.
Cyber enabled AI
As artificial intelligence makes leaps forward in sophistication and versatility, hackers are already using it to get around cybersecurity defenses. Hackers can use AI-driven programs to quickly scan networks to find weak points, or predictive text functions to impersonate insiders and trick targets into handing over sensitive information. Symantec expects artificial intelligence-enabled cyber attacks to cause an explosion of network penetration, personal data theft, and an epidemic-level spread of intelligent viruses in the coming years.
Supply Chain threats
Commercially available ICT solutions present significant benefits including low cost, interoperability, rapid innovation, a variety of product features, and choice among competing vendors. However, the same globalization and other factors that allow for such benefits also increase the risk of a threat event which can directly or indirectly affect the ICT supply chain, often undetected, and in a manner that may result in risks to the end user. These ICT supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the ICT supply chain.
This trend is the result of an increasing number of companies and agencies outsourcing services to third parties, which widens the range of potential victims for hackers to target. According to a recent report by cybersecurity firm Aon, the number of targets that are potentially vulnerable to supply chain hacks is growing exponentially.
Augmented Reality (AR) uses technology to add context to a user’s surrounding environment is increasingly being adopted by. Using real-time imagery and other sensor-provided input, an AR system aims to enhance or otherwise alter how people perceive physical reality. For example, some flight navigation systems overlay recommended flight paths and visual indicators for runways, buildings, and other hazards onto the aircraft’s forward-facing video feed.
However, these AR systems can be hacked and made to display false information which may pose risk military, medical and infrastructure or other mission-critical applications. For example, a navigator using a navigation system may rely heavily upon the accuracy of the system’s output to safely pilot a vehicle. Similarly, medical professionals must be able to trust the output of AR systems when using them to perform medical procedures.
Internet of things
The “internet of things,” or networks specifically made for internet-connected devices and appliances to communicate with each other, is now used widely across industries. As this technology becomes more common, however, hackers are increasingly finding vulnerabilities in IoT networks and using them to compromise companies’ operations. In one high-profile example, hackers breached the network used by Verizon’s shipping vessels and were able to track where the company was shipping its most valuable cargo.
One often-cited breach involved the exposition of the exact perimeters of a top-secret US military base, after Strava fitness devices showed the exact location and perimeter of a US military base. Similarly, a casino in North America was the target of a significant data breach after hackers found an overlooked IoT fishtank thermometer connected to the network, allowing 10GB of hacked data to be siphoned to a node in Finland.
For consumers, one application of IoT is the connected home involves automation of home devices, appliances, and computers that integrate with a centralized service for consumer use and control. The devices are diverse, from sensors (temperature, motion, movement, humidity) to controllers (smart thermostats, refrigerators, light bulbs) and are able to interact with the environment and each other. Online service such as If This Then That (IFTT) and ThingSpeak provide a common platform to trigger actions to environmental stimuli on certain devices.
The IoT devices have constrained hardware and software and cann’t have elaborate security measures like firewalls hence make them more vulnerable to hackers. Hackers could target home routers to carry out their attacks. Many home routers deployed today have outdated firmware, insecure configurations, and aren’t supported by the vendor.
Enterprise 3D printing (additive manufacturing).
3D printing is an additive technique used to create three-dimensional objects by applying physical materials iteratively via an automated system. These devices contain ethernet or Wi-Fi connectivity, a programmable logic controller, and various servomechanisms to control the heating units and distribution nozzles. While a security compromise could result in damage to the device or the surrounding area (due to heated material produced) these risks are not fundamentally different from those posed by existing industrial machinery.
However, they are vulnerable to supply chain and hardware threats. 3D printing, for health- and safety-related products such as medical prostheses and aerospace parts are being printed with no standard way to verify them for accuracy.”Imagine outsourcing the manufacturing of an object to a 3D printing facility and you have no access to their printers and no way of verifying whether small defects, invisible to the naked eye, have been inserted into your object,” said Mehdi Javanmard, study co-author and assistant professor in the Department of Electrical and Computer Engineering at Rutgers. “The results could be devastating and you would have no way of tracing where the problem came from.”
Telematics encompasses all functions of the vehicle electronics that are designed to be accessible to users, including the dashboard, controls, and navigation system. Many vehicle manufacturers have recently added cellular connectivity to their vehicle to provide richer, more interactive services to the consumer. Developers of smartphone operating systems have also begun to integrate their products more closely with telematics systems.
The upcoming mass deployment of this domain will increase the risk of new vulnerabilities, especially those of a systemic nature. The emerging smartphone-telematics integration technologies (e.g., Apple CarPlay, Google’s Open Automotive Alliance, Blackberry QNX) are of particular concern. Telematics should therefore be considered a high-risk domain for systemic vulnerabilities. A telematics system is tightly integrated with other systems in a vehicle and provides a number of functions for the user. The recent additions of wireless connectivity such as Bluetooth, Wi-Fi, and LTE increase the risk of compromise. An Internet-connected vehicle is vulnerable to a wide range of attacks, both from determined attackers and traditional threats such as malicious code and phishing.
Smart medical devices.
These biomechanical machines interact with the human body in an inpatient or outpatient context. The medical industry has moved to more connected devices, in part, due to the benefits the data from such devices provide to hospital systems. Given the risk to human lives, our team recommends prioritizing this domain. The regulatory structure of this domain has shown that the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the FDA will be the primary champions of good security practices. In addition, the National Health Information Sharing and Analysis Center has begun developing best practices to improve the security of medical devices.
As more devices are connected to hospital and clinical networks, patient data and information will be increasingly vulnerable. Even more concerning is the risk of remote compromise of a device directly connected to a patient. An attacker could theoretically increase or decrease dosages, send electrical signals to a patient, or disable vital sign monitoring.
Smart robots or autonomous machines are independent, self-correcting, and learning machines. Unlike robots of the past few decades, modern smart robots are increasingly user-friendly and integrated with the human worker. These autonomous systems are used to automate warehouse retrieval and storage, automate some part of a human task, mix and dose drugs, and transport items from one area to another.
Although autonomous machines are 5 to 10 years away from mainstream adoption, the devices could be compromised through networked back-end servers that provide some of the automation, or through the robot itself, which is networked and communicates across the Internet to the manufacturer for diagnostic information and software updates.
Smart sensors are one of the key technologies of ubiquitous computing (i.e., IoT). Sensor technologies provide information about or control of a physical environment in response to certain stimuli. Two major types of sensors are being deployed by manufacturers: non-actuated and actuated sensors. Non-actuated sensors send information about the environment to a processing engine. Examples of non-actuated sensors include temperature sensors, vibration sensors, and soil moisture sensors. Actuated sensors send information about the environment but also receive commands or react to the environment in a particular way, usually by flipping an electronic switch or through mechanical manipulation. Examples of actuated sensors include wirelessly controllable smart lights, switches, and door locks. Both non-actuated and actuated sensors use wireless technologies to communicate. (While this domain is similar to SCADA, it differs in that smart sensors use a greater number of standard network protocols and the Internet to facilitate communication.). These devices are also susceptible to cyber attacks which can leak, modify their information.
Commercial unmanned aerial vehicles.
Colloquially known as drones, these vehicles are remotely operated and controlled by an operator with full control (via joystick) or semi-autonomously (via map waypoints, for example). UAVs were initially developed for military applications to provide warfighters with remote strike capability. In recent years however, the open source and commercial communities have developed UAVs for traffic monitoring, surveillance, agriculture, filming, and shipping.
With rising employment of commercial and military drones the cyber-attacks on drones are also becoming common. In 2011, Iran claimed to have downed a sophisticated American stealth drone and unveiled what it alleged was a reverse-engineered copy of the futuristic looking RQ-170 Sentinel UAV, Drones can also be privacy and safety hazards, if there are no proper regulations, drones can be easily used for illegal purposes ranging from surveil-lance and unauthorized tracking to even criminal uses such as targeted assassinations and terrorist attacks. Some of these risks might include invasion of privacy (overflights with sophisticated cameras/microphones), physical damage/harm (drones carrying explosives or using itself as a projectile), or aviation interference, among others.
Vehicle autonomy (driverless cars).
Autonomous vehicles have the ability to move without direct commands from an operator. They can navigate to a destination using an autopilot-like capability, relying on onboard sensors, including GPS, cameras, lasers, and radar. The onboard sensors also enable autonomous vehicles to avoid potential obstacles.
While these driverless cars shall be highly useful for underage, elderly, blind, intoxicated, and handicapped users, however these driverless cars and remote controlled cars can also become terrorist’s best weapon as warned by FBI’s report. These cars can also be hacked by terrorists and used by terrorists to carry out spectacular attacks.
Vehicular communication systems.
To reduce a large number of roadway crashes and the associated societal costs, different countries have been promoting connectivity between vehicles, known as vehicle-to-vehicle communication or V2V, and between vehicles and transportation infrastructure components, which is vehicle-to-infrastructure communication or V2I. This type of Intelligent Transportation System strategy has the potential to reduce roadway crashes significantly. V2V provides vehicles with the ability to communicate their speed, position, and other status information to nearby vehicles. V2I allows for vehicles to receive and send information to smart roads, tollbooths, and other infrastructure components.
However, the risk of cyberattacks increases as vehicles become more connected through the Internet, and wireless networks. One of the cyberattack gateways to connected vehicles is V2I. Cyberattacks on V2I communication can have devastating consequences if V2I systems are not properly secured. V2I applications present a variety of vulnerabilities that create an attractive target for hackers. For example, hackers could take control of traffic signals, create hazards, and even cause a breakdown of the traffic system. Given the millions of vehicles expected to use this technology–and the potentially fatal consequences of failure. There is need for vehicular communication systems to have adequate safeguards to protect privacy and safety of automobiles.
Mitigation of emerging technologies threat
One critical challenge which applies to security professionals but not to criminal elements is the rules and regulations which apply to their use of technology. Illegal activity thrives within a changing environment and nothing changes faster than technology. Criminals often use technological changes to target vulnerable individuals, duping them into sending money to another account or gaining access to their computer. Security professionals on the other hand must evaluate and utilize new technologies methodically and deliberately. This can lead to situations where those of us within the security domain are a step behind criminal elements consistently. In this manner, technology is double-edged sword providing new effective methods of combating crime whilst creating new and novel challenges for security professionals to overcome. If one thing is evident, technology has created a tectonic shift in how criminals operate and likewise, their security domain must be agile and adapt or fall behind.
Assessing the threat from new tech is the first priority. Companies and governments must anticipate new methods of hacking to fend off the next generation of attacks. Organisations should carefully evaluate the risk that new applications may have to their network before beginning to implement them, as not doing so could open up a range of new avenues of attack.
Researchers in the SEI’s CERT Division examined the security of a large swath of technology domains being developed in industry and maturing over the next five years. Their approach evaluated each technology domain based on the disruption that a cybersecurity event would have on the following four factors: safety – impact to human health or life; privacy – amount of personally identifiable information that may be released; finance – amount of losses for an individual or organization; an operation – impact on performance of the technology. The report helped US-CERT make an informed decision about the best areas to focus resources for identifying new vulnerabilities, promoting good security practices, and increasing understanding of systemic vulnerability risk.
The development of new cyber security technologies is another way forward. For example, Blockchain, is a growing list of records, called blocks, which are linked using cryptography. Blockchains which are readable by the public are widely used by cryptocurrencies. Private blockchains have been proposed for business use. Blockchain a transformative decentralized digital currency, a secure payment platform free from government interference, is being considered for security of additive manufacturing .The technology has the potential to enhance privacy, security and freedom of conveyance of data. Blockchain is based on open, global infrastructure, decentralized public ledger of transactions that no one person or company owns or controls, ensures security of transfer of funds through public and private cryptology and third parties to verify that they shook, digitally, on an agreement. However, these technologies are themselves susceptible to cyber attacks. In Oct 2017 paper, Researchers mostly from Singapore claimed that key protocols securing technology undergirding bitcoin are “susceptible to attack by the development of a sufficiently large quantum computer”, in their paper “Quantum attacks on Bitcoin, and how to protect against them (Quantum),” made available through the Cornell University Library.
Governments are already acting to try and establish better, more timely regulation, with industry leaders and cyber security experts coming together regularly to advise on national security and determine strategies for protecting critical resources. Defence-based regulatory body capable of analysing emerging technologies is another important step towards securely integrating such technologies into military contracts, the speed of change in the cybersecurity market presents may challenges.
NSA Wants to Help Design Safer Tech Products.
The U.S. military’s codemaking agency says it wants to help the tech industry make its products more secure, and better able to use emerging technologies like 5G networking. But the National Security Agency is also the military’s codebreaking agency. Can it win over Silicon Valley types long suspicious of its help? NSA aims to do this outreach with a new Standards and Futures group, part of the public-facing Cybersecurity Directorate. Anne Neuberger, the director of the new Directorate, said that the NSA now believes its mission includes spreading the word about small problems before they become huge ones.
“Our role is taking the insights we have…whether it’s 5G, whether it’s quantum system crypto, whether it’s distributed ledger, and trying to work to ensure those products are built more secure. And we give advice to users who need different levels of security.” Neal Ziring, the directorate’s technical director, said the new group aims to inoculate the public by reaching out to the tech industry before bad products gain wide adoption. “Futures and Standards is going to look out a little ahead of today’s threats…look what’s coming down the pike, what sort of risks [a new technology or architecture] might engender, what sort of security improvements might be made to it, and then work with entities that might help effect those changes, usually industry, but sometimes standards bodies, to try and make sure that some of those security improvements are in there before that technology becomes widespread.”
The widespread adoption of IT and other new technologies have made the U.S. more vulnerable. “There are two lessons that our defensive mission needs to learn. One is they [adversaries] will take the easiest way in. And, if they are given national security intelligence leads, it’s their mission to achieve those,” she said. “We have some critical government networks, critical military networks, where a foreign adversary has been given direction to get and gain access and we want to ensure that the security advice that we’re giving is as sophisticated and as persistent as those kind of actors.”
Ziring said the NSA would offer recommendations to help businesses use some products and emerging technologies as safely as possible. Chinese-produced 5G telecom equipment has become an issue of disagreement between the U.S. and some in Europe. But many institutions, businesses, some governments have quietly acquiesced to the fact that Chinese 5G equipment from makers like Huawei, will be in a lot of places in the future, despite the fact that Huawei’s products are highly vulnerable to attack from Chinese intelligence services (among other actors.)
Europe, which has declined to ban Huawei products, is moving toward a method of what might be called quarantined architectures. As senior vice president at the Center for Strategic and International Studies James Lewis explained in April, “They don’t let Huawei near their sensitive intelligence facilities, their sensitive military facilities.” Ziring said the new group would look at Huawei and other 5G equipment, asking, “How can it be used most safely? When can it be used for national security purposes and when might it not be so suitable? Understanding that stuff takes time. And experimentation…And collaboration with the folks who are developing or deploying the technologies, that’s where our Futures and Standards” group will come in.
Of course, the NSA still has a longstanding mission of breaking into and spying on computers, phones, and networks. Should device makers, network administrators, and userstrust NSA to for advice on setting up a 5G network? The answer from Neuberger is: Yes. Really. She says her directorate will speak out only “in the white-hat mission,” meaning to help friendly organizations stiffen their defenses. “Those who break things know best how to secure them.”