NEWS …Continued from page 2 chair of the New Zealand Internet Task Force (NZITF), are AU$6,000, and going as high as $7,500, payable in bitcoins. Extortion is a common use of DDoS, and the amounts being demanded here are relatively modest, but the campaign is notable for the number of firms being targeted. The criminals are threatening 400Gbps attacks, although firms that have refused to pay have more commonly suffered just 10Gbps floods – although that’s often enough to cause severe business disruption. According to Brailey, the kinds of businesses coming under attack are retailers and gaming firms that have online payment gateways.
IoT multiplies risk of attack
T
he proliferation of devices, networks, platforms and applications to support the Internet of Things (IoT) multiplies the vulnerabilities and greatly increases the potential for malicious attacks, according to a new report by Beecham Research.
‘IoT Security Threat Map’ highlights the key areas where external or internal attacks may originate and where the fastgrowing IoT industry needs to do more to provide better security controls. Professor Jon Howes, technology director at Beecham Research, believes that the only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications. “Traditional M2M (Machine to Machine) applications are typically very focused, using specific edge devices, a single network and custom platform, making it relatively easy for security professionals to secure to the acceptable level,” said Howes. “But the IoT cuts across different sectors and embraces multiple devices and networks – from satellite to cellular – along with a growing number of IoT platforms and big data systems, which present threats on many different levels and fronts. Wherever there is a new interface between devices, networks, platforms and users, there is the potential for a new weak link.” Beecham pointed to a number of specific internal and external threats inherent 20
Network Security
in the IoT ecosystem. When it comes to sensors and devices, the challenge is largely around identification, authentication and authorisation, to ensure a level of trust and avoid risks such as application hijacking. There is also the threat of physical intrusion. “Using Differential Power Analysis (DPA), it is well known that by ‘listening to’ very small changes in power consumption when different calculations are performed in a chip, it is possible to work out an encryption key,” said Howes. The main threat at the network level comes at the interface between different types of network. “With a mix of fixed, satellite, cellular and low-power wireless networks as well as personal and body area networks (PAN & BAN), the challenge is to secure the transfer of multiple streams of data between selected networks without exposure of key secrets or equipment control,” he added. With over 100 players now offering IoT platform solutions combined with the growth of big data and cloud-based technologies across multiple market sectors, Beecham believes that this is where most attacks will be focused. “The benefits of IoT by definition rely on lots of data with high levels of searchability and analysis,” he said, “but this also means that the data must exist in plain text, which presents multiple threats – not least from insider attacks from sysadmins and authorised users.” Beecham Research believes that while work is going on to secure different parts of the Internet of Things, there is no joined-up approach. “We talk about the need for a deep Root of Trust in security and this is even more critical in a complex, connected IoT ecosystem,” said Howes. According to Duke-Woolley, CEO at Beecham Research: “Security in the Internet of Things is significantly more complex than existing M2M applications or traditional enterprise networks. Data must be protected within the system, in transit or at rest and significant evolution is required in the identification, authentication and authorisation of devices and people.” There’s more information at: www.beechamresearch.com/download. aspx?id=43.
EVENTS CALENDAR 2–4 June 2015 Infosecurity Europe Olympia, London, UK www.infosecurityeurope.com
2–3 June 2015 Infosecurity Intelligent Defence Olympia, London, UK www.infosecurityeurope.com/ intelligentdefence
8–12 June 2015 IEEE Cyber 2015 Shenyang, China www.ieee-cyber.org/2015/
14–19 June 2015 Forum of Incident Response and Security Teams (FIRST) Berlin, Germany www.first.org
15–19 June 2015 Hack in Paris Paris, France www.hackinparis.com
2–3 July 2015 European Conference on Cyber Warfare and Security (ECCWS) Hatfield, UK http://academic-conferences.org/eccws/ ECCWS-home.htm
20–22 July 2015 Secrypt – International Conference on Security and Cryptography Colmar, Alsace, France www.secrypt.icete.org
26–30 July 2015 AHFE – Human Factors in Cyber-security Las Vegas, NV, US www.ahfe2015.org/board.html#hfc
May 2015