29 Nov 2018
Cyber-Security Conference Singles Out IoT as Largest Looming Threat
Data breaches may be collectively costing Asia-Pacific-based businesses more than US$1.75 trillion a year, according to delegates as this year's RSA Conference, with the wider adoption of the Internet of Things set to make things far worse.
Across the world, in the year leading up to April 2018, there were 90 cyber-attacks deemed "significant" by The Centre for Strategic and International Studies, the Washington-headquartered global security think-tank. Together, these virtual incursions are estimated to have cost big business and government-run institutions some US$600 billion, a sizable rise on the already sizable $500 billion reported for the previous year. With even these colossal figures likely to represent a mammoth underestimate, as many companies are unwilling to admit their data has been breached, this year's RSA Conference Asia-Pacific and Japan – billed as "Where the World Talks Security" – couldn't really have been timelier.
Perhaps in order to keep those hackers on their toes, despite its title, this year's event was not squirrelled away in Tokyo or in any other Japanese prefecture, but instead took place in downtown Singapore. In order to dispel yet more potential confusion, the "RSA" acronym cannot be easily reverse-engineered into some common-sense term – Regional Security Assembly? – but instead refers to the public-key encryption technology developed by RSA Data Security. More specifically, the acronym is derived from Rivest, Shamir and Adleman, the surnames of the technology's inventors. Armed with such insider information, the conference itself is perhaps a little easier to decipher.
Clearly keen on a little deciphering himself, one of the event's opening speakers, RSA President Rohit Ghai, was confident that industry had seriously misinterpreted the actual costs of cyber-attacks. Asserting that the actual figure was way higher, he said: "In 2017, in the Asia-Pacific region alone, cybersecurity violations cost businesses more than $1.75 trillion.
"For some reason, companies in Asia are 60-80% more likely to be the target of such an attack than their counterparts in the West. As a result, some 44% of all such incidents in the region are never tackled, partly because of the 'cyber-fatigue' that's now setting in among many local cybersecurity specialists.
"Bearing in mind the scope and immediacy of the problem, it's more realistic for companies to focus on being a little bit safer every day, rather than aiming to be totally unhackable someday. One way of doing this is to focus on any businesses' crown jewels – its people, its processes and its systems. Hackers do not have infinite resources and tend to go after soft targets. In line with this, it's best to prioritise the little things, patching vulnerabilities, for instance – basically, anything that will make you less of a target."
Maintaining that the already hugely complex issues relating to cybersecurity are set to be made murkier still thanks to the wide-ranging deployment of IoT devices, Lisa Lee, Chief Security Adviser for Microsoft, said: "Our problem is, basically, that we are drowning in data. On a global and monthly basis, we now need to analyse 400 billion emails, scan 1.2 billion devices, secure 750 million cloud user accounts, check 18 billion web searches and confirm 450 billion authentications. From within all that, we are currently detecting 930 million threats a month. Typically, an enterprise needs to grapple with 12 to 60 different security solutions, while its data is fragmented and its operations are increasingly complex. From my point of view, the only way forward is machine learning. We need to use machines to fight the hackers, many of whom are also using machines.
"As an indication of the scale of the problem, one company, using a typical rules-based security system, rated some 28% of all login attempts as suspicious, which meant it had to contend with 280 million potentially fraudulent logins. With such a huge volume of results, of course, there was no practical way to actively analyse every incident. When machine learning was deployed, however, the level of apparently illicit logins fell to 0.001%.
"More strikingly still, on 6 March this year, we got to witness machine learning in action. At around noon, a massive new cyber-attack was detected – the Dofoil virus. Within milliseconds, our machine learning system had blocked it more than 400,000 times."
Sharing Lee's enthusiasm for machine learning, Amit Zavery, Executive Vice-president of Oracle's Cloud Computing division, said: "Currently we are faced with an Artificial Intelligence-enabled army and trying to manually combat it is a recipe for disaster.
"Tellingly, 85% of all breaches exploit a vulnerability where a patch has been made available but has not been implemented. Typically, an enterprise receives about 17,000 alerts a week, of which only 19% are reliable and only 4% are investigated. As my boss, Larry Ellison, famously put it: 'It can't be our people against their computers. We're going to lose that war. It's got to be our computers versus their computers.'"
Despite such gloomy prognostications, there were some at the event who saw the danger from certain kinds of cyber-attack receding, at least at present. One such bearer of apparent good tidings was Dr. Thomas Keenan, Professor of Environmental Design at the University of Calgary's Department of Computer Science.
Citing ransomware as one cyber-attack subset that was currently in decline, he said: "Our 2018 survey showed that 45% of respondents had been hit by ransomware, well down on the 62% that had fallen victim to it the previous year. This, though, may only be a temporary respite and it may be wholly possible that that ransomware will pivot to IoT devices.
"A hacker, for instance, may target a hospital's MRI or CT scanner, threatening to kill a patient unless a ransom is paid. It's a problem that goes far beyond hospitals, however, with the definition of 'critical infrastructure' becoming an ever-broader term, as is the term 'mission critical' as it relates to the functions of a company.
"Overall, everything is becoming increasingly IoT-dependent, with this reliance exploited by the NotPetya virus, which cost FedEx, Maersk and Merck $800 million in October last year. As a result, it's vital that we take an inventory of our IoT devices and ensure they are patched."
Agreeing that the future of ransomware was very much IoT-shaped, Nick Savvides, Chief Technology Officer for Symantec's Asia-Pacific division, said: "Ransomware has evolved as our use of technology has evolved. The early ransomware, 2005-2008, took the form of scam apps, free applications that would find fake problems on your computer, with a paid version, supposedly, the only way to solve such issues. Then came fake antivirus apps running the same scam. In 2011, locker ransomware appeared in the form of a virus that disabled your computer. In 2012, we saw much more sophisticated locker ransomware and a subsequent explosion of incidents in 2016-2017.
"Now we are seeing a pivot towards crypto-jacking – the hijacking of computer resources for crypto-currency mining. For our part, we see the next pivot as targeting industrial and commercial enterprises via IoT devices. As a result, we recommend taking a zero-trust approach to all devices, while continuously monitoring systems and cloud services for any signs of mining activity."
Turning the focus specifically onto the particular problems facing the Asia-Pacific region, Kevin Skapinetz, Vice President of Strategy and Design for IBM Security, said: "The average cost of a breach in this region is $3.39 million. The cost is so high because the average time taken to detect and deal with such an incursion is 267 days. If we could reduce this time by 100 days, that would mean an average per-breach saving of $1.1 million. This is eminently achievable. It's all just a matter of getting smarter, responding faster, and working together.
"To that very end, we've been teaching Watson, our proprietary AI, the language of cybersecurity and it's already generating real, useable insights in minutes rather than hours. Overall, though, in order to respond faster, we need to look at security orchestration, putting in place companywide playbooks that detail how to respond to different threats. Defining the required steps and ensuring a co-ordinated approach is absolutely critical. You then have to break down the processes into drills and start to practice, ultimately ensuring the execution time is cut to the barest minimum."
The 2018 RSA Conference Asia Pacific & Japan took place from 25-27 July at the Marina Sands in Singapore.
Ronald Hee, Special Correspondent, Singapore