CIOs and CTOs say their No. 1 concern this year is dealing with online security threats, according to a survey conducted by IEEE about their biggest challenges. The results were featured on the IEEE Cybersecurity Vulnerability Navigator, which provides insights from IEEE technical experts on current and future threats.
In 2015 a hack of a credit rating agency released the names, addresses, and social security numbers of more than 15 million people.
Although the incident made headlines, the breach was just a drop in the bucket. Worldwide, it’s estimated that hackers stole more than 2 billion records last year alone. The thefts are so common because data can be as valuable as cash and is even harder to safeguard, according to IEEE Senior Member Zhen Wen, who discussed data breaches in an audio commentary on the Cybersecurity Vulnerability Navigator. The sensitive information was for sale in the dark corners of the Internet almost immediately. Wen is a researcher at IBM focused on complex and social network analysis.
“Protecting data is more difficult than protecting money, because data can be easily replicated,” Wen says. “It demands a more comprehensive approach than putting data into a safe.”
And it’s not just personal information that can be garnered through such breaches. Some servers hold trade secrets and other intellectual property that can be tempting bait for cyberattackers.
The good news is that online data is getting more secure, says IEEE Senior Member Kevin Curran. The bad news is that the more effective countermeasures may be mucking up your online experience.
“We’re seeing operating systems getting better security, but that security always comes at the cost of convenience,” says Curran, a professor of cybersecurity at Ulster University, in Coleraine, Northern Ireland.
When attacking an organization’s network, hackers often are on the lookout for employees’ log-in information. Those credentials can provide attackers with the keys to the kingdom, so to speak, giving them access to other parts of the system that could be harder to break into, IEEE Senior Member Kevin Du explains in this audio commentary. He’s a computer security researcher at Syracuse University, in New York.
That’s what happened in 2013 when cybercriminals broke into Target’s smart lighting system and then used those same credentials to break into its servers—which wasn’t discovered for more than two weeks. During that time, more than 40 million customer credit card numbers were stolen.
After a few hard lessons like that one, Du says, companies have started to take steps to prevent such attacks. A typical approach is to use two-factor or multifactor identification, Du says, requiring employees to use multiple credentials to log in.
“Though it makes it inconvenient for users, it’s a very effective way to protect the system,” he says.
DISTRIBUTED DENIAL-OF-SERVICE ATTACK
DDoS attackers use thousands of hijacked IP addresses simultaneously to flood a server so that a network becomes overloaded, making it unavailable to users.
“When we first discussed this threat back in 1999, we had a five-tier plan for how we could work on it and mitigate it,” IEEE Senior Member Sven Dietrich says in an audio commentary. “And here we are, almost 20 years later, still dealing with variants on this attack.” Dietrich is an associate professor in the mathematics and computer science department at the City University of New York.
The technique is an oldie but goodie, sticking around because it has adapted to new situations over time. In fact, the latest technologies allow for even more effective DDoS attacks. Previously, the attackers depended on malware-infected PCs. But a new generation of Internet of Things devices (which are often poorly secured), such as smart refrigerators and light fixtures embedded with sensors, have introduced additional avenues to overwhelm a network with a tidal wave of traffic, according to Dietrich.
A recent attack on a major domain-name server activated a botnet—a network of private computers infected with malicious software and controlled without the owners’ knowledge. That was done through IP addresses of unsecured digital cameras, each with its own independent Internet connection and Internet address, Dietrich explains. The result was traffic twice as large as any previous attack, he says—which temporarily shut down Netflix, Twitter, and numerous other major online services.
It is estimated that by 2020 there will be more than 30 billion Internet-connected devices at work. If security measures aren’t taken more seriously, many of these gadgets could be used to seriously disrupt online services, Dietrich says. With so many connected devices proliferating, government regulations might become necessary to ensure that they meet security standards and can’t be weaponized by DDoS perpetrators.
Hackers use ransomware, a type of malware that can invade systems and then encrypt the data to essentially put devices in a state of lockdown. Users are then given a choice: They can pay the attacker to release their device, or watch the data stored on it disappear forever.
Ransomware attacks can be devastating to institutions. Last year Hollywood Presbyterian Medical Center, in California, had its patients’ medical data locked down for two weeks. Attackers demanded a US $3 million ransom, and the hospital decided to pay it.
Such malicious code can impact individuals too. Although keys to some ransomware are available online, Curran shares in this audio commentary a foolproof way to protect yourself. “The simplest protection mechanism is to have your files backed up,” he says. “If you don’t back them up, you can’t get them back.”
Without improvements to their security, Internet-connected devices, like smart televisions, could become increasingly popular targets for such attacks.
To learn more about the threats, visit IEEE’s Cybersecurity Vulnerability Navigator, where you also can find insights into the state of cybersecurity for companies and what keeps industry insiders up at night.