Internet Of Things Might Be Greatest Risk To Security, Privacy: Sophos Researcher

Dozens of solution providers went back to school on Saturday night to learn about the latest security threats to online systems, and the business opportunities those threats create for the channel.

The Channel Company's 2015 XChange conference got under way in Dallas, Texas, with IT Security University, a series of sessions aimed at helping solution providers build successful security practices. The Channel Company is the publisher of CRN.

Kicking off the event, James Lyne, global head of security and research at Sophos, shared his insights with solution providers about what cybercriminals are up to, and how the Internet of Things will give them exponentially more vulnerabilities to exploit.

Lyne, who told the attendees he spends half his time reverse engineering "nasty creations," said nearly 250,000 new pieces of malicious code are released every day, and 30,000 new web sites are infected.

His adversaries -- the hackers -- have productized and embraced a cloud service model better than most legitimate businesses, he said. Cybercriminals have created mature platforms that make it easy to disseminate malicious code and evade security services, and they're even offering technical support to their colleagues.

"You can email the cybercriminals and get help configuring your malicious code server," Lyne said.

It’s a misconception that attackers need to be computer geniuses. All they really need is some money to purchase malicious tools that are readily available (often with tutorials on YouTube), and the desire to attack businesses, he said.

Even the quality of spam has markedly increased of late, making it often indistinguishable from legitimate correspondence from online service providers. Lyne showed attendees an email with a malicious link that looked identical to a LinkedIn notification he received instructing him how to change his password.

"What I'm saying is this idea that you can obviously spot things is a little out of date," he said, "which is a little scary."

Lyne demonstrated the methodology of several types of advanced persistent threats. APTs often serve as excuses for data breaches, he said, when in actuality they are surprisingly easy to defend against.

One demonstration showed how easy it was to implement a back door that could be used to breach a point-of-sale system and steal credit card numbers. He also showed the ease with which cybercriminals could use key loggers or remotely activated video cameras to eavesdrop and steal data.

"Gangs are collaborating and sharing information," Lyne said, with increasingly sophisticated campaigns targeting enterprises, politicians, even military organizations. In many instances, those campaigns employed malicious code Sophos was easily able to detect at each of five layers of security, yet the attacks were successful.

Billy Merchant, senior account executive at United Data Technologies, Doral, Fla., told CRN that Lyne's presentation has given him much to discuss with his colleagues. The atypical breaches Lyne discussed and demonstrated opened his eyes to issues "about security, and the lack thereof, in places you wouldn't think of."

"We're in the business to stop that kind of thing," Merchant said. "If you don't know about it, how can you do something?"

Showing the family tree of a piece of malware, Lyne explained how malicious code is created, copied, shared and modified to serve various illicit purposes throughout its evolution.

But the greatest threat to privacy and security might just be around the corner: the Internet of Things.

The interconnected devices that are automating so many consumer and business tasks will present hackers with nearly unlimited numbers of vulnerable targets.

"I have spent a lot of time breaking the Internet of Things," Lyne told the audience.

From networked power switches in our homes to CCTV systems streaming video of stores and schools, these "smart" devices are being sold with astonishingly outdated security, Lyne said.

Most IoT devices hit the market with security technology reminiscent of 2004, Lyne said. Hackers simply write scripts to find vulnerable devices, then commandeer them to infiltrate individuals, companies and public institutions.

That's just the beginning. "There are more serious prospects coming," he said, describing a penetration test that revealed the ease with which a cybercriminal could cripple a power station.

People aren't getting hacked by super viruses, Lyne said. It's just run-of-the-mill attacks that are only successful because users, and often vendors, fail to implement basic best practices.

A multi-layered defense running basic controls will eliminate almost all of the security issues seen today, Lyne told attendees.

"All we have to do is get people modernizing their approach to security," Lyne said. It's not about spending more, but about making sensible choices, like a service approach to security.

But then Lyne told the audience: "I think this is an opportunity for you."

Dave Gilden, who spoke at the Security University session just before Lyne, is an example of that opportunity.

Gilden founded Acuity Solutions, a Tampa, Florida-based solution provider, around 2002.

Acuity's security practice was about a quarter of the company's total business, Gilden told his peers, but he realized when talking to clients that it addressed a common pain point. Early on he saw the rest of the business was healthy and growing, but not nearly as fast as the security component.

So Gilden decided that Acuity would focus on security as a differentiator.

"We just made the decision that we were going to double and triple down on security," Gilden told attendees.

It proved a lucrative strategy -- seven years later Gilden sold his company to solution provider Fishnet Security.