Picture this – your alarm clock goes off, you reach across the bed and take a look at your phone; it’s woken you up 30 minutes early – why? Well you have a meeting at 9:30am, but your car is running low on fuel so filling up will take 15 minutes, and traffic is a little worse than normal, so it will take an extra 15 minutes to get to the meeting. Welcome to the Internet of Things (IoT) a world where your phone can play your day ahead and your fridge knows when it’s running dry and orders the groceries itself.
IoT has captured the imagination of industry visionaries and the public for some time now; devices sending and receiving data, opening the door to a futuristic world previously the stuff of science fiction.
As the cities we live in grow into digital ecosystems, the networks around us will connect every individual device, enabling billions of new data exchanges. Industries will enter a new era, from medical devices that talk directly to medical professionals, to the emergence of smart homes that manage themselves efficiently, ensuring energy usage is checked and bills paid on time.
In the workplace it’s equally easy to see the potential advantages of the connections between devices, from intelligent service desk support through to printers, computers and other devices interacting with each other to deliver tangible user and business benefits.
The service desk is a key component for businesses in the digital age, acting as a communication hub for IT issues, a reference point for technology requirements and a tool for asset visibility. Organisations must ask themselves if their current service desk has the technological capacity and capability to manage the multitude of device and operational data in an efficient manner. An intelligent service desk can be the lifeblood of IoT implementation within businesses and enable automation to be realised.
A connected printer in a business ecosystem, for example, could effectively self-serve its own peripheral needs and order its own supplies when needed. However, the management of that data, effective registration and logging of the incident, as well as notification to the financial and technical teams would not be possible without an intelligent service desk – especially when you elevate this to an enterprise scale, with possibly hundreds of connected printers or devices.
When discussing the “connected office”, IT managers will understandably raise concerns around security. The more devices that are connected, the further the periphery is pushed, increasing potential entry points there are into a network.
An intelligent service desk will enable whitelisting to be integrated into communication protocols. This is a process which gathers and groups trusted individuals and their devices into a known category. This will enable any unusual requests from either IoT enabled devices or employee requests to be automatically flagged and questioned before action or access is given.
It is in this scenario that IT managers can reap the benefits of IoT, service desk and employee synchronisation. Through the IoT device communicating with the service desk, the service desk effectively managing all end points and the employee working in tandem with the service desk software, the minimisation of internal security risks can be achieved.
While much of this sounds quite out of reach, the benefits of IoT and service desk communication are already evident today, through use cases that are currently very fluid, personalised and often driven by an imaginative use of existing and sometimes emerging technology. Peripheral IT product vending machines holding keyboards and mice, for example, allow the realisation of this relationship to be seen.
However, with so much data being transferred and the IoT still very ‘new’, there are a number of challenges, the most critical being visibility of assets connected and operating under the network.
Communication between all end points and visibility should be fundamental considerations when planning for an IoT based implementation. Intelligent service desks, that can enrich the IT support experience as well as integrate and communicate with the business ecosystem, can host the technology capability to have oversight, communication and visibility of device end points communicating with a network.
While this may appear to be a straightforward concept, often enthusiasm to implement and complexity of service desk and technology transformation has a tendency to drown out and bypass the fundamentals – leaving potential backdoors open.
To ensure that there is a holistic approach toward securing connections with the IoT, organisations must challenge all stakeholders (vendors, integrators and consultants) to apply secure IoT principles to the service desk solution and IT operational unit, right from the “drawing board” phase.
Once a year either at the end of an old or the start of a new year, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison to other market perspectives that will appear on mass in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices with less evolved security components may result in the industry acting in catch up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020 but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away, in fact Akamai cite a 125% increase in year on year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy and forget for far too long with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider as a minimum to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability, therefore deliver enhanced protection, the user remains the least protected vector. User awareness, education and (with emphasis on accountability and liability) is continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see” with the result slow progress, then a crisis driven rush to design and deploy solutions. GDPR shines a light on privacy with emphasis on data that contains personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: malwareBytes). Ransomware authors based of the sheer volume of malware released have access to an unprecedented amount of potential human targets. Client security solution enhancement, with the arrival of specialist anti exploit solutions may slow the ransomware march but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties” as surely one casualty is one too many
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc) on cloud delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non standard attack modes including homes held to “thermal ransom” with heating systems shut down or the potential for unexpected orders / purchases from voice activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology with wireless enabled devices, creating and accessing data continually will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017”mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and enterprise current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time respond to minimize the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
Important note: the views within are my own and do not constitute the views of Computacenter Group.
The beginning of the wrong end – dare we consider the impact of a “multi-tier / multi speed” Internet?
One of the most fundamental pieces of news for ALL Internet users broke last week across in the USA but seems to have slipped under the radar over here.
Put simply it’s the start of a change of stance by a number of major US carriers of “data” to levy additional charges to content providers that generate large volumes of Internet traffic. To explain this further, at present if an end user chooses to use the service of “content provider A” they access it via whatever internet connection or point of presence choose to use (whether a paid or free service), fixed or mobile. But the current result could be a popular service (for example social network site content or video streaming) delivering a mass of internet traffic generated by “content provider A” across the major carriers networks with no additional charge paid to the carrier (who must still maintain quality of service, manage bottlenecks, etc.).
However the news broadcast last week highlighted a change of stance by a major US carrier who is now requesting an additional charge from a major TV/film streaming company to carry its traffic across the carriers’ network. And what happens if the content provider refuses to or does not have a cost model that supports the payment of such a charge – does that mean traffic generated by an end user of the service is discarded, rejected?
This overt change seems to be by many as a first small step to a multi-tiered internet, not the “free ish” flowing internet we have today. And the worry, what originates in the US seems to have a tendency to quickly permeate to the UK/Europe (and how could this not).
I revisit the title of this blog, “Could this be the beginning of the wrong end”, which sees types of content only running at optimum levels when transported via “Carrier As” network but not “Carrier B”? And what happens when the networks join at various parts of the Internet, will traffic formally slow down at certain points because “Content provider C” hasn’t paid the carrier “traffic transport” premium? As an end user of an internet service does anyone really need to understand where, who and how to connect to gain not only the best experience but potentially the service at all?
This could be deemed an unsolvable problem as many think for carrier to seek to maximise the monetary income from transporting data is not unreasonable especially when they are fundamental to service delivery – but equally it’s tough for content providers (and that is virtually everyone on the internet) to factor in yet another variable in their income cost model (if they have a cost model at all). The Internet is only of value if “content” is available to the widest audience and can deliver the optimum end user experience with/from that content – a variable end user experience without the end user understanding why does not bode well.
This one is one to watch with very interesting times ahead. However this is resolved, and there are unlikely to be any true winners, ramifications to every popular content provider on the internet are great (and likely to cascade down to the end user).
Watch this space.
Until next time.
The current next big thing, the Internet of Things (IOT) or “Internet of Everything” could easily be relegated to the “hype” or more damningly the “spam” folder of your mental inbox.
It is currently one of the hot topics driving the dialogue of industry analysts & business thought leaders as they strive to unlock the potential of the abundance of digital sensors and IP connected devices now pervasive in the modern world. In enterprise “systems rich” organisations, it’s fairly straightforward to understand the importance of the IP connected elements that underpin both personal and professional activities. However, the Internet of Things ideology captivating the imagination of many embraces the access and use of data from the almost invisible sensor based digital community hidden in virtually every modern, electronic device. They exist in the most diverse places including household devices (alarms, TVs), environmental (weather, planet), government (traffic signals), retail (rfid tags) and even the common SmartPhone. But without rambling “Star Trek” style perspectives, it has proved challenging to showcase IOT use cases with real substance which makes the following example from the non IT community looks very exciting.
A major well known luxury carmaker is leveraging the Internet of Things (IOT) ideology via a real world implementation within forthcoming vehicles. By using on-board wireless and GPS technology, exchanging data in real time with traffic and environmental sensors, cars with traffic light assistance will help the driver to avoid stopping at red lights (thus speeding the journey, increasing safety, reducing fuel, and vehicle wear) by adapting the vehicle speed in relation to real time traffic flows.
The well known car makers approach to leveraging the IOT, is a real world example of the power of connected devices, the Internet of Things (IOT) and a valid use case that delivers commercial and human benefits. For the “Internet of Things” to make sense to us all, emerging examples must deliver personal benefits to drive the end user/customer to seek more and greater IOT benefits in the future (thus making it commercially attractive). Following that track, the Internet of Things will evolve from an urban IT myth to deliver real world human impacting benefits.
Maybe this next big thing could actually be the biggest next thing of all time
Until next time.