Internet of Things
Recently, attackers broke into an unnamed casino and stole data by compromising an internet-connected fish tank. If this were a plot device in a Hollywood thriller, the cyberattack method would likely be deemed far too implausible and left on the cutting-room floor — not to mention the preposterous idea that thieves find a better return on investment (ROI) in stealing data from a casino instead of stealing money. But both the method and “goods” targeted by the thieves are real.
As implausible as this scenario seems, increasing internet of things (IoT) adoption portends worse cybersecurity breaches unless businesses recognize the need to improve IoT components.
In the fish tank example, it is particularly ironic that the pun “phishing” evolved back to the original “fishing.” Phishing attempts to steal valuable information through deceit. An email, for example, elicits confidential information by pretending to come from a boss or colleague. Rather than attacking systems directly, phishing uses social engineering to prey on parts of computer systems that are traditionally far weaker: users. But in the weakest-link contest, we have a contender rising quickly — IoT devices.
Unfortunately, IoT did not rise to the top of the weakest-link leaderboard because we the users all strengthened our security chops. Despite constant prescriptions for better user education, it is difficult to raise every user’s security prowess — and the resilience of a defense depends, by definition, on its weakest point. Instead, IoT devices may become the preferred path for attackers because an IoT path offers them far better ROI than a user path.
The use of “ROI” here is important. It’s tempting to think of security as a technical problem — one that we wish some smart technical folks would just solve. Despite many smart people working on it, such a solution is highly unlikely. Instead, security is an economic problem — attackers are economic actors who will strike when benefits exceed costs and will turn their attention elsewhere when they don’t.
The “return” part of the attacker ROI is based on the value of data. The value of data has increased dramatically over the last decade. It stands to reason that the same data would be valuable to attackers as well.