Cyber Breaches Will Kill

People's property and lives are increasingly exposed to cyber-attacks because just about everything today has computing power, an information security expert warns. A world of "smart" devices means the Internet can kill people.

“It used to be that with computer security, we were worried about computers, desktops and laptops,” Bruce Schneier, a special advisor to IBM Security, said Tuesday 14th May during the Payments Canada Summit in Toronto.

But cars, appliances, power plants and medical devices are at increased risk from hacking attacks, suggested Schneier, author of Click Here to Kill Everybody.

Everything is a computer. Ovens are computers that make things hot; refrigerators are computers that keep things cold. These computers, from home thermostats to chemical plants, are all online. The Internet, once a virtual abstraction, can now sense and touch the physical world.

As we open our lives to this future, often called the Internet of Things, we are beginning to see its enormous potential in ideas like driverless cars, smart cities, and personal agents equipped with their own behavioral algorithms. But every knife cuts two ways.

“All the lessons from computer security, about vulnerabilities, about hacking, about complexity, about changing technology, become true for everything everywhere, and I am not convinced we are ready for that,” Schneier said during the recent Payments Canada Summit in Toronto.

“There’s a fundamental difference between ‘my spreadsheet crashes and I lose my data,’ and ‘my embedded heart monitor crashes and I lose my life,’” said Schneier.

But the computer you use for the spreadsheets could have the same type of operating system and central processing unit as one with an embedded heart monitor, added Schneier, and therefore the same method can be used to attack both.

“It’s only what the computer is attached to that makes a difference and that is the world that is coming.”

Conventional computers can be made more secure with patching, but only because software vendors have teams that write fixes for security issues, which users can then install.

“That fails with low-cost medical devices. The teams don’t exist.”

Schneier suggested that although he worries that someone might hack into his medical records and steal his private health records, he is even more worried about the consequences of a hacker being able to alter his health records and show that he has a different blood type.

Cyber security has three major elements: confidentiality, integrity and availability, said Schneier.

Confidentiality means only certain authorised people can access the data.

Integrity means the data cannot be changed, and availability means that one has access to the data. So a corporate data breach means the data is no longer being kept confidential, while a ransomware attack means the data is no longer available.

If a criminal can hack into medical records and change what is recorded as the patient’s blood type, then the integrity of the data is compromised.

“When you get to computers that affect the world in a direct physical manner, the integrity and availability attacks are much worse than the confidentiality attacks because there are real risks to life and property,” said Schneier.

He demonstrated the significance by using an example of hackers targeting a connected car. Listening to one’s conversations on a Bluetooth-enabled cellphone or figuring out someone’s location is a confidentiality breach, suggested Schneier.

“I really don’t want them disabling the brakes. That is a data availability attack,” said Schneier, who is also a fellow at the Berkman Klein Center for Internet & Society at Harvard University.

“Your car used to be a mechanical device. Now it’s a computer with four wheels and an engine.”

Canadian Underwriter:
