Cyber Breaches Will Kill

People's property and life are getting increasingly exposed to cyber-attacks because just about everything today has computing power, an information security expert warns. A world of "smart" devices means the Internet can kill people.

“It used to be what with computer security, we were worried about computers, desktops and laptops,” Bruce Schneier, (pictured) a special advisor to IBM Security, said Tuesday 14th May during the Payments Canada Summit in Toronto.

But cars, appliances, power plants and medical devices are at increased risk from hacking attacks, suggested Schneier, author of Click Here to Kill Everybody.

Everything is a computer. Ovens are computers that make things hot; refrigerators are computers that keep things cold. These computers, from home thermostats to chemical plants, are all online. The Internet, once a virtual abstraction, can now sense and touch the physical world.

As we open our lives to this future, often called the Internet of Things, we are beginning to see its enormous potential in ideas like driverless cars, smart cities, and personal agents equipped with their own behavioral algorithms. But every knife cuts two ways.

“All the lessons from computer security, about vulnerabilities, about hacking, about complexity, about changing technology, become true for everything everywhere, and I am not convinced we are ready for that,” Schneier said during the recent  Payments Canada Summit in Toronto.

“There’s a fundamental difference between ‘my spreadsheet crashes and I lose my data,’ and ‘my embedded heart monitor crashes and I lose my life,'” said Schneier.

But the computer you use for the spreadsheets could have the same type of operating system and central processing unit as one with an embedded heart monitor, added Schneier, and therefore the same method can be used to attack both.

“It’s only what the computer is attached to that makes a difference and that is the world that is coming.”
Conventional computers can be made more secure with patching but this is because the software vendors have teams working on software that addresses security issues and can be installed by the users.

“That fails with low-cost medical devices. The teams don’t exist.”

Schneier suggested that although he worries that someone might hack into his medical records and steal his private health records, he is even more worried about the consequences of a hacker being able to alter his health records and show that he has a different blood type.

Cyber security has three major elements, confidentiality, integrity and availability, said Schneier.

Confidentiality means only certain authorised people can access the data.

Integrity means the data cannot be changed and availability means that one has access to the data. So a corporate data breach means the data is no longer being kept confidentiality, while a ransomware attack means the data is no longer available.

If a criminal can hack into medical records and change what is recorded as the patient’s blood type, then the integrity of the data is compromised.

“When you get to computers that affect the world in a direct physical manner, the integrity and availability attacks are much worse than the confidentiality attacks because there are real risks to life and property,” said Schneier.

He demonstrated the significance by using an example of hackers targeting a connected car. Listening to one’s conversations on a Bluetooth-enabled cellphone or figuring out someone’s location is a confidentiality breach, suggested Schneier.

“I really don’t want them disabling the brakes. That is a data availability attack,” said Schneier, who is also a fellow at the Berkman Klein Center for Internet & Society at Harvard University

“Your car used to be a mechanical device. Now it’s a computer with four wheels plus and an engine.”

Canadian Underwriter:

You Might Also Read: 

Security Flaws In Smart City Technology

 

 

« The Worldwide Skills Shortage Is Growing
Iranian Cyber-Espionage Exposed »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Exodus Intelligence

Exodus Intelligence

Exodus Intelligence are an industry leading provider of exclusive zero-day vulnerability intelligence, exploits, defensive guidance, and vulnerability research trends.

Metasploit

Metasploit

Metasploit penetration testing software helps find security issues, verify vulnerabilities and manage security assessments.

STMicroelectronics

STMicroelectronics

ST is a global semiconductor leader delivering intelligent and energy-efficient products and solutions that power the electronics at the heart of everyday life.

Ministry of Defence Georgia - Cyber Security Bureau

Ministry of Defence Georgia - Cyber Security Bureau

The aim of the Cyber Security Bureau is to establish and develop stable, effective and secure Information and Communication Technology systems for the Civil Office of MoD of Georgia.

IABG

IABG

IABG offer independent, product-neutral consulting as well as technical and scientific services for the use of safety-relevant systems and technologies.

RIPS Technologies

RIPS Technologies

RIPS Technologies delivers automated security analysis for PHP applications as platform independent software or highly scalable cloud service.

Oneconsult

Oneconsult

Oneconsult provides cyber security services focusing on penetration tests / ethical hacking, ISO 27001 security audits and incident response & IT forensics.

Cyverse

Cyverse

Cyverse is a cyber-security firm which provides corporations with state-of-the-art cyber-security service-based and technological solutions made in Israel.

Cyber Security Austria (CSA)

Cyber Security Austria (CSA)

Cyber Security Austria (CSA) is an independent non-profit association with the aim to address security issues in the area of IT/cyber security of critical/strategic infrastructures in Austria.

National Accreditation Agency of Ukraine (NAAU)

National Accreditation Agency of Ukraine (NAAU)

NAAU is the national accreditation body for Ukraine. The directory of members provides details of organisations offering certification services for ISO 27001.

EU Joint Research Centre

EU Joint Research Centre

JRC is the European Commission's science and knowledge service which employs scientists to carry out research in order to provide independent scientific advice and support to EU policy.

Third Point Ventures

Third Point Ventures

Third Point brings deep technical expertise, a strong network of relationships, and decades of investing experience to add value to our partners throughout their journey from idea to IPO and beyond.

Core to Cloud

Core to Cloud

Core to Cloud provide consultancy and technical support for the planning and implementation of sustainable security strategies.

J.S. Held

J.S. Held

J.S. Held is a global consulting firm providing technical, scientific, and financial expertise across all assets and value at risk.

Single Point of Contact

Single Point of Contact

Single Point of Contact is a Managed IT Services provider that helps businesses to achieve a seamless and secure IT environment.

Tsaaro Academy

Tsaaro Academy

Tsaaro Academy is a unique privacy certification training platform and here you earn a privacy certification CEH, CISM and DPO from India’s No.1 Privacy training platform.