The Internet of Things (or IoT) is already here. As I described last week, it has already been misused to launch the largest DDoS (or Distributed Denial of Service) attack in history. Attacks against cyber security writer Brian Krebs and a French Internet service provider moved the record flood rate from 363 Gbps to 620 Gbps, and then to over 1,000 Gbps, within about a week.
Every time you turn on your Blu-ray player, it contacts the factory to see if a firmware update is available. Or at least we hope it’s the factory. Learning Tree’s System and Network Security Introduction course describes several ways that DNS, the Domain Name System, can be subverted to misdirect connections.
Go somewhere people are waiting, like a bus stop or an above-ground rail station. How many are on their smartphones?
Or go to a museum. People have paid for a special opportunity to go in and look at the collection. But how many are on their phones? Then you realize that the museum has its own app. It serves as a personal guide, providing a wealth of further details about the objects on display. This might include interviews with curators or other experts. Visitors can use the app to greatly enhance their visit and learn far more. Some do. Others, I’m afraid, are feeding their Facebook addiction.
Go to a small business. I guess we still say “cash register” for historical reasons, but much of the time it’s an iPad handling credit and debit transactions. It communicates over 802.11 wireless to the shop’s Internet router, and through there to the banking and credit networks.
Look at your smartphone’s wireless signal list. You may see a wide-open “CoffeeGuest”, but there will be another encrypted with WPA2 (I hope!), possibly with a cryptic name. That one is the payment system.
Get a meal in much of the world outside the U.S. The server brings a small payment unit to you. You plug in your smart credit card, enter your PIN, and select the pourboire or tip by amount or percentage. The unit talks 802.11 to the main payment system, which talks out to the Internet, and in seconds a receipt is printed and you have paid.
We can find out when the next bus or train will arrive. We can get more out of a museum visit. Small businesses can do more business more efficiently. But we trust all of this to work correctly.
Availability is important. “I can’t buy my coffee because the network connection is down.” That would have been the basis of an absurd joke about a Hyper Text Coffee Pot Control Protocol ten years ago, but now it’s a real problem. Availability is, unfortunately, the one cyber security goal we can’t guarantee. We can’t even put meaningful numbers on how good it is.
Confidentiality is certainly important, with our credit card numbers flying back and forth through the air for almost every purchase. Seriously, who uses cash? That’s so 20th Century.
Integrity is easy to overlook, but it’s also very important. We might think of it as accuracy. “My smartphone app is telling me to turn down this dark alley. I’m sure that’s right.”
As I said, availability and integrity (or accuracy) are crucial. I’m out of space here. Come back next week for some thoughts on how our systems need resilient design.