Connectivity and the Threat to Data Security

In the modern world, technology is pervasive. It impacts all areas of life from basic human interaction to how we shape and work with the world around us. From its inception in the 1980s, the internet has been a growing part of technology, encouraging increasing connectivity and the growth of the IoT (Internet of Things).

The invention of the computer replaced many older-fashioned technologies (or was incorporated into them). For example, various versions of the cash register have been around for centuries. Modern versions include computers that talk to each other and the company’s network – some even helping to track inventory. Before modern technology, if you wanted to contact someone across the country or on a different continent, you would have to send a letter via stagecoach or ship (later this was sped up through the use of the railway system). This process could take many months, and there was no guarantee that the letter would ever reach the intended recipient. Today, all you have to do is pick up a phone and you can be connected in seconds.

Before I get into the content of my article, I would like to emphasize that there are a lot of wonderful opportunities created by modern technology and the ever-increasing growth of connected devices. The potential to track your home’s security, your personal health, and the well-being of your business from devices you use every day is incredible. New and creative answers to daily challenges are being invented daily with the potential to bring about a happier, healthier, and more efficient world.

The Internet of Things

The IoT is “the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other).” (Morgan) The impact of this is huge – ranging from personal use to practical business applications. Wouldn’t it be convenient to control your home’s security, lighting, and energy usage, and feed your dog, all from your phone? Well, this has become a reality. In the working world, this can include operating a manufacturing plant remotely or the ability for offices to integrate their devices (work computers, tablets, phones, etc.) to provide a seamless transition. Other possibilities include “smart cities” where the technology is used to manage energy, reduce waste, and even control parking, (Morgan).

Here are some examples of IoT devices:

Smart Medical Devices
  • Asthma control devices
  • Vital signs monitoring devices
  • Back therapy devices
  • Smart braces
  • Smart insulin pumps
  • Smart X-Rays
  • Smart MRIs
  • Smart vital baby sign monitors
  • Smart infant bottles
  • Smart pacifiers

Smart Home Devices
  • Smart lighting
  • Smart locks (doors/windows)
  • Security systems (cameras, alarms, heat/movement sensors…)
  • Smart thermostats/smart AC control
  • Smart cooking devices
  • Smart vacuums/smart mops
  • Smart scales
  • Smart water sprinklers
  • Smart lawn mowers

Smart Car Features
  • Telematics
  • GPS functionality
  • Keyless starters
  • Apps to lock/unlock car
  • Car summoning capability

The Internet of People

This encompasses what we as individuals disseminate online. Social media plays a huge part in this. We share large quantities of data about ourselves on social media – where we live, our phone numbers, our email addresses, our full names, our age, our education, our work, the names of our family members, pictures of our friends/family/pets, our activities/where we are/where we are going, our political interests, and so on. This can also include our banking information (debit/credit card numbers, routing numbers, etc.), our income levels, tax information, our credit scores, usernames, passwords, insurance information, and the list goes on and on.

The Internet of Services

This goes hand in hand with the Internet of People. These are the companies who offer services over the internet: financial, data, business analytics… They interact with their consumers through the internet, collect (and sell) data, interact with other companies, and publish articles. They offer video streaming, security video feed monitoring, access to banking information, access to financial services such as consulting and assistance with budgeting, education and information all online without interacting with their consumers face-to-face, regardless of where the consumer is located.

The Importance of Data Security

In 2013, the Transportation Security Administration (TSA) in the United States had to remove certain body scanners from airports over concerns regarding the detailed images that were being captured of passengers, (Ahlers, 2013). The biggest complaint from passengers was that they felt violated by the detailed images that were being reviewed by live personnel and that they were uncomfortable with these kinds of images being collected for any purpose.

However, data like this is collected about us every day. Everything from our interests to more concerning data like the layout of our homes and our medical records (from MRIs to blood work, to general profiles created by our doctors) is collected by various sources. For those with less than honorable intentions, significant profiles can be compiled on the subject in question. In the future, what kind of data will be available and who will have access to it? For example, could an employer decide not to hire a potential candidate because they have access to data collected by a smart pacifier that showed that the potential candidate may be sick more often than other candidates?

The vulnerability of technology to hackers has come under the spotlight. There have been many cyberattacks that have resulted in the loss of hundreds of thousands of consumers’ data per attack. Hackers have stolen bank account routing information, personal usernames and passwords, social security numbers, tax information, employment information – any information that exists on the Internet is at risk. In 2015, 157 thousand TalkTalk customers had their information stolen, and this was just one of many examples, (Farrell, 2015).

In the past few months, two large ransomware attacks have grabbed headlines – WannaCry Ransomware and Petya (or Goldeneye) Ransomware. Ransomware is a type of cyberattack where a network’s files are held hostage until the company (or individual) pays the demanded ransom. In May 2017, WannaCry Ransomware was released, reaching across 150 countries in a matter of hours and causing havoc with the UK’s NHS and Telefonica in Spain (among 200 thousand other organizations also hit). Those whose computers were infected were told to send a payment in Bitcoin in order to retrieve their stolen files. The attack was stopped when a security expert stumbled upon a “kill switch” that was built into the program, (Cara McGoogan, 2017). Petya Ransomware targeted Europe and the United States, causing difficulties for large companies like Saint-Gobain, Evraz, and Rosneft. Victims were told to submit a payment of $300 in Bitcoin, (Henley, 2017). Both ransomware attacks made use of vulnerabilities found in Microsoft operating systems that were discovered earlier this year by the NSA. Microsoft released a security patch to address these issues, but it was dependent on the user to update their systems. To learn more about ransomware and how to prevent an attack, please read this blog post.

In October 2016, Dyn faced a massive DDOS (distributed denial of service) attack. The attack gained a foothold through the use of IoT-enabled devices like webcams. For those unfamiliar, a DDOS attack is “an attack that overwhelms a system with data – most commonly a flood of simultaneous requests sent to a website to view its pages, causing the web server to crash or become inoperable as it struggles to respond to more requests than it can handle,” (Zetter, 2016). Dyn is one of the largest providers of DNS (Domain Name System) services, which allow website names to be converted into “machine-readable IP addresses,” (DYN, 2010). Because of this, when they were faced with the DDOS attack, the shock waves were felt worldwide, bringing down websites (like Netflix, Amazon, and Twitter) and interrupting IoT.

The IoT, for all of the wonderful and fascinating solutions it offers for day-to-day challenges, is a world not well understood; one that presents serious security risks. The reality is that by incorporating IoT into our lives and into our companies, the amount of data collected about ourselves and our businesses is immense (which can leave us vulnerable to hackers), and in today’s world, it’s not just your data that is at risk. Hackers can access critical devices that are connected to networks and the internet – devices like X-Ray machines and insulin pumps, (Meola, 2016). On a larger scale, things like utilities can be at risk. Last year, through the IoT, hackers were able to break into Ukraine’s power grid and cause a complete blackout in their capital, Kiev. People were left without electricity for a little more than an hour. This is the second such attack Kiev has faced in the past two years, and they are getting more complex, (BBC, 2017).

There is growing concern regarding the ability to hack into vehicles. Researchers were able to turn off and on car engines, disable acceleration, and even control steering. The potential is there to, “run [the car] off the road [or] kill it in the middle of the freeway,” (Szoldra, 2016). Taking this line of thought a step further, if a hacker can remotely control your car, it stands to reason that there is some capability there (especially with increasingly automated features) to steal your car without you even being near it.

Hackers are savvier, now more than ever, in covering their tracks, and our legal system is having a hard time keeping up. We turn to the creators of these devices to make them safer. However, the companies behind these devices have not been as diligent in ensuring the security of these devices (and the data these devices collect) as they need to be. The companies responsible for creating these devices (medical, personal use, industrial…) have been treating these devices as if their responsibility ends with the purchase of their product.

There is little research and development going into the maintenance of the security of these systems. Hospitals buy an expensive X-Ray machine and expect to get decades of use out of it – but the connected systems are not updated or modified to keep them secure. People buy cars expecting to get many years of use out of them, but, while the mechanical parts of the car are kept maintained, what about the information technology behind the infotainment system? These details have been continuously overlooked by the industry. In a survey conducted by AT&T of more than 5,000 companies worldwide, 85% were already involved in IoT, but only 10% were confident in the security of these devices, (Meola, 2016).

What can TUV USA, Inc. do (as a Certification Body) to help companies protect this data?

The value of quality system certification is not only in the piece of paper developed at the end of the audit process. The certificate assures clients and suppliers that the products and services offered are being designed, manufactured, and distributed by a company that takes quality seriously while also helping companies find areas for growth and improvement to improve their products and services.

Perhaps the best known and most widely used certificate is the ISO 9001 certificate. However, TUV USA believes that there is a standard that is growing quickly to fill the shoes of ISO 9001. ISO 27001 is a comprehensive standard based on ISO 9001 and the former BS7799-2 standard, considering overall quality and Information Security Management Systems (ISMS). Technology has grown to be a part of all aspects of life in the modern world. This push for connectivity will force companies to start monitoring and controlling their ISMS to ensure that they are taking proper consideration when incorporating connective technology into their own processes and the products and services they offer.

In addition to ISO 27001 certification, TUV USA’s parent company, TÜV NORD, has developed a separate certification, the Security4Safety (S4S), which is based on ISO 27001 and IEC 62443. This standard considers safety measures and the security of databases, software, and connected devices. This certification helps companies pinpoint areas in their IT Security (confidentiality of data, integrity and accuracy of the data, and the availability of data) and Functional Safety (reliability of safety systems) that need improvement to prepare them for the new world driven by technology, while also helping provide solutions to these areas.

Conclusion

There are many concerns regarding the progression of connectivity in technology. Companies that act now to secure their systems and their products become a part of the solution in addressing and resolving these concerns. Embracing the new technologies with open arms while also incorporating caution in how they are used and what happens with the data they collect is a recipe for success in the evolving future of business and technologies.

References

Ahlers, M. M. (2013, May 30). TSA removes body scanners criticized as too revealing. Retrieved from CNN: edition.cnn.com/2013/05/29/travel/tsa-backscatter/index.html

BBC. (2017, January 11). Ukraine power cut 'was cyber-attack'. Retrieved from BBC News Technology: www.bbc.com/news/technology-38573074

Cara McGoogan, J. T. (2017, May 18). What is WannaCry and how does ransomware work? Retrieved from The Telegraph: www.telegraph.co.uk/technology/0/ransomware-does-work/

DYN. (2010, August 25). DNS: Why It's Important & How It Works. Retrieved from Dyn: dyn.com/blog/dns-why-its-important-how-it-works/

Farrell, S. (2015, November 6). Nearly 157,000 had data breached in TalkTalk cyber-attack. Retrieved from The Guardian: www.theguardian.com/business/2015/nov/06/nearly-157000-had-data-breached-in-talktalk-cyber-attack

Henley, J. (2017, June 27). 'Petya' ransomware attack strikes companies across Europe and US. Retrieved from The Guardian: www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe

Leetaru, K. (2016, October 31). The Dyn DDOS Attack and the Changing Balance of Online Cyber Power. Retrieved from Forbes: www.forbes.com/sites/kalevleetaru/2016/10/31/the-dyn-ddos-attack-and-the-changing-balance-of-online-cyber-power/

Meola, A. (2016, December 19). How the Internet of Things will affect security & privacy. Retrieved from Business Insider: www.businessinsider.de/internet-of-things-security-privacy-2016-8

Morgan, J. (2014, May 13). A Simple Explanation of 'The Internet Of Things'. Retrieved from Forbes Leadership: www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/

Nagaraj, V. (2014, Feb. 26). The industrial IOT isn't the same as the consumer IOT. Retrieved from Forbes: www.forbes.com/sites/oreillymedia/2014/02/26/the-industrial-iot-isnt-the-same-as-the-consumer-iot/

Roberts, F. (2016, October 31). 9 examples of manufacturers making IIoT work for them. Retrieved from Internet of Business: internetofbusiness.com/9-examples-manufacturers-iiot/

Szoldra, P. (2016, June 28). The truth about car hacking is scarier than we realized. Retrieved from Business Insider: www.businessinsider.com/hacker-car-hacking-2016-6

Zetter, K. (2016, January 1). Hacker Lexicon: What are DOS and DDOS attacks? Retrieved from WIRED: www.wired.com/2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/

About the Author

Janice Harvey

Janice Harvey has been with TUV USA since May of 2016, and moved to the Medical Products Division that September. She is currently attending Kaplan University for a Bachelor’s Degree in Business Administration. Janice provides independent content writing for divisions of TUV USA, Inc. She has contributed to the content of the TUV USA website as well.