The white-hot market for wearable devices, bolstered by increasing connectivity speeds and better battery technology, has led to an almost unprecedented explosion in the Internet of Things. These IoT devices are challenging traditional notions of security and security practices due to their sheer volume and variety: in a few years there will be billions of tiny, connected devices in almost every item we encounter.
This fact, alongside the increasing government engagement with security issues (most recently demonstrated by the US closure of e-QIP after a security audit), has raised the bar and made IoT the biggest security challenge yet, according to renowned industry expert and visionary Righard J. Zwienenberg, Senior Research Fellow, ESET.
Cybersecurity is high on government agendas now. Is this a case of them being ahead of the game, or trying to play catch-up?
This is definitely a case of catching up. Fact is that they are too late. It is of course great that they, on one side, are creating initiatives to fight cybercrime, inform the public, raise awareness and cooperate more globally, but on the other side they knowingly keep working with outdated operating systems, insecure platforms, etc. for lots of governmental operations (such as social security systems).
The media seems to have caught up on reporting security issues, and malware especially in light of the Sony breach last year. Do you think this focus will last?
Media will always report on crime, and crime has shifted into cyberspace. The good thing is that [the media] are all competing to break news coverage first, and this hopefully raises awareness and helps to educate the readers and make them more security conscious.
For example, last year security researchers found weaknesses in software for lightbulbs. Lightbulbs? Yes, lightbulbs that fit in a regular socket, but can connect to the internet using WiFi, enabling you to turn on the light, choose its color, etc. If you had said 10 years ago that in the near future your lightbulbs would be network aware and connect to your WiFi network, people wouldn’t have believed you, and yet now we are dealing with security issues and firmware updates for… lightbulbs. Imagine that criminals can take over your lightbulb. Not as a prank to turn it on or off, but to use it as a spam-center, for instance.
It won’t be long before every device is connected to the internet, making IoT and the security of it *the* key item for the foreseeable future. The big challenge is that it will not be possible to secure all devices, as there may not be enough memory to run security software on them, so the network has to be better protected to discover breaches or, even better, prevent them from entering the network.
How much has the industry changed in the last 20 years?
It has changed a lot. In the late 80s it was all individuals with a passion to protect the world – we all knew each other. Now there are huge companies where, for some, security is a side business, as their main objective is how they can earn the most out of monetization.
One of the reasons I started working for ESET is that they still have this passion, they care about their users, they like to educate, they won’t monetize by bundling third-party software!
Of course the early days were lots of fun. It was a cat and mouse game between the virus writers and the antivirus experts. The virus writers wanted to be known (with their nickname), it was all for the fame and glory of being mentioned.
No longer, unless of course you think about ransomware and/or cryptolockers. Malware in general now does not want to be visible, the cybercriminals even less. And then the motivation changed from being seen to stealing your data, acquiring money, intellectual property, etc.
And if we touched on the world of state-sponsored malware and millions of dollars of development money, we would open a completely different can of worms.
And finally, what was the most challenging threat/piece of malware you’ve ever dealt with?
That is a difficult question, as all have their own intriguing challenges. Looking back in time, perhaps Dark Avenger’s first multipartite virus called Anthrax (1990). At that time I was cooperating with Jan Terpstra, who maintained Virscan.dat, a public resource of signatures used by several products such as TBScan (ThunderBYTE) and HTScan. We received a new scanner, UScan; it was actually a program that wrote itself to the MBR of the hard disk and then “scanned” all the executable files on the disk. Upon the next reboot, the virus would get loaded and all executable files would get infected, something the normal user couldn’t see as it also had stealth capabilities.
For that time, it was very technologically advanced and had some great social engineering to make us run it too!
--
Righard J. Zwienenberg is a Senior Research Fellow at ESET, and began dealing with computer viruses in 1988 after encountering the first virus problems at the Technical University of Delft. He has been a member of CARO since late 1991, and is now President of AMTSO, Vice-President of AVAR and on the Technical Overview Board of the WildList. He is a popular speaker at industry conferences, including Virus Bulletin, EICAR, AVAR, RSA, InfoSec, SANS and CFET.