The Security Threat is Real and Increasing!
“At around 8:15am the Monday before Thanksgiving, that black screen of death came on (all the office PCs). They shut down the entire network. We couldn’t really work the rest of the week, which seemed OK because it was a holiday week. But as Tuesday and Wednesday progressed, it became clear that this wasn’t a simple hack…. It wasn’t until Monday or Tuesday of the following week when we realized the extent of it. That’s when we got word that it might take weeks to get (our PCs and Data Centers) back up.”
Those words are from an employee of Sony Pictures Entertainment who talked to Fortune magazine.
As is now common knowledge, Sony Pictures Entertainment revealed that it had been hacked by a group calling itself the Guardians of Peace, which the FBI claims was an agent of North Korea. Apparently, that repressive Communist country was using cyber-terrorism in an attempt to repress free speech in the United States.
Few remember that between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service (Qriocity), along with Sony Online Entertainment (the company’s in-house game developer and publisher), were hacked by LulzSec – a splinter group of the hacker collective known as Anonymous.
The latest Sony cyberattack comes after many years where China’s government has been accused of hacking into U.S. State Department, Postal Service, military contractors and government agency computer networks.
Iran has tried to disrupt American banks with denial-of-service attacks, and conducted a destructive attack on a Saudi oil company’s computers in 2012. For years, organized crime groups in Russia have used cyberespionage to commit financial fraud, while the Russian government does nothing to stop it.
Expect to hear of more of our government networks infiltrated by rogue foreign states. A Georgia Institute of Technology report on Emerging Cyber Threats in 2015 states, “Low-intensity online nation-state conflicts become the rule, not the exception.”
It’s not only Sony and the U.S. government being targeted. Let’s not forget the cyber attacks and data breaches on Target, JP Morgan Chase, Home Depot, Apple, eBay, P.F. Chang (restaurants), Domino’s Pizza, Montana Health Department, Google, etc.
Reports, Maps, and Expert Opinions:
In its most recent State of the Internet Security report, Akamai states that there was a record-setting number of DDoS (Distributed Denial of Service) attacks on websites in Q3 2014. The 22% increase in total DDoS attacks marked an 80% increase in average peak bandwidth compared to Q2 2014 and a 389% increase from the same period a year ago (Q3 2013). That means the largest companies with the highest bandwidth websites are being targeted by hackers.
This terrific interactive cyber map from anti-virus software maker Kaspersky depicts all the current cyber attacks occurring around the world in real time. It clearly shows the growing intensity of hack attacks as the year progresses.
“Security will never be the same again. It’s a losing battle,” said Martin Casado, PhD, during his Cloud Innovation Summit keynote speech on March 27, 2014. “Currently, cyber security spend is outpacing IT spend, and the only thing outpacing security spend is security losses,” he added.
A recent survey by the Ponemon Institute indicated the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
Clearly, this isn’t an issue of investment, innovation, or priorities as most large industries are built around security. Mr. Casado believes there is a fundamental architectural issue: that we must trade off between context and isolation when implementing security controls.
Security Top Concern for Cloud Computing and Open Networking:
With today’s huge “cloud” resident data centers (Google, Amazon, Facebook, Microsoft, Yahoo, etc.), there is a very large potential “attack surface” or “threat footprint” for malware and other cyber threats. That’s still the number one concern of users who are considering cloud computing.
In a Dec 17, 2014 article KPMG says “Data Security Still Top Cloud Concern.” However, theft of intellectual property (IP) is the most significant challenge IT executives face in doing business in the cloud. Isn’t theft of IP a security issue too?
The mega trend to replace hardware functions with software (known as open networking, software defined networking, network virtualization, and network function virtualization) greatly compounds the security problem by exponentially expanding the threat attack surface.
For example, if the (centralized) SDN Controller goes down because of a DDoS attack, the entire network goes down. If multiple NFV “virtual appliances” are implemented on a compute server that has been compromised, all those functions stop working. Similarly, if a server running network virtualization (or tunneling in the overlay SDN model) is attacked, that network goes down too.
U.S. Infrastructure May Be Targeted Next:
Information security experts say the greatest danger is that foreign governments and cyber terrorists will go after the nation’s critical infrastructure — airports, water treatment plants, power companies, oil refineries and chemical plants.
Cyber terrorists could turn off the lights for millions of Americans by attacking power grids, shut down the nation’s airports by seizing control of air-traffic control systems or blow up an oil pipeline from thousands of miles away, experts say.
“This is a much bigger threat over time than losing some credit cards to cyber-criminals,” said Derek Harp, lead instructor at the recent training conference run by SANS Institute, which provides cyber security education and certification for people who run industrial control systems.
Maryland Rep. Dutch Ruppersberger, the senior Democrat on the House Intelligence Committee, said cyber attacks will be “the warfare of the future.”
“Just think what could happen down the future if North Korea wanted to knock out a grid system, an energy system, knock out air-traffic control,” he said in a December 22nd interview on CNN.
What Will U.S. Government Do in Response?
At a news conference last week, President Obama urged Congress to try again next year to pass “strong cybersecurity laws that allow for information-sharing. … Because if we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy.”
A front page article in the December 26th Wall Street Journal reported “that (U.S. government) officials have held a series of briefings on the issue in 13 cities across the country advising companies not to connect industrial control systems to the Internet.” The article does not state or imply what those systems should be connected to.
Finally, we infer that the highly touted Internet of Things will be subject to the same cloud security issues as industrial control systems. I shudder at the thought.
3 replies on “Security is Biggest Issue for U.S. Infrastructure, Cloud Computing, Open Networking, and the Internet of Things”
Thanks Alan for writing this excellent summary and for bringing together datapoints heretofore not connected. I completely missed the WSJ article about the Federal Government advising companies not to connect industrial control systems to the Internet.
And although I am bullish on autonomous vehicles, security of the communications channel and prevention of non-authorized control of them may be the biggest issue they have. These “Mobile Internet of Things” could easily turn deadly.
The ironic thing is that I couldn’t get in to the draft version of this post to take a look at it because of security measures Viodi’s ISP took.
It is this sort of hidden “opportunity cost” of fixing security threats – real or imagined – that isn’t easily measured. Still, these threats extract a real toll on the economy and on people (there is real mental anguish trying to remember passwords, making two-factor authentication work, etc.).
The analogy is probably the airport security and the real costs and hassle to individuals it causes. I often have the same type of feeling that I do in an airport security line as when I am trying to log into a web site. Frustration abounds!
The flip side is the convenience of using social media log-in credentials for third-party sites. It is easy for the consumer, but from my experience in developing web log-ins, I am very wary of using third-party credentials to log-in to sites, as those credentials can sometimes expose a great deal of data to third-parties (e.g. friends, friends of friends, etc.).
Ken, In the 10+ years I’ve been working with you at Viodi, your comment above is by far the best I’ve seen from you OR anyone else! The IT security problem has continued to be underestimated and not properly recognized. I read today that JP Morgan (which had experienced a hack attack earlier this year) was DOUBLING the $ it will spend for IT security in 2015! Many thanks for your superb comment! Alan
A Sept 27, 2014 Barron’s article (online subscription required) hints that VMware may sell Hypervisor security software to commodity servers and bare metal switches:
In an age of break-ins at major retailers like Target and Home Depot, he notes, more and more network attacks can’t be stopped by conventional network firewall devices sold by Cisco and Check Point Software Technologies (CHKP). To Martin Casado of VMware, the virtual machine will assume a new role of protecting all the precious containers running on each server.
“So, call it a security visor, call it whatever you want,” he says. “The nature of a hypervisor changes to one of providing isolation for those applications,” he says. Casado’s ambition is even broader. Some of the traditional network switching business of Cisco can be disrupted, he says. VMware hypervisor software can be sold as a program to manage inexpensive switches from Dell and others that undercut Cisco’s premium. It is, to Casado, a grand transformation of the networking business, one that clearly excites him as he draws various diagrams on a white board of the shifting architecture of networks. “We haven’t even seen yet what will happen with this fundamental change” in IT, he says.
The business he oversees, called NSX, is running at over $100 million annually, still small, but Casado has 3,000 VMware salespeople to help sell it, and 50 million VMware-enabled virtual machines running in data centers—“enormous” resources, he says.
If he can transition VMware to the next era of data centers and networking, Casado may both save the company from obsolescence and open up a new frontier on Cisco’s turf.