In one of the biggest blockbuster movies of the 1990s, Armageddon, there is a scene shortly after they discover the existence of the killer asteroid on a path towards Earth where Dan Truman (played by Billy Bob Thornton) says something to the effect of “for years people have been questioning the need for NASA, let’s show them that their money was not wasted.”
As I’ve written about multiple times, convincing executive teams of the value of investing in security solutions can represent a challenge of epic proportions as well. And while I’m quick to call foul on the hype machine that sometimes permeates the security industry, I must say that after attending the Black Hat Conference this year and reading as many of the case examples as possible, I’m convinced that the need for cyber security solutions has never been greater.
There was a great article that appeared on The Verge by Adrianne Jeffries detailing the top ten reasons to be afraid of hackers. While written for more of a general audience than for the enterprise, it is easy to make the leap from what is possible at the consumer level with inexpensive, low-grade equipment to what would be possible with sophisticated technology and the funding of an organized syndicate or nation state. To put it bluntly, what is now possible through hacking is, in a word, terrifying.
If you did not have the opportunity to attend either Black Hat or Def Con this year, I encourage you to read up on some of the new threats and capabilities being reported. While the coverage paints some scary scenarios, it is also the healthy dose of reality needed to maintain discipline in dealing with these threats on an everyday basis. These types of events help to educate the market as to the types of threats that are possible and focus the vendors on what they need to be doing to combat the advancements of the hacker community. Or as Dennis Fisher put it so eloquently in his Black Hat summary for Threatpost:
…the good thing about Black Hat and other conferences like it is that vendors and manufacturers now pay close attention to the research presented there and use it to learn and do better the next time. Rather than threatening researchers with legal action–which used to be the norm–they are now sitting in the audience looking for ways to harden their products and work with the researchers to improve their security models. That’s progress.
One of the general themes that stood out to me throughout the conference was the use of hacking to overtake or disrupt so many aspects of our daily lives. I’ve included the top three stories that stood out to me at Black Hat this year as things that were either shockingly simple or potentially so damaging that they call for immediate action to correct.
The write-ups of these stories first appeared in The Verge:
• Hackers could take control of your car while you’re driving: Car hacking has turned out to be one of the biggest hacking trends of the year. Hackers can break into your car remotely or sneak in to tweak things under the dashboard. You might be driving and find that suddenly your brakes don’t work, or your wheel starts jerking, or your display is showing the fuel tank is full when it’s actually empty. Charlie Miller, security researcher at Twitter, and Chris Valasek, director of security intelligence at IOActive, recently demonstrated these terrifying feats with Forbes reporter Andy Greenberg behind the wheel.
• Hackers could shut down a power plant: Wireless networks are pretty useful for controlling power plants. They’ve also been implemented in nuclear, oil, gas, and water facilities. A pair of hackers discovered a vulnerability in a certain type of wireless device made by three of the leading industrial wireless automation solution providers. The vulnerability means that a hacker within a 40-mile range of the plant could read and write data into these devices using only radio transceivers. From there, the attacker could inject false sensor measurements in order to wreak havoc on the plant’s operations, triggering surges of electricity or mixing oil in the wrong proportions. The hacker could also simply disable the network and shut down the entire facility. This type of interference could have disastrous consequences depending on the size of the plant.
• Hackers are haunting your house: Let’s start with your smart television: hackers can grab your account information, install a virus, or take over your webcam and microphone and stare at you while you scarf popcorn on the couch. Suddenly you’re sweating: the hackers have cranked up your thermostat to sauna levels. Next, the lights start flickering on and off. And finally, your smart door-lock, which uses Wi-Fi or Bluetooth, suddenly clicks open. As connected devices make our home lives more convenient, the paths of entry multiply from just the computer to everything in the house.
So while at first glance some of these stories might seem like they were pulled from a Hollywood script, let me assure you that the vulnerabilities are very real. At a time when many are questioning the need for continued spending on security, it’s time for us as security professionals to step up and meet these challenges and prove that it is money well spent.