“The 2016 US presidential election made one thing clear – that data landmines, properly placed, can make it very difficult for anyone to truly determine fact from fiction,” he told the 2017 RSA Conference in San Francisco.
“And while I am not questioning the outcome of the election, I am calling out that cyber attacks played a real role in that election. It was data manipulated and intended to mislead our ability to make good decisions.”
Politics aside, Young said data is becoming the bedrock of the economy, with billions of decisions being made every day across millions of organisations using big data models.
“And because business increasingly relies on big data analytics to make decisions, we have to pay a lot more attention to the integrity of the small data that goes into those models,” he said.
Young warned that if data is manipulated, it can be turned into a weapon that can be used to disrupt society. He cited as an example the insertion of false data into the data models that are increasingly being relied on to ensure the safe transport of millions of people and items every day.
“We are talking about attackers going after the traffic systems themselves,” he said.
But Young does not see big data as a problem. “Big data is going to usher in many possibilities for all of us, but when the big data gets manipulated, a small insertion of false data can have huge consequences,” he said. “And this is where we appear to be headed next. The next threat vector is the weaponisation of data with us as the targets.”
Real risk for everyone
In the context of the evolution of attacks over time, it is clear that data manipulation attacks are a real risk for everyone, said Young.
Just as the introduction and popularity of bitcoin has boosted ransomware attacks in recent years – although they have been around since 1989 – the increasing reliance on big data analytics will drive the weaponisation of data, he said. “And I’d argue that this is likely to be our next advanced persistent threat.”
While organisations still have to deal with the types of attack that have existed since the dawn of the information technology industry, they also have to deal with an ever-growing number of attack types and an ever-increasing attack surface, said Young.
This is not only because of the growing use of cloud-based services, but also because of the growing importance and vulnerability of the IT environment within homes, he said.
“We have to re-orient our efforts around the home because it is increasingly where all of our employees do their work, and so the next corporate or government vulnerability is likely to be in the home of people who work for those organisations,” said Young.
Read more about IoT security
- Growth of the internet of things will be slowed or stunted if the industry fails to be proactive about data security, according to IoT Security Foundation.
- The influx of internet of things devices will inevitably bring security headaches. Don’t miss out on the opportunities of IoT, but learn how to avoid IoT security issues.
- The five key information security risks associated with the internet of things that businesses can and should address.
- The growing threat of the internet of things is quickly becoming a reality as new attack methods emerge.
Another reason to increase attention on security of home IT environments is that homes now have more powerful, more connected devices that are increasingly being used to launch larger and more sophisticated attacks, he said.
“This is not a new story, but we have been reminded over the past year that this can happen,” said Young, referring to the Mirai botnet attacks in which thousands of routers and internet-connected cameras were hijacked to carry out distributed denial of service (DDoS) attacks.
For these reasons, he said, the home must be taken into account in the design of company security architectures and provision of cyber security tools.
Some companies really lock down employees when they are working from home, but there are still many that do not, said Young.
“They simply rely on policy and hope people will do the right thing, but that freedom can create vulnerabilities, not only for the organisation itself, but for others.
“DNS services provider Dyn had nothing to do with the thousands of unsecured devices that were hijacked by the Mirai botnet to carry out the DDoS attack on Dyn.”
Test by attackers
Young also warned that the Dyn attack should not be dismissed as just another DDoS attack because it may have been a test by attackers of what they can do next or to explore the limits of a new attack tool.
He emphasised that the Mirai botnet is still alive and recruiting more vulnerable devices, which Intel Security proved with a recent test in which a fake digital video recorder was put on the open internet.
“In just over a minute, the honeypot device was compromised by the Mirai botnet from the other side of the world,” he said, adding that this underlines the likelihood of devices in employees’ homes being infected and compromised.
“We have to make sure that the internet of things does not become the internet of terrorism because we have not paid enough attention to it,” said Young.
“It is only through multiple actions by government, device makers and security companies, in addition to educating consumers, that there will be any impact on the threat.”
Target becomes the weapon
But all of these things will not be enough because the target is becoming the weapon, said Young.
“The game has changed on us yet again. For years we have been focused on data exfiltration, but now we have to turn our attention to data being manipulated, weaponised and used against us. And in the home we have to change our focus from compromised devices to weaponised devices,” he said.
Ironically, said Young, by connecting homes with smarter, faster devices and by using big data analytics to co-ordinate much of what we do in society, consumers and businesses have given attackers all the scale they could want.
To tackle the fact that everything the security industry knew about protecting data is changing, information security companies need to start by recognising that none of them can succeed on their own, he said.
“We must work together, but this is not easy to do because the devil is in the detail of who is going to play what role,” said Young.
The way forward, he said, is for every information security company to focus on the broader goal and to be content with being a small part of a larger effort, in much the same way as Olympic goal medallist teams do.
“As an industry, we each need to play our part as a member of a team and come together to deliver a bigger outcome,” said Young. .............................................................................. ..................................................................................