November was a scary month in California. After four years of drought, the forests and towns in the northern part of the state exploded into wildfires, displacing thousands of residents and destroying millions of dollars of property. The foul air in San Francisco and the surrounding areas was a sordid reminder of the ordeal and a warning that once adverse conditions exist disaster can strike at any point.
We can’t help but draw parallels between the adverse fire conditions in California and the adverse risk conditions in the digital world. There are many unaddressed risks out there that make the possibility of a big security disaster in the coming months very real.
There are new, widely relied upon technologies that do not have established proven security practices attached to them yet. These are
- API security
Few security tools can provide API protection that can understand protocols such as REST, JSON, SOAP and XML, adjust for the application’s context, and be smart enough to not block the API calls that are legitimate and essential to the operation of the applications themselves. We have covered the key API security considerations in another blog post.
- IOT security
IOT devices have received broad adoption in home, business, and industrial settings. At the same time, the market is very immature, which often means that the software running on these devices is buggy. To add insult to the injury, IOT devices are notoriously hard to upgrade when there is a problem. In many cases, an upgrade requires swapping a device equipped with the old hardware for a device with the new one. In a recent audit conducted by the Commonwealth of Massachusetts, 46 percent of respondents felt that IOT security risks cannot be managed effectively.
- Mobile endpoint security
Mobile phones and tablets carry so much information these days that it feels our entire life, both personal and professional, is in them. Work email, your mother-in-law’s phone number, signed documents, credit cards for Apple Pay — it’s all in there. While Apple, Samsung, and Google do pay attention to the security of their devices, it is no surprise, given how complex the devices are, that there are still vulnerabilities. For example, a couple of weeks back in a hacking competition in Tokyo, both Apple’s and Samsung’s newer flagship devices were compromised by the white hat hackers; this included attacks to the baseband — the tech that connects the devices to the cell towers.
- Container security
To keep up with fast changing requirements and make their offerings more scalable, most businesses now deploy their applications in the form of containers, such as by using Dockers, and scale each of the application functions individually. While a solid approach, this new deployment model requires a new generation of security tools: those that can natively deploy on Kubernetes, monitor APIs, and work with fast-changing application contexts. We covered Kubernetes security in an earlier blog.
While the new technologies create new threats, the old risks remain. Vulnerabilities still exist in third-party platforms, like WordPress & Joomla. Because of poor user practices and the long window between the actual compromise and the discovery of the problem, the danger of these vulnerabilities being exploited still looms over most online businesses.
On top of that, the attackers are getting smarter. It’s an old truth that to protect, you need to protect everything, but to attack, you need only to find a single vulnerable point of entry. The new generation of attackers uses two strategies: broad scanning for accessible entry points and highly targeted spear-phishing attacks. In both cases, the attacks are frequently enhanced by AI/ML tools that generate daisy-chained exploits on the fly. In his recent Forbes article, Ivan Novikov describes how attackers use AI technologies today and what we can expect in the near future.
With these high-level threats, it’s surprising that security incidents have not been worse. It’s up to us to stay prepared, be ready to discover and recover, and try to compartmentalize and minimize risks.
While all we can do for California fire victims to send them our prayers and DONATIONS (Select California Wild Fires from the drop down) to help them rebuild, we still have time to audit our systems for security and make sure that we are protected and any damage there may be is contained.