IoT and Biometry: From Identity Theft to Heart Attack
The information security field raises more questions than answers. But do specialists have enough time to respond to the rapidly growing number of cyber threats, which are also becoming more sophisticated thanks to machine learning?
What do we need to prepare for?
Companies are ready to spend any money to protect their data from cyber attacks in view of sensational scandals and the rapid growth of the digital industry. Cyber attacks are becoming more and more inventive, and each time more advanced hacking methods are used. Experts identify three types of threats: accessibility threats, integrity threats and privacy threats.
The first type refers to unintentional errors, including user and system failures as well as mistakes in existing infrastructure. The second type, integrity threats, includes all possible cyber attacks to steal or change information. The third is a threat to privacy: it implies any lack of protection for confidential information, whether private or corporate, and the ability to make it public.
IoT as a threat
IoT devices today, unfortunately, do not have sufficient protection, which confuses the suppliers of goods and services. It's hard to give up such convenient and effective know-how, but semi-professional cyber criminals enter the arena by offering their “services” to corporations.
In 2017, the number of cyberattacks on IoT devices more than doubled. Companies that happily rushed to IoT faced another problem: the difficulty of tracking what data is transmitted to external sources. Thus, corporations are immediately exposed to all three types of threats described above and lose control over the information that has been transferred to suppliers. Users also face a lot of trouble. "Smart" devices put all personal data at risk, from social network accounts to passport data and credit card information. Cybercriminals have an arsenal of methods for extracting personal information: from malware and ransomware to programs that enable identity theft.
Fahad ALRUWAILY, PhD, Senior Consultant in CyberSecurity from Saudi Arabia, said in an exclusive interview for Bitnewstoday.ru: “Privacy and PII (Personal Identification Information) are at greater risk when introducing IoT technologies and enabling them in managing our day-to-day activities. Minimizing such risks entails having a stronger procedure and embedded controls into any IoT enabled device, gadget, appliance, application, etc. Further, a new and adaptive Secure IoT framework has to be devised to provide an extra layer of security and protection”.
Steven WEISMAN, a college professor at Bentley University and one of the leading cybersecurity experts in the United States, also points to the danger of using IoT devices: “Anything that is connected to the Internet potentially could be hacked resulting in control of the device, which could be even life-threatening as in the case of a medical device or could be a way for hackers to access data from the device or other devices that are a part of the person's network”.
In an exclusive interview for Bitnewstoday.ru, Steven describes his vision of the problem: “The solution is multi-pronged and includes better built-in security during the development phase of these technologies which is not done enough, educating consumers about the risks and explaining how to protect themselves with strong passwords and other security measures, constant updating by consumers of necessary security software and making consumers aware of privacy settings they can use”.
Knowledge as a defense
Fahad ALRUWAILY, drawing on his professional experience, believes that people are the weakest link in the whole security chain. A lack of awareness and of basic protection skills is sometimes the biggest threat to the security of companies.
“Most attacks are employing sophisticated social engineering methods to obtain classified information such as user credentials, i.e. access ID/password, via phishing emails. Other threats range in degree from top management support to InfoSec initiatives, no adequate controls or impractical adoption of security detection and prevention measures, undiscovered and unpatched software/application/system vulnerabilities, insiders' abuse of privileges, data breaches, lack of data classification, etc.”
How we can be protected
And now the main issue that concerns the entire digital society: what cybersecurity technologies should be developed? Tokenization technology is recognized as one of the advanced methods of data protection. Voice biometrics and facial recognition technologies have both become commonplace. However, the absolute reliability of this technology, according to cybersecurity experts, will only come with the use of so-called “closed data”: a heart pulse, a picture of the blood vessels of the retina and DNA particles of the user. Biometric authentication systems are developing towards the implantation of individual readout devices directly into the human body.
“Biometrics have proven to be a very efficient and cost-effective technology, but nothing is perfect. Fingerprints can be lifted and duplicated, masks can be created to manipulate a facial recognition system and videos can be used to trick iris-pattern matching. A number of companies including Google are using AI to dramatically increase the reliability of facial recognition by neural networks,” says Steven WEISMAN.
Another unique cybersecurity method that he named was moving target technology. “Moving target technologies are becoming increasingly popular. As evident by its name, the theory is that it is harder to hit a moving target. In this case, actions such as fragmenting and encrypting data and moving it throughout a particular infrastructure or changing your password or network connection make it more difficult for a hacker. One problem is that the Moving Target Technology itself must keep track of the constant changes being made through middleware which can present a new vulnerability point”.
Cryptographic encryption
This technology is divided into two types: symmetric and asymmetric. The first type allows you to encrypt and decrypt data with one key, while the second uses two keys: one for encryption and the other for decryption.
Quantum cryptography opens up the next level of cryptography. The method is so unique that it promises almost absolute protection of encrypted information. The key for encoding and decoding is generated by a photon that moves at quantum speed. When someone tries to break in, the photon changes its direction of motion according to the laws of quantum physics, introducing errors and distorting the information. It sounds very futuristic, but this technology is already being actively developed by IBM, GAP-Optique, Mitsubishi, Toshiba, the national laboratory in Los Alamos, the California Institute of Technology, as well as the QinetiQ holding, supported by the British Ministry of Defence.
Steven WEISMAN says the following about quantum cryptography: “Quantum cryptography offers great promise, but it is certainly not a panacea as it is still in the relatively early stages. While its promise is great there are a number of concerns including error rates and technical difficulties producing single photons necessary for quantum encryption. Quantum encryption also requires broadband fiber for the entire connection which is a practical issue. Additionally there is some research such as that of Jonathan Jogenfors of Linköping University who identified vulnerabilities that could be exploited to hack quantum cryptography. Quantum encryption is intriguing and may be of significant benefit in the future, but much work remains to be done”.
And, of course, systems managed by AI are the obvious next level in the hierarchy of cybersecurity measures. The opportunities and threats of AI in cybersecurity will be discussed in the next article.