What Michael Caine and Cayla teach us about Information Security today

Our most recent blog on Information Security suggested Information Security is no longer boring… well, I am here to argue that it has never been boring! It has been the subject of many a good film for starters - remember The Italian Job and the scenes where they hacked the Turin traffic system to cause chaos, and the memorable scenes with the iconic Mini Cooper? As we look forward, technology will be limited by the way in which you can secure it: think about things like the emergence of nanosensors – “a doctor inside the body” that look for specific patterns, events and conditions and then report via radio frequency to an external computer to help diagnose. Its potential sounds fantastic, an incredible tool, but how do you make sure it is secure? How can you make sure someone isn’t monitoring it? Or worse still, “adjusting” what is being reported!

Which leads us nicely onto the IoT threat: we don't need to look as far as cutting-edge, sci-fi-sounding technology, we already face risks today. For example, we've seen the talking doll named Cayla banned by German authorities because the software inside her could be hacked, posing a security risk and allowing personal data to be revealed. The Federal Network Agency recommended that parents who bought the doll for their children destroy it.

But the threat isn’t just in our private lives. At a recent Confederation of British Industry (CBI) conference there was a live hacking event that showed just how easy it was to hack Building Management (BM) systems: using tools like Shodan to find out where certain BM systems are on the internet, then very easily creating a login/password to get into the system - and from there moving laterally around the network! Not just Building Management systems but also door access controls, CCTV, “connected” or “intelligent” drinks machines, Smart TVs etc. were all designed with functionality and cost in mind, often at the expense of security, leaving them wide open to be exploited and therefore leaving businesses exposed.

If we now look at today’s landscape we’re starting to see an overall slowdown in new Malware but an increase in more sophisticated Malware, and a decrease in ransomware cases but a large increase in Cryptojacking (with groups like Lazarus becoming active again).

The Information industry is littered with stats; the one that resonates the most - now slightly dated, but still relevant - is from Ponemon: it states that on average it takes a financial organisation 98 days to identify an advanced threat and 197 days for the retail industry. So whilst we absolutely need to be aware of the emerging threat from AI/Machine Learning and Quantum computing, we still need to focus on the here and now:

  • be aware and on top of the IoT threat
  • be ready to deal with the continued threat from sophisticated Malware both to our laptops and desktops as well as our mobile devices
  • back up regularly to avoid ransomware
  • look for coin miner and cryptojacking Malware which saps the computing power of your organisation
  • deploy a threat hunting capability so that your digital assets are not left hanging over a virtual cliff and hearing Michael Caine saying “Hang on a minute Lads, I’ve got a great idea!”.