“Security company Trustwave issued a warning about potential bathroom breaches of luxury Satis smart toilets from Lixil. The toilets can be controlled using an Android app…”
According to Trustwave, “Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.”
Pretty funny, right? I’m sure the user is distressed—but not as much as JCPenney, Visa, and Nasdaq, who recently found themselves on the list of victims of one of the biggest hacking events ever. These companies were under attack for three or four years and didn’t know it.
It’s not really all that funny.
If you’ve been around IT for any time at all, you’ve seen security threats evolve from mischievous annoyances to deadly serious business-threatening assaults.
Back when personal computing was just getting started, hacking attacks were essentially pranks by young programmers who just wanted to show what they could do with code. They took the form primarily of boot viruses that attacked individual computers.
But it didn’t take long for hackers to start getting serious, and to start targeting corporate IT infrastructures. New techniques included worms, Trojan horses, flood attacks, limited-target hacking, and denial-of-service (DoS) attacks.
We watched hacking become a business, and security threats reached industrial strength—distributed denial of service (DDoS) attacks and attacks that combined multiple techniques. And the advanced persistent threat (APT) reared its ugly head.
Now enterprise computing infrastructures are under attack from organized criminal groups, rogue governments, and extreme activists with political axes to grind. Companies are fighting to keep their operations running, their revenues coming in, and their reputations intact—and at the same time protect the identities, personal information, and bank and credit-card accounts of their customers.
It’s an ongoing battle between good and evil.
You can’t help but think of Star Wars. It’s not much of an exaggeration to call it a full-scale war between good and evil, a conflict with the dark side of the IT force. As criminals refine and perfect their attacks, technology vendors develop new weapons to defend against them. And as defenses get stronger, attackers step up their assaults.
So in the ‘80s, firewalls and antivirus software were enough. By the ‘90s, we were deploying deep packet inspection, intrusion-prevention systems, web filtering, and data-loss prevention systems. By 2000, unified threat management and web application firewalls were raising the walls higher against the rising flood of threats. And today we’re deploying defense-in-depth and security information and event management solutions to detect APTs and prevent DDoS attacks.
What makes it all so challenging?
Why is it, then, that even with multilayered, state-of-the-art security technology in place, the bad guys still win with alarming regularity? Why do we keep seeing statistics like “855 successful breaches, 174 million records compromised, remediation costs of $5.4 million in the United States and $4.8 million in Germany”?
Because nothing is simple in the IT world, and there are a lot of important things—like preserving legacy investments, keeping costs down, optimizing performance, and taking advantage of new technologies—that can either interfere with security efforts or take precedence over them.
And because current approaches aren’t keeping pace with new attack techniques. With more than 74 percent of DDoS traffic arriving as infrastructure attacks, organizations are still hardening, securing, and updating servers—but not infrastructure devices such as routers and switches. With DNS showing up as the second most common attack-vector protocol, behind only HTTP, most IT organizations still run DNS on highly vulnerable commodity servers.
And what are we going to do about it?
So in the continually escalating battle, where do we go next? Stay tuned to this blog, and we’ll try to come up with some answers for you.