RSA Conference 2017 will take on the threat posed by the internet of things, something that was demonstrated last fall by the DDoS attacks that took down Dyn data centers and many of the high-profile Web sites it supports.
Those attacks, generating peak traffic of 1TByte or more, raise the question of how best to secure these devices, and sessions at the Feb. 13-17 conference in San Francisco try to answer it.
The offensive potential is great for compromised IoT devices such as home routers and surveillance cameras because they can readily be hijacked into bot armies that launch these high-volume attacks. The onslaughts are difficult to stem because they come from a wide range of IP addresses broadly distributed around the globe.
Akamai, one of the service providers that helped mitigate the first of the large IoT DDoS attacks linked to Mirai malware, is sending Or Katz, one of its researchers, to the conference to deliver a warning. "Once upon a time, the Internet of Things held unimaginable promise," is how he describes the problem. "Then came Mirai ... and all the associated attacks, and suddenly the promise seems more like a threat."
Attackers can extort money from potential victims by threatening DDoS attacks and demanding payment to call them off. Or they might use the attacks to exact revenge against companies for perceived wrongdoing.
But DDoS attacks are just one of the uses to which adversaries can put IoT machines. They can compromise devices that are essential to manufacturing or even human health, where well-timed attacks on relatively few devices can damage other equipment, tie up production lines or compromise patients' well-being.
IoT gear doesn't exist in isolation, so attackers will seek ways to compromise other devices that it interacts with in an effort to affect their usefulness, according to Anthony Gambacorta, the vice president of operations at Synack, who is speaking at the conference. He'll present specific examples to look out for, including IoT products' relationships with cloud servers and mobile applications.
Using data that IoT devices gather as legal evidence poses its own set of problems, which include preserving the data and its integrity, and analyzing it for incident investigations and to present as evidence in court. The nuances of these emerging needs will be examined by attorney Erik Laykin of Duff & Phelps LLC.
Security luminary Bruce Schneier will offer up two sessions about regulating IoT devices, which are woefully insecure, some say because they are not held to any set of security standards. But Schneier says we'd better get ready for them. "Licenses, certifications, approvals and liabilities are all coming," is how he introduces one of his sessions. "We need to think about smart regulations now, before a disaster, or stupid regulations will be foisted on us."