Various cyber security reports released this month show just how bad the threat landscape is. The good news: AI might fix that.
The Internet of Whatever is a very dangerous place. And security solution firms worldwide have a ton of studies and reports to prove it. In the past few weeks alone, several cyber security firms and other internet players have issued reports and surveys showing just how bad the threat landscape is for both IoT and the internet in general, particularly in the Asia-Pacific.
The short version: very bad.
Just this week in Hong Kong, F5 Networks unveiled a report reassuringly titled ‘The Growth and Evolution of Thingbots Ensures Chaos’.
The F5 report says that 44% of IoT attack traffic originated from China between July to December 2017. And of the top 50 IP addresses involved in IoT attacks, 36 were based in China, which leads the world in total attack volume. (The US is second, followed by Russia.) Meanwhile, Southeast Asia is currently the largest nest of Mirai bots in the world.
Meanwhile, last week Microsoft released the 23rd volume of its Security Intelligence Report (SIR), covering threat data from February 2017 to January 2018. The big threats: botnets, ransomware and good old fashioned phishing. Microsoft says Asia-Pacific “has the greatest number of ransomware encounters” of any other region, with Myanmar and Bangladesh being particularly problematic.
Not to be outdone, Trend Micro’s 2017 Annual Security Roundup report (also released last week) pointed to APAC as the region most affected not only by ransomware (contributing 40% of all threats globally), but almost every threat Trend Micro has a category for.
Earlier in the month, Fortinet issued its latest Global Threat Landscape Report, with similarly grim findings: attacks per firm increased over the previous quarter, and the sophistication of swarm-like attacks targeting organizations is accelerating at an unprecedented rate.
The list goes on.
The good news is that this is not news – we all know cyber security is a huge issue and that we need to take it seriously, and everyone has a plan, right?
Not so fast, says IBM Security, which weighed in last week with a global study conducted by Ponemon Institute and sponsored by IBM Resilient that asked businesses about their formal cyber security incident response plan (CSIRP). Turns out 77% of respondents don’t have one – or at least not one that’s applied consistently across their organization. Nearly half of respondents said their incident response plan is either informal/ad hoc or completely non-existent. And 69% report said they don’t have enough funding for cyber resiliency anyway.
Amusingly (or not), the report found that 72% of organizations said they actually feel more confident about their ‘cyber resiliency’ today than they did last year – thanks mainly to having hired people with cyber security skillsets. However, says IBM, that confidence seems misplaced when 57% said the time to resolve an incident has increased, while 65% reported the severity of the attacks is getting worse.
So perhaps the takeaway here is that the weakest link in security is still humans – whether it’s the humans who get social-engineered by phishing attacks or the humans who don’t take security seriously enough, or aren’t willing to fund it, although the latter may change – analyst firm Gartner said this week that worldwide spending on IoT security will reach $1.5 billion this year, up 28% from 2017. However:
Gartner predicts that through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning. This will hamper the potential spend on IoT security by 80%.
On the bright side, one day artificial intelligence will take humans partly out of the security equation – or at least mitigate their involvement in it.
That’s not as bad as it may sound. In a recent blog post, security expert Bruce Schneier pointed out that while it’s hard to know exactly how AI development will pan out in the next decade (or even the next few years), AI has the potential to do certain security-related things better and faster than humans, from discovering new vulnerabilities and reacting/adapting to an adversary’s actions to abstracting lessons from each incident and identifying strategic and tactical trends from large datasets.
Certainly bad actors will also be harnessing AI to make their attacks even more automated and sophisticated, but Schneier says that since the good guys also have AI, the attack/defense balance could tip in favor of defense:
… [D]efense is currently in a worse position than offense precisely because of the human components. Present-day attacks pit the relative advantages of computers and humans against the relative weaknesses of computers and humans. Computers moving into what are traditionally human areas will rebalance that equation.
That said, a human still has to make the decision to implement an AI-powered security solution (and do it properly). And while AI is expected to replace a lot of jobs in the future, the CSO is not one of them. Probably.
Now the CEO, on the other hand …