"What's past is prologue"
Networks, personal computers and servers have long been under fire from hackers and criminals leading to headline grabbing data breaches world wide and spurring massive investments in security technology. And cyberattacks are expected to increase further as devices from phones to appliances to cars become connected to the Internet.
Global cybersecurity investments in 2014 year reached $2.5 billion according to data firm CB Insights. And driven by demand from banks, retailers, government agencies and hospitals, worldwide spending on information security technology is expected to grow from about $77 billion this year to $108 billion in 2019, according to research firm Gartner.
Many of the companies receiving investments and much of the money being spent by governments and corporations is oriented towards network security focused on traditional computing platforms such as personal computers and servers, with an increasing emphasis on mobile devices.
Hackers are targeting overlooked soft targets
Because network security efforts are receiving the bulk of the attention and are improving, hackers are increasingly looking for “easier” targets. As developers produce more and more software to power new IoT products, they introduce new risks and bring to market devices vulnerable to security attacks. Cutting-edge hackers are acutely aware that many of the security procedures and applications in use today have been designed to defend against attacks on personal computers and network servers, not mobile and embedded systems.
Embedded systems and connected devices are already deeply woven into the fabric of our lives. They help to fly our planes, dispense life-saving drugs to our loved ones, steer our automobiles, and operate ‘smart homes.’ The only problem is they’re not secure. And in this environment that doesn’t result in data breaches and monetary losses. It could result in physical theft and mean actual loss of life
Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on—all beyond the control of the driver. “Smart home” controls have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks, other cases involve industrial control systems being hacked via their wireless network and sensors.
Why attack the traditional network when there are other routes? Hospitals for example represent easy targets – Medical devices far outnumber PC's in a hospital network, and lack firewalls, malware protection, strong encryption, or even recent security patches or operating system updates. Embedded applications in medical devices are increasingly being developed for use on platforms that enable them to more easily interface with a large variety of software applications, databases and communications networks. But in the rush to establish common platforms and network these devices, security concerns have been poorly addressed.
Applying what we know about network security
While there are hundreds of products and a variety of approaches to network security, the most basic defense is to protect against software exploits. The most famous example of this was the Heartbleed Bug, a serious bug that left applications vulnerable and allowed attackers to steal data and impersonate users. At the time of its disclosure, it was estimated that about 17 percent (around 500,000) of the world’s secure web servers were vulnerable to Heartbleed exploits. Due to its prevalence, many consider Heartbleed the worst vulnerability ever discovered.
This bug shows the importance of application security since Heartbleed was due to the most common flaw in C code, the buffer overflow and is preventable using better coding techniques and performing source code analysis. This has raised the profile of application security and there are many resources such the OWASP [Open Web Application Security Project] Top 10 Web Vulnerabilities, that track coding defects, so that developers can make sure applications aren’t vulnerable to common attacks.
Changing The Course of History
As more and more devices are put into use manufacturers and developers should follow the lead and heed the lessons learned from network security. Security needs to be built in, as the foundation of IoT systems, with strong authentication, and encrypted communications and data. At the application level, software development organizations need to be better at writing code that is reliable meets safety critical requirements and is secure, with better code development standards, training, threat analysis and testing.
"Those who do not learn history are doomed to repeat it."
For more information on how to improve code security check out the white paper ADDRESSING SECURITY VULNERABILITIES IN EMBEDDED APPLICATIONS USING BEST PRACTICE SOFTWARE DEVELOPMENT PROCESSES AND STANDARDS and start protecting your applications