How Bad Is It? Assertion #2: There is More Attack Surface
I’m lazy and I’m looking for low-hanging fruit here with this post. To that end, I’m going to tackle Assertion #2 in my four-part, no-award-winning screed about the current state of Information Security. As my millions of bots, err, readers will undoubtedly recall, one of my claims was that we were worse off for three distinct reasons. One of them was that there was simply more attack surface. This is fairly easy to show.
My position is this: IoT devices (cameras, locks, thermostats, etc), the proliferation of mobile applications, web applications, and connected devices have led to a wide attack surface.
When I was starting my career, one of our senior fellows talked about refrigerators and toasters being “smart” and “connected.” This was in 1999. I think it’s fair to say that day is here. A vast array of devices for the home and the enterprise are now connected. They run a variety of operating systems and they are updated and supported in a variety of ways. By and large, they’re developed, deployed, and managed in a highly insecure manner. That’s another part of this piece. There are billions of these devices out there that didn’t exist just a few years ago.
Next, we have mobile devices. In 2002, it was acceptable - barely - to not own a mobile phone. For some, it was acceptable to not have a pager. The thought of this gives me a cold sweat. Today there are as many devices as people. That number is increasing. Last year, Cisco Systems estimated a 1.5 devices per-capita global device count in the near future. Not only do these devices represent a staggering increase in attack surface, but the mobile applications that run on them almost double it. This is to say nothing of the increased server and laptop/corporate desktop count. Factor in cloud instances - both IaaS and PaaS - and you have a LOT of devices. Devices and their data with supporting infrastructure equal attack surface.
Finally, I would draw the reader’s attention to the number of sites connected to the internet. Pointing to this number in an effort to make my point is a bit simplistic but it gives us a good idea of what the increase of connectedness looks like. Let me explain.
We’re getting close to a trillion sites online right now. In 1991 there was one site. In 1999 there were about 3.1 million sites. Sites serve up content, process connections, and transactions, and are (mis)managed by individuals or groups. There are more sites today and those sites and their relative rapid increase are closely representative of the rise of general connectedness.
I think I’ve shown something very obvious with this post. There is a staggering amount of attack surface. In a few posts, I’m going to tackle the sidebar topic of the security around the security of that attack surface.