ISIS is a growing cyber threat, but don’t get too concerned about attacks on the Internet of Things just yet, according to business threat intelligence consultancy Flashpoint.
“Pro-ISIS hackers have emerged in the past two years with the intent to launch cyber-attacks on critical Western targets, and their numbers are growing,” said Flashpoint co-founder Laith Alkhouri, also the firm’s director of research and analysis for the Middle East and North Africa.
He points out that in the summer of 2014, a hacker group with outspoken support for ISIS – called the Cyber Caliphate – overran the Twitter account of U.S. Central Command (CENTCOM), the unit with overall responsibility for military operations.
At the time, he said, media outlets were abuzz with the story, and “questions regarding ISIS’s capabilities to hack into the government’s secrets fed the frenzy.”
Relax, it was a Twitter account.
“The matter of fact is (they were) able to obtain the credentials to a Twitter account, not top secrets,” Alkhouri said. “Frameworks for such hacking attacks are available, and many online hacking forums have courses for anyone who is interested.”
A lot of ISIS cyber-attacks mirror their real-life counterparts – small businesses with less-than-stellar data security that wind up with client personal information being hacked and exposed.
Or, as security agencies would say in the real world: soft targets.
Alkhouri pointed out that at one point, ISIS hackers made threats against big tech companies like Google, Twitter and Facebook, even claiming to have disrupted Twitter for two hours in one instance.
“There is no substance to the claim, and evidence suggests that they are far from nearing such accomplishment,” he said. “They are under-sophisticated, and apparently under-funded.”
So IoT is safe... for now
So hacking a far more complex network of devices and systems, like the Internet of Things, disrupting major networks, or overrunning critical systems “are not feasible today,” he said.
Recent breathless media reports suggesting ISIS was developing a “Google-style” driverless vehicle for attacks are fanciful at best.
“If this (plan) was so (potentially) successful, or even exists in the first place, why keep sending suicide bombers to launch attacks then?” Alkhouri asked.
He added that ISIS has claimed to have launched attacks by mobilizing unmanned explosive vehicles and targeting security sites. “But the number of claims of credit for this sort of attack are negligible when compared to the overall number of attacks ISIS claims responsibility for,” he said.
But it doesn’t mean we should get complacent.
“Operationally they seem to be on an upward trajectory,” Alkhouri said. “They have increased the volume of cyber attacks, the (ISIS hackers) have grown in number, and they have received significant online support.”
We may not be under imminent threat, but he pointed out “their cyber capabilities are not expected to stay underwhelming.”
But as in real life, it often takes the worst to force action from the public and private sector.
ISIS will continue to exploit vulnerabilities
David Miller, chief security officer at IoT and cloud security firm Covisint, said similar motivations, balancing advances and privacy against security, will likely mean an ISIS-hacked self-driving car will have done its worst before we do something about it.
“(It’ll) be like what we’ve seen with the internet. It’ll take until someone actually dies in an autonomous vehicle due to a hack,” Miller told ReadWrite previously. “That doesn’t mean people aren’t thinking about security, but usually, there needs to be an actual event before you solve them — unless there’s a government agency that comes in and says ‘We’re going to regulate exactly what you can and cannot do.’”
As cybersecurity experts keep watch, “companies and governments must beware of this looming threat and take proactive measures against it,” Alkhouri said. His firm recently identified a common vulnerability across multiple hacked websites; in this case, an outdated PHP script.
“Identifying certain vulnerabilities that the groups previously exploited” will be key, he added.