What Businesses Can Learn From the Mirai Botnet DDoS Attack
Sitting in a cybersecurity conference days after a massive cyberattack is a surreal feeling. In the midst of Cyber Security Awareness Month, the whole world is now looking with eyes wide open at Internet of Things (IoT) security after the historic distributed denial of service (DDoS) attack perpetrated by the Mirai botnet targeted these insecure gadgets.
Connected IoT devices from tens of millions of IP addresses worldwide flooded domain name system (DNS) provider Dyn with traffic last Friday, taking down a large swath of the Internet including sites like Twitter, Spotify, Airbnb, Netflix, Reddit, GitHub, and many others.
The connected devices turned out to be everything from smart home devices and routers to hacked DVRs and connected cameras, many of which were swept into the botnet because hard-coded or default passwords on the devices were never changed.
During the National Cyber Security Alliance's (NCSA) Cybersecurity Summit at the Nasdaq headquarters in Times Square on Monday, IoT security was top of mind.
"Friday showed us that the genie is well out of the bottle. This should be the big wakeup call to manufacturers and users to say we need to start securing IoT properly," said Andrew Lee, CEO of endpoint security provider ESET North America. "Personal info and business info are becoming more and more integrated, and people are starting to think about the implication an attack like this can have not only on their own lives but how it will affect businesses."
ESET and the NCSA released a joint survey on consumer IoT trends (key findings in the infographic below) breaking down the millions of IoT devices collecting and transmitting huge volumes of data to other devices. For businesses, talk at the summit focused on understanding why the DDoS attack happened and what organizations from small to midsize businesses up to enterprises should be thinking about when it comes to IoT security.
Click infographic for full view. Credit: ESET and National Cyber Security Alliance
How Businesses Should Tackle IoT SecurityAt the summit, I spoke with security experts from the NCSA, the Computing Technology Industry Association (CompTIA), Cisco, and identity management provider LifeLock, about the Mirai botnet DDoS and the modern challenges of IoT security. Each organization offered some hands-on recommendations and strategies for how businesses can identity, protect, respond to, and recover from IoT security threats and related cyberattacks.
Michael Kaiser, Executive Director of the NCSA: Kaiser, who moderated the summit's morning panels, said the surface of IoT attacks is only expanding. The cost of entry in creating an IoT device is very low, and as such he explained that connected devices are proliferating at rapid speed without regular updates and patches. One big takeaway: we're beyond "set it and forget it" mode, he said.
"When you buy something like a refrigerator, or a government makes a capital investment in a light pole or an electric meter, that's going to be there for 10-15 years. It's a different kind of environment," said Kaiser. "If you move into an old house and you don't know when the doorbell was installed, but as long as it works you don't need to think about it. When you start putting in a video doorbell and smart locks, all of a sudden you're taking on the responsibility for keeping these connected devices secure over time."
The NCSA recommends businesses start with the basics to mitigate these kinds of risks; Kaiser and many other speakers at the summit highlighted the NIST Cybersecurity Framework as a great resource. As part of Cyber Security Awareness Month, the NCSA also sprearheaded the Lock Down Your Login campaign in partnership with the White House to improve awareness and basic security around credentials.
Kaiser said what worries him most is escalation in these kinds of IoT attacks. He gave the example of a potential botnet mixed with ransomware that could attack something like all the connected traffic lights in a midsize city. If hackers turn off every traffic light during rush hour and demand a $5 million bitcoin ransom, how would the city respond? That's why Kaiser said cybersecurity needs to be built into business processes the same way organizations treat physical safety regulations.
"Every store has a fire alarm system and emergency exits. That's risk reduction. There are safety cultures all over the workplace. We all do fire drills and have emergency plans in the workplace. You put on a hard hat before you enter a room under construction," said Kaiser. "We're not quite there yet in cybersecurity, but more and more businesses are starting to do things like phishing training. If you're on the coast of Florida, you're thinking about hurricanes. If you're in Kansas, you're thinking about tornadoes. Everyone needs to be thinking about cybersecurity."
Neil Daswani, CISO at LifeLock: Daswani said last week's attack makes it clear that if we don't secure these IoT devices, they can take down large swaths of the Internet. A lot of sites have prepared for an influx of traffic, but this particular attack affected "effectively the Internet phone book," which Daswani said is a point of failure that infrastructure management needs to focus on going forward.
Daswani also pointed to guidelines from the Online Trust Alliance on how to secure IoT devices; most vulnerabilities within these gadgets are known and preventable. IoT defense is a shared responsibility, he said. Manufacturers should build in deeper security features and get rid of hard-coded passwords, while consumers need to be proactive, and Internet providers need to do more provisioning.
For businesses, Lifelock recommends keeping four factors in mind: prevention, protection, containment, and recovery. "You've got to do all four," said Daswani. "You want to prevent as much as you can; you want to have protection in place to identify an attack when it occurs; you want to have containment measures in place to minimize damage; and you want to have disaster recovery countermeasures in place."
Anthony Grieco, Senior Director of Cisco's Security and Trust Organization: Cisco is invested heavily in enterprise IoT across a variety of industries. The worst thing that happens in events like this is when enterprise leaders are surprised to find that their organization is dependent on affected third-party services, Grieco said.
"These events are going to happen. When they do, do you understand where your risk points are?" he said. "Have you mapped and do you have visibility into the services you're leveraging as an enterprise? Do you know you have a dependency on this cloud provider or that SaaS provider, or this infrastructure provider? Are you comfortable with those risks? Have you talked to the vendor about what they're doing around security?"
Cisco's advice came down to what Grieco explained as implicit versus explicit trust. Businesses can't deploy an application through a cloud provider or SaaS platform and natively have confidence that the vendor has taken care of security. Grieco believes businesses need to challenge that assumption with simple, explicit questions about what security measures are in place. You need a reason to trust the security of a service.
Beyond that, Grieco said businesses need to shift the idea of security away from being IT's responsibility alone. Cisco approaches security as an organizational mindset where employees are educated and held accountable, with the ultimate goal of baking security in as a way to enable business rather than inhibit it.
"Whether it's IT or finance or human resources, we try to teach employees about security, test their knowledge, and hold employees accountable for security as an organization. Everything from do you respond to a phishing email to how coders should prevent buffer overflows, to how salespeople should be protecting customer data," said Grieco. "It goes across job description and function. It's a part of everyone's job description, and it has to be."
Tim Herbert, Senior Vice President of Research & Market Intelligence at CompTIA: Herbert focused his advice largely on what SMBs can do to protect against IoT threats. SaaS platforms have made technology more accessible to small businesses than ever before, but Herbert explained that this may leave security understanding and best practices lagging behind. The answer, he explained, lies in tying driving that security value home for entrepreneurs in how it affects every aspect of their business.
"Small business owners are just trying to keep their business afloat. Relying on a technology partner is important, but I think there's a role for their accounting firm, their attorney, and even their digital marketing agency to play in helping an entrepreneur understand that once their reputation is damaged, it can be critical," said Herbert.
For technology purchases SMBs are considering around IoT, Herbert said step one is to avoid problems before they start. Resources like the Thingworx IoT Marketplace check factors like security protocols, firmware, and documentation for each IoT product listed. When it comes to existing technologies on your network, CompTIA recommends SMBs start by conducting an audit, which can map your business network for devices and things like unsecured apps employees have uploaded onto their systems. From there, tools like mobile device management solutions can better secure network data and apps.
"No one is immune to an attack, and often small businesses are a pretty soft target," said Herbert. "It's critical that we work to get the fundamentals right. In the future, there are a lot of ways things like machine learning and AI will be used to improve industry and productivity, but it's also going to be used by hackers to develop even more sophisticated bots and social engineering. If we don't get the fundamentals right today, we'll be in even worse shape years from now when some of these new technologies emerge to hurt business."
This article originally appeared on PCMag.com.