Earlier this fall, attackers deployed a Distributed Denial of Service (DDoS) attack to knock out access to Dyn, a Domain Name System (DNS) provider used by many big websites.
The attack also demonstrated the vulnerability of cloud-based businesses in a world that’s now populated by billions of smart endpoints.
Thousands of hijacked devices formed into a botnet. As many as 100,000 consumer devices infected with the Mirai botnet flooded Dyn’s services with traffic and disrupted internet service for millions of people throughout the United States.
The incident took down a significant chunk of the DNS, the internet's address directory, disrupting operations for businesses that rely on cloud solutions, such as software as a service. Security experts have long worried about the vulnerability of the Internet of Things, and the Dyn attack demonstrated that their fears were not unfounded. It’s also a likely harbinger of more trouble in 2017, given that hackers tend to stick with methods that have worked in the past.
Hackers no longer need much technical sophistication to launch DDoS attacks. The know-how has been democratized. Even relative novices can now get into the game just by purchasing DDoS-as-a-Service kits that are available on underground markets. They’re also getting more creative. In denial-of-service-for-ransom incidents, for instance, perpetrators use DDoS attacks to hold cloud-based organizations hostage until they pay to reestablish their connections.
They are also likely to start using DDoS attacks to distract security practitioners.
With incident response teams understandably focused on dealing with the more immediate emergency triggered by DDoS attacks, hackers can hide quietly in the background and bide their time. If a company’s network gets overwhelmed one day with floods of traffic and data, for example, it’s easy to overlook a SQL injection. Once they’re inside the security perimeter, malicious actors can steal data while nobody is paying attention.
Winter is Coming
When they describe this scenario, managed service providers may hear clients discount the risk of what’s still a largely theoretical threat to their cloud. But while the worst-case scenarios have not yet materialized, the clock is ticking. Many IoT devices lack fundamental security controls. In fact, some devices still use the ADMIN password, effectively turning them into sitting ducks for anyone who wants to use the devices to launch DNS queries, a very effective DDoS approach.
Organizations that incorporate IoT devices in their operations shouldn’t expect much security help from device makers. Security often gets short shrift in the design process. What’s more, the industry is still struggling to rally around common standards and protocols that would foster greater security. Despite some progress recently, it’s a slow process characterized by fits and starts.
This was never going to be a smooth transition, as security has failed to keep up with innovation. Many IoT devices were never intended to be connected to the internet, and that puts the onus on organizations to add more stringent controls based on device function. They also need to ensure regular patching and firmware updates, along with vulnerability management strategies, to mitigate each device’s exposure to botnet attacks. At the same time, IT can take care of the basics, such as configuring their cloud services to require all employees to have both unique user IDs and complex passwords. (You can find a checklist of strategic principles to follow here.)
In the end, it becomes a numbers game. The more that organizations can reduce possible points of entry, the more security they can architect into their clouds. It’s worth their time and attention because hackers are finding new and clever ways to exploit the IoT to steal data from the cloud. Make no mistake about it, winter is coming.
This content is underwritten by VMware -- and is editorially independent. It is produced in accordance with conventional standards of business journalism.
Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.