What We Learned About IoT Security from the Dyn Attack
November 30, 2016
“Is the internet down?”
One day in late October, this question was being asked all along the East Coast, as many of the most popular websites – including PayPal, Twitter, Reddit, and Spotify – were slow to load or, in many cases, completely inaccessible. Over the course of several hours, customers couldn’t access their accounts, advertising revenues were lost, and IT teams scrambled to figure out the problem.
The problem turned out to be a large-scale DDoS attack on Dyn, a New Hampshire-based Internet infrastructure company. Hackers were able to swamp the company’s servers with a huge number of requests, making it all but impossible for legitimate traffic to reach the servers of the companies that users wanted to visit. While this was far from the first DDoS attack to take place, it was one of the largest – and it was unique, as it was the first major attack to have its roots in the Internet of Things (IoT). Investigators discovered that a number of video cameras had been configured to repeatedly send signals to Dyn’s network, effectively preventing all other traffic from accessing client websites.
The IoT, or more accurately, the security of the IoT, has been a growing concern as more connected devices flood the market. Security experts point out that while hackers can only take over so many computers in order to launch a DDoS attack, there is an almost unlimited number of physical objects that have IP addresses and can be manipulated for nefarious purposes. And because most IoT devices don’t have a full operating system, and aren’t being monitored the same way that computers are, it’s much easier to manipulate them and essentially turn them into “zombies” that still perform their primary functions while actually attacking another network.
Regardless of how the Dyn attack occurred, though, it served as a wake-up call for many who have underestimated the security risks of IoT devices. With that in mind, there are several important lessons that security professionals can learn from this incident.
1. IoT attacks are real
For quite some time now, security experts have warned of the possibility of an IoT-based attack, but until now, it hadn’t happened. And because most people don’t view their IoT devices as actual connected computers, they don’t usually take precautions to protect them. For example, the majority of people who install IoT devices never even change the default username and password. There has been, up until now, a false sense of security surrounding the IoT, but as the Dyn attack showed, the possibility of serious security breaches is very real.
2. Third parties may create vulnerabilities
In the case of the Dyn attack, the hackers’ targets weren’t the companies that were actually affected, but Dyn itself. This raises an important consideration: How much of your security or uptime is in the hands of a third party, and does that create more vulnerabilities? How much of your business depends on third parties, and can you withstand an attack on factors that are out of your control?
This is not to say that you shouldn’t rely on IaaS, SaaS, or other cloud services, but it does mean that you need to consider your vendors and service providers when developing your cybersecurity plans. You must have professionals on staff who have the skills to understand information security and the steps that must be taken to mitigate risk.
3. Constant monitoring is vital
One of the major challenges of working in a cloud environment is the lack of cohesive security policies among vendors, and the fact that different vendors have different priorities when it comes to identifying and addressing threats. Therefore, it’s up to your security team to remain vigilant and constantly monitor what is going on with the cloud services. For example, if a vendor installs an update to the system, the changes could create new vulnerabilities that need to be addressed. Staying abreast of what’s happening and being prepared to act is a key aspect of managing cloud security.
The IoT holds a lot of promise, but it also holds a great deal of danger. Cybercriminals are always looking for new and creative ways to disrupt business as usual, and the IoT represents a new means of doing so. As the Dyn attack shows, businesses can no longer afford to sit back and “wait and see” what happens with the IoT. They must gather the knowledge and hire the talent to deal with the threats now or pay the price later.