A perfect storm is definitely brewing. Severe and hazardous internet weather warnings have been out there for some time now, and last week’s DDoS downpour on Dyn, along with the escalating events leading up to it, may prove to be a mere shower compared to what is yet to come. Let’s start by considering another type of forecast, that of the projected numbers for the Internet of Things (IoT). We are currently told there will be 20 billion ‘things’ connected to the internet worth a speculative $1.9 trillion dollars of economic value by 2020. By 2025, it will apparently become 100 billion things! How accurate these figures are and how many of these claims are ‘me too’ self-perpetuating hype remain to be seen. One thing is for certain, however: as time progresses, there will not only be more ‘things’ online to be attacked, but there will also be more ‘things’ online than ever before for to attack us with. Combine that thought with the evolving consumerisation model for DDoS. Whilst the fragile foundations of the internet have always made denial of service relatively ‘easy’ (from crude ping floods to smurf and Xmas tree attacks), they used to require at least some degree of technical knowledge and effort. Now they can simply be bought and rented as a service. Which brings such attack vectors within the reach of anyone who wishes to pay for them. Those services must cost a lot, right? Not so! The price of admission is getting lower all the time. As little as $5.00 these days could get you started. Those wanting a little more bang for their buck need not look far on the dark web, either. Within days of the Mirai source code (upon which recent high-profile DDoS attacks have been built) going public, several powerful botnets emerged and are now being offered for hire. Now combine that with the insatiable drive to further digitise, analyse and automate each and every aspect of our lives, including health and other public services. It is one thing not being able to Tweet or game on the PlayStation network for a few hours, but not being able to access a critical public service may be more than just an inconvenience. As IoT meets AI, the notion of ‘smart cities’ and other concepts for direct digital interaction with the physical world make for an even greater reliance on internet availability. Finally combine all of that with the rampant rise in online extortion as a cybercrime growth model, and we have a potential hurricane on the move. To prevent that storm from making landfall, we need to start making some very different and sometimes difficult security choices. But enough with the apocalyptic doom-mongering already. I for one am no Luddite, and I am actually still of a view that as the arena of smart things and smarter analytics matures, it will eventually yield many genuine and diverse benefits for all of us. To do so, it all has to develop a sense of standardisation, discretion, ethics, and just some plain old common sense. Simply giving any inane object an IP address, some cheap circuitry, and a poorly coded app does not of itself make it in any way ‘smart.’ In fact, quite the opposite is true. As Mirai has more than effectively demonstrated, it actually makes it pretty dumb and ‘en masse’ an abject menace. There are also very many entities that do not have any good reason whatsoever to ever be connected to the web. Not only for serious, scary, security reasons, either. Sometimes just for purely aesthetic, human ones. The virtuosity of well-crafted tourbillon mechanics or coaxial escapement in ‘real’ watches, for example, will always in my humble view make them an infinitely smarter item than any overpriced but ultimately disposable ‘wearable.’ Much is starting to be discussed about Government intervention and regulation, and whilst there are certain industries that can and must start to bring enforceable standards into play, the complexities of trying to create and enforce laws in such a rapidly changing, worldwide arena cannot be underestimated. Oh, and the EU has suggested putting stickers on devices. We’ll see how that one works out! So whilst the bigger picture evolves, there are at least some smaller things we can start to do as security-minded people. Firstly, we need to build better resilience wherever we can. Yet another lesson from the DYN attack was that some services weathered the DDoS storm better than others because they used multiple rather than a single DNS provider. Alerts to unusual traffic spikes should always raise concern, but there are plenty variations on DDoS attacks that are not so noisy and obvious to detect at an early stage. ‘Low and slow’ attacks (Slowpost or Slowloris, for example) may be silently eating away at your service undetected right up until the final catastrophic failure occurs. There are many specialist and sophisticated protection services and solutions out there now, however. So if you or your customers/citizens have a critical dependency on the online services you provide, make sure you do not underestimate the Availability part of the C-I-A triad and consider investing in better resilience accordingly. Secondly, wherever possible, we should attempt to harden the devices within our control and urge others to do the same so we do not at least contribute further to the problem. The code for Mirai, for example, tries using default telnet credentials including "admin – password," "admin – admin," and "root – 123456" among a list of 62 other howlers. This highlights just how poorly secured its target devices are out of the box. Thirdly, we as users should vote with our collective wallets. From consumers to corporate budget holders, we can choose to boycott ‘named and shamed’ negligent manufacturers flooding the market with dangerously insecure products, and we can favor more responsible ones in this area as much as any other. Mass recalls and sales slumps following bad publicity will eventually start to force the hand and shape behavior. Finally, we need to get some security-aware developers and architects involved in IoT initiatives from the outset so that we can start to influence the right types of choices. The internet-connected genie is well and truly out of the bottle, so we must adapt to learning new ways of thinking about and applying security accordingly. Or, to conclude with a quote from Vincent Van Gogh:
"The fishermen know that the sea is dangerous and the storm terrible, but they have never found these dangers sufficient reason for remaining ashore."
About the Author: Angus Macrae is a Certified Information Systems Security Professional (CISSP) in good standing. He has more recently been awarded the CESG Certified Professional – IT Security Officer (ITSO ) role at Senior Practitioner level. He is currently lucky enough to live in and publicly serve the beautiful county of Cornwall in the UK. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
