I wrote recently about the changing face of cybersecurity: the expanding threat surface of the Internet of Things, mobility, BYOD and the cloud, and the different kinds of attacks we've been seeing over the last several years in response to these changes. I emphasized the need for a more holistic approach to cybersecurity, protecting the enterprise all the way from the core out to the intelligent edge and up into the cloud. Today I'd like to reinforce that with a deeper dive on a couple of the latest large-scale attacks and what we can learn from them going forward.
Dyn, Mirai, and DDoS in the IoT
Last October we witnessed what is widely regarded as the first major-scale cyber-attack attributed to the IoT: a DDoS (distributed denial of service) attack on Dyn, an internet infrastructure company, by the Mirai botnet. Mirai, for those who don't know, is malware that scours the internet for IoT devices whose factory-default usernames and passwords were never changed, logs in over telnet with those credentials, and enrols each device in its botnet. The Dyn attack is believed to have originated from hacked IoT devices, largely CCTV cameras and digital video recorders running out-of-date firmware with default credentials, which were then directed to flood Dyn's DNS servers with traffic. Because Dyn was the authoritative DNS provider for those sites, the attack knocked a number of major websites offline for users, including PayPal, Netflix, Twitter, Pinterest, and the Sony PlayStation Network, even though their own servers were never touched.
Security is a rapidly changing and expanding landscape
While the lasting impact wasn't gigantic, it certainly was an expensive headache for Dyn, and it could easily be a harbinger of much worse attacks to come. In an increasingly connected world, one can imagine a worst-case scenario in which cyber-terrorism becomes real-world terrorism: crucial systems on a commuter train, an airplane, or a self-driving car could be compromised.
The main takeaway from this attack is that cyber-criminals have caught on to the fact that firmware and hardware are much less protected than application software and operating systems, and they're beginning to exploit that in a big way. Mirai needed no software exploit at all: a device that ships with a known default password and an exposed telnet port is compromised the moment it is plugged in.
We can't talk about cyber-attacks without mentioning the massive WannaCry ransomware attack that struck more than 200,000 victims in 150 countries last week. Ransomware, for the uninitiated, is malicious software that encrypts the victim's files and demands payment in exchange for the key that restores access. While it sounds a little primitive, it can be surprisingly effective: these attacks increasingly target businesses with deeper pockets, who are sometimes desperate enough to keep operations running that they'll fork the money over in hopes of a quick resolution. This kind of cyber-attack has been on the rise lately, which I wrote about in my last blog on security several weeks ago.
WannaCry spread by exploiting a flaw in the SMBv1 file-sharing protocol of Microsoft Windows, a flaw the NSA had discovered and weaponized as the EternalBlue exploit, which was subsequently leaked by the Shadow Brokers. Microsoft had patched supported versions of Windows in March (MS17-010), but unpatched machines and end-of-life systems such as Windows XP, which only received a fix after the outbreak, were left exposed. There are a couple of takeaways here. First, this brings up the related issue of the federal government asking for so-called security "back-doors" to be built into devices, as it asked Apple to do during the San Bernardino mass-shooting investigation. The problem with the government stockpiling vulnerabilities, or mandating back-doors, is that it really is only a matter of time before they leak out and fall into the wrong hands.
The other takeaway is that companies need to take security far more seriously at an organizational, executive level, and have an effective policy in place.
IT needs to make sure it is running supported, patched operating systems, that all software and anti-virus programs are up to date, that routine penetration tests are run, and, for crying out loud, that data is backed up, with copies kept offline or otherwise out of the ransomware's reach, because a backup the malware can reach simply gets encrypted along with everything else. While WannaCry targeted a more traditional threat surface, the operating system, spreading as a worm across the network file-sharing port rather than through anything a user had to click, it's just another example of why security must be holistic.
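Both attacks share a behaviour a defender can watch for on the network: an infected Mirai device sprays connection attempts at TCP 23/2323 on random addresses looking for default telnet logins, and a WannaCry host sprays TCP 445 at its neighbours looking for unpatched SMBv1. The following is an added example, not code from the original post or from Dyn, Microsoft or any vendor mentioned here, of a small detector that flags this "many distinct targets in a short window" fan-out in firewall logs. The log format (`<epoch> <src_ip> <dst_ip> <dst_port> <action>`), the sample log, the port list and the thresholds are all assumptions constructed for illustration; real firewall exports will need their own parser.

```python
"""Flag hosts showing worm-style scan fan-out in firewall logs.

Added example (not from the original post). Mirai-infected devices probe
TCP 23/2323 on random addresses; WannaCry probes TCP 445. The log format
and sample data below are constructed for illustration:
    <epoch> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports that the two worms discussed in the post spray at random targets.
# Mirai: TCP 23/2323 (telnet, default-credential login); WannaCry: TCP 445 (SMBv1).
SCAN_PORTS = {
    23: "telnet (Mirai-style default-credential scanning)",
    2323: "telnet-alt (Mirai-style default-credential scanning)",
    445: "SMB (WannaCry-style lateral spread)",
}
WINDOW_SECONDS = 60             # sliding window length (assumed tuning value)
DISTINCT_TARGET_THRESHOLD = 20  # distinct destinations per window treated as a scan


@dataclass(frozen=True)
class Alert:
    src: str
    port: int
    distinct_targets: int
    window_start: int
    description: str


def parse_line(line: str):
    """Parse one constructed log line: '<epoch> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def detect_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_TARGET_THRESHOLD):
    """Return one Alert per (source, port) that touched >= threshold distinct
    destinations on a scan port within any span of `window` seconds.

    Counting distinct destinations rather than raw connection attempts is what
    separates a worm (many targets, one probe each) from a busy but legitimate
    client (few targets, many connections).
    """
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, port, _action = parse_line(raw)
        if port in SCAN_PORTS:
            events[(src, port)].append((ts, dst))

    alerts = []
    for (src, port), evs in events.items():
        evs.sort()
        for i, (start_ts, _) in enumerate(evs):
            # Distinct destinations seen in [start_ts, start_ts + window].
            targets = {dst for ts, dst in evs[i:] if ts - start_ts <= window}
            if len(targets) >= threshold:
                alerts.append(Alert(src, port, len(targets), start_ts, SCAN_PORTS[port]))
                break  # one alert per (src, port) is enough for triage
    return sorted(alerts, key=lambda a: (a.src, a.port))


def build_sample_log():
    """Constructed firewall log (not real data) mixing four behaviours."""
    lines = ["# epoch src dst dport action"]
    # 1. An IP camera at 10.0.0.15 behaving like a Mirai bot: one SYN each to
    #    25 external hosts on TCP 23 within 25 seconds (all dropped at the edge).
    for i in range(25):
        lines.append(f"{1000 + i} 10.0.0.15 198.51.100.{i + 1} 23 deny")
    # 2. A workstation at 10.0.0.42 behaving like WannaCry: probing TCP 445 on
    #    30 neighbours in the /24 within 15 seconds.
    for i in range(30):
        lines.append(f"{2000 + i // 2} 10.0.0.42 10.0.0.{100 + i} 445 allow")
    # 3. A legitimate client at 10.0.0.7 talking repeatedly to 3 file servers
    #    over SMB: many connections, few distinct targets -> no alert.
    for i in range(40):
        lines.append(f"{3000 + i} 10.0.0.7 10.0.1.{1 + i % 3} 445 allow")
    # 4. Unrelated HTTPS traffic that the detector ignores entirely.
    for i in range(50):
        lines.append(f"{4000 + i} 10.0.0.7 203.0.113.{i + 1} 443 allow")
    return lines


if __name__ == "__main__":
    for alert in detect_scanners(build_sample_log()):
        print(f"{alert.src} -> {alert.distinct_targets} targets on tcp/{alert.port} "
              f"from t={alert.window_start}: {alert.description}")
```

On the constructed log this flags the camera (25 targets on tcp/23) and the workstation (30 targets on tcp/445) and stays quiet about the file-server client, which makes many more connections but to only three hosts. The threshold and window are deliberately simple; in production you would tune them per segment and add the Mirai-specific tell of many short telnet sessions with failed logins, but the distinct-target count is the signal that matters.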
I don’t want to sound like a broken record, but every surface must be secured—from the edge, to the core, to the cloud, hardware and software.
Hardware is the newest vector for attackers
While it would be great to live in a world where we no longer face cyber-attacks, every breach offers a lot in terms of learning where we as an industry need to focus more attention. While the WannaCry attack was very significant in terms of magnitude, I think over the next 5-10 years we're going to see a significant ramping up of incidents that look more like the Dyn/Mirai attack. The more we connect, the more opportunities there will be for cyber-criminals to exploit. What we have to do now is focus on the basics: by all means, continue to protect software and operating systems, but we have to start building security into our hardware and firmware as well.