On Thursday, I wrote a post about the Mirai IoT malware infecting IoT devices, turning them into botnets that create DDoS attacks. I knew that this was going to become a serious problem but at that moment, it hadn’t become a mainstream issue.
That certainly changed quickly, didn’t it? On Friday, I was leaving my office when my phone chirped with a breaking news story – Homeland Security was investigating a major DDoS attack against Dyn. A quick check of Facebook told me all I needed to know: My friends were wondering why they couldn’t access so many of their favorite websites all of a sudden. Now everyone is asking questions about not only IoT security but DDoS attacks. It’s good that people are now aware; I wish we could be aware proactively rather than reactively.
But where does this proactive behavior begin? For this type of attack, it is a two-pronged issue. First, we have to do a better job addressing IoT security. A new survey from ESET found that 40 percent of us are not confident that our smart devices are secure enough, and as Tech Crunch added:
A huge 88 percent have considered that IoT devices and any data they transmit via their wireless networks could be potentially accessible to hackers, but all that awareness and unease isn’t necessarily leading to preventative or curative action.
Eve Maler, VP Innovation and Emerging Technology with ForgeRock, agreed that IoT security is a serious problem, telling me in an email comment:
IoT needs identity-centric security controls built into the devices so they're secure from the get-go. We need to know how to authenticate and authorize not only those who use and interact with devices, such as homeowners, but also the devices themselves — down to the sensor level. Being aware of whether device associations with people/users have been built up appropriately is essential for keeping the IoT secure. This technology for managing device security and avoid attacks exists today.
However, as we are just at the beginning of figuring out how to navigate IoT security, we should have a better handle on DDoS attacks, which have been a problem for years. But we don’t, as Mike Ahmadi, director of critical systems security for Synopsys, explained to me in an email comment:
Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors. Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment. The avalanche of IoT devices has created an environment where software and implementation flaws can be exploit at previously unseen levels, effectively turning them into widely distributed information weapons. What may have been adequate robustness in the past no longer holds true.
It’s clear that something needs to be done to take control of the dual security concern, as Chris Sullivan, general manager of Intelligence/Analytics at Core Security, told me:
In the wake of these new high-profile events, it’s likely to be mandated by new laws. What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.
In my next post, I’ll talk a bit about how cloud security fits into this emerging security issue.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.