Much has been said about the DDoS attacks on Dyn and the subsequent security issues surrounding IoT devices. In late 2016, hackers exploited hundreds of thousands of IoT devices, such as security cameras and DVRs, to cause massive internet outages over a prolonged period of time.
While this attack has prompted a great deal of discussion about how to improve IoT security, the truth of the matter is that there are fundamental security issues that simply cannot be fixed with the industry’s current approach. DDoS attacks and the like are really just a symptom of the larger issues we are facing as an industry when it comes to botnets and securing IoT devices.
The fact is, focusing on securing an endless number of endpoints is almost impossible to do effectively. You can’t rely on the devices to be secure and you can’t rely on the consumers to secure their devices themselves. The more we can focus on the network level, the better. Stopping these issues in the network will be the only way that we can truly prevent widespread attacks.
The current approach towards preventing botnets and securing IoT devices has serious limitations. As we saw with the Dyn attack, many IoT devices in the market are inherently insecure. Why? Simple business priorities. The margins on these consumer devices are very small and many of the smaller manufacturers who produce these devices are unable or unwilling to invest enough in security. Simple security fixes like not relying on default passwords may seem like an obvious mitigation, but many smaller companies struggle to implement it.
Even when devices do integrate some form of security, consumers rarely act on these capabilities. Many consumers are either unaware that there are measures they have to take to secure their devices – such as changing the default password or performing software updates – or they are unwilling to apply these measures. This compounds the perpetual problem of insecure devices being recruited into botnets.
There is also the challenge of patching all of these non-traditional endpoints. Imagine the challenge for a CISO when managing patching for a wide range of IoT devices in the enterprise, all with different ad hoc and unique patching methods. The result is likely to be inconsistent patching, which leaves systems vulnerable if the network isn’t properly segmented and protected.
These examples indicate that there is no perfect solution currently being implemented that enables truly secure IoT. Instead of putting the onus on the devices, consumers or cloud providers, these attacks need to be stopped at the network level – any further out and they become almost impossible to contain. Every attack, no matter where it originates or where it is headed, has to traverse the network at one point or another. Stopping these attacks and bad traffic at the network level, by placing enforcement points in more parts of the network, directly addresses the problem without relying on the endpoints themselves to be secure.
For enterprises, this means ensuring you have a fully secure network, with security capabilities woven throughout the network to stop attacks at any point. For example, say you have smart light fixtures in your building that are network connected to allow for scheduled control of your lighting environment. Under normal conditions, these devices send “call home beacons” to track energy utilization and ensure the lighting system is running properly. At some point, one of the light controllers starts bursting traffic and downloading data at an abnormally high rate or for an abnormally sustained length of time. The network could create a new security policy based on the correct volume of traffic flow for a smart light and distribute it to all policy enforcement points on the network, including switches, routers and firewalls. By doing so, it’s possible to stop an IoT threat close to the source so it is unable to jump to other parts of the network.
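The smart-light scenario above, worked through as an added example (this code is not from the article or any vendor product): per-minute flow summaries for three light controllers are constructed inline, a baseline for the device class is built from the quiet "call home" period, a controller whose volume stays above that baseline for several consecutive minutes is flagged, and a rate-limit policy object is produced for distribution to every enforcement point. The record layout, the device names, the `mean + k * stdev` threshold, the three-minute "sustained" rule and the policy format are all assumptions made for the example.

```python
"""Baseline-driven detection of an IoT device that starts bursting traffic.

Constructed example: three smart light controllers whose normal behaviour
is a small periodic "call home" beacon. Minutes 0-9 are the quiet period
used as the baseline; minutes 10-15 are live traffic in which 'light-17'
starts a sustained bulk download and 'light-02' has a single one-minute
spike that should NOT be flagged. Thresholds, names and the policy layout
are assumptions, not a real product's API.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import ceil
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    device: str
    minute: int
    bytes_out: int
    bytes_in: int

    @property
    def total(self) -> int:
        return self.bytes_out + self.bytes_in


# Constructed beacon sizes (bytes out per minute) for the quiet period.
_BEACON_OUT = [1200, 1150, 1250, 1200, 1180, 1220, 1200, 1100, 1300, 1200]
BASELINE_END = 10  # flows with minute < BASELINE_END form the baseline window


def _make_sample():
    """Build the constructed flow summaries described in the module docstring."""
    flows = []
    for dev in ("light-01", "light-02", "light-17"):
        for minute, out in enumerate(_BEACON_OUT):
            flows.append(Flow(dev, minute, out, 400))
    for minute in range(10, 16):
        flows.append(Flow("light-01", minute, 1200, 400))
        # light-02: one-minute spike (e.g. an update check); not sustained
        flows.append(Flow("light-02", minute, 1200, 1500 if minute == 12 else 400))
        # light-17: sustained download far above the beacon profile
        flows.append(Flow("light-17", minute, 1200, 95_000))
    return flows


SAMPLE_FLOWS = _make_sample()


def build_baseline(flows, baseline_end=BASELINE_END):
    """Mean and population stdev of per-minute total bytes for the device class."""
    totals = [f.total for f in flows if f.minute < baseline_end]
    return mean(totals), pstdev(totals)


def threshold_for(baseline, k=4.0):
    """Per-minute byte volume above which a flow is considered abnormal."""
    avg, sd = baseline
    return avg + k * sd


def detect_bursts(flows, baseline, k=4.0, sustained=3, baseline_end=BASELINE_END):
    """Devices whose volume exceeds the threshold for `sustained` consecutive minutes.

    A single-minute spike resets the run counter, so only abnormally high
    *and* abnormally sustained traffic is flagged.
    """
    limit = threshold_for(baseline, k)
    by_device = defaultdict(list)
    for f in flows:
        if f.minute >= baseline_end:
            by_device[f.device].append(f)
    flagged = set()
    for dev, devflows in by_device.items():
        run = 0
        for f in sorted(devflows, key=lambda x: x.minute):
            run = run + 1 if f.total > limit else 0
            if run >= sustained:
                flagged.add(dev)
                break
    return flagged


# Assumed enforcement points that would receive the policy.
ENFORCEMENT_POINTS = ("access-switch", "distribution-router", "edge-firewall")


def build_policy(device, baseline, k=4.0):
    """Policy object for distribution to every enforcement point (layout assumed)."""
    return {
        "match": {"device": device},
        "action": "rate-limit",
        "limit_bytes_per_minute": ceil(threshold_for(baseline, k)),
        "enforce_at": list(ENFORCEMENT_POINTS),
        "reason": "sustained volume above smart-light baseline",
    }


def respond(flows=SAMPLE_FLOWS):
    """Baseline, detect, and emit one policy per flagged device."""
    baseline = build_baseline(flows)
    return [build_policy(dev, baseline) for dev in sorted(detect_bursts(flows, baseline))]


if __name__ == "__main__":
    for policy in respond():
        print(policy)
```

The rate limit is derived from the class baseline rather than hard-coded, which is what lets the same policy be pushed to every enforcement point for every device of that class; the "sustained" requirement is the caveat that keeps a one-off update check from being treated as a compromised controller.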
For consumers, this shifts the responsibility away from these other parties and directly onto those who have the best ability to fix the issue: the service providers. Service providers have always faced a certain level of liability when it comes to keeping their customers up and running. They have service level agreements (SLAs) for availability, so why not have SLAs for security? As a matter of fact, the aggregation of IoT devices is what allowed the DDoS to overwhelm Dyn. What if you could have stopped it earlier in the network before it built up momentum at an aggregation point? This is valid not only from a liability perspective, but also because SPs have a real opportunity to provide a necessary service to their customers. If SPs cut off the infected traffic at the source, before it ever gets a chance to run rampant through various connected devices, these large-scale attacks could be stopped in their tracks.
Protecting the internet is everyone’s responsibility. It is important for device manufacturers to implement security measures on their products, for consumers to update and secure their devices to the best of their ability, and for cloud protection organizations to assist those who are under attack. But all of these measures are insufficient when compared to the much greater opportunity service providers have to truly decimate these attacks before they can build up momentum to overwhelm the next victim.