October is National Cyber Security Awareness Month. This week’s theme is “Our Continuously Connected Lives: What’s Your ‘Apptitude’?,” so we’ll be looking at the critical steps organizations can and should take to keep their connected devices secure and protect their data.
Have you heard of the Internet of Things? If you haven’t yet, you’re about to. The ever-widening network of connected devices, collectively known as IoT, may be responsible for enabling some of the biggest DDoS attacks ever seen.
In September, the security website KrebsOnSecurity.com suffered a massive Distributed Denial of Service (DDoS) attack. Reporting on the incident, site owner Brian Krebs noted two key things: 1) that attack was one of the largest DDoS attacks ever; and 2) it was probably executed using a botnet system designed to exploit insecure IoT devices. Says Krebs, “[For] now it seems likely that we can expect such monster attacks to soon become the new norm.”
Just weeks later, his prediction was proven correct.
On Friday, October 21, another DDoS attack occurred, preventing access to dozens of major websites. This DDoS assault targeted a specific service provider, DYN, which counts Spotify, Netflix, Reddit, Twitter and other big names among its clients. The attack affected all of those sites – and more – causing functionality issues across the web.
Recode provides an excellent concise explanation of what happened – and why security vulnerabilities among the Internet of Things was probably at fault:
Dyn’s service disruption was yet another demonstration of how attacks on various critical points on the Internet can impact millions of users, and how vulnerable those points may currently be. In this case, DNS (the “domain name system”) isn’t something that most users think about, but the entire internet depends on it. DNS translates human-readable names, like “twitter.com,” into machine-readable names, like “22.214.171.124.” That number, called an IP address, is what actually connects your computer to Twitter. The DNS services provided by Dyn to sites like Twitter were targeted by a DDoS attack, preventing users from being able to reach the websites of Dyn’s customers.
DDoS attacks have been around for many years, but they’ve gotten a lot worse recently. A big driver is the growth of the Internet of Things (IoT). In simple terms, there are now billions of Internet-connected devices that attackers can hijack and organize into botnets. Today’s IoT devices (such as security cameras and routers) — are effectively computers, except with a lot less security in many cases. That makes the attacker’s job of building botnets easier than ever.
That a single attack can cripple one of the backbone companies of the Internet is a troubling reminder of the constant threat that cybercrime presents.
During last year’s NCSAM, we explained some of the ways the Internet of Things opens new doors for hackers and other cyber crooks. As one might expect with the breakneck pace of technological advances in technology, the issues we explored then have only become more pronounced since then. Concerns about connected devices’ security vulnerabilities are more relevant now than ever.
Why It Is So Easy for Cyber Crooks to Commandeer Devices on the Internet of Things – And Why That’s Bad for Businesses
You might wonder exactly what security weaknesses allowed these devices to be compromised. It’s a great question, although not the most important one (I’ll get to that in a little while). But it is important to understand why these proliferating connected devices are so easy to infiltrate.
The simple truth is that the manufacturers of products and devices that make up the IoT haven’t paid much attention to security.
In many cases, they have hard-coded passwords for those devices that can often be found via a simple Internet search. Likewise, owners of these devices, not knowing the security risks posed by connecting these products to their environment, often don’t bother to change default passwords (if they’re even able to).
Once these devices are connected to your network, they can be taken over by cybercriminals to gain access to sensitive information or be used in attacks like those described above.
In the age of BYOD (“bring your own device”), and with every gadget from coffee machines to copiers wifi-enabled, it is extremely important that business leaders consider the security implications of unsecured devices on their corporate networks.
How to Limit Your Organization’s Cyber Security Exposure from Connected Devices
So how do you know if your company’s networked devices – both company-owned and employee-owned – are potential entryways for cyber crooks and other bad actors?
Here are the most important questions to ask:
- Do you know what types of devices are connected to your network?
- Are all of these devices patched and up-to-date with current software releases?
- Are you certain that default passwords have been changed?
If your answer to these questions is anything but a full-throated “yes, absolutely,” then you’re at risk. And that means any sensitive information on that organization’s network is at also risk.
In a recent awareness newsletter, SANS offers a few things to do to protect both your organization and yourself. These steps are both simple and important, so we are sharing SANS’ advice directly here:
Connect only what you need:
The simplest way to secure an IoT device is to not connect it to the Internet. If you don’t need your device to be online, don’t connect it to your Wi-Fi network.
Create a separate Wi-Fi network:
If you need IoT devices to be online, consider creating a separate Wi-Fi network just for them. Many Wi-Fi access points have the ability to create additional networks, such as a guest network. Another option is to purchase an additional Wi-Fi access point solely for IoT devices. This keeps your devices on an isolated network, where they cannot be used to harm or attack any computer or mobile devices connected to your primary home or organizational network (which are still the main interests of cyber criminals).
Update when possible:
Just like your PC and mobile devices, keep your devices up-to-date. If your device has the option to automatically update, enable that.
Use strong passwords – or, better yet, passphrases:
Change any passwords on your devices to a unique, strong passphrase only you know. Passphrases are both easier to remember and tougher for hackers to crack.
Turn on privacy options:
If your devices allow you to configure privacy options, limit the amount of information they share. One option is to simply disable any information sharing capabilities.
At some point, you may want to replace a device when your existing one has too many known vulnerabilities that cannot be fixed, or there are newer devices with more security and privacy built into them.
Finally, as is the case with all security issues, don’t underestimate the value of cyber security awareness at all levels of your organization. Make sure that your security training and education programs inform users at all levels of the risks associated with connecting ANY and ALL devices to your networks and IT environment.
After all, none of us want to be the case study that’s reviewed next year during National Cyber Security Awareness Month.
Keep Up with NCSAM Coverage for More Cyber Security Best Practices & Ideas
- Learn more about NCSAM
- Use our NCSAM tag to find all of our articles
- Join the conversation on Twitter: #CyberAware
About the Author: Don Nelson
Don is a principal with Infinitive Insight, the enterprise risk management practice at Infinitive. He has 35 years’ experience in data and information security.
Download this free data loss prevention checklist for insights from our Enterprise Risk Management experts.