The massive botnet attack that disrupted internet access service across the United States and Europe last October paralyzed Dyn, one of the backbones of the internet that controls much of the domain name system infrastructure. But the method of attack also left security researchers fretting that one of their worst-case predictions was coming true: the weaponization of IoT devices to launch botnets.
Botnet use has grown sharply since 2004, with many attacks featuring increasingly complex code. Hackers frequently choose botnets to launch distributed denial-of-service (DDoS) attacks that bombard servers with traffic until they collapse under the strain.
The attack against Dyn last fall also demonstrated a newfound ability on the part of malicious actors to make use of known passwords in Internet of Things (IoT) devices such as digital cameras and DVR players. Attackers can now harness the processing power of these devices by organizing them into a formidable collective force, with the Mirai botnet serving as the primary source of malicious attack traffic. Another reason for concern: The Mirai botnet code is freely available and requires little skill to use.
Trouble ahead, trouble behind
As outlined in The CEO’s Guide to Data Security report from AT&T, this security problem harks back to a longstanding problem with much IoT design. Many devices aren’t conceived with security in mind. Instead, they get shipped to customers with default usernames and passwords that hackers can sniff out by using automated scripts. Also, IoT devices often lack automatic security updates that would otherwise remedy known flaws.
Research house IDC expects that about two-thirds of enterprises will experience some sort of IoT-related security breach by 2018, spotlighting the concern that valuable corporate data will get exposed to third-party devices built with less-than-stringent controls.
Upping your game
IoT is going to be a permanent feature of contemporary business and so are IoT-powered botnets. That means the onus will be on organizations to up their game and develop proactive approaches aligned with their larger cybersecurity strategies. In practice, that involves taking a closer look at how their IoT devices fit into the organization and making regular risk assessments to mitigate potential risks.
- IT should update all IoT devices with security patches as soon as they become available, as well as routinely run antivirus software to help detect known bot threats.
- Because hackers can easily search the internet for the default usernames and passwords shipped with most IoT devices, changing all default passwords to strong passwords is key.
- Organizations can avoid headaches later on by choosing to buy IoT devices only from companies with reputations for providing highly secure devices.
- Perimeter firewalls should block unsolicited inbound traffic. That provides a double dose of security that helps prevent the attackers from communicating with any compromised devices on the network.
Given the morphing nature of botnets, there’s obviously no one-size-fits-all approach. But a cybersecurity posture that is sufficiently nimble and innovative should be able to bat away most threats before they have an opportunity to inflict major damage.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.