Endpoint

11/9/2016
10:00 AM
Nathaniel Gleicher,
Nathaniel Gleicher,
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Big Lesson We Must Learn From The Dyn DDoS Attack

The vulnerabilities that make IoT devices susceptible to being used in a botnet also make them the perfect avenue into our data centers and clouds.

The recent distributed denial-of-service (DDoS) attack against DNS service provider Dyn, built of Internet-connected DVRs, video cameras, and other embedded systems, has focused the minds of security experts on the huge threat posed by Internet of Things (IoT) devices. It's the second recent massive DDoS attack, and it's the perfect lesson to make the "IoT threat" discussion concrete.

But the lesson isn't really about DDoS. Today's debate is dominated by the huge attack platform created by compromised IoT devices; chain together hundreds of thousands of connected cameras, and you can generate the largest DDoS attack the world has ever seen. But systemic IoT security flaws leave us vulnerable to many kinds of attacks. DDoS may be the least of our worries.

The same vulnerabilities that make IoT devices susceptible to being leashed into a botnet also make them the perfect points of entry into our data centers and clouds. To understand the scope of this threat, consider the range of embedded systems in use today — industrial and personal equipment that is now being connected to networks to make them smarter, more convenient, and more efficient. From GPS trackers to point-of-sale systems, connected light bulbs, manufacturing robots, and connected power supplies, more and more devices within organizations are exposed to the Internet. This exponentially increases the attack surface of organizations.

This threat isn't new. The hackers that breached Target back in 2013 got in through the firm managing Target's HVAC systems, then moved laterally to the point-of-sale system that they exploited to capture customer credit cards. And researchers at Black Hat have demonstrated vulnerabilities in the SCADA systems used to control oil rigs.

Despite this history, we're still seeing embedded systems produced with glaring security flaws. Case in point: October's massive DDoS attack was enabled in part by hundreds of thousands of connected video cameras shipped with default passwords. Why aren't we getting the message?

Part of the problem is that we've been building these devices (light bulbs, HVACs) for years,and we’ve never had to design them for this kind of security before. But even worse, these devices aren’t designed to be updated — who thinks of updating light bulbs? This means that even when a vulnerability becomes known, it can be incredibly difficult to patch because the systems aren't designed to be patched.

Those connected cameras that powered the recent DDoS? Well, even if users wanted to update that weak default password, the only way to do it would be to update their camera’s firmware, which requires a manufacturer update. And there's no established mechanism to do this.

It’s not as if we’re about to simply stop using connected systems to solve this problem — the efficiencies created by these devices are simply too great.

Defending our Systems
Instead, we need to begin defending IoT devices just like every other processor connected to our networks. You have to assume that attackers will get in at some point, monitor your IoT devices for compromises, and work to segment those IoT devices away from the rest of your network.

First, we've already seen intruders use IoT devices to move laterally through a data center to reach their real target. We can make this much harder if we use microsegmentation to shut down unnecessary connections between those IoT devices and the rest of the network. By limiting attacker movement, we greatly reduce the value of IoT devices as attack vectors, even if they could still be compromised.

Second, stopping the spread of diseases from our IoT patient zeros isn't enough. If you can't rely on these devices to remain secure by themselves, you can use security policy to create a new kind of visibility. By defining devices' legitimate operations, we can increase our ability to detect and respond when an attacker uses them in a way that breaks that policy.

Taking these steps is particularly challenging for embedded systems because they often run on stripped-down operating systems designed for maximum speed and minimum functionality. Unfortunately, this isn’t likely to change, because IoT consumers demand inexpensive solutions (remember, connected light bulbs must compete on price with normal light bulbs).

If directly monitoring embedded systems themselves will be challenging, we can still protect our networks by focusing on the devices to which they are connected. This won't eliminate intrusions, but it would help us respond and contain intrusions quickly and minimize the damage they cause. 

Ultimately, we must develop more secure IoT platforms, and customers can have some influence on this by choosing secure products and holding developers to account. But these are both long-term efforts. In the meantime, segmentation and visibility — both on IoT devices and on the devices they connect to — are our best tools for managing the threats created by the expanding attack surface of IoT devices. This will help prevent our devices from being subverted into criminal botnets and help intruders seeking to use them as a launchpad into our most sensitive systems.

Related Content:

Dark Reading's all-day virtual event Nov. 15 offers an in-depth look at myths surrounding data defense and how to put business on a more effective security path. 

As head of cybersecurity strategy, Nathaniel is responsible for thought leadership, public engagement, and overseeing Illumio's security technology strategy. Nathaniel is a regular speaker at leading industry events, and his writing has appeared in industry publications, the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVE-2019-8424
PUBLISHED: 2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVE-2019-8425
PUBLISHED: 2019-02-18
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVE-2019-8426
PUBLISHED: 2019-02-18
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
CVE-2019-8427
PUBLISHED: 2019-02-18
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.