The past few days have once again pushed that cybersecurity staple the DDoS attack (yawn) into the spotlight. First Brian Krebs suffered what was widely trailed as the ‘biggest attack ever’, topping out around 620Gbps, and then a French hoster claimed it was submerged by an attack topping 1Tbps. The interesting point of the second attack is that it’s said to have been carried out by an IoT botnet.
What does this mean for organisations across the globe? You’d better start budgeting for extra spending on DDoS mitigation services. I spoke to Arbor Networks principal engineer, Roland Dobbins, to find out more.
IoT botnets are nothing new, he claimed. In fact, for several years they’ve been used not only to launch DDoS attacks but also to send spam, launch MitM attacks and more. Even as recently as August, experts reported an IoT botnet used to try to take organisations affiliated with the Rio Olympics offline prior to the Summer Games. Other examples include cyber extortionists trying to take gaming networks offline.
So exactly why are these embedded computing devices so attractive to cybercriminals?
“Because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code,” Dobbins told me by email.
“A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities – indeed, many vendors of such devices do not provide security updates at all.”
Another problem is that IoT devices – which can range from webcams and DVRs to set-top boxes – aren’t typically things a user spends much time in front of, so it might not be obvious they’re being exploited, he said.
“There are tens of millions of vulnerable IoT devices, and their numbers are growing daily; they’re generally always turned on; they reside on networks which aren’t monitored for either incoming or outgoing attack traffic; and their networks where they’re deployed often are high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device,” explained Dobbins.
So what can be done to mitigate the risk to businesses?
Best practice includes hardening network infrastructure, improving visibility into traffic and having adequate DDoS mitigation capabilities – none of which is going to be cheap, unless you’re lucky like Krebs and get protected by Google’s Project Shield.
“In particular, ISP and MSSP network operators should ensure that they participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks, as well as request assistance as circumstances warrant,” Dobbins told me.
It’s also important for operators to measure DDoS attack volumes against their baseline for normal traffic so as not to over- or underestimate attacks.
“This is vital when determining which DDoS defence mechanisms and methodologies to employ during a given attack, as well as in providing accurate information to other network operators in the global operational community,” he concluded.
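One way to size an attack against the normal-traffic baseline described above, as an added example that is not from the original article or from Arbor Networks. The sample rates are constructed, and the function names, the median/95th-percentile baseline and the 3x alerting factor are assumptions.

```python
"""Size a DDoS attack against the link's normal-traffic baseline."""
from statistics import median

# Constructed sample data: inbound rate in Mbps, one sample per minute.
NORMAL_MBPS = [4100, 3900, 4400, 4000, 4200, 5000, 4300, 3800, 4100, 4600]
OBSERVED_MBPS = [4200, 4500, 38000, 61500, 59000, 40200, 4400]


def percentile(samples, pct):
    """Nearest-rank percentile, integer arithmetic only."""
    ordered = sorted(samples)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # ceil(pct * n / 100)
    return ordered[rank - 1]


def baseline_profile(samples):
    """Typical (median) and busy-period (p95) level of normal traffic."""
    return {"median": median(samples), "p95": percentile(samples, 95)}


def size_attack(observed, profile, factor=3):
    """Flag samples above factor * p95 and report volume net of baseline.

    The factor of 3 is an assumed alerting threshold, not a standard.
    Returns None when no sample is anomalous.
    """
    threshold = factor * profile["p95"]
    flagged = [r for r in observed if r > threshold]
    if not flagged:
        return None
    peak = max(flagged)
    return {
        "threshold_mbps": threshold,
        "duration_minutes": len(flagged),
        "peak_total_mbps": peak,                       # what the link saw
        "peak_attack_mbps": peak - profile["median"],  # attack traffic only
        "peak_vs_baseline": round(peak / profile["median"], 1),
    }


if __name__ == "__main__":
    profile = baseline_profile(NORMAL_MBPS)
    print(profile)
    print(size_attack(OBSERVED_MBPS, profile))
```

Reporting the peak net of the median baseline, rather than the raw link rate, is what keeps the figure shared with other operators from overstating the attack.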
Stopping the attacks as they are fired out is all very well, but how about trying to shore up those pesky IoT devices which have become such a boon to cybercriminals? A new architectural approach has been proposed by a non-profit group known as the prpl Foundation. It suggests that a hardware-led approach is key to securing embedded computing devices. Its guidance document is a must-read for anyone interested in IoT security.
It sets out four key elements that are needed to improve IoT security:
Open source software which will improve the quality of code and increase the likelihood of timely security updates.
Interoperable standards to help to drive up the quality of engineering, especially in the connectivity layer which has frequently been exposed by researchers such as Miller and Valasek.
Secure boot based on a root of trust anchored in the silicon to prevent hackers from reflashing the firmware. This could have helped prevent the Ukrainian power outages of 2015 and potentially also SYNful Knock.
SoC virtualisation to containerise each software element running on the chip, keeping critical components safe, secure and isolated from the rest.
The prpl Foundation has already released its own hypervisor and other elements to make its Security Framework proposal a reality. But will the industry go for it?
Up until now the common perception has been that users prioritise usability and low cost over security. But according to a new report on the smart home by prpl, this isn’t the case. It polled 1,200 consumers across the globe and found that 60% thought the user should take control of securing the smart home. What’s more, a plurality (42%) claimed they would pay a premium for more secure devices.
So there it is, IoT industry. Over to you.
Well, the initial brief was based on the web giant missing analyst expectations for Q4 2014. Which it didn’t do by a long way, but there you go. Although it has since bounced back with a storming start to 2015, there’s still enough latitude to ask where the firm might be headed over the next decade. Where are its core strengths, and how will it cope with the slowdown in ad spend, increasing competition from the likes of Facebook, the move of more ad dollars into mobile, and so on?
Google is in a lot of ways a company of two parts: the shiny, innovative, envelope-pushing start-up putting huge amounts of cash into cutting-edge technology projects that could transform the world in years to come; and the cash-hungry advertising behemoth. The problem it has is that the former relies on revenue from the latter to continue, although this is declining. The key, I think, will be Google’s ability to pull in more revenue from new streams going forward.
One of these will be video.
“I think for Google YouTube will remain a key strategic play and over the long term a strong source of revenues. YouTube combines two major digital advertising channels into a single location – search and video,” Ovum analyst James McDavid told me.
“Ovum’s forecast data shows that search is still the single largest segment of digital advertising spending but video is the fastest growing. Google having market leading plays in both sectors bodes pretty well for their future.”
Another key area is likely to be mobile, and Android is well placed with a market-leading share. Google has a great opportunity to increase sales of services, ads, licenses and devices as well as peeling off a healthy cut of app sales. Only the huge market of China, where Play is locked out, and the potential fragmentation of the OS, threaten it here.
Quocirca founder Clive Longbottom agreed that Android represents Google’s best opportunity platform-wise going forward.
“Chromebooks have been a bit of a disaster: a hell of a lot of work is required to make Chrome into an OS that works effectively and brings all the other Google services together in a way that really works,” he told me.
“Android, however, has been a runaway success – it is probably better for Google to concentrate on Android as the OS with a Chrome layer on top in a looser way than it has tried to date.”
I’ve only just had time to scratch the surface here; there’s also a great opportunity in cloud services, IoT and wearables and more for Google. It’ll just be interesting to see how it gets there – and whether any others can realistically challenge the Mountain View giant over such a wide sweep of product and service areas in the future.