On October 21st 2016, Dyn, the company that controls much of the internet’s domain name infrastructure, fell victim to one of the largest DDoS attacks ever seen. Reaching an estimated 1.2 Terabytes per second at its height, the attack brought down large sections of the internet in the US and Europe, including Twitter, Netflix and CNN, for most of the day.
DDoS has been an effective weapon of choice for state hacktivists and organized cyber-criminals operating on an industrial scale for well over a decade; with botnets and all manner of malware now available to buy or rent from the Dark Web equivalent of eBay at knock-down prices, virtually anyone can become a hacker for just a few Bitcoins. What makes this particular attack stand out is that the “Mirai” botnet that was used involved thousands of compromised security cameras and other IoT devices that are now widely deployed in our homes.
While the consequences of the attack were bad enough, some of the obvious questions that we need to ask are: if it is so easy for hackers to control our CCTV cameras in this way, how secure are the rest of our internet-connected devices, and could they also be used to threaten our cybersecurity, particularly our personal and financial data when online at home?
The short answers are “not very” and “definitely yes”. As the recent WikiLeaks revelations have shown, if a device is connected to the internet it can be easily hijacked for multiple nefarious activities, including spying and eavesdropping on our everyday lives or as a backdoor to access our personal and business data on our laptops and tablets – and that’s just what we know about!
Nevertheless, IoT is forecast to be one of the fastest growth markets over the next few years as we all rush to be the first with the latest internet-connected fridge and smart TV. According to a 2017 Juniper report, there will be 46 billion IoT devices deployed globally by 2021. This means that we could be sleepwalking into a potential security nightmare unless we all start to apply the same cyber-protection controls at home that most businesses consider essential for their corporate networks.
A good start would be to ensure that, whenever we install the latest connected ‘gizmo’, we at least remember to change the manufacturer’s default password before it is activated. I am sure that this could be made mandatory without too much difficulty even for the least tech-savvy among us.
However, while this may provide a barrier for some hackers, for the more determined it is unlikely to be more than a minor inconvenience. With price pressures making it unlikely that the manufacturers will want to add security costs to their devices, it will be down to users to ensure they are not leaving the door wide open to anyone with a laptop and the latest, widely available attack tools.
To make it more of a challenge, what is needed is more granular, industrial-strength control over the general internet traffic coming into our homes at the point of access. While we probably have anti-virus software and some basic firewall functionality running on our laptops and tablets, it is unlikely that our routers are doing much more than acting as a wireless hub for all the family’s other connected devices.
In the corporate network environment, any traffic to and from the internet and cloud services will, hopefully in most cases, be subject to deep packet inspection at least at the network edge, and likely at various subnet layers as well, to check for and block the latest malware attacks. So why do we accept less protection for our home networks?
The problem for the home user is that these next-gen firewalls and IDS/IPS systems are not only expensive but require specialist knowledge and skills to keep them up to date. With new vulnerabilities being discovered almost on a daily basis, managing these systems is a full-time task even for the most skilled enterprise IT security managers.
Up until now the major security vendors have largely ignored the home market, presumably on the basis that there is not enough appetite amongst consumers for this level of security and that the prices would need to be significantly reduced to generate sustainable volumes.
While there are welcome signs that things are moving in the right direction, there is some uncertainty around how these devices will be kept up to date with the rules and policies needed to keep pace with the hacker community’s ability to produce new exploits and malware.
So far so good, but to be truly effective the next stage is to ensure that the management and maintenance issue is addressed on a 24/7/365 basis so that the typical home user can be sure that their cyber-protection is fully optimized.