Last Friday’s attacks on the foundations of the internet demonstrate that security continues to be a war with new and ongoing battles, not just a one-click solution.
Global DNS provider Dyn was attacked several times this week, bringing down Amazon, Twitter, and Spotify for several hours at a time. While temporary outages of major sites and services are not unheard of, they’re usually a result of backup failures or misconfigurations and only affect a small subset of users. Compared to these uncommon mishaps, these recent attacks are different in several ways.
First, these attacks are not state-sponsored. This demonstrates that anyone with the appropriate technical knowledge – not just large government security organizations – could be responsible and may even continue unleashing attacks like this in the future.
Second, these attacks target an essential core piece of the internet backbone, DNS. DNS translates human-friendly web addresses such as www.amazon.com or www.google.com to locations computers understand. Unless you want to memorize a frequently changing series of numeric codes for each website or service you use, DNS is essential for using the web.
Finally, and perhaps most significant, these attacks exploited already well-known flaws, such as hardcoded passwords in IoT (“Internet of Things”) devices. Tens of millions of DVD players, printers, televisions, smart home utilities and other appliances were used to attack Dyn. An attacker could sniff random IP addresses for open or vulnerable devices across the entire internet, load malicious software or instructions onto them, and continue to move around the globe even as efforts are put forth to stop the attacks.
This brings up serious concerns for the future of IoT and highlights the need for following best security practices even when developing new and forward-thinking technological solutions. Many services from Fortune 500 companies and general consumer websites went offline several times during the several day attack period. Security mindfulness in an ever-changing tech climate isn’t just a want, it’s a need.
So what can we do to stop this from happening? How can a company be innovative while mitigating such frightening risks? Turns out that while many public services and Fortune 500 company websites were affected by the Dyn attack, there were many services and networks which weren’t… let’s talk about how:
- Keep in mind that these attacks affected public internet sites only. Services that utilized internal and private networks (intranets), rather than the public internet, would not have their services disrupted. Hosting your services on-site, requiring VPN authentication or keys to access, and formalizing user groups and controls are all ways of preventing mass exploitation being possible at all. Basically, if you are not a member of an organization, you can’t get in the network to disrupt it, or even know it exists.
- Data remains king. With custom software, you can see exactly how software is being used. A large-scale IoT solution on a secure network would ideally be able to shut down an attack as soon as it begins. Assuming you had the right data available, you could see where the exploits are originating from and respond much more quickly than if you rely on pre-existing public services.
- Custom-tailored solutions, rather than repeatedly using hard-coded keys and well-known (and exploited) methods to build and secure applications, allow for technologies that can not only cater themselves to the overall vision of an organization, but will also require specialized knowledge in order to exploit. You get more of the good and less of the bad, as well as full control over the solution’s future.
Of course, regardless of the technology path a business chooses, these recent attacks highlight the significance of having a team that follows best security practices and the need for custom and internally driven solutions. The internet might have gone down, but the intranet and custom applications remained up and running. In fact, they didn’t even break the news.