The Dyn DDoS Attack: Two Key Lessons for Cyber Security
Satyamoorthy Kabilan
Senior Executive Partner at Gartner | Strategic Advisor & Network Builder | Innovation & Transformation Leader | Security & Resilience Expert |
Over the course of several hours on October 21st, 2016, access to a number of major internet sites were disrupted for several hours, including Twitter, Paypal and Spotify. This was the result of a massive Distributed Denial of Service (DDoS) attack on Dyn, an Internet infrastructure company in New Hampshire. Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet.The DDoS attack blunted the ability of the DNS address book to work by swamping it with massive numbers of requests, resulting in the inability of users to connect with the servers of the companies which utilized Dyn's DNS services.
The motivation and identity of those responsible for this attack is being investigated and there will certainly be a lot to learn from this event. For me, there are two immediate lessons that stand out when it comes to cyber security today:
1. Cyber security needs to be embedded into the IoT.
One very interesting fact to emerge from this attack was that it seemed to have used hijacked devices such as webcams, as the basis for creating a massive botnet. Essentially, the attackers hijacked poorly secured Internet of Things (IoT) devices and turned them into a potent DDoS weapon. While individual IoT devices may not have much power or capability on their own, bringing together a large number of them changes the picture significantly as this attack seems to have proven. A lot has been said about the need to secure the IoT and much of the debate tends to be centered around protecting the owners of these devices from breaches and other attacks. But there is a bigger problem here as unsecured IoT devices can have a large impact when they are hijacked and used as a massive botnet. This is yet another reason that we need to ensure that cyber security is not an afterthought when it comes to the IoT and connected devices of the future. It's not just about our own cyber security, it's about everyone's cyber security.
2. Your biggest cyber security vulnerability may be your dependencies.
Organizations can end up spending significant amounts on cyber security and on ensuring that customers are able to access their on-line services reliably. But what happens when your organization is dependent on a third party to ensure that the connection to your customers works? It means that no matter how much you spend on your security, a key potential area of vulnerability will remain out of your control. This DDoS attack was targeted at Dyn, not at any of the organizations that suffered an outage as a result of the attack. When we look at our cyber security posture and vulnerabilities, are we considering the impact from third parties outside our control that play a critical role in connecting us with our customers? Any provider which we are dependent on to provide a reliable service needs to be part of our cyber security considerations.
October happens to be Cyber Security Awareness Month in a number of countries across the world and these are certainly two timely lessons that we need to learn now. We can no longer think of IoT security as someone else's problem because it can affect us all. And we need to factor in our dependencies, especially those outside of our control, when we assess the risk to our systems from a cyber attack. Unfortunately, I am certain that there will be more lessons for us to learn in this rapidly evolving landscape in the coming months and years.
Transaction Quality, Process Design and Reengineering, Business Excellence, Training and People Development
7yI'm currently reviewing online material on Cyber Security as part of the modules I would like my staff to take next year. This is very informative, especially for us working in the service industry. Currently, I'm basing my material on online resources with curriculum on Cyber Security basics like those in Career Academy http://bit.ly/2f9m48l and some other materials. Adding this to my resources should cover a lot more ground on what I wanted them to learn. Thanks for the resource!
Advisor | Chief Revenue Officer (CRO) | Chief Visionary Officer (CVO) | Pioneer of Managed Security Assurance Provider (MSAP) | Channels & Alliances
7yLicensing IoT creates other challenges, if it is connected to the internet it has a IP Address and a digital license can be dropped on it to increase functionality, subscriptions to update firmware or to patch the device. CEO, Zodiac Business Licensing Entitlement Cloud
Advisor | Chief Revenue Officer (CRO) | Chief Visionary Officer (CVO) | Pioneer of Managed Security Assurance Provider (MSAP) | Channels & Alliances
7yIoT certainly will bring about challenges for security of the device but more so the transmission of information and how it is delivered. CEO, eMailGPS, Inc. Security Awareness
Director of Customer Sustaining at Readymode
7yIf it takes conscious effort to secure software functions, it will almost always take a back seat to functionality and price. We in the world of developer software must take on the burden to ease security enablement within software created using our tools.
Advanced B2B content marketing writer and journalist in the cybersecurity niche | I understand technology. | research skills | independent contractor | You want a voice with decision-makers, and I speak cyber. © ™
7yUnfortunately, there is no simple solution. Most businesses trying to get a new product off the ground must first be concerned with usability, time-to-market, and price in order to make the product a success. No one wants to take the time and spend the money to secure a product, potentially limiting its usability when these are the very things that may kill it before it can take hold. The coming deregulation will only make it more likely that companies won't secure IoT.