JD Supra: Understanding the DNS Attacks: Convenience v Security

Understanding the DNS Attacks: Convenience v Security

by K2 Integrity

K2 Intelligence - Investigations · Compliance Solutions · Cyber Defense

What Is Dyn and What Does It Do?
Dyn, a cloud-based internet performance management company, monitors, controls, and optimizes applications and infrastructure in order to get web traffic delivered faster, more safely, and more reliably. Among other things, it provides DNS (Domain Name Systems) services to thousands of websites rerouting internet traffic to the correct destination. Dyn provides high-caliber services to mega-sized companies active on the global internet stage, like a Twitter or a PayPal. Last week it fell victim to a series of denial-of-service-attacks, or DDoS, which occur when hackers flood the servers that run a target’s site with internet traffic until it stumbles or collapses under the load. The attacks did not affect the websites themselves, although they did block or slow down user access to those sites. What resulted was disgruntled consumers, retailers unable to process PayPal payments, and Twitter users unable to easily complain about it.

How Did This Attack Happen?
While the attack is still under investigation, initial reports indicate that it was part of a genre of DDoS that infects Internet of Things (IoT) devices, such as webcams, DVRs, routers, smart TVs, tiny cameras, and even smart refrigerators, with malware. The malware turned those IoT devices into part of a botnet army, driving malicious traffic toward a given target, in this instance Dyn’s servers. Since these specific types of attacks, up to now, have been relatively infrequent, the management of such risk has not been deemed to be a priority investment. But while these types of attacks are common, there is evidence that they are becoming more powerful, more sophisticated, and increasingly aimed at core internet infrastructure providers. Equally important, however, is the great unevenness in how companies address security, both internally and in connection with third-party relationships. Until this changes, we cannot begin to effectively mitigate the third-party risk highlighted in the Dyn attacks. To compete today, the modern company increasingly relies on third parties and their systems in order to operate more efficiently. How much time and energy does your firm spend “trusting but verifying” the security practices of the third parties you rely on?

Wasn’t There a Way to Flag and Stop the Illegitimate Traffic?
Not easily. With so many IoT devices, it is extremely difficult to correctly flag illegitimate traffic without incurring frustration among real consumers. Yet the need for anomaly detection and stronger authentication methods does exist. Specifically, authentication models such as the challenge-response authentication used by air traffic control have existed for years and have been proven to mitigate risk. Stronger cryptographic protected networking protocols and authentication, secure development regulations for IoT devices, and even emphasizing the need to simply change the default factory-installed password on your smart watch, are also steps that can be taken. But these are difficult to deploy on a large scale—adoption takes time and varies from person to person, and country to country, around the world.

Is the Internet of Things to Blame?
Our continued desire for convenience afforded by the IoT certainly is a contributor and may be overshadowing our security needs. We are all living in a digital age where consumers and companies alike all want these devices. The here-and-now, out-of-the-box, ease-of-use they afford at times results in numbness and complacency when it comes to understanding that these are computers. And the same protocols one follows with a computer—such as proper password management—need to be followed on your IoT devices. Particularly for lower-priced options produced within countries known for their cyber crime expertise.

So, Can This Happen Again? What Can We Do Now?
Yes, this can and probably will happen again. Truth is, this attack type is not new. What was new was the scale of the attack. So what should we do?

Understand what your online digital footprint looks like. This is just as important for an individual as for a company. Knowing this can help to prevent others from exploiting you.
Understand how you look in the eyes of the hacker, and diminish or secure your assets. In last week’s attack, private citizens were used in the attack chain. The accessibility of our assets directly impacts infrastructure exploitation. If we protect our assets, we are less vulnerable.
Preparedness is the best predictor of how quickly and effectively a person or a company will recover from an attack. Sadly, cyber hygiene, prior to an incident, is overlooked and under-budgeted. How long does it take to change a password?
Consider having a third party conduct quarterly and annual security assessments to see how many sensitive applications you have and how much of your data is exposed. Then verify the resiliency of your company by simulating attacks.
Develop strong ‘Bring Your Own Device/IoT’ security protocols for your workplace. Doing so will minimize your enterprise risk.
Evaluate all third-party providers and partners connected to your company for their security both at the outset and on an ongoing basis to mitigate the risk of attack, breach, or business interruption.

Security is a business enabler. A dollar spent before an attack prevents you from spending thousands of dollars in response to an attack.