I’m sure you’ve been following the news the recent distributed denial of service (DDoS) attack against Dyn, a company that hosts DNS zones for many companies. The DDoS attack used the Mirai botnet, which consists of thousands of compromised “Internet of Things” devices, including IP cameras and digital video recorders.
The DDoS attack sent enormous volumes of traffic—most of it not DNS—to Dyn’s name servers, overwhelming them and rendering them unable to respond to legitimate queries. The result was that many of Dyn’s customers were unreachable from the Internet, including high-profile companies such as Twitter, Amazon, Netflix and Reddit. Here’s what enterprises in UAE need to do to survive the next big cyber attack.
The Dyn attack is a wake-up call to the world – not just to DNS providers, but to all parties involved, including the DNS community, Internet of Things (IoT) device manufacturers, businesses and consumers. The sheer volume of traffic involved and huge number of web sites affected may make the Dyn attack seem overwhelming, but the truth is, by following some simple best practices, we can not only survive attacks like this, but also reduce their size and scope.
Get back to the basics: 3 best practices
1. Build in redundancy. Many companies rely on a single DNS provider like Dyn, leaving them vulnerable to attacks. Instead, businesses need to either deploy some on-premises appliances that can serve as external authoritative name servers – the servers that advertise their DNS data to the Internet – or bring in a second DNS provider. This is no different from ensuring that your company has redundant connections to the Internet. If one set of name servers goes down or is attacked, companies will still have name servers available. Making the external DNS infrastructure more heterogeneous ensures that companies are not putting all of their eggs in one basket.
2. Mix it up, manufacturers. IoT devices are here to stay, from cameras to thermostats to fitness trackers. And traffic from IoT devices will continue to grow. But many IoT devices are inherently insecure from the get-go. Why? Many manufacturers sell these devices with the same default administrator password, which consumers rarely change. Or even if they want to change it, sometimes they can’t figure out how to do it. Either way, attackers have access to a vast network of devices from which to launch DDoS attacks. Simply put, IoT devices cannot be sold to consumers without some basic security measures, starting with unique, randomly generated passwords for each device.
3. Lock it down, consumers. In general, we have a terrible track record when it comes to protecting our information with passwords. The majority of passwords consumers use are easily guessable. We have to try harder. The same goes with Internet-connected devices. Consumers must be savvier about changing the default passwords on everything including cameras, DVRs, routers and printers. And, device manufacturers, in addition to providing each device with a unique preset password, must prompt consumers to create more sophisticated passwords and make it more intuitive for people to be able to do it. Finally, an attack should be a reminder to consumers to check the security of their devices: to make sure passwords aren’t easily guessable, and that devices have been upgraded recently to versions of code without known vulnerabilities.
Take Action Now
Gartner projects there will be 26 billion IoT devices installed by 2020. That’s more than three devices for every person on the planet. A survey Infoblox conducted of 400 IT executives revealed that although 75% of businesses already have Internet-connected equipment on their networks, 35% say they’re not ready to support IoT yet. Even more eye-opening is that we found that nearly 60% of IT professionals say they’re not doing anything to prepare for the impact of IoT. Do we really want to be ruled by toaster and refrigerator overlords? The IoT threat isn’t even the future – it’s already happening, as demonstrated by the Dyn attack. Implementing best practices for IoT device security must be a top priority for all of us.
(Cricket Liu is one of the world’s leading experts on the Domain Name System (DNS), and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an Internet consulting and training company, Acme Byte & Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including “DNS and BIND,” one of the most widely used references in the field, now in its fifth edition. He is the owner/inventor of 10 DNS/IP address management patents within the US.)