The DDoS That Came Through IoT: A New Era For Cyber Crime

A New Era for Cyber Crime

Last September, the website of a well-known security journalist was hit by a massive DDoS attack. The site’s host stated it was the largest attack of that type they had ever seen. Rather than originating at an identifiable location, the attack seemed to come from everywhere, and it seemed to have been driven through a botnet that included IoT-connected devices like digital cameras. This was something special and unusual, and a stark warning about the future of cyber warfare.

The attack was so large and relentless that the journalist’s site had to be taken down temporarily. The exercise of fending off the attack and then repairing and rebuilding was extremely expensive. Given that the target was a writer and expert on online security and cybercrime, the attack was not only highly destructive but also symbolic: a warning to security specialists everywhere that the war has changed.

Chris Sellards, a Texas-based Certified Cloud Security Professional (CCSP) agrees. He points to the sheer volume of IoT connected devices – a number that is growing exponentially, with Gartner forecasting 6.4 billion devices to be connected this year.

PC users have become a little more sophisticated with regard to security in recent years,” Sellards says. “They used to be the prime target when creating a botnet and launching DDoS attacks because they rarely patched their systems and browser configuration settings were lax by default. However, with automatic upgrades and an increased use of personal firewalls and security apps, PCs have become a little more of a challenge to penetrate. Attackers almost always take the path of least resistance.”

Consequently, IoT devices have become the new playground. They are the new generation of connected machines that use default passwords, hard coded passwords, and inadequate patching. The rush to make everything IoT compatible and affordable leaves little time or incentive for manufacturers to build in sophisticated security layers. In addition, there is an innocence factor at play. Who would ever suspect their digital camera, fitness tracker or smart thermostat of being an accomplice to cybercrime?

future-iot

Sellards points out that one of the most interesting aspects of the attack was that GRE (Generic Routing Encapsulation protocol) was used instead of the normal amplification techniques used in most DDoS attacks. This represents a change in tactic specifically designed to take advantage of the high bandwidth internet connections that IP based video cameras use.

These developments have experts like Sellards worried, given the huge – and growing – number of IoT devices that form part of the nation’s critical infrastructure. “”If default and hardcoded passwords can be compromised to install Malware that launches DDoS attacks, they can also be compromised to launch more nefarious attacks with significantly higher consequences,” he says. It shows IoT installs are insecure and not hardened. They are exposed to the Internet without firewall filtering. “All best business practices we’ve spent decades developing have gone right out the window.” 

IoT in general represents a fascinating new chapter in convenience and communication for businesses and consumers alike. But as all security experts already know, the bad guys never rest. The way in which they discovered and exploited both the weaknesses and the built-in features of IoT shows a creativity and dedication that must never be ignored. Thus the value of a CCSP having a seat at the Executive table has just increased exponentially.

For more on the CCSP certification from (ISC)2, please visit their website. Sponsored by (ISC)2.

By Steve Prentice

Kevin Julian

Patients Increasingly are embracing technology, and so must the pharmaceutical industry

Patients Increasingly Embracing Technology COVID-19 has driven home the need to use digital solutions more broadly, which means C-Suites may be turning to their CTOs for advice As lockdown restrictions went into effect due to ...
Sangeeta Chhabra

Why ‘Cloud’ Should Be A Skill In This Age of Automation

The Age of Automation It is astonishing how the world around us is changing rapidly. More and more companies are now planning their move to the cloud and revamping their business models. Cloud computing has ...
Jeremy Cioara

Demand for Cloud and AI Skills Continues To Increase

Demand for Cloud Skills Increases Thinking about adding more cloud skills to your repertoire? Stop thinking. The time to do it is now. For IT professionals, cloud computing skills are becoming an essential resume item.  ...
Juan Pablo Perez Etchegoyen

7 Security and Compliance Considerations for Cloud-Based Business Applications  

Security and Compliance Considerations There’s no doubt on-premises deployments of mission-critical business applications provide more control over data as it resides within the four walls of an organization’s network infrastructure. However, businesses can no longer ...
The Top 20 Machine Learning Startups To Watch In 2021

The Top 20 Machine Learning Startups To Watch In 2021

Machine Learning Startups There are a record number of 9,977 machine learning startups and companies in Crunchbase today, an 8.2% increase over the 9,216 startups listed in 2020 and a 14.6% increase over the 8,705 ...