The Dynamic Network Services (Dyn) DDoS attack is the first to widely exploit the Internet of Things (IoT) and puts an exclamation point on the need to fundamentally rethink how we secure IP-based services, applications and infrastructure.
Dyn is a domain name system (DNS) provider. It provides DNS services for some of the largest Web-based companies, such as Netflix, eBay, Twitter, Sony and PayPal. In the Dyn attack, hackers used malicious software called Mirai, botnet code that takes control of Internet-connected devices such as webcams, appliances, security cameras, DVRs, smart TVs, routers, and more.
The botnet exploited poorly configured IoT devices and a flawed DNS system, which allowed these devices to be hijacked and to initiate massive numbers of queries that ended up clogging and disabling access to Dyn’s DNS Internet infrastructure. DDoS was already one of the most popular attacks for hackers, and the IoT is now undoubtedly attracting bad guys as the ultimate delivery vehicle for it.
Some critics point to the need to address the inherent security vulnerabilities of IoT devices, while others advocate improving a flawed DNS system. The reality is that in the short term we need to do both. We need to quickly agree on standards for configuring IoT devices to be more secure, and we need to advocate (mandate) use of the more modern DNSSEC to authenticate connection to DNS servers, making them more secure.
But ultimately it is the way we approach IT security today that is the reason we are not secure. Without getting too technical: in our current IP-based, DNS-centric framework, we operate in an environment where every device is given access to a service before it is required to authenticate. The reality is that we need to change the paradigm and develop solutions that require a device to authenticate first, before it is given access to the service.
While everyone agrees that IT security is broken, and there is growing interest in digital risk management, a proven solution for protecting IP-based services already exists and is in use today by companies such as Coca-Cola and Google, large government agencies such as the DHS, and others.
Software Defined Perimeters (SDPs) employ an authenticate-first approach by securing every connection to a service, application or critical infrastructure. The approach is relatively simple, with each solution engineered specifically to protect a predefined service, application and/or IT environment, and has been proven as 100% effective.
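The authenticate-first ordering described above, as an added example that is not from the original post or from any SDP product: a gateway that ignores every source until it presents a valid signed "knock", and only then accepts service traffic from it. The `Gateway` class, `make_knock` helper, the HMAC knock layout and the 30-second validity window are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 30  # seconds a knock stays valid (assumed policy)


class Gateway:
    """Authenticate-first gate: a source is invisible to the service until it
    presents a valid signed knock. Hypothetical design for illustration."""

    def __init__(self, client_keys):
        self.client_keys = client_keys  # client_id -> shared secret
        self.seen = set()               # (client_id, nonce) pairs already used
        self.allowed = set()            # source addresses granted access

    def handle_knock(self, src, packet, now):
        """Allow src only if the knock verifies; otherwise drop silently
        (the caller sends nothing back, so the service stays dark)."""
        if len(packet) != 4 + 8 + 16 + 32:
            return False
        client_id, ts = struct.unpack("!IQ", packet[:12])
        nonce, tag = packet[12:28], packet[28:]
        key = self.client_keys.get(client_id)
        if key is None:
            return False
        # The tag covers id, timestamp, nonce and the observed source address.
        expected = hmac.new(key, packet[:28] + src.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        # Reject stale knocks and replays of a knock that was already accepted.
        if abs(now - ts) > MAX_SKEW or (client_id, nonce) in self.seen:
            return False
        self.seen.add((client_id, nonce))
        self.allowed.add(src)
        return True

    def handle_connect(self, src):
        """Service traffic is accepted only from sources that authenticated."""
        return src in self.allowed


def make_knock(client_id, key, src, ts, nonce):
    """Client side: build a knock bound to client id, time, nonce and source."""
    body = struct.pack("!IQ", client_id, ts) + nonce
    return body + hmac.new(key, body + src.encode(), hashlib.sha256).digest()
```

Because the tag covers the source address and a one-time nonce, a knock captured on the wire cannot be replayed by the same source or reused from a different one.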
Check this blog next week for an expansion on this idea of authenticate first and changing the security paradigm.