In these attacks, thousands of computers are turned into an arsenal converging on a single network, overwhelming it with traffic. Today, any electronic device connected to the internet can be used in a DDoS attack — smart refrigerators, thermostats, home security and lighting systems, even baby monitors.It’s a strange picture — commandeering a legion of smart devices to do battle as botnets against a target organization’s network and systems. But this is exactly the scenario that recently took down an internet services company that routes and manages internet traffic.
Army Of Invaders
Like humans turned into zombie-like White Walkers on “Game of Thrones,” 100,000 internet-connected devices were infected with malware and ordered to attack. The result prevented millions of internet users from accessing the websites of more than 70 online companies for about two hours.
Such assaults can be devastating for businesses that generate income through online customer-facing services. The Ponemon Institute pegs the average cost of a DDoS attack for a company at $1.7 million. The bulk of this expense ($517,599) comes from lost services. Other costs include technical support ($414,128), lost productivity ($229,071), disruption to normal operations ($346,062) and damage or theft of IT assets and infrastructure ($199,201).
Hackers’ motives in launching cybersecurity attacks are evolving. They include shutting down networks and reaping illegal financial gains. Hackers are cognizant of the time it takes for IT security to battle the attack, leaving the door temporarily open to corporate data.
Turning smart devices into DDoS botnets is the latest scourge. Unlike corporate computer networks and systems with sophisticated firewalls and flow analytics tools that redirect traffic in response to an attack, connected devices such as baby monitors and washing machines generally have poor security, their endpoints protected by little more than inexpensive, off-the-shelf Wi-Fi routers.
Hackers are well aware of the vulnerabilities, not to mention the opportunity presented. As the number of connected devices rapidly increases from roughly 23 billion to an estimated 50 billion by 2020, the number of potential weapons for a DDoS attack more than doubles.
A multipronged defense strategy is needed to combat DDoS attacks. Vendors of the semiconductors, sensors and other components used in connected devices must upgrade security, according to Broadband Internet Technical Advisory Group. And companies that embed these devices must commit to buying only the most secure ones.
Endpoints on the IoT must be protected by next-generation firewalls with enterprise-level protections as the data flows into the internet. The use of a separate network segmented from the current one will add an extra layer of protection if the device is breached. The U.S. Justice Department also recommends that device users create complex passwords and keep the software current, implementing upgrades and patches the instant they’re issued.
As for limiting network losses from a DDoS attack, security experts recommend geographically dispersing systems so as to reduce the surface attack area. The idea is to put servers in different data centers located on different networks, making it tougher to topple the entire network.
Over time, IoT-related cyber threats will continue to evolve. But the positive results that business and society gain from the use of any new technology can outweigh the bad.
“Growth is being driven by the potential to increase efficiency and improve business outcomes by collecting better data about things in the workplace,” said Larry Ponemon, founder and CEO of the Ponemon Institute. “To ensure that security risks do not outweigh the benefits, new strategies that holistically consider risks in the organization’s entire IoT ecosystem are needed.”