06/18/2019 | Press release | Distributed by Public on 06/18/2019 05:15
The famous KrebsOnSecurity blog site was taken offline in September of 2016, following a record 620 Gpbs attack launched by a Mirai botnet. This is a milestone in cyber threats in at least three aspects:
The KrebsOnSecurity attack was soon followed by the second biggest DDoS attack ever (>1Tbps). It was directed at Dyn, a major American DNS provider, in October of 2016. This attack was devastating and created disruption for many major sites, including AirBnB, Netflix, PayPal, Visa, Amazon, The New York Times, Reddit, and GitHub. According to security ratings provider, BitSight, Dyn lost around 8% of their customers after the attack and one can only speculate how much the affected customers lost business during the outage.
So, how was this even possible?
Let's have a look on Mirai (Japanese: 未来, lit. 'future') first. The botnet malware surfaced online in August 2016. Mirai creates a botnet out of compromised Internet of Things (IoT) devices such as cameras, smart TVs, radios, printers, and even baby monitors. To create the attack traffic, these compromised devices are all programmed to send requests to a single victim. The malware spreads to vulnerable devices by continuously scanning the internet for IoT systems protected by factory default usernames and passwords. It is estimated that there can be even millions of IoT devices in a single botnet.
What makes IoT devices so interesting to online criminals?
According to a Radware blog, there are a number of reasons:
The number of IoT devices is growing rapidly and the problem is getting bigger at the same rate. Gartner estimates that the number of installed device units will grow from 11B in 2018 to 125B in 2030. Consumer devices count to more than 60% of all devices - devices which are traditionally more vulnerable.
Enter the Cyber Security Act
To protect the citizens of EU from cyber threats, the European Commission crafted the Cyber Security Act. It was originally proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cyber security in the EU. And since December 2018, it is now a permanent mandate.
In addition, the Cyber Security Act creates a framework for European Cybersecurity Certificates for products, processes and services that will be valid throughout the EU. This is a groundbreaking development as it is the first internal market law that takes up the challenge of enhancing the security of connected products, Internet of Things devices as well as critical infrastructure through such certificates. For the time being, the act is still optional, but could be made mandatory, if the situation does not change for better.
ENISA has also published baseline security recommendations for IoT, which aims to set the scene for IoT security in the EU.
What is the impact of the act?
The benefits are easy to tell. I can think of three topics, where we will see (hopefully) a change for the better:
But I have also some concerns:
If the devices are imported from outside of the EU, how can you tell the certificate is truly valid? What if a manufacturer, which produces the devices outside of the EU decides to fake the certificate and avoid paying for the certification fee? Who will control the imported devices, and can there be sanctions for faking them? Is it even possible to sanction companies outside of the EU? Or is it the company, which imports the devices, who is responsible for making sure the certificates are valid and face sanctions if they are not.
I find it reassuring, that not only the EU is stepping up and improving the situation, but also in many other countries and market areas there are improvements ahead. For example, California passed an IoT cyber security lawin 2018 and it will be in effect the 1st of Jan 2020. And I'm certain others will follow.
Another impressive initiative to improve the current situation came from Microsoft, when they introduced Azure Sphere. Sphere offers a platform to build your IoT solution, with end-to-end protection built in. Microsoft even promises to keep your devices, built on the platform, to receive (security) updates for years to come.
As 451 Research puts it: 'Azure Sphere is the most significant push by a large technology vendor to holistically improve IoT security'.
Innofactor offers many services which help customer organizations in succeeding in IoT projects and making them profitable. With the proven 'IoT journey' methodology, we can help customers in all phases of the project, starting from assessing the skills and abilities of personnel, to validating business models and helping with finding the right IoT strategy. We can help establish processes and secure a path to production-ready services.