In late October of 2016, a domain name service (DNS), host and Internet management company for 80+ major websites experienced several bouts of distributed denial of service (DDoS) attacks by botnets (short for “robot network”). The end devices were being controlled by a Control Server (CNC Server) not unlike the Droid Control Ships controlling the Droid Armies in Star Wars. The FBI has stated that they do not have any confirmation of a specific group or groups claiming responsibility in the hacker community, but they believe the machines were infected with a variation of the Mirai malware.
This latest attack was a variant of a botnet released online for the hacking community to view and modify the code for personal DDoS attacks and use. This new malware variant targeted Internet of Things (IoT) devices, that in the past consisted of end point devices, such as routers, desktop computers, laptops, and smartphones. More recently, end point devices include a growing number of IP-enabled coffee makers, dishwashers, automated plant watering devices, light bulbs, cameras, and nanny cams, most of which will have default passwords configured.
Since a lot of these devices are designed for the consumer market, their security capabilities and skill of the operators are usually inferior to devices designed for the enterprise. To give you an idea of the magnitude of this problem, in 2012, Cisco Systems was projecting over 50 billion connected devices by 2020. Their most recent projections are calling for 500 billion connected devices by the year 2030! That’s a 900% increase in 10 years! Imagine the number of possible exploits that will exist and the power that these combined devices will direct at disrupting commerce and even governments. But this isn’t the only security concern growning exponentially.
If you’ll allow me to geek out for a moment, let’s look at IPv4 versus IPv6 address space. Introduced in late 1970’s, IPv4 has a limitation of 4.3 billion IP addresses (2^32). This limitation directly contributed to the creation of IPv6 in the late 1990’s. IPv6 took IPv4 from 32 bits to 128 bits (2^128), 340 undecillionths (340,282,366,920,938,463,463,374,607,431,768,211,456). More accurately, the usable public address space is 2^125, since the IANA has only released a portion of all IPv6 available addresses. As the author of Future Crimes, Mark Goodman, put it, “To try and make sense of such a large number, there are only 10^19 grains of sand on all the beaches of the world. That means IPv6 will allow each grain of sand to have a trillion IP addresses.”
What does this massive influx of devices and enormous potential of IP address space availability mean to us in the IT industry tasked with securing the network? It is no longer going to be sufficient to think about securing the network with only a firewall coupled with point products. Security professionals must shift their thinking to consider a comprehensive security architecture that will help avoid any of the black holes that currently exist in today’s networks. Tomorrow’s data protection and network security solutions need to be tightly integrated and dynamically responsive.
It is going to be more and more important to increase the visibility of data, applications, and users on the network in order to identify malicious and nefarious actors and actions. While endpoint protection is important and has come a long way in the last couple of years, the ability to scan, dissect, identify, and enforce policy of traffic anywhere on the network in real time will be critical. And, since the current trend would indicate that the pace at which devices are brought online will outpace that at which security is implemented into IoT devices, we believe this problem will only get worse. Now, does anyone know how to write endpoint protection code for the new coffe machine? I’m getting one for Christmas.
About the author:
Derrick Whisel has worked in IT for over 20 years, with extensive experience in project engineering, management, scoping, budgeting and design. He began his career in the military, and after being honorably discharged as an IT2 Second Class Petty Officer, moved into the private sector where he now works as a Security Solutions Specialist for Internetwork Engineering. Connect with Derrick on LinkedIn.