Last month a vast distributed denial of service attack was launched by a group that marshalled 500,000 network-connected devices, including IP cameras and DVRs, using Mirai malware. The first stage of the attack was the creation of an army of botnets which subsequently flooded popular websites, including Twitter, with DDoS traffic at volumes that crashed servers.
Particular products with basic default passwords have been called out for their involvement but there’s a much larger issue here – it’s the clear vulnerability of all network-connected devices to attack. Running parallel with this is a tidal trend towards driving security systems of all types from mobile devices – a trend that’s driven by changes in the way we all consume information and interact with layers of system functionality.
There are a number of responses we might see in the future as a result of these attacks – the worst of which will be an increase in the siloing of electronic security solutions in subnets. The creation of networks that are not connected to the internet is relatively common in very high security government applications but there are vulnerabilities here, too, given such systems are assumed to be immune to back-dooring and may be policed less vigorously. In the wider market, turning away from WAN-based control of security systems denies users the full power and flexibility of remote management of solutions.
Instead what’s needed is remote management of systems that have been commissioned using the most capable security settings possible. This includes encryption of VLANs, as well as ensuring the security settings of mobile devices are maximised. Something else that needs to be taken into account is the need for ongoing security with established solutions. Passwords need to be maintained, suspicious traffic investigated and white hat attempts to breach systems must be employed to uncover weaknesses as they develop in the face of new software.
Last month, the former head of the Australian Security Intelligence Organisation, David Irvine, said he wanted to see a much stronger national cyber security industry. According to Irvine, “when you put cyber on top of (terrorism), it takes a bit of time off your sleep at night. The 2 issues have grown exponentially within a couple of decades and while the nature of the threats is the same, the vector has changed. And cyber is a new and very potent vector.”
Amplifying the threat are reports that some Australian government departments are failing to test their network security measures regularly, while at the same time, the operational functionality of organisations has become more dependent on networked resources, a fundamental that increasingly extends to their self-defence. Less is known about private sector cyber security preparedness but it’s a fair bet there’s considerable inconsistency. IT departments are increasingly starved of funds, and time-consuming security upgrades are sure to fall victim to the lassitude of over-extension.
The challenge for security managers, consultants and manufacturers of networked security solutions large and small, is working together to create a symbiotic ecosystem in which ongoing collaboration ensures the fastest response to threats. A key part of this is engendering a culture of not only sharing, but security awareness – and by this I mean an extension of the threat profile security professionals take into account instinctively, from physical spaces into cyber spaces.
Something that’s heartening is the fact the IT security industry has been recognising and responding to cyber security threats for decades and in many cases, the defensive tools required to make systems safer and to detect attempted breaches already exist. What does not exist widely, however, is the awareness and will to ensure networked security solutions are secure from end to end. This needs to change, and fast.
By John Adams