Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
The large scale DDoS attack on DYN last week interrupted access to many major web sites, and while the specifics of the attack have been widely analyzed, here are the important lessons learned:
* DDoS attacks are alive and well: A few years ago DDoS attacks were hot news, but reports died down as the focus shifted to news about social engineering attacks, large scale data breachs and insider trading schemes. DDoS attacks seemed like yesterday’s risk but they are very much alive and well. In fact, they are back and stronger than ever.
Consider that the average size DDoS attack used to hover around 5Gbps. In the past month alone, aside from the attack on DYN, there have been two attacks over 500Gbps. An attack on hosting provider OVH was estimated at 1Tbps, while another against Krebs On Security was estimated at 620Gbps.
This attack also demonstrates the tools available to bad actors. The Mirai source code, which appears to have been used in the DNY attack, is actually publicly available and fairly easy to obtain.
* The IOT bots are against us! We’ve all seen the movies where the robots turn against us. In the movies they are out to kill us, but this hack demonstrated they can, at the very least, be corrupted to kill our Internet. The DYN attack weaponized IOT devices such as cameras and routers with weak passwords. The general population, it turns out, fails to view IOT devices as “connected computers” and never considers changing the default credentials of their connected devices, making the devices vulnerable.
We as purchasers, need to start viewing these devices as computers themselves, both for our own protection and the protection of the Internet. In fact, this attack may serve as the trigger for new standard setting and government imposed regulation regarding required security measures for IOT devices.
* Infrastructure may be more vulnerable than we assumed. While there has been a lot of security research surrounding the protection of our government’s infrastructure, the infrastructure of the internet itself has flown relatively under the radar. The recent attacks against hosting provider OVH and DYN, demonstrate where the hackers are looking, and prove just how efficient attacks against such companies can be. As a result, security experts may need to take a wider view when addressing the security of our infrastructure.
* Lost income is a real possibility. As was just demonstrated, sophisticated hacks can cripple the internet. Luckily in this case it was for a relatively short period of time. But large organizations stand to lose hundreds of thousands in lost income for an interruption lasting just a few hours.
One of the primary insuring agreements within a cyber insurance policy, is coverage for lost income. That coverage can vary. While this may not be an obvious takeaway from the recent string of events, it’s important to note the following: Many purchasers of cyber policies may assume that lost income from such an event would be covered, however in most cases that assumption would be false.
Policies generally require 1) that such an attack affect a direct business service provider for which a contract agreement exists, and 2) that a “time deductible” be elapsed. In most cases that deductible is 24-72 hours. So organizations purchasing coverage with the hopes of affording themselves some level of protection against attacks such as the DYN attack will likely be out of luck.
Unless you are a company such as DYN looking for coverage for yourself, or your contracted business provider is affected for a prolonged period, insurance coverage is likely not a sufficient tool for risk mitigation. Cyber policies are still a wise investment, but purchasers should understand their limits. In order to protect themselves, organizations should take other precautious, such as implementing continuity plans for attacks which cripple a particular supplier/partner. Just as manufacturers have backup suppliers, companies that are heavily reliant on their tech providers should also have backup plans in place.
This story, "Lessons learned from the DYN attack" was originally published by Network World.