When cameras attack the enterprise

This past week we have seen what looks to be the opening salvo of a new cybersecurity weapon. Hackers have been creating botnets for years, usually by harvesting PCs through malware or by using stolen credit card information to create Amazon Web Services (AWS) based Low Orbit Ion Cannons. This past week, that weapon, like a musket, was rendered obsolete. The Dyn attack will go down in the books as a first: the moment when IoT was not only compromised (that happened already, Target, Home Depot etc.) but was weaponized.

There are still questions about who carried out the attack and what the true purpose was. Was this a metaphorical shot across the bow, a warning to the West about the vulnerability of our unprotected infrastructure and the insecurity of our hyperconnected lives? What we do know is that it was a masterclass in automation. The team that put this together could only do so through automation; hacking groups, even government-sponsored ones, are hamstrung by budget and resources. Like us, they rely on automation.

This attack was caused by manipulation of a mass-produced sub-motherboard, a generic piece of technology used in a myriad of personal CCTV systems. With either a common username and password or an easily compromised configuration, these devices were harnessed and focused on making spurious requests to Dyn DNS. In doing so, this swarm slowed, or in some cases cut off, access to sites such as CNN and eBay and applications such as Twitter. In addition, AWS, our most modern piece of invisible infrastructure, was wounded. This attack is already changing the thinking in the highest reaches of government, intelligence and defense. But what are the effects and lessons for Hewlett Packard Enterprise and Aruba's more typical clients?

You may not have been a target of this attack, but you could have been an unwitting accomplice. If you have an IoT device, or even a few hundred, you should consider the implications for both security and liability. We have for years discussed the lack of a central IoT management platform (FYI, we make one, called HPE Edgeline, a converged IoT platform). But in the absence of a management platform, we need a security framework, a policy solution that dictates what any connected device can and cannot do. From a security point of view, that's consistent with Aruba's thinking and even the principles of IoT security as prescribed by OWASP. But now consider the liability issues. What if it's your IoT device that is breached, harnessed and used to attack others? What is your responsibility?

In my next blog I'll cover some of the policy changes customers are making to protect themselves from this new threat. In the meantime, I would humbly suggest you take a look at Aruba ClearPass and ask your local representative for a 30-minute WebEx on its ability both to protect your infrastructure from unsecured IoT and to stop IoT from being weaponized from within your infrastructure and turned on others.