How to survive in the Wild West of the Internet of Things

The Internet of Things (IoT) has arrived, and government agencies are looking to protect themselves from its threats while still reaping its benefits. But with IoT security almost non-existent and standards still far away, what are the practical steps government needs to take to mitigate very real attack risks?

Once the domain of hacktivists that blocked access to government websites to serve political agendas, distributed denial of service (DDoS) attacks have become headline news since they hit the eCensus last year and were subsequently supercharged by a game-changing technology that exploited the runaway growth of the Internet of Things (IoT).

That technology, ‘Mirai’ – a name that, perhaps ominously, means ‘the future’ in Japanese – emerged in late 2016 and sought out and compromised connected devices whose default passwords had never been changed. These were conscripted into a global ‘botnet’ of nearly 500,000 zombie devices, which launched co-ordinated traffic storms against targets including US Internet infrastructure provider Dyn – which, in turn, took down major Internet services including Netflix, Reddit, and CNN.

Mirai exploited an uncomfortable truth about IoT devices: they are generally being built for function over security, then pushed into an unsuspecting market without any way to fix subsequently-discovered security holes. This is less than ideal given the importance of IoT in governments that are increasingly turning to process automation and smart cities based on massive fleets of smart meters, inspection drones, traffic monitors, parking sensors, and more.

With Gartner predicting 8.4 billion connected ‘things’ will be in use this year – up 31 percent from last year and expected to grow to 20.4 billion by 2020 – the explosion of insecure IoT devices represents a clear and present danger to the security of government data and services.

With ‘DDoS as a service’ offerings allowing the launch of massive attacks for around $US20 ($A26) per hour, such attacks offer stunning ROI for hackers who extort businesses with the threat of a DDoS, or who just want to cause problems in a 21st-century homage to Guy Fawkes.

Tangible risks

A Mirai-scale attack on an Australian government department could be catastrophic – which is why the Department of Finance has this year stepped up its search for DDoS protection. Yet DDoS attacks aren’t the only potential abuse of IoT: compromised devices can, for example, be used to distribute malware or run ‘account checking’ attacks that use massive dictionaries to guess online service passwords.

This poses a conundrum for government agencies that have been pushed towards digitisation and IoT by ballooning customer expectations and the Turnbull government’s efficiency agenda – but find themselves vulnerable to a whole host of new and potentially process-killing security vulnerabilities. It is therefore incumbent on government administrators and technologists to develop clear strategies for defending themselves against potential service interruptions from an IoT-driven attack.

Protection is easier said than done. Security standards for IoT devices are still immature and fragmented, with vendors tentatively backing efforts including the OWASP Internet of Things Project, Open Trust Protocol (OTrP), Open Connectivity Foundation, and the local IoT Alliance Australia.

Each of these groups has its own agenda and is still in the early stages. For now, this means that government departments looking for a way to secure their IoT investments are basically on their own.

This is uncharted territory for agencies that, by design or habit, favour governance and predictability over uncertainty and gut feel. Digital-transformation advocates have long pointed out the need for agencies to play a long game when it comes to security, and IoT has brought that challenge to a head.

Treat IoT as a threat

Technologists see effective protection from IoT as requiring a combination of technological controls and outcomes-based risk assessments. Both are based on the idea that, for now, the IoT endpoint is a lost cause.

“There is a rush by vendors to add features and delete cost – and the byproduct is that a lot of IoT devices have been released without any meaningful security controls,” explains Nick Rieniets, senior security specialist for Asia Pacific and Japan with infrastructure provider Akamai Technologies. “So if you’ve got a security camera on your network and you can’t change the password to that camera, it’s going to get infected.”

This means that government agencies must treat all IoT devices as hostile – and must enforce security on the network and applications that interface with those devices. Most agencies have some form of authentication in place, but ageing systems must be updated to recognise the plurality of identities that IoT devices introduce.

Essential eight

The Australian Signals Directorate’s Essential Eight is a good place to start: use application whitelisting and administrative privilege restrictions, for example, to ensure that only vetted applications and users can pass through. Implement and enforce strict access controls to govern which devices can access which applications and data.

Technological solutions must also address the DDoS risk. The dominance of overseas sources for DDoS attacks used to mean that such attacks could mostly be blocked by ignoring overseas data requests. However, the post-Mirai era has seen a growing percentage of DDoS attacks coming from within ‘island Australia’ – which means that government agencies need new strategies for keeping potential DDoS attacks as far from their own networks as possible.

This need is being addressed by cloud-based DDoS remediation services that block the flood of traffic before it gets into the country whilst also detecting and mitigating domestic attack traffic.

It also requires introducing traffic-monitoring systems capable of trawling through mountains of network data to catch botnets ‘phoning home’ to command-and-control servers for new instructions.
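As an added illustration (not from the article or from Akamai), one simple heuristic for spotting devices ‘phoning home’ is connection timing that is too regular to be human-driven. The flow-record layout, thresholds and function name are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, source_ip, destination_ip).
# Addresses are from documentation ranges (RFC 5737); none are real indicators.
SAMPLE_FLOWS = (
    # camera-like device: one connection roughly every 60 s
    [(1000 + 60 * i + (i % 3), "192.0.2.10", "203.0.113.5") for i in range(12)]
    # workstation: bursty, human-driven traffic
    + [(t, "192.0.2.20", "198.51.100.7")
       for t in (1003, 1010, 1190, 1205, 1600, 1611, 1640)]
    # regular but far too few samples to judge
    + [(1000 + 300 * i, "192.0.2.30", "198.51.100.9") for i in range(3)]
)

def find_beacons(flows, min_connections=8, max_jitter=0.1):
    """Return (src, dst, mean_interval, jitter) for pairs with machine-regular timing.

    jitter is the coefficient of variation (std dev / mean) of the gaps between
    successive connections; bursty human traffic scores high, beacons score low.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    suspects = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_connections:
            continue  # not enough evidence; do not flag on a handful of flows
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every flow shares one timestamp; interval is undefined
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects.append((src, dst, round(avg, 1), round(jitter, 3)))
    return sorted(suspects, key=lambda s: s[3])

if __name__ == "__main__":
    for src, dst, interval, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: every ~{interval}s (jitter {jitter})")
```

Regular timing also matches legitimate telemetry such as time synchronisation and update checks, so a hit is a lead to compare against known-good destinations, not a verdict.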

“We need to be using cloud platforms that can mitigate attack traffic without needing to centralise and concentrate it on a single point within Australia or globally,” Rieniets says.

Rieniets argues it is essential to provide both domestic and global protections to achieve a security outcome that does not impact the end user experience. Domestic mitigation is important because it removes network latency, which preserves the end user experience, a high priority for operators. But so too is global mitigation, because it deals with the problem far away from our networks.

Overhaul your risk assessments

Risk assessment is hardly new to government, but departments and agencies embracing IoT need to revisit their risk evaluations to account for the potential threats it poses. Administrators must avoid trying to demonstrate cybersecurity compliance with tick-the-box assessments – something against which prime ministerial cybersecurity advisor Alistair MacGibbon has repeatedly advised – and which is technologically impossible anyway due to the current lack of IoT security standards.

For now, this makes IoT cybersecurity something of a Wild West – which is not somewhere that most administrators like to be. This means risk reassessments must focus less on technology standards and more on weighing up potential risk to key online services. This may manifest as financial losses, service interruption, and citizen inconvenience, or other consequences of losing that activity.

This also includes factoring in the potential business interruption from loss of access to IoT devices – which is likely to be largely unknown at this point given the technology’s early stages. Nonetheless, government organisations must be ready to deal with major service interruptions from attacks by IoT devices, or on IoT devices.

“There is enough evidence now that risk needs to be registered as ‘likely to occur’ to different departments,” Rieniets says. “All online services have critical times when an attack will be most disruptive and have the most impact on their business. Agencies need to understand that when they start delivering services online, they need to mature drastically in their view of what kinds of risks might interrupt that.”

The long game

In the long term, reassessing that exposure and shaping attack-remediation plans will be critical to survival in the IoT era. And agencies must not only familiarise themselves with the technology they’re buying, but potentially consider modifying procurement criteria. Future contracts may well see agencies forcing vendors to demonstrate mature IoT security capabilities such as compliance with eventual standards, and the ability to remotely patch and update devices to close security vulnerabilities as they’re identified.

Agencies that fail to meet the IoT threat head-on will fast find themselves drawing particular attention from cybercriminals that see them as exposed – or as entry points to move laterally into other, less secure agencies. “The issue that [less-secure] agencies have is that they become the path of least resistance,” Rieniets explains.

“It takes less effort for an attacker to take them down than it does to take down the department next door; they’ll be launching probing attacks to work out whether there’s a vulnerability in their infrastructure. You have to understand that everything is up for grabs when an attacker does their surveillance.”
