The cause of last week’s DDoS attack: Lazy security
Survey reveals two-thirds of respondents trade off security for quicker time to market.
What happens when companies cut corners on security to get product out the door quickly? The October 21, 2016 massive denial of service attack against DNS provider Dyn, which rendered numerous popular services like Twitter and Netflix inaccessible for parts of the day.
Denial of service attacks are nothing new. But what made this one different was that it went after a critical piece of the Internet’s infrastructure instead of a specific site, and that it used the Internet of Things. It was powered by a massive botnet built on millions of hacked IoT devices such as DVRs and network-connected security cameras.
How did the perpetrators get access to so many devices? Poor security in the devices when they left the factory loading dock. Some reports say the devices in question had a root password hard-coded into the firmware, which means even if Joe Consumer was smart enough to change the default admin passwords, hackers still could get access via old-school Telnet.
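To make the point above concrete, here is an added illustration (constructed for this column, not code from any real device or vendor) of why changing the admin password did not help: the Telnet login path checks a constant compiled into the firmware rather than the owner-set credential. The hardened version beside it uses one credential store for every service, a per-device random initial password, salted hashing, and Telnet switched off by default.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical placeholder for a password baked into a firmware image.
BUILT_IN_ROOT_PASSWORD = "FACTORY-ROOT-PASSWORD-PLACEHOLDER"


class VulnerableDevice:
    """Web UI and Telnet use separate credential stores; the Telnet one is
    part of the firmware image and the owner has no way to change it."""

    def __init__(self):
        self.admin_password = "admin"  # factory default, owner can change this

    def set_admin_password(self, new_password):
        self.admin_password = new_password  # only affects the web UI

    def web_login(self, password):
        return password == self.admin_password

    def telnet_login(self, user, password):
        # Owner-set password is never consulted here.
        return user == "root" and password == BUILT_IN_ROOT_PASSWORD


class HardenedDevice:
    """One credential store shared by every service, random per-device
    initial password (meant to be printed on the device label), PBKDF2
    hashing, and Telnet disabled unless the owner turns it on."""

    def __init__(self):
        self.telnet_enabled = False
        self.initial_password = secrets.token_urlsafe(12)
        self._store("root", self.initial_password)

    def _store(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._cred = (user, salt, digest)

    def set_admin_password(self, new_password):
        self._store("root", new_password)  # replaces the one shared credential

    def _check(self, user, password):
        stored_user, salt, digest = self._cred
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return user == stored_user and hmac.compare_digest(digest, candidate)

    def web_login(self, password):
        return self._check("root", password)

    def telnet_login(self, user, password):
        return self.telnet_enabled and self._check(user, password)
```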
In 2016, one would think we’re all pretty sharp when it comes to cybersecurity in our products. Not so much. A recent survey of 1,770 senior business and IT executives, including more than 100 CSOs and CISOs, underscores the issue by revealing that 68 percent of respondents admit to trade-offs on security to get apps to market more quickly.
Using messaging slang as a reaction: WTF.
Security is never going to be perfect, but taking shortcuts, as the respondents admit to doing, is inexcusable, particularly when it comes to IoT devices. Software on computers and smartphones can be updated pretty quickly and usually painlessly. But unless the hardware device has automatic over-the-air updating, it most likely will never be patched if a flaw is uncovered.
The company that made the devices used in the botnet attack has issued a recall, but how many consumers are actually going to a) know they have that model, b) actually return it, or c) update it?
I had two previous Wi-Fi routers in my house for years and never updated them because it wasn’t easy, and I consider myself somewhat tech-savvy. What are everyday consumers supposed to do?
Yes, consumers do need to get more security savvy as they bring more connected devices into their homes and small businesses. But hardware and software makers cannot take shortcuts on security just to get the products out the door a little quicker. It’s imperative to bake security into the development process from the beginning. If not, more devices will be available to hackers to launch more attacks against critical parts of our infrastructure.
Not being able to access Netflix or Twitter for a couple of hours isn’t necessarily the worst thing in the world, but what if your VoIP phone didn’t work because of such an attack and you couldn’t summon help in an emergency? Hopefully it won’t take such a situation for vendors to get serious about security.