October 21, 2016 is not yet a famous date, but even if you don’t remember exactly what day it was, you probably remember what happened. This was the day the Mirai botnet was used to launch the most crippling cyberattack on backbone DNS servers ever seen. In layman’s terms, cyber criminals 'broke the internet.'
And it wasn’t just a little broken. The attack was effective enough to knock out major online businesses with considerable redundancy measures in place. Amazon, Twitter and Netflix were just a few of the many services that went down in a demonstration of just how powerful the Internet of Things (IoT) can be when used with malicious intent.
Pwnie Express, an investigative organization focused on
cyberthreats, recently published their third-annual Internet of Evil Things
Report, a deep-dive into how IoT devices are becoming increasingly difficult to
secure and the outcomes we’ll see as a result of it. At the center of the
report were next-generation threats like Mirai and speculation about how, or
if, we can mitigate them. Consider these four statistics.
84% of IT Security Professionals Said Mirai Changed Their Perceptions About IoT Device Threats
In the wake of October’s attack, which left huge swaths of the United States with little to no online services for the better part of 24 hours, investigators quickly identified the means of attack as a botnet named Mirai.
Mirai means 'future' in Japanese. It’s a malicious network into which devices are forcibly conscripted using infectious code. Unlike older botnets, Mirai is comprised entirely of IoT devices such as webcams, and because the botnet is so difficult to dismantle, the future will likely see more attacks of this type.
66% Said They Hadn’t Checked or Didn’t Know How to Check Their Devices for Mirai
Of course, the major challenge in bringing down an operation like Mirai is identifying the threat so it can be removed, but as the report clearly points out, most IT people don’t know how to check devices for Mirai.
As the reality of not just one but multiple IoT botnets of this type sets in, it will be crucial for information security (Infosec) professionals to understand how to check devices for these types of threats. Being protected could mean waiting for vendors to build security measures into their devices, as Entrepreneur reports that 70% of IoT devices on the market today are vulnerable out of the box.
66% Aren’t Sure How Many Devices Are Even in Their Environment
Consider a modern office with 100 employees. In the bring-your-own-device (BYOD) model that’s become popular with enterprises in the last five years, that assumes a minimum of 100 unique smart devices tethered to company data. That’s probably a gross understatement, since we’re assuming one device per person.
These devices are alert at all times, collecting pieces of information that may or may not be sensitive. They record small snippets of the world around them in order to search for their wake-up phrase, but as for where the rest of that information goes, should we be concerned?
Have you ever seen your smartphone light up in the middle of a conversation because it thinks you triggered a voice command? If so, you’ve witnessed this dynamic. Without a handle on each and every device looped into their network, administrators are leaving their businesses vulnerable.
90% Report That Connected Devices Will Be a Major Security Issue This Year
This may seem like the no-brainer of the report, but the problem is that while IT professionals make this observation, the general public has not. Cyber-criminals rely on this ignorance to open doors, and until people become more educated, they’ll continue to exploit it.
A majority of Americans believe the government has sufficient measures in place to protect them from a cyberattack, even while 64% report being affected by a breach in a given year. The obvious conclusion is that better education is needed about how to protect one’s sensitive information.
As the surface area for these types of attacks increases due to our expanding Internet of Things, criminals gain attack vectors ever-closer to our most sensitive data. Healthcare information, financial records, identity data, you name it. The targets remain the same, but keeping them safe means continually evolving the way we protect them.
We’re Still Living in the Dark Ages of the Internet
The fact is, cyber-criminals will have every advantage in a world where proactive measures to deter cybercrime in real-time don’t exist. There are no badges and no police on the internet, and while efforts to shut down operations like Mirai have become priority items for the government, progress is slow, whereas breaches happen fast and can ruin lives.
Keeping our information safe means taking a proactive approach. IT professionals must raise the standard of security within their organizations to make the IoT safe for business use, or avoid using it altogether. And that’s simply not an option in a world that’s become dependent on constant contact.