Cyber House of Horrors: The Access Control Zombie Apocalypse

Given the well-publicized distributed denial of service (DDoS) attack on Internet service provider Dyn that recently took down dozens of popular sites including Twitter, Netflix, and reddit, you might think this next installment of the Cyber House of Horrors would be on the topic of DDoS attacks.

DDoS attacks are frightening to be sure, and will likely be the subject of a future blog post. But there’s an aspect of the Dyn DDoS story that’s even scarier.

As with most large-scale DDoS attacks, the hackers leveraged a botnet of tens of millions of compromised endpoints. However, the new twist to this story: large numbers of those endpoints were household devices.

Security cameras. Thermostats. Fitness monitoring devices. Home routers. The list goes on and on.

Yes, that Fitbit on your wrist may look innocuous, but for all you know, it’s an evil zombie bot in some clandestine botnet, looking for its next DDoS victim.

How, then, did the attackers compromise so many devices? Simple: they tried the factory default usernames and passwords. In other cases, devices were running older firmware with known vulnerabilities – vulnerabilities that criminals can purchase by the dozen on the Dark Web.

Tell the truth: when you bought that last Internet-connected device, whether it be your car, refrigerator, or phone-controlled light switch, did you update the firmware? Did you change the password? What about your neighbors? I thought not.

Now you understand why ‘zombie apocalypse’ is such an apt metaphor.

Enterprise Lessons from the Dyn DDoS Attack

For large companies building out their Internet of Things (IoT) strategies, the lessons from the Dyn attack are clear. But there is a more important lesson that applies to every enterprise, regardless of whether the IoT figures in their plans.

Fundamentally, every endpoint must look out for itself – not only thermostats and refrigerators, but mobile devices, PCs, network equipment, and any other network-connected device you might find in a typical office building, from videoconferencing equipment to office telephones.

The now-obsolete idea that you can or should trust such devices and other elements of the IT infrastructure is simply wrong. Furthermore, you can’t trust the network perimeter, either. Firewalls may be necessary, but they are by no means sufficient for preventing the compromise of endpoints in your organization.

Instead, security should focus on people and the applications they use. To reduce the enterprise attack surface, the security team should control which users can access which applications given the context of those interactions – what device, what geographic location, and the nature of the interaction, for example.
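As an added illustration (not code from the original post or from Certes Networks), the following default-deny check evaluates an access request against the user's role, the application, and the context the post lists (device, location, nature of the interaction); the roles, applications and country allowlist are constructed sample values.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str            # role asserted for the user by the identity provider
    app: str
    action: str          # nature of the interaction: "read" or "write"
    device_managed: bool  # device is enrolled in enterprise management
    device_patched: bool  # device firmware/OS is at the current patch level
    country: str         # ISO country code from the client's geolocation


# Constructed sample policy: which roles are entitled to which applications.
APP_ROLES = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "sales"},
}
# Applications where a write additionally requires a fully patched device.
SENSITIVE_APPS = {"payroll"}
# Constructed geographic allowlist for this enterprise.
ALLOWED_COUNTRIES = {"US", "GB"}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Default-deny evaluation: every check must pass for access to be granted.

    Returns (allowed, reason) so denials can be logged for detection."""
    if req.app not in APP_ROLES:
        return False, "unknown application"
    if req.role not in APP_ROLES[req.app]:
        return False, f"role {req.role} not entitled to {req.app}"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"access from {req.country} not permitted"
    if not req.device_managed:
        # An unmanaged endpoint is treated as untrusted, whatever network it is on.
        return False, "unmanaged device"
    if req.app in SENSITIVE_APPS and req.action == "write" and not req.device_patched:
        return False, "sensitive write requires a patched device"
    return True, "allowed"


def denied_reasons(requests) -> list:
    """Collect denial reasons from a batch of requests, e.g. for SOC review."""
    return [decide(r)[1] for r in requests if not decide(r)[0]]
```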

Manufacturers of consumer devices for the home may not have the luxury of knowing who their users are, but in the enterprise context, that knowledge isn’t a luxury – it’s mandatory.

Only when the security focus shifts from the endpoints to users and their behavior will enterprises finally make progress with their cybersecurity initiatives.

The Intellyx Take: How to Survive the Zombie Apocalypse

Many zombie shows strain credulity, as it’s obvious who the zombies are and they move slowly, so running away is a simple way to stay safe.

Not so with enterprise cybersecurity. In the all-too-real world, compromises are usually invisible and hackers move stealthily throughout your network – often for months without detection.

As a result, you must assume that every endpoint and every user is at risk of compromise from hackers. That malware has already found its way onto your internal networks. That attackers already have the run of your organization.

This frightening reality is why breach containment should be an essential part of your cybersecurity strategy – and why vendors like Certes Networks are doing such important work, helping enterprises segment their networks at the application level.

Even Certes, unfortunately, cannot completely save you from the zombie apocalypse. They can only help you minimize the damage. Given how simple the Dyn DDoS attack was to mount, however, minimizing damage is the key to survival.

Join our Webinar, The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface, with Certes Networks on October 31, 8:00 PDT / 11:00 EDT / 15:00 GMT.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. None of the other companies mentioned are Intellyx clients. Intellyx retains full editorial control over the content of this paper. Image source: Björn Söderqvist.
