There’s an IT security school of thought that suggests endpoint security doesn’t matter anymore. No matter what an IT organization does, end users, either through duplicity or oversight, are going to allow an endpoint to become infected with malware. Rather than fight that battle, this new school of thought suggests that IT security resources should be redirected towards, for example, encrypting data.
Obviously, the massive distributed denial of service (DDoS) attacks launched against Dyn, a provider of domain name system (DNS) services, that effectively crippled Web sites around the world, highlighted how dangerous an infected endpoint can still be. The botnet employed to launch those attacks made use of over 100,000 malicious endpoints. As it turned out, most of those endpoints were consumer products attached to the Internet.
In the wake of those attacks, a lot more attention is now naturally being paid to many of the inherent security issues associated with the so-called Internet of Things (IoT). By 2020 it’s now estimated there will be about 30 billion endpoints connected to the Internet, a three-fold increase from estimates suggesting there are somewhere under 10 billion devices connected at the moment. That would mean that one of the largest DDoS attacks ever launched didn’t even involve one percent of all the devices connected to the Internet.
Of course, IoT security should be an exercise in mutual defense. Internet service providers, for example, should be able to recognize when a device has been hijacked and then respond accordingly. Managed service providers (MSPs) also have an important role to play.
In the meantime, the attack on Dyn does at least serve to put a spotlight on security. U.S. Senator Mark Warner (D-Va.), a member of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, has already asked three Federal agencies to make recommendations on how to improve IoT security.
Obviously, there are a lot of insecure endpoints connected to the Internet that either need to be updated or simply eliminated. Hangzhou Xiongmai set the example by recalling web cameras that included components that were identified as making up a good portion of the devices involved in the latest DDoS attacks. Unfortunately, there hasn’t been much else in the way of similar recalls. Many manufacturers are apparently waiting for another round of attacks to see if any of the devices they made are also vulnerable. Most of the manufacturers are naturally hesitant given the costs involved. At the same time, however, it’s not like they haven’t been made aware of the potential problem. Fines imposed by governments and other regulatory bodies are likely to exponentially increase the longer a manufacturer waits to address the core security issue.
Unfortunately, things may get a whole lot worse before they get better. Santa and his elves have already distributed millions of Internet-enabled devices of uncertain security provenance. Those devices are sitting in a warehouse or being loaded onto container ships right now. Chances are high that many of those devices will be enlisted to launch even more waves of DDoS attacks that will get progressively larger over time. In fact, for IT security professionals those devices may wind up being the proverbial gift that keeps on giving for many years to come.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.