Following the denial of service attack on OVH in early October, Dyn was the next to suffer a massive attack. Both attacks have a number of points in common. First, the type of target: major internet infrastructures and services players. Second, the type of attack: distributed denial of service. Third, the attack vector used: connected objects that were hacked and used inside botnets to coordinate the attacks.
What holes did the attackers take advantage of? A legendary Advanced Persistent Threat (APT)? A James Bond-style break-in in OVH or Dyn’s data centres? A submarine provided by a multinational organised crime syndicate to cut an optical fibre lying on the ground of the ocean?
Nope. Just a simple default password set by connected objects suppliers. A default password printed in the supplier’s documentation.
We’ve been applying some very basic computer rules for over 20 years, including this one: always change the default password! So, how is it that when it comes to the Internet of Objects, we’ve suddenly lost our memories? And what about industrial information systems like SCADA or ICS?
Have we fallen victim to Time to Market? Does this law say that marketing and sales are always right and that digital folks are always one step behind the technological revolution?
I don't think so. In fact, we’re victims of a lack of maturity, and a lack of communication within organisations. Let’s face it: a CISO or a digital risk manager – or whatever you want to call him – wants only to ensure that his company goes digital, that it releases innovations and products at the right time (good ole Time to Market), but most of all, that his company doesn’t unnecessarily expose itself to risks, some of which are so easy to avoid. And even very easy to avoid. The CISO’s holy grail is helping his organisation take risks.
So, how does he go about doing this? By integrating security in innovation projects right from the very start. The CISO goes along with the craziest ideas, identifying risks and proposing solutions. Sometimes, innovation is so-ground breaking that new security measures have to be invented. Sometimes we can’t even suggest security measures, so the residual risk has to be shared and accepted; the executive assumes his role, puts on his big-boy trousers and launches an innovative product or service, well aware of the risk he’s taking. Knowing your weaknesses means you can be ready when someone manages to exploit them. Because somebody always will.
So, why are we all at fault? We, CISOs, are at fault because we haven't yet completed the transformation. We haven’t yet learned to behave like top-level managers in our organisations, capable of accepting the economic and competitive consequences of our actions. You, executive committee members, because you still haven’t understood the impact of digital technologies on your products and services, on your fellow citizens’ lives, and because you haven’t taken advantage of your CISO’s skills. You, IS directors and CIOs, because digitisation isn’t your enemy but a fantastic opportunity that you need to grab hold of with both hands. Your CISOs are here to help you transform your organisations. And we, ordinary citizens, who don’t realise that we’re the product when a service is free, who don't think to ask about the security level of the latest baby monitor we buy or the latest connected toy our children are begging for.
Come on now, is this really as bad as all that?
Well, this is what I think. You make up your own mind.
The aim of the first attacks on office systems was to reveal the systems and applications’ fallibility. The attackers, that we called “hackers” at the time, wanted to prove that systems and applications had flaws. This was a healthy emulation between researchers in a brave new field.
Then, some decided they could make a living off of these discoveries, get paid for them and even exploit vulnerabilities in order to destroy data (the first viruses), infrastructures (the first service denials), steal sensitive data like banking info, digital identities, commercial information, etc. Organised crime swooped into the arena and industrialised this chunk of the underground economy. Hackers, crackers and other fun new words were born of this movement.
All of this took about 20 years for office systems, but today it’s become child’s play.
Today’s bad guys are taking the same route for the first attacks on industrial systems, using viruses to infiltrate them and destroy production assets (stuxnet, shamoon, etc.).
And, it’s the same story for IoT, with vulnerabilities in connected objects infrastructures being exploited to shut down services (OVH, Dyn).
But there’s no reason we, too, shouldn’t follow the same path we took 20 years ago for office systems. In the very near future, powerful IoT networks are going to be used to steal digital identities, banking info, sensitive corporate or national data, infiltrate connected systems that control our lives (want to go for a ride in a hacked driverless car or hyper-connected plane? And what about our home automation systems we control from our smartphones?).
Now, I’m no bearded Old Testament prophet preaching doom and gloom. And I don’t want to cry wolf with everyone else. Still, we just have to look at recent history to anticipate the probable next level in these attacks. And if we don’t do that today, we’re all going to be responsible!
History also teaches us that we know what we need to do in order to drastically reduce the number of successful attacks. We’ll obviously always be vulnerable to advanced, carefully planned attacks that exploit our organisations’ vulnerabilities and weaknesses. There’s no such thing as total security. But, we can reduce basic attacks today. So, let’s do it and then focus on figuring out how to detect and respond quickly to more advanced ones.
Applying basic cybersecurity hygiene rules and getting cybersecurity experts on board your projects will ensure you avoid a lot of attacks, and probably even save lives.
By Stéphane Joguet, member of CESIN Board of Directors
Member of the editorial committee of Le Cercle and Les Assises de la Sécurité