Is IoT device security the key to preventing more DDoS attacks?

Imagine you came into work one morning, turned on your computer, and wasn’t able to access your company’s network. You may think the wifi is down or there’s a blip in the Ethernet, but then you start getting flooded with phone calls from other employees: They can’t access anything on their mobile phones, tablets, laptops … anything that requires connectivity to your company’s network. No matter what your IT team does, you’re still locked out of your network, servers, and applications.

This isn’t just any outage – it’s a Distributed Denial of Service cyberattack (DDoS), and it’s happening more and more frequently. You need to make sure you’re ready for it – otherwise you could face a tremendous disruption in business, lose money, and have to rebuild trust with your employees, customers, and clients.

DDoS attacks use junk data, usually sent from compromised machines or devices, to render a network, server, or application unavailable to legitimate users.

How can this happen? Increasingly, unsecured Internet of Things (IoT) devices such as video cameras are the source of this attack data. The more devices that are reliant on an internet connection, the easier it is becoming for bad actors to use these types of attacks to penetrate your IT environment and exploit your data. IoT isn’t going away – a recent study by PricewaterhouseCoopers (PwC) finds 63 percent of companies are planning to deploy IoT devices in the next year. IoT devices are estimated to grow from 20 billion last year to 51 billion by 2023.

You may think the answer is simple – secure IoT devices. The same PwC study also found that two-thirds of companies surveyed have an IoT security strategy in place or currently are implementing one to address the emerging risks of these devices. However, it isn’t so simple. The security mechanisms on IoT devices often are disabled by default, and security patches for the systems often are unused, allowing attackers to compromise them and use their collective bandwidth to steal your data. The distributed supply chain in which IoT devices are created and sold adds to the problem. There are three major players in IoT device manufacturing and selling:

1. Specialized computer chip makers (e.g. Broadcom and Qualcomm)
2. System manufacturers (e.g. Original Device Manufacturers)
3. Brand-name companies selling to us (e.g. Fitbit and Apple)

Layer 1 is busy making the next chip, while Layer 2 is upgrading its product to work with the next chip. Maintaining older chips and products aren’t a priority. Even if you have a brand new smart watch, chances are the software components are four to five years old. The result is that hundreds of millions of devices are sitting on the Internet, unpatched and insecure. Hackers know this, and they’re working tirelessly to exploit this weakness and launch cyberattacks.

Despite the growing risk, the majority of attacks remain under the radar. Experts are finding that criminal DDoS attacks driven by extortion are coming to the fore once again. Hackers often contact businesses at a large scale and demand a bitcoin payment to prevent a DDoS. The majority of extortion attempts likely go unreported and uninvestigated. One trend fueling the rise of DDoS-extortion threats is the availability of DDoS-as-a-service. Cybercriminals rent their botnet to anyone willing to pay as little as a few dollars an hour, meaning no technical ability is required to launch attacks.

Lawmakers and regulators are trying to pressure companies to strengthen the IoT security. A bipartisan group of senators introduced a bill recently that would set security standards for IoT devices. In January, the Federal Trade Commission fined VTech Holdings Ltd. $650,000 for “failing to use reasonable and appropriate data measures” for an internet-connected toy.

As we’ve seen before, though, legislation and regulation take time to go into effect. Hackers aren’t waiting, and neither should you. How can you start to close the door on DDoS attacks on your enterprise?

First and foremost, you need to understand what’s critical to your business through a vulnerability assessment. Vulnerability assessments aren’t an opportunity to play the blame game. It’s an audit of what you have today in order to plan for a more secure tomorrow. Then, look for a managed security services provider like US Cloud which has endpoint security services that will ensure any device that is accessing your network won’t be susceptible to hackers trying to penetrate your enterprise’s defenses.

Using our next-generation anti-virus and activity recording for all your endpoints, US Cloud comprehensively monitors and protects your operating systems and infrastructure from cyberthreats. Contact US Cloud and get a quote today to ensure you’re not the next victim of a DDoS attack.