How to Fight IoT Botnets – From Policies to Process and People

We can all start to think about our own policies, processes, and people to recognize how we can strengthen our own cybersecurity strategies and become more resilient.


Cybersecurity defenders are engaged in what can often feel like a never-ending battle, especially when faced with attacks manifested by IoT Botnets.

With the rise of IoT botnets, the challenge to protect the ever-expanding network is even more difficult because it is not a problem that technology alone can easily solve. That’s why policy makers are calling on industry leaders to join together in the fight against them.

A recent World Economic Forum report, the Cyber Resilience Playbook for Public-Private Collaboration, found that the increasing proliferation of IoT devices has served to fuel ever-larger IoT botnets whose network traffic can be redirected towards targets to overwhelm their ability to respond to network queries, denying legitimate users access to internet services.

Last month the National Telecommunications and Information Administration (NTIA) drafted a response to President Trump’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure that called for resilience against IoT botnets and other automated, distributed threats.

The report highlights several critical issues:

  1. Automated, distributed attacks are a global problem.
  2. Effective tools exist, but are not widely used.
  3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.
  4. Education and awareness is needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would make the ecosystem more resilient.
  5. Market incentives are misaligned.
  6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

As part of that draft, NTIA wanted industry leaders to weigh in on how experts should approach these security issues. It was a “Where are we, and where should we go from here?” question they hoped stakeholders would respond to so that they could finalize the draft before submitting a final report to the President in May 2018. In short, lots of movement is happening, but many don’t know which direction to go in.

While we wait to see what insights they collected from academia to leaders in private industry and civil society, we can all start to think about our own policies, processes, and people to recognize how we can strengthen our own cybersecurity strategies and become more resilient, hence the call for regulators, like the Federal Trade Commission and Food and Drug Administration, to take action.

Some argue that the free market isn’t capable of correcting the botnet issue on its own, so governing agencies must take actions against companies that fail to meet established security benchmarks or that falsely advertise that their products are more secure than they are.

There is another side to the coin, though. Yes, automated, distributed, IoT Botnet attacks are a global problem, and market incentives are misaligned as the NTIA report states. But, effective tools exist. The question is, how do they become more widely used?

Of the six themes listed in the report, there are two that should empower markets to self-correct. First is the recognition that automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

Accepting this truth then requires that developers and defenders evaluate the tools, processes, and practices that are in place. Look at the imperfections and make security at all stages of the development lifecycle part of common practices for product development.

The second is that in order to strengthen defenses against IoT Botnet attacks, education and awareness is surely needed.

This theme cannot be overlooked.

The knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators can’t be ignored, lest they continue to impede the deployment of the tools, processes, and practices that would make the ecosystem more resilient.

As security risks (such as the one IoT Botnets embody) continue to grow, consumers and service providers would be wise not to wait for regulators (as we’ve noted before in our blog) but to demand that security mechanisms and procedures be put in place today.

Written by Yotam Gutman, VP of Marketing at SecuriThings