Global communication service providers (CSPs), who are expected to provide customers with continuous, uninterrupted service, are struggling to deal with an increasing number of distributed denial of service (DDoS) attacks.
DDoS attacks involve flooding a network with more traffic than it can handle, which makes the network inaccessible to legitimate users.
According to A10 Networks’ The State of DDoS Attacks against Communication Service Providers report, which quizzed 325 IT and security professionals working for internet service providers, 85% of CSPs believe that there will be an increase or no reduction in the amount of DDoS attacks launched against them in the near future.
Despite the threat increasing, just 39% were confident that their organisation could detect a DDoS attack. Fewer respondents, 34%, were confident that their organisation could prevent an attack.
Respondents said that a lack of actionable intelligence was the top barrier to preventing DDoS attacks. Insufficient talent and expertise, and inadequate technologies were also viewed as significant barriers.
Stopping the botnet
Preventing attacks can be costly for businesses, according to cybersecurity expert Jake Moore, security specialist at ESET, but regulating the internet of things (IoT) space could help to prevent a large number of DDoS attacks before they are launched.
“DDoS attacks have always featured in cyber-attacks and there’s usually not much companies can do to protect their websites other than to attempt to divert as much traffic as possible, but this can be costly,” Moore explained. “The real solution lies in the early production of the internet of things and smart devices, where they are continually created with simple or no security at all.”
According to GlobalData’s recent smart home report, spending on internet-connected smart home devices climbed to $23bn in 2018. The market is expected to grow to $25bn by 2025 as consumers continue to automate their homes using smart speakers, thermostats, lighting and security products.
However, various studies have highlighted how easy it is to hack many of these devices.
This is being exploited by cybercriminals to build botnets, a number of compromised internet-connected devices that are used to carry out automated cybercriminal activities such as DDoS attacks or spam delivery.
The Mirai botnet discovered in 2016, for example, had amassed 380,000 devices by scanning the internet for IoT devices and testing commonly-used default username and password combinations to break into a device.
“Once such devices are taken over by a threat actor, they are simply diverted on mass to targeted sites to crash them,” Moore explained.
Introducing IoT regulation that forces manufacturers to consider these security risks – by using less common default login credentials, for example – would help to stop botnets from increasing their numbers as the IoT industry grows.
“With proper rules in place on smart devices around the home, we could see a huge reduction in DDoS attacks around the world,” Moore said.
Regulation is on the horizon
Governments are beginning to wake up to the threats that unsecured smart devices pose.
The United Kingdom published a voluntary code of practice in October 2018 that detailed how IoT manufacturers can protect their devices from exploitation from cybercriminals. The code of practice covers data storage, software updates, password complexity, device resets and vulnerability disclosure policies.
While companies such as HP, Hive, Geo and Panasonic agreed to follow the code, there are many companies that do not, and many consumers that choose to purchase from cheaper, less reputable brands.
“I’m really hoping we’ll see regulation in the UK for the next year, to drive behaviour of manufacturers and security for devices,” Ken Munro of Pen Test Partners said during an Infosecurity Europe session on ‘Regulating the IoT‘ this week. “The problem is, it’s not getting better, in fact it’s getting worse. That’s why I think we’re going to need regulation.”
California is set to become the first authority to make building security features into IoT devices law. The proposed California Senate Bill 327 will require manufacturers to provide “reasonable security feature or features” in their devices.
This will become law on January 1, 2020, and could set a precedent for government regulation of IoT devices, similar to the increase government focus on data privacy following the implementation of the European Union’s General Data Protection Regulation (GDPR).