In light of the recent KRACK attack, National Cyber Security Awareness Month, and this being the one-year anniversary month of the crazy Dyn attack – I figured discussing the Internet of Things and the security around it would be a great topic for the official launch of TriciaKicksSaaS! Woohoo! Thanks for stopping by.
Those of you who know me (which is probably all of you reading this) know that one of the things I evangelize most is security awareness, not only at the corporate level, but also the personal level. This blog is definitely geared toward the “non-techies” because most of us already have our own awareness policies but I hope the serious professionals can at least get a chuckle out of my strange analogies.
IoT has taken the world by storm, understandably. It takes items you use every day and uses the internet to make them ultra convenient. Super cool stuff, especially the lighting bits – I mean you can actually set your levels for your house from your phone. Your smart TV? Yeah that’s IoT. Like I said, super cool and convenient stuff. It’s a huge jump for us and has offered a ton of potential innovation even beyond IoT itself… but as is the case with any sort of amazing technological innovation, there is a massive cyber security risk with these bad boys. Add in the KRACK WPA2 vulnerability and now you’re talking some serious no-nos.
As I mentioned in the opening, last October there was a very large DDoS attack on Dyn DNS, and it took down some of the largest internet powerhouses we know and love. (Amazon, Twitter, Netflix, among a few others, just to name drop.) Now – there was a lot of techy jargon in there, and for someone who doesn’t live in this world it probably sounded a bit like Klingon. I’ll summarize in the best way I can.
- DDoS – Distributed Denial of Service Attack
- DNS – Domain Name System
- Dyn DNS – One of two major DNS Security Vendors (other being OpenDNS – Now a part of Cisco.)
Computers speak in numbers, and people speak in letters. So when you want to go to your favorite website, you type in the language version of where you want to go, but that would be complete gibberish to a computer. So, DNS is like the internet’s translator, the go-between for humans and machines. If you work in international business, you might actually have bi/trilingual people whose job is strictly to bridge that language gap – so think of DNS as that translator.
DDoS is an up-and-coming attack that basically overloads a machine so it can’t work anymore. It’s like going to the DMV or the bank at lunch. Wayyyy too many people go in at once and sometimes it takes so long you have to leave before you can even get to the front desk. Way too much work all at once. It shuts the machine down and makes that site or machine lose service.
So here’s what happened in the big Dyn attack. Dyn DNS is one of the two major players in DNS security on the market. They support some of the biggest internet powerhouses (Netflix, Twitter, etc.) to ensure that that translator is in good health and safe. They’re like the translator’s secret service team, because without that translator, those companies are losing out on a lot of business.
This might get a little graphic here. Let’s visualize. I’m a huge Star Wars fan, so we’ll use their imagery.
Remember us talking about IoT? All those cool little thermostats and TVs and refrigerators and stuff? Think of them as dummy droids. The basic type of droids, the ones that do household chores. No weapons, just regular old simple droids. They are there as a convenience but not viewed as a threat.
The big Dyn attack is the real-life equivalent of taking those basic droids, having the Death Star turn them into Stormtroopers, and sending them full force at all of the secret service teams for the translators. It was an online Attack of the Clones. Absolute massacre. Those internet big shots I spoke of earlier, their translators all dead, people not able to speak to their fearless internet leaders.
Yes, it’s quite a dramatic way to say people couldn’t access Netflix and Twitter, but it gets the point across.
This was a big deal in our community. It was one of the first MAJOR IoT breaches and it definitely made a statement. Clearly, here we are a year later and still talking about it like it happened yesterday.
Alright, I think we’re all basically up to speed on the backstory and what some of these acronyms that are being thrown around mean.
There have been several articles about other IoT Stormtrooper attacks happening (on a much smaller scale, like only attacking Tatooine). A bunch of respected security individuals comment on these articles and usually condemn the manufacturers of the devices.
For the record, I absolutely agree that they should be held accountable, but we can’t lay blame entirely on them. It is crucial that EVERYONE is putting their best foot forward in this fight against hackers – that includes both the manufacturers and the consumers (yes, that’s you.) This is why we have #NCSAM17, to avoid these harrowing attacks.
A very common sentiment in the security world is something to the tune of “we can’t put the public in charge of this, blah blah blah. It’s the responsibility of the professionals, blizzity blah blah.” The points made are valid, but I simply disagree with it.
Now, I realize the earlier Star Wars reference might be a tad obscure for some people, so since I really want to drive this point home, I’ll use a car analogy. Get it? Drive? Yeah... I know that was bad. But, in all seriousness, everyone has some sort of exposure to automobiles, so it (hopefully) makes sense.
Let’s talk about car safety. When you were a little kid, I would be willing to bet that one of the first things you learned about car safety was putting on your seatbelt. It’s a very basic idea, and yet it has saved a ton of lives. That two-second task could stop you from being hurt far more seriously than you would be if you wore it. It doesn’t take an auto mechanic to know that.
Fast forward a few years, you’re a teenager learning to drive. You’re learning street signs, how to be safe around other drivers, etc. With the exception of the nuances (and the actual motor skills) you know most of this natively because you’ve grown up with it. It’s basically ingrained in you.
Cyber Security Awareness is no different than putting on a seatbelt.
These professionals, the car manufacturers in this analogy, have spent years coming up with safety features, all the way from airbags to even spatial awareness, to help keep you safe. But no matter how far the innovation goes, you can still die if you don’t do that simple, menial task. You don’t need to know how to build an engine, just know how to put on a seatbelt.
Awareness leads to education, and education leads to protection.
I say all of that to say this: everyone can be a fighter against cyber crime. If you aren’t fighting it, you can accidentally be an accomplice – and the worst part is you might not even know it.
Thank you all for reading! Drop a comment, find me on social, let’s chat!