Government and industry could help prevent dangerous botnet attacks simply by using tools that already exist, according to a draft report headed to the White House.
Instead, IT officials often ignore those tools because they’re too expensive, too difficult or for other reasons, a recent report from the National Telecommunications and Information Administration said.
“The tools, processes and practices required to significantly enhance the resilience of the internet and communications ecosystem are widely available, if imperfect, and are routinely applied in selected market sectors,” the report said.
“However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.”
Botnets are responsible for a variety of hacking campaigns, including perpetrating distributed denial-of-service (DDoS) attacks, which hit a particular network or device with so much traffic that the system is unable to work under the strain. One such botnet, known as Mirai, was responsible for the massive October 2016 Dyn DDoS attack, which shut down major websites such as Twitter and Netflix. The hackers took advantage of vulnerable, internet-connected DVR boxes, which had only minimal manufacturer security, and turned them into “bots.”
“This attack also highlighted the growing insecurities in — and threats from — consumer-grade [internet of things] devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place,” the report said.
The report noted that the proliferation of internet of things devices that are entirely unsecured, run pirated software or are no longer supported by their developer increases the danger of botnets.
“Often, devices were not designed with security in mind. Developers are either unaware of good security design practices, assume that the device will be inaccessible (e.g., on a local network air gapped from the Internet), or want to avoid security solutions that impose additional cost or increase time to market. The resulting design choices, such as hard-coded administrative passwords, create inherently insecure devices,” the report said.
“Insecure devices are not a result of limitations in the underlying technology. Applied properly, the current best practices are fairly effective, if imperfect, and result in devices that are reasonably secure upon delivery, and include tools to maintain that level of security throughout the device’s life cycle.”
The report established six goals for improving defense against botnets:
- Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace;
- Promote innovation in the infrastructure for dynamic adaptation to evolving threats;
- Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior;
- Build coalitions between the security, infrastructure and operational technology communities domestically and around the world; and
- Increase awareness and education across the ecosystem.
“No single actor or sector is responsible for single-handedly addressing these risks, and no single entity can simply say that these risks are all someone else’s problem,” the report said.
“While the information technology and communications sectors do actively work to understand security risks, sectors often are unable to coordinate well with other sectors. Even though some entities coordinate domestically or regionally, there are few global mechanisms to share information about threats, solutions and their adoption and efficacy.”
Jessie Bur covers federal IT and management.