Last fall, a distributed denial of service (DDoS) attack against internet infrastructure provider Dyn took down a large portion of the U.S. internet, shutting down such major sites as Twitter, Spotify, Facebook, PayPal, Reddit and Airbnb. The perpetrators inundated Dyn with data requests from an army of hacked devices. It was only the latest in a series of attacks, against which even the most secure systems are all too vulnerable.
The situation has become direr with the growth of the Internet of Things, the network of linked devices that reaches into virtually every corner of the I.T.-driven world. The recently emerged malware known as Mirai specifically targets IoT devices and turns them into “zombies” that can be centrally controlled and directed to any targeted site.
It’s looking for devices that are weakly secured, says Adam K. Levin, chairman and founder of internet security company IDT911, and the author of Swiped: How to Protect Yourself in a World of Scammers, Phishers and Identity Thieves. He says the failure of internet users to adequately protect themselves “puts us all at risk.”
Any device connected to the internet — cameras, digital video recorders, security systems, navigation tools, home appliances, to name a few — are likely targets, and their numbers are growing exponentially. The first line of defense is a strong password, which is shockingly absent in even the most sophisticated devices.
Part of the problem stems from the continued use of older and outdated devices, which can be difficult to reconfigure in line with modern-day security standards. In addition, many users fail to change the manufacturer’s default password, which tends to be easily breakable.
Many websites routinely advise on the strength of a user’s chosen password, even if their input is ignored. But additional steps need to be taken. Levin floats the idea of a new device that won’t function unless its password is first changed by the user. “Perhaps in the process of changing it from default to unique,” says Levin, “manufacturers would be able to not necessarily recommend passwords, but indicate to you which is stronger.”
The user, of course, is free to choose a password that’s even easier to crack than the one that came with the device. “It can cut both ways,” says Levin. “A lot of people think that ‘no one’s going to care about me.’ Please understand that when it comes to a hacker or automated system, each and every one of us is essentially Kim Kardashian. We’ve got what they [hackers] want.”
Manufacturers could also build into their devices the capability to update protections when security flaws or vulnerabilities are found. Users, too, must share responsibility for keeping devices safe by updating the software on a regular basis.
Public Wi-Fi is a definite hazard and should be avoided wherever possible, says Levin. (With the expansion of Wi-Fi access in cities and across the country, that warning will become increasingly difficult to heed.) It’s an easy access point for hackers to steal data and install malware that could lie dormant for extended periods of time before initiating an attack.
Businesses should consider purchasing cyber liability insurance. Levin believes it likely that insurance providers will become more demanding about strict adherence to security measures, especially for corporate policy holders whose devices run into the millions.
There’s also the risk of employees infecting systems, inadvertently or not, by plugging their own devices into the employer’s network. Levin says companies should prohibit any such connections unless the devices in question have the same level of security that’s being maintained internally. At the very least, I.T. departments need to vet employees’ devices and monitor their use on the job.
Experience has shown that even the strongest password isn’t always enough to prevent successful attacks. Levin says I.T. systems need to implement two-factor authentication, whereby users are required to supply multiple evidence of their identities.
Today’s cyber thief will painstakingly customize an attack to the target, based on a perceived weakness in the system or lax behavior by its users. Especially vulnerable are corporate networks that are regularly accessed by outside vendors. Such was the case when thieves stole the data from up to 40 million credit and payment cards from Target Corp., by using the credentials of a heating and air conditioning company that was serving the retailer.
Government has a role to play in securing the internet for companies and individuals. Levin would like to see tax credits for businesses that are “doing right in terms of cybersecurity.” Keeping up with the latest security techniques can be expensive, especially for small businesses, which tend to be “the feeding ground for hackers and scammers these days.”
Additional preventive tactics include paying close attention to any “probing” by would-be hackers of a business network, and working with third parties to carry out penetration tests. Employees should be so well-trained in cybersecurity, Levin says, that their response to a threat is almost automatic. He likens the acquired skill to that of “muscle memory exhibited on nuclear submarines, where there’s almost nonstop training of the sailors.”
Nevertheless, successful cyberattacks are a certainty. “It is inevitable that every organization will suffer some form of compromise,” says Levin. “Every consumer at some point will be a victim of identity theft. Unless you come up with a foolproof way of identification, you’re always going to have somebody in the organization make a mistake.”
Extreme vigilance is the only defense. “You need really good people keeping an eye on it,” says Levin. “In I.T. departments, the most dangerous words in the English language are ‘Don’t worry — I’ve got it.’”