Can standards help prevent DDoS attacks, or is it beyond industry's control?
We have seen the increase in DDoS attacks and witnessed the damage they inflict on Internet performance and server accessibility, negatively affecting our business enterprises and our mission-critical operations. One example from 2016 that had a major and far-reaching impact was the DDoS attack against the Domain Name Service (DNS) service provider Dyn. How did that incident occur, and could it have been prevented? Would conformance to existing standards have helped?
First, how did the Dyn incident cause such a large impact, preventing access to major Internet services like Amazon, Netflix and others? The Dyn attack took advantage of a large number of devices connected to the Internet; some sources cite tens of millions. In this case the devices were primarily consumer devices, the type that make up the ever-expanding "Internet of Things": printers, surveillance cameras, routers and even baby monitors that had been vulnerable to infection by the Mirai malware. This widespread infection was used to create a botnet that carried out the largest DDoS attack to date.
The Mirai malware, which had been published by hacktivists as open source shortly before the attack, scans for and infects vulnerable IoT devices using known and readily available default passwords. Once a vulnerable device is found, it is infected and becomes part of a Mirai "botnet", which can then be used to launch DDoS attacks from millions of devices. Once activated, the botnet sent an estimated 1 terabyte per second to Dyn's DNS servers. Many major companies rely on Dyn for DNS name-to-address translation, so when the botnet flooded Dyn with requests from infected devices, legitimate requests to reach those companies were denied.
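The scanning behaviour described above leaves a recognisable footprint on the network: an infected device opens connections to a large number of distinct hosts on the telnet ports in a short time. The following is an added example written for this article (not code from the article's authors or from any product) that flags such hosts from flow records. The log format, the sample records and the threshold of 20 distinct destinations per 60-second window are all constructed assumptions for the example.

```python
"""Flag hosts whose outbound traffic looks like Mirai-style credential
scanning: many distinct destinations on telnet ports within a short window.
Constructed example; the flow-record format is assumed, not a real tool's."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {23, 2323}          # telnet ports targeted by Mirai's scanner
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 20                   # assumed: distinct destinations per window


def parse_flow(line):
    """Parse one constructed record: '<ISO time> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak distinct telnet destinations seen in any window}
    for every source whose peak reaches the threshold."""
    per_src = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port in SCAN_PORTS:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        # Sliding window over the time-ordered events of this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def _build_sample():
    """Constructed flow records: one infected camera, one ordinary host."""
    base = datetime(2016, 10, 21, 12, 0, 0)
    lines = []
    # Infected device: 30 distinct targets on tcp/23 within 45 seconds.
    for i in range(30):
        t = base + timedelta(seconds=i * 1.5)
        lines.append(f"{t.isoformat()} 192.168.1.50 10.0.0.{i + 1} 23")
    # Ordinary device: a few HTTPS flows plus one telnet session to its router.
    for i in range(5):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t.isoformat()} 192.168.1.20 203.0.113.{i + 1} 443")
    lines.append(f"{base.isoformat()} 192.168.1.20 192.168.1.1 23")
    return lines


SAMPLE_FLOWS = _build_sample()

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct telnet destinations within {WINDOW}")
```

Only the camera is reported; the ordinary host's single telnet session to its own router stays well under the threshold, which is the point of counting distinct destinations rather than raw telnet connections.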
Would standards have helped mitigate this? Ultimately this attack was primarily a consequence of users not changing the default passwords on their devices once they were connected to the Internet. One might call this operator error, but it can also be tied to poor practices on the provider side: manufacturers not communicating the importance of changing default passwords. In other cases, manufacturers were shipping those devices with the well-known default passwords hardcoded in the firmware of the product. Consequently, the operators could not change the password without getting a new product. In both cases, the devices were left vulnerable.
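Both causes named above (a default password left in place, and a password that the firmware does not allow to be changed) can be caught at provisioning time before a device is admitted to the network. The following is an added example for this article, not the authors' or any vendor's code; the factory-default pairs, the minimum length and the device records are constructed placeholders.

```python
"""Provisioning-time credential policy for an IoT device fleet.
Constructed example: rejects devices still using a factory default,
devices with hard-coded (unchangeable) credentials, and weak passwords."""
import re
from dataclasses import dataclass

# Placeholder factory-default pairs this (fictional) fleet ships with.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "default_password")}
MIN_LENGTH = 12  # assumed policy value


@dataclass
class Device:
    device_id: str
    username: str
    password: str
    password_changeable: bool  # False models a credential hard-coded in firmware


def credential_problems(dev):
    """Return the list of policy violations for one device (empty = compliant)."""
    problems = []
    if not dev.password_changeable:
        problems.append("hard-coded credential: cannot be changed in the field")
    if (dev.username, dev.password) in FACTORY_DEFAULTS:
        problems.append("factory default credential still in use")
    if len(dev.password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if dev.password.lower() == dev.username.lower():
        problems.append("password equals username")
    if not (re.search(r"[A-Za-z]", dev.password) and re.search(r"\d", dev.password)):
        problems.append("password must contain both letters and digits")
    return problems


def audit(devices):
    """Return {device_id: [problems]} for non-compliant devices only."""
    report = {}
    for dev in devices:
        problems = credential_problems(dev)
        if problems:
            report[dev.device_id] = problems
    return report


def may_provision(dev):
    """Admission decision: a device joins the network only when compliant."""
    return not credential_problems(dev)


# Constructed fleet: one untouched default, one compliant, one hard-coded.
SAMPLE_FLEET = [
    Device("cam-001", "admin", "admin", True),
    Device("cam-002", "admin", "Xk7-rainfall-2016-lamp", True),
    Device("dvr-007", "root", "default_password", False),
]

if __name__ == "__main__":
    for device_id, problems in audit(SAMPLE_FLEET).items():
        print(device_id)
        for p in problems:
            print("  -", p)
```

The hard-coded case is reported separately from the default-password case because the remediation differs: the first needs a firmware update or device replacement from the manufacturer, the second only needs the operator to set a new password.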
Could either of these causes have been prevented by conformance to security standards?
One standard that addresses these product integrity and supply chain security issues is the Open Trusted Technology Provider Standard (O-TTPS), recently approved as ISO/IEC 20243. It is a set of best practices to be applied throughout the product's life cycle (design to disposal), including supply chains, in order to reduce the risk of tainted (e.g. malware-enabled or malware-capable) and counterfeit components (hardware and software) making their way into products that are connected to the Internet. This particular standard also has a conformance program that identifies Open Trusted Technology Providers who conform to the standard.
In the case of the Dyn incident, if the vendors of the IoT devices had followed O-TTPS’ requirements for vulnerability analysis and notification of newly discovered and exploitable product vulnerabilities, the vulnerability which allowed this massive botnet to be assembled would have been caught and the attack vector blocked.
So, can standards prevent DDoS attacks? We can't prevent these attacks, but following widely accepted standards and best practices for secure development and delivery can mitigate their effectiveness and limit the economic damage they cause.
Sally Long, director of consortia services, The Open Group
Dave Lounsbury, CTO, The Open Group
Pandora and IBM digitise jewellery supply chain
Pandora has overhauled its global supply chain in partnership with IBM amid an ecommerce sales boom for its hand-finished jewellery.
The company found international success offering customisable charm bracelets and other personalised jewellery through its chain of bricks-and-mortar retail destinations. But in 2020, as the COVID-19 outbreak forced physical stores to close, Pandora strengthened its omnichannel operations and doubled online sales.
A focus on customer experience included deploying IBM’s Sterling Order Management, increasing supply chain resiliency and safeguarding against disruption across the global value chain.
Pandora uses IBM Sterling Order Management as the backbone of its omnichannel fulfilment, with Salesforce Commerce Cloud powering its ecommerce. Greater automation across its channels has boosted the jeweller's sustainability credentials, IBM said, streamlining processes for more efficient delivery. It has also given in-store staff and virtual customer service representatives superior end-to-end visibility to better meet consumer needs.
Jim Cruickshank, VP of Digital Development & Retail Technology, Pandora, said the digital transformation journey has brought “digital and store technology closer together and closer to the customer”, highlighting how important the customer journey remains, even during unprecedented disruption.
"Our mission is about creating a personal experience and we've instituted massive platform changes with IBM Sterling and Salesforce to enable new digital-first capabilities that are much more individualised, localised and connected across channels and markets,” he added.
Pandora’s pivot to digital
The pandemic forced the doors closed at most of Pandora's 2,700 retail locations. To remain competitive, it pivoted to online retail. Virtual queuing for stores and virtual product trials via augmented reality (AR) technology went some way to emulating the in-store experience and retail theatre that is the brand's hallmark. Meanwhile, digital investments in supply chain efficiency were central to delivering on consumer demand.
“Consumer behaviour has significantly shifted and will continue to evolve with businesses needing to quickly adapt to new preferences and needs,” said Kareem Yusuf, General Manager, AI Applications and Blockchain, IBM. “To address this shift, leading retailers like Pandora rely on innovation to increase their business agility by enabling and scaling sustainable supply chain operations using AI and cloud.”
Yusuf said Pandora’s success was indicative of how to remain competitive by “finding new ways to create differentiated customer experiences that protect their enterprises from disruptions to help mitigate risk and accelerate growth”.