Can standards help prevent DDoS attacks, or is it beyond the industry’s control?
We have seen the rise in DDoS attacks and witnessed the damage they inflict on Internet performance and server availability, harming business enterprises and mission-critical operations. One example from 2016 with a major and far-reaching impact was the DDoS attack against the Domain Name System (DNS) provider Dyn. How did that incident occur, and could it have been prevented? Would conformance to existing standards have helped?
First, how did the Dyn incident have such a large impact, cutting off access to major Internet services such as Amazon and Netflix? The attack took advantage of a very large number of Internet-connected devices; some sources cite tens of millions. These were primarily consumer devices, the kind that make up the ever-expanding “Internet of Things”: printers, surveillance cameras, routers and even baby monitors, all of which had been vulnerable to infection by the Mirai malware. This widespread infection was used to build a botnet that carried out the largest DDoS attack seen to that date.
The Mirai malware, whose source code had been published by hacktivists shortly before the attack, scans for IoT devices that still accept well-known, readily available default passwords. Once such a device is found it is infected and becomes part of a Mirai “botnet”, which can then be used to launch DDoS attacks from millions of devices at once. When activated, the botnet sent an estimated 1 terabyte per second of traffic at Dyn’s DNS servers. DNS translates human-readable names into the addresses that route traffic, and many major companies rely on Dyn for that translation; when the botnet flooded Dyn with requests from infected devices, legitimate requests to reach those companies’ names went unanswered.
Would standards have helped mitigate this? Ultimately the attack was primarily a consequence of users not changing the default passwords on their devices once they were connected to the Internet. One might call this operator error, but it can also be tied to poor practice on the provider side: manufacturers did not communicate the importance of changing default passwords. In other cases, manufacturers shipped devices with well-known default passwords hardcoded in the firmware, so operators could not change the password at all without buying a new product. In both cases the devices were left vulnerable.
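A defender-side illustration of the Mirai behaviour described above: the scanner walks a short list of factory-default accounts on each device it reaches, and a device that lets one of those logins through is still running its shipped credentials. The example below is added here and is not code from the article’s authors or The Open Group; the log line format, the default-account list, the spray threshold and the sample log lines are all constructed assumptions.

```python
"""Flag Mirai-style default-account login sprays in IoT device auth logs.

Added example for this article, not code from The Open Group or the article's
authors. The log format, the default-account list, the threshold and the
sample log are all constructed for illustration.
"""
import re
from collections import defaultdict

# Account names commonly shipped as factory defaults on consumer devices (constructed list).
DEFAULT_ACCOUNTS = {"root", "admin", "user", "guest", "support", "service"}

# Constructed syslog-like format: "<ts> <host> login: <OK|FAILED> user=<u> from=<ip> svc=<svc>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, spray_threshold=3):
    """Return (sprayers, compromised): sources that tried at least
    `spray_threshold` distinct default accounts (a scanner walking a credential
    list), and hosts where such a source logged in (still on factory defaults)."""
    events = [ev for ev in map(parse, lines) if ev and ev["user"] in DEFAULT_ACCOUNTS]
    tried = defaultdict(set)  # source address -> default accounts it attempted
    for ev in events:
        tried[ev["src"]].add(ev["user"])
    sprayers = {src for src, accts in tried.items() if len(accts) >= spray_threshold}
    compromised = {ev["host"] for ev in events
                   if ev["result"] == "OK" and ev["src"] in sprayers}
    return sorted(sprayers), sorted(compromised)

# Constructed sample: one source walks root/admin/support on cam01 and gets in;
# another tries two default accounts across two hosts; a named user logs in over SSH.
SAMPLE_LOG = [
    "2016-10-21T11:59:58Z cam01 login: FAILED user=root from=203.0.113.5 svc=telnet",
    "2016-10-21T11:59:59Z cam01 login: FAILED user=admin from=203.0.113.5 svc=telnet",
    "2016-10-21T12:00:00Z cam01 login: OK user=support from=203.0.113.5 svc=telnet",
    "2016-10-21T12:00:03Z dvr07 login: FAILED user=admin from=198.51.100.9 svc=telnet",
    "2016-10-21T12:00:04Z dvr07 login: OK user=alice from=192.0.2.44 svc=ssh",
    "2016-10-21T12:00:07Z rtr02 login: FAILED user=root from=198.51.100.9 svc=telnet",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # (['203.0.113.5'], ['cam01'])
```

Lowering the threshold widens the net to sources that tried fewer default accounts, at the cost of more noise from ordinary mistyped logins.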
Could either of these causes have been prevented by conformance to security standards?
One standard that addresses these product-integrity and supply-chain security issues is the Open Trusted Technology Provider Standard (O-TTPS), recently approved as ISO/IEC 20243. It is a set of best practices to be applied throughout a product’s life cycle, from design to disposal and including its supply chain, in order to reduce the risk of tainted (e.g. malware-enabled or malware-capable) and counterfeit components, hardware and software alike, making their way into products that are connected to the Internet. The standard also has a conformance program that identifies Open Trusted Technology Providers who conform to it.
In the case of the Dyn incident, if the vendors of the IoT devices had followed O-TTPS’s requirements for vulnerability analysis and for notification of newly discovered, exploitable product vulnerabilities, the vulnerability that allowed this massive botnet to be assembled would have been caught and the attack vector blocked.
So, can standards prevent DDoS attacks? We cannot prevent these attacks outright, but following widely accepted standards and best practices for secure development and delivery can blunt their effectiveness and limit the economic damage they cause.
Sally Long, director of consortia services, The Open Group
Dave Lounsbury, CTO, The Open Group