Last week’s distributed denial-of-service attack that temporarily crippled managed DNS provider Dyn Inc. and its customers, including Twitter, has prompted a security expert to repeat his call for a two-tier Internet, with one level being more secure than the other.
“The underlying problem of all the badness on the Internet is mostly the ability of the attacker to be anonymous,” Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said in an interview.
“I’m against pervasive anonymity, which is what the Internet is built on. I’m for pervasive identity, and then people and services that want to maintain anonymity would be shunted to kind of a second-tier Internet, where people would accept those risks. But where you have pervasive identity – at a device and user level – it’s easier to track back the culprits.”
Grimes, who had just returned to his home in Florida after speaking at last week’s SecTor cyber security conference in Toronto, noted there are identity services available now on the Internet that could be leveraged. He gave a detailed explanation in a 2014 whitepaper, but put simply, an organization could say that unless a person has a verifiable ID – perhaps using two-factor or biometric authentication – they can’t access the firm’s server. Or: your packet can’t come to my company’s site unless you’ve been verified as coming from a trustworthy place. Or: if packets come from a suspicious place, they can be blocked.
To prevent Internet of Things devices from being exploited, routers, switches and surveillance cameras would need TPM (Trusted Platform Module) chips, he said.
The goal is to create a two-tier Internet, which users might be willing to pay a little more for to get better security.
In his whitepaper Grimes suggested every participating Internet component, hardware and software, be modified to provide increased identity and integrity assurance. All participating network traffic would be cryptographically tagged with a “trust level”, which could be evaluated and acted upon accordingly. Each participating security domain would be responsible for assuring the trust and labeling of its egress traffic and responsible for acting upon tagged ingress traffic (and be held accountable for its attestations).
A security domain gateway device (called a “trust gateway”) would perform the necessary trust labeling and evaluation. Every component (e.g. hardware, OS, network devices and pathway, identity, etc.) would end up being evaluated and assigned a numerical trust rating.
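The label-and-evaluate step described in the two paragraphs above (and the verified-origin rule sketched earlier) as an added example; this is not code from Grimes’s whitepaper or from the article. A hypothetical egress trust gateway binds a numeric trust level to each packet and signs it, and an ingress gateway verifies the label and enforces a minimum level. The domain names, keys, the 0-to-100 trust scale and the weakest-link aggregation of component ratings are all assumptions made for the example; HMAC with per-domain keys stands in for the public-key signature a real deployment would need so that a domain can be held accountable for its attestations.

```python
import hashlib
import hmac
import json

# Hypothetical per-domain signing keys, constructed for this example. A deployment
# would give each security domain a private key and publish the public key so the
# label is a non-repudiable signature; HMAC is used here only because it is in the
# standard library.
DOMAIN_KEYS = {
    "corp.example": b"constructed-key-for-corp",
    "camera-vendor.example": b"constructed-key-for-cameras",
}


def endpoint_trust(component_ratings):
    """Aggregate per-component ratings (hardware/TPM, OS, identity, path ...) into
    one trust level on an assumed 0-100 scale. Taking the minimum is this
    example's assumption, not the whitepaper's rule: one unattested component
    drags the whole endpoint down."""
    if not component_ratings:
        return 0  # nothing attested at all: anonymous, second-tier traffic
    return min(component_ratings.values())


def _canonical(label):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(label, sort_keys=True, separators=(",", ":")).encode()


def label_egress(domain, key, payload, trust_level, now):
    """Egress trust gateway: bind a trust level and a payload digest to the
    packet and sign the label with the domain's key."""
    label = {
        "domain": domain,
        "trust": int(trust_level),
        "ts": int(now),
        "digest": hashlib.sha256(payload).hexdigest(),
    }
    tag = hmac.new(key, _canonical(label), hashlib.sha256).hexdigest()
    return {"payload": payload, "label": label, "tag": tag}


def evaluate_ingress(packet, keys, min_trust, now, max_age=30):
    """Ingress trust gateway: verify the label and return ("accept"|"drop", reason).
    Checks are ordered so that nothing in the label is trusted before the
    signature has been verified."""
    label = packet.get("label")
    if not isinstance(label, dict):
        return ("drop", "unlabeled traffic")
    domain = label.get("domain")
    key = keys.get(domain) if isinstance(domain, str) else None
    if key is None:
        return ("drop", "unknown or unrecognised domain")
    expected = hmac.new(key, _canonical(label), hashlib.sha256).hexdigest()
    # Constant-time compare; after this point every label field is authentic.
    if not hmac.compare_digest(expected, str(packet.get("tag", ""))):
        return ("drop", "bad signature")
    if abs(int(now) - int(label["ts"])) > max_age:
        return ("drop", "stale label (replay?)")
    if hashlib.sha256(packet["payload"]).hexdigest() != label["digest"]:
        return ("drop", "payload does not match label")
    if label["trust"] < min_trust:
        return ("drop", f"trust {label['trust']} below required {min_trust}")
    return ("accept", "ok")


if __name__ == "__main__":
    rating = endpoint_trust({"tpm": 90, "os": 80, "identity": 70})
    pkt = label_egress("corp.example", DOMAIN_KEYS["corp.example"],
                       b"GET / HTTP/1.1", rating, now=1000)
    print(evaluate_ingress(pkt, DOMAIN_KEYS, min_trust=60, now=1005))
    tampered = dict(pkt, payload=b"GET /admin HTTP/1.1")
    print(evaluate_ingress(tampered, DOMAIN_KEYS, min_trust=60, now=1005))
```

The freshness window and the payload digest are what stop a label being lifted off one packet and replayed on another; the ingress side deliberately checks the signature before reading any other field, so a forged label never influences the decision.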
Levels of trust, and how to obtain them, might take two years to create by a consortium of computer security experts, but would be published in an open, transparent way.
A global Internet security infrastructure service might also need to be created, with fault-tolerant, distributed “root” servers dedicated to directing querying clients to the appropriate security service server(s), he also wrote.
“It’s tough for a company to protect itself when a DDoS attack is against the underlying infrastructure,” Grimes said in the interview. “It points to weaknesses in the Internet that need to be corrected because the Internet is mission-critical for everything. Denial of service (attack) people have gone far too long without being shut down. We need to come up with some infrastructure that shuts down these attacks faster.”
The idea has some merit, said Jeff Pollard, principal security analyst at Forrester Research. “I think he’s got a good point,” Pollard said in an interview. “We are reaching a situation where the volume of attacks they can throw at a site is so high that I’m not sure enterprise defenders are going to be able to marshal all of the bandwidth (for protection) and DDoS mitigation providers to battle them. So it’s absolutely a potential approach where you’re only allowing some version of an authenticated device to get to a Web site. The problem is if a Web site or service exists and it’s publicly accessible, that could be overwhelmed.”
In the meantime CISOs should ensure they have a backup DNS provider, he said, and ensure there isn’t a single point of failure on the network. That includes quizzing vendors and third-party providers – especially cloud providers – to ensure they don’t have a single point of failure either.
Paul Hanley, KPMG Canada’s national lead for cyber security, also warned in an interview today that DDoS attacks can be used to distract defenders and mask another attack, like a spear phish. DDoS mitigation techniques or managed services are important, he said.
CIOs/CISOs should also be aware that any organization can be the target of a DDoS attack, he added.
“It’s a real challenge because if someone is determined and has enough firepower behind them to make it happen, then effectively there’s a good chance they may be able to take you off air.”
In a blog this morning Toronto-based DNS provider easyDNS argued that while paying for DDoS mitigation or external scrubbing services is essential for some organizations, it isn’t a complete defence; using multiple DNS providers or solutions also helps. If you go this route, have a coherent methodology for syndicating your zones across those solutions, be able to track the health of each component of your DNS array, and have the ability to switch, enable or disable components as required.
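A worked version of the multi-provider advice above, and of Pollard’s backup-DNS point earlier, added here as an example; it is not code from easyDNS or from the article. Given each provider’s copy of a zone, it classifies the provider as healthy, stale, drifted or down and decides which should stay in the delegation. The zone snapshots, provider names and the one-record-per-line “owner type rdata” listing format are constructed for the example; a real check would fill them in by querying each provider’s authoritative nameservers.

```python
# Constructed zone snapshots, one record per line as "<owner> <type> <rdata>".
# In practice each text would come from querying that provider's nameservers.
SOURCE_ZONE = """
example.com. SOA ns1.example.com. hostmaster.example.com. 2016102102
example.com. A 192.0.2.10
www.example.com. A 192.0.2.10
mail.example.com. MX 10 mx1.example.com.
"""

PROVIDER_ZONES = {
    # identical copy, current serial
    "provider-a": SOURCE_ZONE,
    # zone transfer lagging: old serial and the MX record has not arrived yet
    "provider-b": """
example.com. SOA ns1.example.com. hostmaster.example.com. 2016102101
example.com. A 192.0.2.10
www.example.com. A 192.0.2.10
""",
    # unreachable during the check; its text is irrelevant
    "provider-c": "",
    # someone edited the record directly in this provider's console
    "provider-d": """
example.com. SOA ns1.example.com. hostmaster.example.com. 2016102102
example.com. A 192.0.2.10
www.example.com. A 198.51.100.5
mail.example.com. MX 10 mx1.example.com.
""",
}

# Constructed reachability results (e.g. from a timed SOA query to each provider).
REACHABLE = {"provider-a": True, "provider-b": True, "provider-c": False, "provider-d": True}


def parse_zone(text):
    """Return (serial, records). The SOA serial is the last field of the SOA line
    and is kept apart from the record set, because it may legitimately lag."""
    serial, records = None, set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts[0].lower(), parts[1].upper(), " ".join(parts[2:])
        if rtype == "SOA":
            serial = int(parts[-1])
            continue
        records.add((owner, rtype, rdata))
    return serial, frozenset(records)


def assess_dns_array(source_text, provider_texts, reachable):
    """Compare each provider's copy of the zone with the source of truth and
    return {provider: {"status": ..., "missing": [...], "extra": [...]}}.
    Precedence: down > drift (different data) > stale (old serial) > healthy."""
    src_serial, src_records = parse_zone(source_text)
    report = {}
    for name, text in provider_texts.items():
        if not reachable.get(name, False):
            report[name] = {"status": "down", "missing": [], "extra": []}
            continue
        serial, records = parse_zone(text)
        missing = sorted(src_records - records)
        extra = sorted(records - src_records)
        if missing or extra:
            status = "drift"    # serving different answers: pull it until resynced
        elif serial != src_serial:
            status = "stale"    # same answers, old serial: safe to serve, but flag it
        else:
            status = "healthy"
        report[name] = {"status": status, "missing": missing, "extra": extra}
    return report


def delegation_plan(report, min_healthy=2):
    """Providers whose nameservers should stay in the registrar delegation now,
    and whether the array has fallen below the redundancy floor."""
    keep = sorted(n for n, r in report.items() if r["status"] in ("healthy", "stale"))
    return keep, len(keep) < min_healthy


if __name__ == "__main__":
    report = assess_dns_array(SOURCE_ZONE, PROVIDER_ZONES, REACHABLE)
    for name, entry in sorted(report.items()):
        print(name, entry["status"], entry["missing"], entry["extra"])
    print(delegation_plan(report))
```

Run periodically, the plan output is what drives the “switch, enable or disable” step: a provider that has drifted is removed from the NS set rather than left to serve stale or rogue answers, and the alarm fires when fewer than two providers remain, which is exactly the single-point-of-failure condition Pollard warns about.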
Increasingly, DDoS attacks leverage insecure devices attached to the Internet, including enterprise and consumer devices. Sophos urges owners of smart TVs, lights, thermostats, routers, home surveillance cameras and other internet-connected devices to keep the software on their devices up to date and to immediately change the default passwords to something unique.
CISOs need to be vigilant about securing devices on their networks.
The attacks on New Hampshire-based Dyn started around 7 a.m. Oct. 21 and according to news reports greatly slowed Twitter, Reddit, Airbnb, the New York Times among others in the U.S., and some sites in Canada. It took two hours for Dyn to mitigate that attack, which was followed by a second wave against Dyn and others just before noon. A third attack was successfully mitigated, Dyn said.
In a statement Sunday Dyn chief strategy officer Kyle York called the episodes a “sophisticated, highly distributed attack” involving tens of millions of IP addresses. “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet.”
That botnet, largely composed of insecure Internet-connected video surveillance cameras, was used in a massive attack in September against security reporter Brian Krebs.