Whether or not you work in IT security, distributed denial of service (DDoS) attacks are becoming more visible by the day. In the last three months of 2016 alone, DDoS attacks greater than 100Gbps increased by 140% year-on-year, according to a recent report. And this growth isn’t expected to decelerate any time soon.
The damage inflicted by DDoS attacks has become increasingly mainstream, and while we often hear of news outlets, political campaigns and retailers being taken offline by hacks, attackers are turning their attention to more mission-critical operations in hospitals, banks and universities.
IoT and the DDoS dilemma
Seven out of 12 DDoS attacks in Q4 2016 were down to the Mirai botnet, and the most significant example of this is the attack against Domain Name Service (DNS) provider Dyn, in October 2016. It was estimated that the attack involved 100,000 malicious endpoints, sending one terabyte of traffic per second to the company’s servers.
These endpoints were a host of connected devices – not just laptops and PCs but also the routers, printers, baby monitors and webcams that make up the Internet of Things (IoT). By using known passwords, Mirai is able to search for susceptible IoT devices before infecting them with the malware. Each susceptible device then becomes part of a botnet that is capable of launching DDoS attacks from all of its infected devices.
Some blame the users for not changing the default passwords once the devices were connected. Others feel more responsibility falls on manufacturers because, in some instances, products were distributed with well-known default passwords “built-in” with no option to change them.
Standards: the silver bullet?
DDoS attacks are becoming far more sophisticated, so it’s essential that hardware and software manufacturers start to seriously consider standards to address the potential security risks in the growing Internet of Things.
One key standard is the Open Trusted Technology Provider Standard, or O-TTPS, which addresses these issues around supply chain security and product integrity. Recently approved as ISO/IEC 20243, this set of best practices can be applied from design to disposal, throughout the supply chain and the entire product life cycle.
Standards like the O-TTPS aim to reduce the risk of tainted (e.g., malware-enabled and malware-capable) and counterfeit hardware and software components entering supply chains and making their way into products that connect to the Internet. This specific standard also has a conformance programme that identifies Open Trusted Technology Providers who conform.
The vendors involved in the Dyn incident could have followed the O-TTPS’ requirements for vulnerability analysis and notification of newly discovered and exploitable product weaknesses. If they had done so from the outset, the vulnerability that allowed the Mirai botnet to grow would likely have been caught early. The attack vector could have subsequently been blocked and the impact on businesses and consumers significantly reduced.
Securing information and communication technology (ICT) on which our business enterprises and critical infrastructures depend is a serious problem that becomes even more daunting and complex as we extend those environments to IoT devices. ICT and IoT devices are developed, manufactured, and assembled in multiple countries around the world. They are then distributed and connected globally.
Standards can’t categorically prevent the inception of DDoS attacks, but what they can do is mitigate their effectiveness and limit their economic damage.
Providing international standards like the O-TTPS (ISO/IEC 20243) that all IT providers and their technology partners (e.g., component suppliers, manufacturers, value-add resellers) in their supply chains can adopt, regardless of locale, is one significant way to increase cyber and supply chain security.
The adoption of a universal product integrity and supply chain security standard is a major first step in the continued battle to secure ICT products and IoT devices and their associated end users.
Further steps need to be taken in the form of collaboration, whereby we reach a point where we can recognise which technology and technology providers can be trusted and which cannot. But adhering to global standards provides a powerful tool for technology providers and component suppliers around the world to combat current and future DDoS attacks.
Guidelines for implementation of ISO/IEC 20243 (O-TTPS)
This standard, along with its certification programme, specifies measurable conformance criteria for both product integrity and supply chain security in ICT. The standard is freely available from The Open Group on the O-TTPS Certification website and for a fee from the ISO site.
The conformance criteria are captured in the Assessment Procedures, also freely available from the certification website. The Open Group has requested that ISO/IEC also adopt/approve the assessment procedures as Part-2 of 20243, in order to foster even greater global adoption, which is critical given the global nature of ICT.
The Open Group O-TTPS Certification Program offers certificates for conformance to both the O-TTPS and ISO/IEC 20243:2015, as the two standards are the same, and identifies successful applicants on a public registry so customers and business partners can readily identify an Open Trusted Technology Provider.
The programme is available to all providers in the ICT product’s supply chain, including Original Equipment Manufacturers (OEMs), hardware and software component suppliers, integrators, Value Add Resellers (VARs), and distributors.
Thus, it offers a holistic approach that not only allows customers to identify trusted business partners like integrators or OEMs who are listed on the registry, but also allows OEMs and integrators to identify trusted business partners like hardware and software component suppliers, VARs, and distributors from the public registry.
Sourced by Sally Long, director of The Open Group Trusted Technology Forum, The Open Group