We’ve all seen more than our share of the Cybersecurity Hall of Shame list of dumb passwords. Getting smart about password hygiene is critical, and security gurus have offered countless tips about preventing password and other IT security faux pas. Now, the California government has entered the war against botnet attacks and lax security practices. In doing so, the State of California has shined a rather unflattering light on internet-connected devices and their role in cybercrimes.
Drawing a (faint) line in the sand
In September 2018, California governor Jerry Brown signed SB-327, a law that requires manufacturers of connected devices sold in the state to build in reasonable security features. The bill targets devices that ship with preprogrammed passwords that are easy to guess or crack and therefore have little or no security out of the box. From January 1, 2020, every connected device made or sold in California must either carry a password unique to that unit or require the owner to set a new password before the device can be used for the first time. Baby monitors, thermostats, smart refrigerators, you name it: if the device connects to the internet and can be controlled over it, the law applies.
However, even this simple measure might not have the desired effect on cybercrime. Weak passwords are not the only back door for attackers. Other vulnerabilities exist, and cybercriminals know what they are and where to find them. The California law does not require manufacturers to ship security updates (patches) that would close those holes, so a device can satisfy the law and still run exploitable firmware for its whole service life.
The first step in a long, complex journey
The California law is the first in the United States to set security requirements specifically for connected devices. It focuses attention on the problem of poor password security and its role in cybercrime. However, the spotlight is also on IoT device users: people who take IoT devices out of the box but never change the easy-to-guess password share the blame. Hackers are experts at cracking simple passwords and finding software flaws. They can break into a network or even turn hundreds of thousands of connected devices into a destructive botnet.
Some analysts see the California law as a weak attempt to establish security standards. Others view it as the first step in a long process of addressing security weaknesses in IoT devices. The law may be a modest step, but it shines a light on the problems that policymakers and manufacturers face when it comes to improving the security of connected devices.
Botnets on the hunt for IoT devices
A botnet, or robot network, is a group of malware-infected computers or devices that operate under remote control. Botnets can carry out complex tasks such as a multi-stage distributed denial-of-service (DDoS) attack that blocks access to a site or service. The malware behind them is versatile: it can run on servers, smartphones, laptops, and tablets as well as on IoT devices.
Cybercriminals recruit machines for their botnets with a wide choice of methods. Malicious email links, phishing attempts, drive-by downloads, and vulnerable IoT devices are the usual modus operandi of botmasters. The infamous Mirai botnet carried a built-in table of more than 60 factory-default username/password pairs and tried them against any device that answered on Telnet. A hit let the bot log in and install the Mirai malware, and the newly infected device then went scanning for more victims.
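To show what that scanning looks like from the defender's side, here is an added example (not from the original article, and not Mirai's own code): a Python script that reads constructed honeypot-style login records and flags any source that works through several entries of the Mirai default-credential table. The credential pairs are a subset of the table in the leaked Mirai scanner source; the log format, IP addresses and threshold are assumptions made for the example. Note that a honeypot records the password attempted; a production device should log only the username and outcome.

```python
import re
from collections import defaultdict

# Subset of the 60-odd username/password pairs in the Mirai scanner's
# credential table (from the leaked Mirai source); enough to show the
# matching logic.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", "password"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
    ("admin", "1234"), ("guest", "guest"), ("ubnt", "ubnt"),
}

# Constructed honeypot-style log lines (format and addresses are assumptions).
SAMPLE_LOG = """\
2018-10-05T12:00:01Z telnetd: login from 203.0.113.7 user=root pass=xc3511 result=fail
2018-10-05T12:00:02Z telnetd: login from 203.0.113.7 user=root pass=vizxv result=fail
2018-10-05T12:00:02Z telnetd: login from 203.0.113.7 user=admin pass=admin result=fail
2018-10-05T12:00:03Z telnetd: login from 203.0.113.7 user=root pass=888888 result=success
2018-10-05T12:04:10Z telnetd: login from 198.51.100.9 user=alice pass=Tr0ub4dor result=fail
2018-10-05T12:04:25Z telnetd: login from 198.51.100.9 user=alice pass=correct-horse-battery result=success
2018-10-05T12:05:00Z telnetd: login from 192.0.2.44 user=admin pass=admin result=fail
"""

LINE_RE = re.compile(
    r"login from (?P<ip>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)"
)

def parse_attempts(text):
    """Yield (ip, user, password, succeeded) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["pw"], m["result"] == "success"

def find_credential_scanners(text, threshold=3):
    """Return {ip: {"pairs": [...], "compromised": bool}} for every source
    that tried at least `threshold` distinct pairs from the Mirai table.
    One default-credential attempt is noise; a run of them from a single
    source is the Mirai scanner's signature, and a success means the
    device is now in the botnet.
    """
    seen = defaultdict(dict)  # ip -> {(user, pw): succeeded}
    for ip, user, pw, ok in parse_attempts(text):
        pair = (user, pw)
        if pair in MIRAI_DEFAULTS:
            seen[ip][pair] = seen[ip].get(pair, False) or ok
    return {
        ip: {"pairs": sorted(pairs), "compromised": any(pairs.values())}
        for ip, pairs in seen.items()
        if len(pairs) >= threshold
    }

if __name__ == "__main__":
    for ip, info in find_credential_scanners(SAMPLE_LOG).items():
        status = "LOGIN SUCCEEDED" if info["compromised"] else "all attempts failed"
        print(f"{ip}: {len(info['pairs'])} Mirai default pairs tried, {status}")
```

On the sample above the script flags 203.0.113.7 (four table entries, one successful), ignores the user who mistyped a real password, and with `threshold=1` would also surface the single admin/admin probe from 192.0.2.44. The threshold is the trade-off between catching slow scanners and drowning in one-off probes.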
Keeping botnets at bay
In the 1800s, a “belts and suspenders” approach to finance described conservative lending practices, which used several methods to keep repayment risk low. In the 21st century, IT security pros can reduce the risk of botnet attacks with the same spirit of multi-level protection. Organizations can combine in-house, anti-botnet best practices and third-party DDoS mitigation services.
In-house protection against botnets
When it comes to on-premises anti-botnet practice, experts give all-too-familiar advice: change every default device password at installation, and change a password again whenever you suspect it has been exposed (rotating on a fixed schedule adds little if the password is long and unique to begin with). Don’t click on suspicious-looking links. Keep antivirus software and, on connected devices, firmware current, ideally with automatic updates. Make sure that wireless connections to your internet-connected devices are encrypted, and don’t expose device management services such as Telnet or SSH to the internet. Also make sure that passwords are long and unique enough to put off cyber crooks from messing with your network.
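As an added example (not from the article, and not any manufacturer's firmware), the following Python sketch contrasts the shared factory default the California law targets with a device authentication module that satisfies either of the law's two options: a random password unique to each unit, or no password at all until the owner sets one on first use. The class names, the fixed "admin" account, the 12-character minimum, the PBKDF2 parameters and the tiny common-password deny list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# --- The pattern the law targets: one credential shared by every unit ---
class LegacyDeviceAuth:
    """Every unit ships with admin/admin and nothing forces the owner to
    change it, so one entry in a scanner's table opens the whole product line."""
    FACTORY_DEFAULT = ("admin", "admin")

    def login(self, user, password):
        return (user, password) == self.FACTORY_DEFAULT


# --- Hardened: no shared default; the credential is bound to the unit ---
MIN_PASSWORD_LEN = 12        # assumption for the example
PBKDF2_ITERATIONS = 100_000  # assumption; tune to the device's CPU budget
# Placeholder deny list; a real product checks against a published
# common-password / factory-default list.
COMMON_PASSWORDS = {"administrator", "password1234", "123456789012"}

class HardenedDeviceAuth:
    """Two admissible configurations, matching the law's two options:
    a per-unit random password set at manufacture, or no password at all
    until the owner sets one on first use."""

    def __init__(self, preprogrammed_unit_password=None):
        self._salt = None
        self._hash = None
        if preprogrammed_unit_password is not None:
            # Unique per unit: generated on the factory line, printed on the label.
            self._store(preprogrammed_unit_password)

    @staticmethod
    def generate_unit_password():
        """Factory side: 96 bits of randomness per unit, never derived from
        the MAC address or serial number (those are guessable)."""
        return secrets.token_urlsafe(12)

    def needs_setup(self):
        return self._hash is None

    def set_initial_password(self, password):
        """First-use path: refuse weak choices so the forced change is not cosmetic."""
        if not self.needs_setup():
            raise PermissionError("password already set")
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is a commonly guessed value")
        self._store(password)

    def login(self, user, password):
        # A unit with no password yet fails closed rather than falling back
        # to a default; only the single "admin" account exists.
        if self.needs_setup() or user != "admin":
            return False
        candidate = self._derive(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)

    def _store(self, password):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password, self._salt)

    @staticmethod
    def _derive(password, salt):
        # Salted, slow hash: a dumped flash image does not yield the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
```

The important behavior is in `login`: before setup the hardened device accepts nothing at all, so there is no window in which a scanner's default table can succeed, and the stored hash is salted so that one leaked firmware image does not expose every owner's password.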
Bot management services
The second part of the belt-and-suspenders approach might not be so familiar. Bot management is a newer feature of application security products. It decides whether the source of a service request is a human or a machine, with the goal of spotting bots and blocking their traffic before it can damage networks or IT assets.
Analytics over large volumes of traffic data and machine learning supply the logic that decides whether a request comes from a human. Requests judged legitimate pass through the mitigation layer untouched. Requests judged non-human or otherwise suspicious are blocked, or diverted into a scrubbing process that strips out the malicious traffic before anything is forwarded to the protected service.
A database of millions of browser and bot signatures is central to bot management. When security specialists discover a new bot variant, they build a profile for it: header content and source IP ranges, network behavior patterns, and a technology fingerprint (the client library or browser engine the bot is built on). When an unknown client behaves suspiciously, the bot management software challenges it, for example with a JavaScript or CAPTCHA test, in a way that does not interrupt service for legitimate users.
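The following added example (not code from the article or from any bot-management vendor) shows the shape of that decision logic in Python: a small constructed signature database, a behavioral score built from header content and request rate, and the three outcomes of allow, challenge and block. The signatures, thresholds, header lists and IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed signature database (a commercial service holds millions).
# Each profile is a cut-down version of what the text describes: a
# user-agent pattern (header content), the header order the tool emits
# (technology fingerprint) and the action to take on a match.
BOT_SIGNATURES = [
    {"name": "python-requests",
     "ua": re.compile(r"^python-requests/", re.I),
     "header_order": ("host", "user-agent", "accept-encoding", "accept", "connection"),
     "action": "block"},
    {"name": "headless-chrome",
     "ua": re.compile(r"HeadlessChrome/"),
     "header_order": None,  # the UA string alone identifies this profile
     "action": "block"},
]

RATE_WINDOW_S = 10       # sliding window for the per-source request rate
RATE_LIMIT = 10          # more than this per window is not someone reading pages
CHALLENGE_THRESHOLD = 4  # behavioral score at which an unknown client is challenged

class BotManager:
    """Return ("allow" | "challenge" | "block", reasons) for each request."""

    def __init__(self):
        self._history = defaultdict(deque)  # ip -> recent request timestamps

    def classify(self, ip, ts, headers):
        # headers: list of (name, value) pairs in the order the client sent them
        hdrs = {name.lower(): value for name, value in headers}
        order = tuple(name.lower() for name, _ in headers)
        ua = hdrs.get("user-agent", "")

        # 1. Exact match against a known profile: act on the signature's verdict.
        for sig in BOT_SIGNATURES:
            if sig["ua"].search(ua) and sig["header_order"] in (None, order):
                return sig["action"], [f"signature:{sig['name']}"]

        # 2. Behavioral scoring for clients no signature covers.
        score, reasons = 0, []
        if not ua:
            score += 3
            reasons.append("empty-user-agent")
        if "accept-language" not in hdrs:  # mainstream browsers always send it
            score += 2
            reasons.append("no-accept-language")
        if "accept" not in hdrs:
            score += 1
            reasons.append("no-accept")
        rate = self._record(ip, ts)
        if rate > RATE_LIMIT:
            score += 3
            reasons.append(f"rate:{rate}/{RATE_WINDOW_S}s")

        # 3. Suspicious but unknown: challenge (JavaScript or CAPTCHA test)
        # rather than block, so a misclassified human can still get through.
        if score >= CHALLENGE_THRESHOLD:
            return "challenge", reasons
        return "allow", reasons

    def _record(self, ip, ts):
        window = self._history[ip]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_S:
            window.popleft()
        return len(window)

# Constructed sample clients.
BROWSER_HEADERS = [("Host", "shop.example"),
                   ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"),
                   ("Accept", "text/html"), ("Accept-Language", "en-US"),
                   ("Accept-Encoding", "gzip, deflate")]
SCRIPT_HEADERS = [("Host", "shop.example"), ("User-Agent", "python-requests/2.19.1"),
                  ("Accept-Encoding", "gzip, deflate"), ("Accept", "*/*"),
                  ("Connection", "keep-alive")]
UNKNOWN_HEADERS = [("Host", "shop.example"), ("User-Agent", "Mozilla/5.0"),
                   ("Accept", "*/*")]  # generic UA, no Accept-Language

def run_sample():
    """Feed the three constructed clients through one BotManager and return
    the decisions; the unknown client sends 15 requests within 5 seconds."""
    bm = BotManager()
    out = [bm.classify("198.51.100.1", 0.0, BROWSER_HEADERS)[0],
           bm.classify("203.0.113.5", 0.0, SCRIPT_HEADERS)[0]]
    out += [bm.classify("192.0.2.9", i * 0.3, UNKNOWN_HEADERS)[0] for i in range(15)]
    return out

if __name__ == "__main__":
    print(run_sample())
```

The browser is allowed, the scripted client is blocked on its signature without ever reaching the scoring stage, and the unknown client is allowed until its request rate pushes the score over the threshold, at which point it is challenged rather than dropped. Splitting the outcome into challenge and block is what keeps a false positive from turning into an outage for a real user.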
Make multi-level botnet protection work for your network
IT security specialists continually expand signature databases through proactive research, but the bad guys are getting smarter, too. Botnets are real and are getting more adept at creating chaos, and there is no time for organizations to lapse into denial. There are no silver bullets against botnet attacks, but DDoS mitigation and bot management services provide the next best thing: the foundation of a multi-layered defense that can keep the botnets at bay.