For Dale Drew, Chief Security Officer of Level 3 Communications, the frontline in the war against cybercrime is getting wider and wider. The Internet of Things is opening up many new avenues of attack for Drew’s adversaries while bringing in a whole new set of actors who often aren’t aware of their vulnerabilities.
Millions of recently connected devices could be hijacked by botnets for denial of service (DoS) attacks, which aim to overwhelm the target’s infrastructure with traffic. Such attacks “represent the most refined example of the type of attack that can tear down the infrastructure of an Internet service provider,” said Denver-based Drew, who has 27 years’ experience in cyber security, in a recent interview. “You combine that with the power of the Internet of Things, and we now have one of the largest threat landscapes, from an attack perspective, on the planet.”
Drew warned that much of the consumer and business equipment being connected to the Internet of Things (IoT) lacks the kind of protection that now comes as standard on PCs and, increasingly, smartphones. “The IoT is sort of starting from scratch from a security perspective,” he said. “They really have not learnt the lessons from all the other cyber security ecosystems that exist, so there is no anti-malware protection on IoT devices, there is no log correlation and analysis for IoT devices [and] they are all configured in exactly the same way, so if you break in via one IoT vendor, you have access to that entire platform.”
When analyzing ways of protecting the Internet of Things, Drew estimated that once a botnet has hijacked an IoT device it could be enslaved for 12-18 months, compared with an average of four months for a conventional connected device. “The amount of investment in getting access to more IoT devices is astounding,” he said. “We have seen 1 million, 1.5 million node botnets using IoT where only 50,000 of those devices are actually being used to bring down pretty large pieces of infrastructure.” That makes life difficult for the Internet service provider (ISP) – if it blocks the 50,000 devices being used for the attack, the adversary can simply switch to an alternative 50,000 devices already within the botnet. “We can’t block millions of devices, we can only block tens of thousands or hundreds of thousands of devices at once,” Drew explained. “So being able to dynamically block those botnets is a huge challenge for ISPs.”
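The blocking problem Drew describes, as an added illustration that is not Level 3’s code: a blocklist with a fixed capacity (the ISP can only hold tens or hundreds of thousands of entries) that is refreshed from sampled flow records each window, so that when the attacker rotates to a fresh set of bots the loudest current sources take the slots and quiet ones age out. The flow records, the packet threshold, the capacity and the TTL are all constructed for the example.

```python
from collections import Counter

# Constructed sample flows: (source_ip, destination_ip, packets) per sampling window.
# Window 1: three bots flood 203.0.113.5. Window 2: the operator switches to three
# other bots from the same botnet while the first three go quiet.
TARGET = "203.0.113.5"
WINDOW_1 = [("10.0.0.1", TARGET, 5000), ("10.0.0.2", TARGET, 4800),
            ("10.0.0.3", TARGET, 5100), ("10.0.0.9", TARGET, 3)]
WINDOW_2 = [("10.0.0.4", TARGET, 5200), ("10.0.0.5", TARGET, 4900),
            ("10.0.0.6", TARGET, 5000), ("10.0.0.1", TARGET, 2)]

ATTACK_THRESHOLD = 1000  # packets per window from one source to the target (assumed)


def active_sources(flows, target, threshold=ATTACK_THRESHOLD):
    """Return {source: packets} for sources sending more than `threshold` to `target`."""
    counts = Counter()
    for src, dst, pkts in flows:
        if dst == target:
            counts[src] += pkts
    return {src: n for src, n in counts.items() if n > threshold}


class DynamicBlocklist:
    """A capacity-limited blocklist. Entries expire after `ttl_windows` quiet windows;
    when the attacker rotates bots and the list overflows, the entries closest to
    expiry (the ones that have been quiet longest) are evicted first."""

    def __init__(self, capacity, ttl_windows=2):
        self.capacity = capacity
        self.ttl = ttl_windows
        self.blocked = {}  # source -> window index at which its block expires

    def refresh(self, window, flows, target):
        # renew or add blocks for sources attacking in this window
        for src in active_sources(flows, target):
            self.blocked[src] = window + self.ttl
        # drop blocks whose TTL has elapsed
        self.blocked = {s: exp for s, exp in self.blocked.items() if exp > window}
        # enforce the capacity: keep the entries with the most remaining TTL
        if len(self.blocked) > self.capacity:
            keep = sorted(self.blocked.items(), key=lambda kv: kv[1], reverse=True)
            self.blocked = dict(keep[: self.capacity])
        return frozenset(self.blocked)


def run_windows(windows, target, capacity, ttl_windows=2):
    """Feed successive windows to one blocklist; return the blocked set after each."""
    bl = DynamicBlocklist(capacity, ttl_windows)
    return [bl.refresh(i, flows, target) for i, flows in enumerate(windows, start=1)]


if __name__ == "__main__":
    for i, blocked in enumerate(run_windows([WINDOW_1, WINDOW_2], TARGET, capacity=4), 1):
        print(f"window {i}: blocking {sorted(blocked)}")
```

The capacity here is four entries rather than tens of thousands, but the shape of the problem is the same: after the rotation the new bots displace the old ones, and a bot that falls silent leaves the list after its TTL, which is exactly what lets the operator bring it back later.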
Getting on the front foot
At the same time, the IoT also opens up new, innovative ways of combating crime. “I am also seeing some great emerging capabilities with IoT,” Drew said. “There is an IoT tile device: when you report a device that has been stolen that is connected to a tile, all the other tile devices will be on the lookout for it. When they see that tile device walk by, they can all report on that tile device… the ability for IoT devices to sort of collaborate together for the purposes of security is something amazing to me.”
Under Drew, Level 3’s security philosophy is to be as proactive as possible. “We are sort of leaning into this problem a little bit with our customers’ cooperation,” Drew explained. “We look for behavior analytics to see what looks like a bad guy, what looks like a compromised computer, so not only did we build a victim notification system, that notifies 178 million victims that have been compromised… but we are also blocking those guys off the backbone.” While this kind of proactive analytical approach is unusual among Internet service providers, Drew says it is having a “pretty significant impact on how protecting the Internet of Things.”
As the IoT expands and grows, other challenges apart from protecting the Internet of Things are beginning to emerge. One is how to authenticate connected devices and equipment, given the number of components that can be involved in an industrial or consumer solution. “A lot of IoT devices are controlled by cloud vendor infrastructure where the IoT device and the consumer don’t talk directly, they talk through a cloud provider, so authentication protocols for that sort of ecosystem are really critical,” noted Drew in the interview. But “a lot of the bad guys are getting access to these IoT devices by breaking into the operating system … most of them are Unix or Linux based operating systems with all the default passwords deployed and the application vendor isn’t spending any time on that layer, only his layer … it really needs to be a full ecosystem approach.”
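One way the device-to-cloud authentication Drew calls for can avoid the shared-default-credential problem he describes (every device configured the same way, so one break-in opens the whole platform), as an added example that is not the interviewee’s or any vendor’s code: the cloud broker derives a distinct key per device from a master secret and authenticates each device with a single-use challenge, so a key lifted from one device cannot be used to impersonate another, and a captured response cannot be replayed. The HMAC-based derivation, the message layout, the device identifiers and the master secret are all assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets


def device_response(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Proof of possession of the per-device key, bound to the device id and the nonce."""
    return hmac.new(device_key, b"auth:" + device_id.encode() + nonce, hashlib.sha256).digest()


class CloudBroker:
    """Cloud side: per-device keys derived from one master secret (assumed design),
    so no two devices share a credential and the broker stores no device key at all."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._pending = {}  # device_id -> outstanding nonce, consumed on first use

    def device_key(self, device_id: str) -> bytes:
        # Derivation used at provisioning time; a device only ever sees its own key.
        return hmac.new(self._master, b"device-key:" + device_id.encode(), hashlib.sha256).digest()

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use: a replay finds no nonce
        if nonce is None:
            return False
        expected = device_response(self.device_key(device_id), device_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Device:
    """Device side: holds only its own provisioned key."""

    def __init__(self, device_id: str, device_key: bytes):
        self.id = device_id
        self._key = device_key

    def answer(self, nonce: bytes) -> bytes:
        return device_response(self._key, self.id, nonce)


def demo() -> dict:
    broker = CloudBroker(master_key=b"constructed-master-secret-for-demo-only")
    cam = Device("cam-0001", broker.device_key("cam-0001"))

    genuine = broker.verify(cam.id, cam.answer(broker.challenge(cam.id)))

    # A recorded response must not be accepted a second time.
    nonce = broker.challenge(cam.id)
    resp = cam.answer(nonce)
    first = broker.verify(cam.id, resp)
    replay = broker.verify(cam.id, resp)

    # cam-0001's key must not authenticate as a different device.
    n2 = broker.challenge("cam-0002")
    cross_device = broker.verify("cam-0002", device_response(cam._key, "cam-0002", n2))

    return {"genuine": genuine, "first": first, "replay": replay, "cross_device": cross_device}


if __name__ == "__main__":
    print(demo())  # constructed example; expected {'genuine': True, 'first': True, 'replay': False, 'cross_device': False}
```

A production broker would also expire outstanding nonces after a short interval and run this exchange inside TLS; the point of the example is the credential design, which is what the default-password problem Drew describes is missing.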
Balancing business and security
At Level 3, Drew’s team has responsibility for security in the broadest sense, securing the telco’s own infrastructure, while also working with its customers to protect their assets. His team understands that security can’t be an obstacle to doing business. “Our objective is to make the company protected, but also make the company adaptable and flexible to meeting the needs of our customers,” Drew said. “We are not just an academic, sort of policy-based organization, we … evaluate the level of risk we think is acceptable for the business when doing the following sort of activity. We tend to take a little bit more risk than most usually do when providing solutions to customers.”
However, Level 3 may have to adapt its security practices in line with new laws, notably the General Data Protection Regulation in the EU, which stipulates that companies will need consumers’ consent to move their data out of the region. “So you are now beholden on the education level, or the knowledge level, or the paranoia level of the consumer of what you end up doing with your own data, and that really does end up destroying the economies of scale where you can deploy that data, whether it is securely deployed or not,” said Drew.
Protecting the Internet of Things against new threats
Looking ahead, Drew believes so-called ransomware, which disables a machine and then demands a fee to restore it, is going to become an increasingly significant threat. In the wake of the WannaCry and Petya attacks, which followed signs of growing interest in ransomware in the criminal community, Drew is expecting more disruption. “A nation state that wants to cripple information infrastructure by encrypting Internet devices by random and throwing away the key, those are huge concerns of ours, as we progress into this year and next year,” he said. There has been speculation that Russia may have been behind the Petya attack, which began by disabling the power grid, banks, government offices, and airports in neighboring Ukraine, with which Russia has a tense relationship following its annexation of Crimea.
To counter the growing battery of threats, Drew is calling on the digital ecosystem to step up its efforts to share timely information more widely, so that a network provider, for example, has the same information as the anti-virus vendors. “Sharing across ecosystems is still something that we have not accomplished,” he said. “The bad guys are sharing more information faster than we are.”
More specifically, Drew believes a standardized information feed could be a critical weapon in countering the speed at which cyber criminals now operate. Such a feed would ensure that all the relevant security vendors receive live attack information simultaneously, and then “all of your security apparatus will be protected at exactly the same time using the exact same knowledge base,” he explained. “That will be a game changer for how more expensive we make it for the bad guys to operate.”