In mid-October of last year, a distributed denial-of-service attack took down some of the world’s most popular websites. Twitter, Netflix, Reddit and CNN went dark as a botnet targeted the underlying infrastructure of the internet. The DDoS attack—the largest ever—targeted Dyn, a company that provides DNS services for over 3,500 enterprise customers.
While the attack only brought those websites down for a couple of hours, it was a stark reminder of just how sophisticated online criminals have become. “It’s tough for a company to protect itself when a DDoS attack is against the underlying infrastructure,” Roger Grimes, a principal security architect with Microsoft’s information security and risk management practice, told IT World Canada.
The price of DDoS
For businesses, the effects of a DDoS attack are pretty clear—a Kaspersky Lab report published last year estimated that enterprises targeted by a DDoS attack lose, on average, CAD$552,147. But there can be something even more insidious lurking under the surface: DDoS attacks can also be used as a sort of “digital smokescreen,” masking parallel attacks intended to steal information. Twenty-six percent of companies that suffered DDoS attacks lost sensitive information as a result, according to the Kaspersky report.
Enterprises don’t just have to protect against DDoS attacks—they also have to prevent themselves from inadvertently being part of one. The DDoS attack in October was carried out by what’s called the Mirai botnet. Mirai is a piece of malware that turns Linux systems into bots that can then be used to attack other computers. The systems it targets are mostly IoT devices, particularly webcams and DVR players. The problem is so serious that there have been reports of home security cameras being infected with Mirai and similar malware within two minutes of being turned on for the first time.
The IoT element
As the number of IoT devices in the home and office grows, this vulnerability will only get bigger. While network security is a priority at most offices, those efforts can easily overlook devices that most people don’t normally think of as “computers.” That includes new IoT devices as well as more traditional devices, like printers.
The majority of companies just aren’t taking printer security seriously. In fact, printer security is so overlooked that thousands of unsecured printers are indexed directly on Google. It wouldn’t take much effort—or sophisticated hacking skills—for anyone on the internet to print anything they want on any of those printers. While that might sound innocuous, it’s a waste of resources and, if a shared printer is tied up printing nonsense, it can be a waste of time for everyone in the office.
That’s just the beginning. An unsecured printer could allow a hacker to access documents that are being printed and, on multi-function devices, that hacker could also gain access to documents that have been scanned or copied on the device. “A particular embedded device might have limited capabilities itself, but an attacker who compromises it can gain valuable insight into your network. It’s like they are inside the mouse hole looking into your house,” writes eSecurity Planet’s Aaron Weis. That could allow attackers to start “sniffing intranet traffic or performing other types of surveillance that give them tools for new avenues of attacks against your network.”