“Still, the worst thing about Mirai is that it leverages the horrible security decisions made by a handful of manufacturers of Internet-connected devices.”
This sentence is really an understatement by the author Sean Gallagher in an article published on Arstechnica. It speaks to the global problem in attitude manufacturers have toward security and making secure products. Now a days one would think everyone would have the realization that if something connects to the internet, it is now open game for attack. That’s the world we live in. Let me be really clear—if a device connects to the internet, or is internet aware, it is open for attack. The Mirai IoT botnet attack that occurred last week did nothing more than put a period on that sentence.
Recall the Mirai attack managed to control millions, yes millions, of devices that connect to the internet. Now to be fair, traditional thinking probably permitted that.
You may be asking right now, “What the heck is the Internet of Things?” IoT, as it is also called, is what we call all of our gadgets that are internet aware. These are gadgets that can talk to each other, and to us humans, across the internet. Things like smart TVs, refrigerators, those smart doorbells, surveillance video cameras, sensors, DVRs, some routers, and other devices. When we buy these devices many of us take them home, or to the office, plug them in and they just work.
There are tons of articles out there now talking about the security breach at the OPM. One such article from the Wall Street Journal points out an attack vector coming in from a third party vendor. Wow.
I think in this day and age of computing there really is no excuse for when breaches occur. It’s one thing to have the latest and greatest tools in place and the right mix of human analysts looking the data over. It’s quite another to leave the doors open with old or outdated technology.
How does a government organization, or even a regular commercial business, get these things fixed? The answer is very simple. Criminalize the data loss and hold CEO’s or top government brass accountable; meaning they will be prosecuted for some kind of criminal liability.
Wouldn’t that change the focus on how information security is implemented? If you, as top boss, knew you could go to jail because you didn’t put enough of a priority on securing the data you work with, don’t you think you would make different decisions?
Here’s an example of borderless, worldwide crime. Remember the TJ Maxx data breach? More details are coming out. A couple details it brings to the top:
1. Location, location, location. Meaningless with digital crime. A worldwide reach is possible right to your backyard.
2. Wireless is a threat. Configure it properly. When done right it can work. Haphazardly…watch out.
Be smart people…from the Mom and Pop shops all the way up to the huge corporations. It doesn’t matter. Secure it.
I found this article on darkReading today. I just shake my head when I read about these kinds of things. Basically, a school in Pennsylvania had another data breach from a student at a life experienced age of 15. He thought it would be fun to sneak into the network and steal 55,000 PII information.
The interesting points in the story, as reported, are this: