Draft U.S. government recommendations on ways to reduce the threat of automated botnets launching denial of service attacks and spreading malware are too weak, says a cyber security expert.
The report from the departments of Homeland Security and Commerce issued last week, “definitely did not go far enough,” John Pescatore, director of emerging security trends at the SANS Institute, said in an interview.
While he praised the report’s urging that manufacturers and end users follow best practices in cyber hygiene, Pescatore complained that much of it came down to “let’s do the same thing we’ve been doing, but more – more information sharing, government standards.”
Instead, he said the U.S. – and all governments around the world – should use their existing buying and regulatory power to force organizations to better use current technology and force makers of Internet of Things devices to tighten their security.
For example, Pescatore said, the report suggests Washington develop profiles for denial of service protection, then go to the private sector and say it should be providing denial of service protection services. “We (already) have denial of service protection services out there,” Pescatore said. “If the government were simply to say every government Web site that touches data or provides information to the public must use denial of service protection services, that would help drive the entire market to ensure they use those types of services.
“And if it said everyone who does business with the (U.S.) government over the Internet must also be using denial of service protection services that also would help. Instead what this report did is say, ‘OK, once we can write documents that would have a government definition of denial of service protection services, then we can talk about doing something.’”
As for IoT manufacturers, Pescatore said there’s no reason for more study. Most governments already have regulatory agencies covering a wide range of products from food to medical devices to transportation that have safety mandates. They should issue cyber security regulations as well, tailored for those industries.
Instead, he said, the report suggests an ecosystem-wide solution is needed. But “making a self-driving car as secure as a medical implant is impossible.”
Pescatore isn’t the first to say regulators have to do more to control IoT devices. U.S. digital security expert Bruce Schneier said much the same thing at last November’s SecTor conference in Toronto. It was also hotly debated at the RSA Conference.
The U.S. government will accept comments on the draft report until Feb. 12. It will then hold a two-day workshop starting Feb. 28 on honing the final report, which is expected to be handed to the President May 11.
Asked if Public Safety Canada has similar recommendations for fighting botnets, a spokesperson said in an email that the Communications Security Establishment (CSE), which is responsible for securing government networks, encourages federal departments and citizens to follow CSE’s Top 10 IT security actions. “This advice and guidance will help Canadians build a strong IT infrastructure and protect their networks.”
The U.S. report on promoting action against botnets and other automated threats was ordered on May 11, 2017 by President Donald Trump, who asked the departments to come up with a strategy to “dramatically” reduce the threats posed by automated and distributed denial of service (DDoS) attacks from botnets.
“With new botnets that capitalize on the sheer number of ‘Internet of Things’ (IoT) devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations,” the report says.
There is “an urgent need for coordination and collaboration across a diverse set of stakeholders,” says the report. There have been a number of largely U.S. industry initiatives – including the Industry Botnet Group and the Communications Security, Reliability and Interoperability Council’s (CSRIC) Anti-Bot Code of Conduct – but “the impacts have been incremental and significant challenges remain.”
The report came up with six conclusions:
– Automated, distributed attacks are a global problem. Increasing the resilience of the Internet and communications ecosystem against these threats will require coordinated action with international partners;
– Effective tools exist but are not widely used;
– Products should be secured during all stages of their lifecycle. Instead, many can’t be patched;
– Education and awareness are needed for consumers, manufacturers, enterprises and service providers;
– Market incentives are misaligned. Market incentives motivate product developers, manufacturers, and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates;
– Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.
One of the most interesting recommendations is the creation of a “customer-friendly” program to help brand more secure devices, like the Energy Star program for electronic gear.
The report notes there are many tools available – ingress and egress filtering, DDoS mitigation – but adds that “best practices are at times expensive, difficult to manage, and require skilled staff.”
Infrastructure providers across the board must develop a broad understanding of the benefits of shared defense approaches, it adds, and communities should work together to drive best practice adoption. “This work includes ubiquitous adoption of filtering at the interface with customer networks, including multi-tenant infrastructures such as cloud providers. Ideally, infrastructure providers should understand the current levels of attacks, maintain sufficient capacity to absorb realistically expected levels of malicious traffic, and communicate those capabilities to their customers.”
But it also says enterprises could do better. “Resources associated with enterprise networks have also been a significant factor in executing automated, distributed threats. Devices at enterprises, ranging from IoT devices to data center servers, have been compromised and incorporated into botnets. Poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks. Enterprise-operated routers that do not enforce ingress and egress filtering have facilitated attacks that featured address spoofing, allowing botnet participants to hide their true locations. In the special case of cloud providers, enterprise resources have been rented (usually with stolen credit cards) to quickly assemble significant botnets.”
“While enterprises typically have professional information technology (IT) operations staff, cybersecurity-specific expertise is often lacking. This challenge is often compounded by a similar lack of awareness among organizations’ decision makers, who are responsible for resourcing IT operations within their organizations or for overseeing the IT operations. IT operations teams are often unaware of the risks of open resolvers and other sources of attack amplification, or the importance of ingress and egress filtering. When ISPs report potential compromise to customers, they often find that the enterprise cannot identify or locate the compromised devices, and even if the enterprise can identify the devices, it may not have the tools or expertise to recover to a secure state. Enterprises may struggle to work collaboratively with service providers when under attack. Failure to implement basic backup procedures places enterprises at greater risk from ransomware attacks.
Enterprises can contribute to a more resilient ecosystem through a mix of current and emerging technologies, operational and procurement policies, and education and awareness for IT staff and decision makers.”
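The two enterprise-side failures the report singles out, routers that do not enforce ingress and egress filtering (so spoofed source addresses leave the network) and open DNS resolvers that amplify attack traffic, can be modelled in a few dozen lines. The following Python is an added example and is not code from the report or its authors. The prefixes (RFC 5737 documentation ranges), the packets, and the response sizes are constructed for illustration, and the 10x amplification threshold is an assumption, not a figure from the report.

```python
"""
Added example (not from the DHS/Commerce report): a minimal model of BCP 38 style
ingress/egress filtering against source-address spoofing, and of spotting an open
resolver being used for reflection/amplification. All addresses, prefixes, packet
sizes and the amplification threshold below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    length: int  # bytes on the wire


# Prefixes legitimately assigned to the enterprise (assumption: RFC 5737 ranges).
ENTERPRISE_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def _is_internal(addr, prefixes):
    """True when addr falls inside one of the enterprise's own prefixes."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def egress_filter(pkt, prefixes=ENTERPRISE_PREFIXES):
    """BCP 38 egress rule: a packet leaving the enterprise must carry a source
    address from one of the enterprise's own prefixes. Returns (allowed, reason)."""
    if _is_internal(pkt.src, prefixes):
        return True, "source inside assigned prefixes"
    return False, f"spoofed source {pkt.src} not in assigned prefixes"


def ingress_filter(pkt, prefixes=ENTERPRISE_PREFIXES):
    """Mirror rule at the border: a packet arriving from the Internet must not
    claim one of the enterprise's own addresses as its source."""
    if _is_internal(pkt.src, prefixes):
        return False, f"inbound packet claims internal source {pkt.src}"
    return True, "external source"


def find_reflection(pairs, prefixes=ENTERPRISE_PREFIXES, min_factor=10):
    """Given (query, response) pairs observed at a DNS server, flag exchanges where
    the client is outside the enterprise (the server is acting as an open resolver)
    and the response is at least min_factor times larger than the request
    (amplification). Returns a list of (client_ip, amplification_factor)."""
    findings = []
    for query, response in pairs:
        external_client = not _is_internal(query.src, prefixes)
        factor = response.length / query.length if query.length else 0.0
        if external_client and factor >= min_factor:
            findings.append((query.src, round(factor, 1)))
    return findings


# Constructed sample traffic (192.0.2.0/24 plays the role of "the Internet").
OUTBOUND = [
    Packet("198.51.100.23", "192.0.2.10", 64),  # legitimate: our own address
    Packet("192.0.2.77", "192.0.2.10", 64),     # spoofed: not one of our prefixes
]
INBOUND = [
    Packet("192.0.2.5", "198.51.100.1", 60),    # ordinary external client
    Packet("203.0.113.9", "198.51.100.1", 60),  # claims our address from outside
]
DNS_PAIRS = [
    # internal client, ordinary 64-byte query with a 120-byte answer
    (Packet("198.51.100.50", "198.51.100.53", 64),
     Packet("198.51.100.53", "198.51.100.50", 120)),
    # external client, 64-byte query answered with 3200 bytes: 50x amplification
    (Packet("192.0.2.200", "198.51.100.53", 64),
     Packet("198.51.100.53", "192.0.2.200", 3200)),
]

if __name__ == "__main__":
    for pkt in OUTBOUND:
        print("egress ", pkt.src, "->", pkt.dst, egress_filter(pkt))
    for pkt in INBOUND:
        print("ingress", pkt.src, "->", pkt.dst, ingress_filter(pkt))
    print("reflection findings:", find_reflection(DNS_PAIRS))
```

The egress rule is the one that stops an enterprise from contributing spoofed traffic to someone else’s attack; the ingress rule stops the mirror image. The reflection check is deliberately coarse: in practice the size ratio would be combined with the query type and a recursion flag, but even this ratio alone separates the internal lookup from the external client drawing 50x its request size out of the server.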
A step in the right direction would be for enterprises to adopt the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF), says the draft report.
As for edge devices, the draft report says broad technical advances are both possible and essential. “To be effective, these advances must be global, since the majority of Internet devices are located outside the United States. This global action will require globally accepted security standards and practices to be robust, widely understood, and applied ubiquitously. Those standards should be flexible, appropriately timed, open, voluntary, industry-driven, and global in nature.
“Devices must be able to resist attacks throughout their deployment lifecycles—at the time of shipment, during use, and through to end-of-life. For this to occur, security must become a primary design goal. Vendors must not ship products with known serious security flaws, must include a secure update mechanism, and must follow best current practices (e.g., no hard-coded passwords, disabling software features that are not critical to operation) for system configuration and administration. The expected period of use and duration of support must be clearly communicated to customers, and device manufacturers should maintain secure update services for the promised duration.”
In the future, says the report “purchasers, whether end consumers or sophisticated enterprises, should be better able to understand the basic security properties of connected devices.”
Both the U.S. government and international partners should conduct their technology and device procurement actions to create market incentives for more secure products, it adds, while recognizing the advantages of open, voluntary, industry-driven standards.
In conclusion it offers five goals:
–Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace. That includes establishing broadly accepted baseline security profiles for IoT devices in home and industrial applications, and promoting international adoption through bilateral arrangements and the use of international standards. The federal government should accelerate this process by adopting baseline security profiles for IoT devices in U.S. government environments.
At the same time stakeholders and subject matter experts, in consultation with NIST, should lead the development of a CSF Profile for Enterprise DDoS Prevention and Mitigation;
–Promote innovation in the infrastructure for dynamic adaptation to evolving threats. Internet service providers and their peering partners should expand current information sharing to achieve more timely and effective sharing of actionable threat information both domestically and globally;
–Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior;
–Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world;
–Increase awareness and education across the IoT ecosystem.