Improving device security, better coordination between infrastructure companies, and smarter procurement by businesses are all part of tackling the botnet menace, according to a US government report.
The snappily titled Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats report is the result of an executive order signed by President Donald Trump last May aimed at strengthening the cyber security of federal networks and critical infrastructure.
Botnets and the distributed denial of service (DDoS) attacks they deliver are a growing menace.
Traditional ways of dealing with DDoS effectively involved network providers building in excess capacity to absorb the impact of an attack. However, these incidents have grown in size to more than one terabit per second, far outstripping expected size and excess capacity.
On top of this, standard ways of dealing with DDoS are unable to stop other uses of botnets, such as spreading ransomware. And as botnets add insecure Internet of Things (IoT) devices to magnify their attacks, future incidents can only increase in scale and complexity.
The report from the Department of Homeland Security and the Department of Commerce highlights a number of changes that need to be made.
Infrastructure providers should share more data about evolving threats — especially with smaller, less well-funded, or niche players — and see what benefits come from a move to IPv6, the report said.
Enterprises need to isolate legacy devices and other devices that cannot be secured, deploy on- and off-premise DDoS mitigation services and rethink their network architectures.
Industry and law enforcement should work to find ways to coordinate more often and earlier to detect and prevent threat activity, and to manage incidents that take place.
Devices: the biggest threat
But the biggest section of the report deals with the threat from devices — PCs, smartphones and IoT devices which, it said, have often been designed without security in mind.
“Developers are either unaware of good security design practices, assume that the device will be inaccessible (e.g., on a local network inaccessible from the Internet), or want to avoid security solutions that impose additional cost, increase time to market, or make a device harder for consumers to use. The resulting design choices, such as hard-coded administrative passwords, create inherently insecure devices. In other cases, appropriate security controls are present but usability and user interfaces result in less-secure configurations.”
The report noted that software development result in — optimistically — a flaw every 2,000 lines of code, and many of these flaws create exploitable security vulnerabilities. Although modern servers, desktops, laptops, and smartphones offer significantly fewer opportunities for compromise, this is not the case with new classes of device.
“IoT devices are often sorely lacking in security-focused features. These systems now offer the most attractive target to malicious actors, and are an increasingly large percentage of the devices in the ecosystem,” the report warned.
Another problem is that modern devices are not the only ones connected to the internet: many legacy servers, desktops, laptops, and mobile phones in use today are no longer supported by their manufacturers, so their vulnerabilities cannot be easily addressed. Software piracy can run as high as 70 percent in China, and manufacturers typically restrict the distribution of security patches to systems running legally purchased software, so these systems cannot be secured against known vulnerabilities.
All of this needs to change, the report said.
“Devices must be able to resist attacks throughout their deployment lifecycles — at the time of shipment, during use, and through to end-of-life. For this to occur, security must become a primary design requirement. Vendors must not ship devices with known serious security flaws, must include a secure update mechanism, and must follow best current practices (e.g., no hard-coded passwords, disabling software features that are not critical to operation) for system configuration and administration. Vendors should disclose the minimum duration of support to customers, and device manufacturers should maintain secure update services for the promised duration.”
However, the report acknowledged that at the moment the economics of tech work against security: “Market incentives appear to exacerbate the problem. Product developers prioritize time to market and innovative functionality over security and resilience. Security features are not easily understood or communicated to the consumer, which makes it difficult to generate demand.”
The report said that change could start with the enterprise buyer, and — perhaps optimistically — argued: “The value proposition for better security will likely start in the enterprise environment due to its economies of scale; once there is a generally accepted security posture in a given product class, few manufacturers would be likely to ignore it.”