Nearly two weeks ago, a new type of attack was unleashed on the interwebs. Hackers breached hundreds of thousands of webcams and other devices across the globe with the intent to overload U.S.-based internet infrastructure provider Dyn, one of the most popular in the country. The attackers succeeded in flooding Dyn with so much traffic that it sputtered and faltered, causing major service interruptions to major websites including PayPal, Amazon, Spotify and Twitter. In a statement on the morning of the attack, Dyn officially told the world that it had suffered a global distributed denial of service (DDoS) attack on its DNS infrastructure. Hackers had overwhelmed Dyn's servers with useless data and repeated load requests, preventing useful data, such as Twitter IP addresses, from getting through. To put it simply, they took out chunks of the internet.
“The purpose of this attack is to overload the service in any way possible and make it stop working or be unreachable,” said Adam Surak, site reliability engineer at Algolia.com, to Business Insider at the time of the attacks. “In this case it was not Twitter or Github that got overloaded, those services work totally fine, but a service allowing you to reach them got overloaded.”
As part of the aftermath of the breaches, Chinese manufacturer Hangzhou Xiongmai Technology announced that approximately 10,000 targeted surveillance cameras sold in the United States will be recalled, specifically "all the circuit boards and components made by Hangzhou Xiongmai that go into webcams," according to a report on the BBC. In an article by Reuters, Liu Yuexin, Xiongmai’s marketing director, stated that the first focus of the company will be to recall surveillance cameras made in 2014 that monitor rooms or shops for personal use.
At this point, it’s not apparent which exact products or components the recall impacts, but experts have a few guesses. According to Business Insider, some of the company's older products don't require users to change the default password, making them “inherently susceptible to being hacked.” The U.S. Department of Homeland Security (DHS) is working with major communications service providers to develop a new set of “strategic principles” for securing internet-connected devices. The company may take further steps to beef up security by migrating to safer operating systems and adding further encryption, claims Fortune.
Experts and authorities have yet to identify the culprits of the attack, but the Director of U.S. National Intelligence, James Clapper, has ruled out foreign government involvement. Other intelligence and expert analyses point to the same conclusion. “The evidence that we have strongly suggests it is amateur, attention-motivated hackers,” said Allison Nixon, director of security research at Flashpoint.
As we mentioned in last week’s article covering the incident, the attack illustrates an opportunity for the channel to make a strong case to customers for building the proper protection into their systems. As more and more of the world becomes connected and the Internet of Things grows and grows, there are valuable upsell opportunities to provide security services for your customers. Now more than ever, it is vital to educate them on these types of attacks and safeguard their systems.
In other news this week, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) announced on Tuesday the availability of CyberSeek™, a free, interactive online tool available to anyone interested in the nation’s cybersecurity workforce: job seekers, employers, policy makers and those in the education and training communities.
CompTIA and partner Burning Glass created CyberSeek and a companion Career Pathway under a grant from the U.S. Department of Commerce. The interactive heat map displays supply and demand information on the cybersecurity workforce at the national, state and city levels. The career pathway details various scenarios on how a cybersecurity career may progress, from entry level to mid level to advanced positions.
Using Kansas City as an example, CyberSeek shows that in the past year there were 2,134 job openings and 6,829 employed workers. Those numbers represent a higher-than-average cybersecurity workforce supply compared to the rest of the country, but a lower concentration of cybersecurity job demand when stacked up against the national average. That’s where the CyberSeek tool comes in.
For employers seeking to move or expand operations, the CyberSeek “heat” map can help find locations with a large base of cybersecurity employees, and job seekers can hunt for job openings by the size of a metropolitan area. The interactive map is accompanied by the Career Pathway, a component that features valuable information on careers in cybersecurity, such as job titles, salaries, online job openings, in-demand skills, education and certifications.
“This interactive tool will assist its users—students, employees, employers, policy makers, training providers and guidance counselors—to explore opportunities they may have never considered,” said Rodney Petersen, director of the National Initiative for Cybersecurity Education (NICE), which funded development of the tool. “It can also help us to meet NICE’s goal of fostering a larger workforce to narrow the cybersecurity employment gap.”
Nice to know that there’s a tool out there helping connect qualified cybersecurity professionals with the ready and waiting and much needed positions out there. With a shortage of these types of professionals and the growing need and demand for them, this tool could be a game-changer.
To finish up the week, we take a look at findings from a recently released survey conducted by Accenture Plc. According to the survey of 2,000 security officers representing large enterprises worldwide, as reported by Bloomberg, “approximately one-third of targeted attempts to breach corporations’ cyber defenses succeed but three-quarters of executives remain unaccountably confident in their security strategies.” Wait, what?
This scarily high failure rate in successfully warding off and defending against attacks has a lot to do with the “sheer volume” of them, states the report, titled Building Confidence: Facing the Cybersecurity Conundrum. “On average, an organization will face more than a hundred focused and targeted breach attempts every year, and respondents say one in three of these will result in a successful security breach,” the report’s authors write. “That’s two to three effective attacks per month.” Yikes.
According to a forecast earlier this year by Omar Abbosh, Accenture’s chief strategy officer, businesses spend an absurd amount of money each year in this area - an estimated $84 billion to defend against data theft that costs them about $2 trillion. TRILLION. The report also states that if current trends continue, this number could rise to $90 trillion a year by 2030.
In the face of such staggering predictions, companies, even big ones, clearly cannot afford to turn a blind eye or be uninformed any longer. It’s time for a massive perception overhaul. “To survive in this contradictory and increasingly risky landscape, organizations need to reboot their approaches to cybersecurity,” state the authors of the report. “Ultimately, many remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact even as they continue to prioritize external initiatives that produce the lowest return on investment.”
The report authors emphasize that there is still way too much emphasis on just compliance. How many times have experts in the field harped on holistic, all-around solutions? “Just as adhering to generally accepted accounting principles does not ensure protection against financial fraud, cybersecurity compliance alone will not protect a company from successful incursions.” Time for this to sink in, folks. The consequences are too costly.