Review the following article about a DDoS attack that leveraged webcams and DVRs
Question
Review the following article about a DDoS attack that leveraged webcams and DVRs (Internet of Things [IoT]): http://www.pcworld.com/article/3134056/hacking/an-iot-botnet-is-partly-behind-fridays-massive-ddos-attack.html Think about why these attacks may have been successful (Hint: Are vendors concerned about security at this price point and target audience?) What can be done to prevent similar attacks using the same types of devices? Do you think government regulation or law could help prevent DDoS attacks? Defend your answer.
Explanation / Answer
A. Why may the attack described in "An IoT botnet is partly behind Friday's massive DDoS attack" have been successful?
According to researchers at security firm Flashpoint, today's attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today's ongoing attack is built on the backs of hacked IoT devices, mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.
B. What can be done to prevent similar attacks using the same types of devices?
1. If You Need Remote Access, Implement Strong Device Authentication:
Mirai takes advantage of the worst aspects of device passwords: default passwords are rarely changed and are rarely unique, often reused across a batch of devices. OWASP has some great basic guidance on password policy for IoT device manufacturers that could help prevent this type of attack in the future, but we'd suggest looking beyond the password alone when considering strong authentication methods.
For example, PKI offers multiple benefits for strong device authentication. First, the technology is very difficult, if not technically infeasible, to spoof. Using it as part of the authentication process prevents dictionary-based authentication attacks, such as those used by Mirai.
PKI also gives you the ability to use unique authentication credentials for the authenticating entities (both device and service). At device build time, it is better to include unique device authentication credentials per device, rather than using shared or common authentication credentials for a range of devices. Even better is to leverage hardware security elements to protect the private keys on devices and prevent the credentials from being stolen or migrated off the devices themselves.
2. Consider Strong Authentication for Administrative Users and Services:
If you are going to enable login to the device itself for administrative purposes, either for a user or a service, you need to use stronger authentication methods there as well. One approach also involves using a PKI-based trust model. This is where the devices are built or provisioned with the trust anchor of a Certificate Authority, which enables the devices to leverage a stronger authentication method than just username and password for services to run.
3. Ensure Only Authorized Software and Firmware Updates:
As an additional layer of security, devices also should be configured with the logic to verify any software updates that are pushed from a service. This can help prevent untrusted software, like the malware in the Dyn attack, from being installed on the devices. This validation logic will be based on a trust anchor or root, which can be provisioned onto the device during the manufacturing process and will determine which software to trust prior to execution or installation.
C. Do you think government regulation or law could help prevent DDoS attacks?
The role of government in protecting consumers against these attacks should not tilt toward new legal mandates, a coalition of tech-focused companies, lobbying groups and think tanks contend. Instead, they argue, the government should work with the private sector and across borders to push standards and model best practices.
So, government regulation or law could help on some level but would not provide a permanent solution for this. Consumers themselves must take care of security to protect their own private information.