By: Henry Rademacher
The Council to Secure the Digital Economy, in collaboration with USTelecom and the Consumer Technology Association, has released its 2020 International Botnet and IoT Security Guide. The purpose of the guide is to “facilitate the mitigation of botnets and other automated, distributed threats through voluntary participation and collaboration among disparate stakeholders throughout the global internet and communications ecosystem.”
A botnet is “a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge.” Botnets can be used for a variety of malevolent objectives, including distributed denial of service (DDoS) attacks, theft of data, and the distribution of spam, malware, and spyware.
Botnets have become increasingly common in the past few years and represent a substantial threat to corporations and entities involved in the internet and communications ecosystems. Devices involved with Internet of Things (IoT) are frequently targeted by botnets, as attackers perceive these devices to be less secure than other potential targets.
In 2016, the notorious Mirai botnet shut down Twitter, Reddit, Netflix, and the entire country of Liberia. The Mirai botnet “took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic,” causing havoc and disruption across the internet. Since then, malicious actors have repeatedly used botnet attacks against a variety of targets, including schools, hospitals, businesses, and government agencies.
Businesses and other targeted entities have struggled to address the threat posed by botnets because they are constantly evolving and are generally aimed at the least secure sectors of the internet and communications economy. According to Diane Rinaldo, Acting Assistant Secretary of the National Telecommunications and Information Administration, “When it comes to securing infrastructure, our strategies need to evolve as our networks evolve.”
The CSDE International Botnet and IoT Security Guide 2020 provides a comprehensive set of guidelines to help entities involved in IoT mitigate their exposure to botnets and other threats. The section of the guide that deals with IoT devices is broken down into three sections, with a total of 16 subsections. The three main sections are titled Secure Development, Secure Capabilities, and Product Lifecycle Management.
The first section, Secure Development, features subsections dedicated to Secure Development Lifecycle Process and Security Focused Toolchain Use. The guide stresses that the development practices crucial to IoT device security are “not typically observable outside the organization” responsible for production.
Regarding the implementation of a Secure Development Lifecycle Process (SDL), the guide recommends that such a process include “threat identification and disposition; coding standards; 3rd party software requirements; software security controls and capabilities test and validation; and new vulnerability identification and handling.”
Regarding Security-Focused Toolchains, “collections of software or hardware that not only enable development, production, and management of products, but also have been designed to enhance the security of the end product,” the guide recommends that developers use tools capable of determining whether secure coding guidelines are being followed during development. These tools should also be able to search for “Common Vulnerabilities and Exposures (CVEs)” in order to get ahead of potential security issues.
The second section, Secure Capabilities, deals with “device capabilities that are typically observable properties of a device after shipping and installation.” This section is the most extensive, featuring subsections dedicated to: Device Identifiers, Secured Access, Protection of Data, Industry-Accepted Protocols, Data Validation, Event Logging, Cryptography, Patchability, Reprovisioning, Device Intent Signaling, and Device Network Onboarding.
The big takeaways from the second section relate to data, identification, and accessibility. The guide stresses that in some cases “important device properties may be found not in the device itself, but in a gateway or hub that is part of the overall structure.” In such deployments the gateway or hub is typically what connects the device to the internet, so any of the capabilities listed in the previous paragraph may be implemented in the hub or gateway rather than in the device itself.
The third section, Product Lifecycle Management, addresses “actively managing a product from conception through design, manufacturing, support and end-of-life.” Section 3 features subsections regarding Vulnerability Handling, EoL/EoS Updates and Disclosures, and Device Intent and Documentation.
The key takeaway from Section 3 is that, for security to be maximized, entities involved in IoT must remain vigilant throughout the entire process from “conception through design, manufacturing, support and end-of-life.” Entities involved in IoT are encouraged to have active processes designed to identify threats and vulnerabilities. Clearly defined processes should be in place to address any vulnerability concerns in the event they come up. Finally, the “designed and intended network usage” of a device should be clearly defined by its developer. This includes “ports, protocols, sites to be visited, expected data traffic levels, and communications with other devices.”
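The guide's “designed and intended network usage” only helps defenders if something compares it against what a device actually does on the network. The following is an added illustration, not code from the guide or this article: a hypothetical device-intent declaration (declared endpoints, permitted peer devices, an expected outbound traffic ceiling) and a checker that flags observed flows falling outside it. All hostnames, addresses and byte counts are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceIntent:
    """Hypothetical intent document a manufacturer would ship with a device."""
    allowed_endpoints: frozenset  # (protocol, destination, port) the device may use
    allowed_peers: frozenset      # other devices on the local network it may talk to
    max_bytes_per_hour: int       # expected upper bound on outbound traffic

@dataclass(frozen=True)
class Flow:
    """One observed outbound flow, e.g. from a gateway's flow log."""
    proto: str
    dst: str
    dport: int
    bytes_out: int

def check_flows(intent, flows):
    """Return (flow, reason) pairs for observations that violate the intent.
    A volume violation is reported once, with flow=None, after all flows."""
    violations = []
    total = 0
    for f in flows:
        total += f.bytes_out
        if f.dst in intent.allowed_peers:
            continue  # device-to-device traffic the intent explicitly permits
        if (f.proto, f.dst, f.dport) not in intent.allowed_endpoints:
            violations.append((f, "endpoint not in declared intent"))
    if total > intent.max_bytes_per_hour:
        violations.append((None, f"outbound volume {total} exceeds expected "
                                 f"{intent.max_bytes_per_hour}"))
    return violations

# Constructed intent for an imaginary IP camera: firmware checks over HTTPS,
# NTP, and MQTT to a local hub at 192.0.2.10 (TEST-NET address).
CAMERA_INTENT = DeviceIntent(
    allowed_endpoints=frozenset({("tcp", "firmware.vendor.invalid", 443),
                                 ("udp", "ntp.vendor.invalid", 123)}),
    allowed_peers=frozenset({"192.0.2.10"}),
    max_bytes_per_hour=50_000_000,
)

# Constructed flow records: three expected flows, then two that a
# compromised device might produce (an undeclared port and a traffic surge).
SAMPLE_FLOWS = [
    Flow("tcp", "firmware.vendor.invalid", 443, 120_000),
    Flow("udp", "ntp.vendor.invalid", 123, 400),
    Flow("tcp", "192.0.2.10", 8883, 30_000),
    Flow("tcp", "198.51.100.7", 23, 2_000),
    Flow("udp", "203.0.113.5", 53, 80_000_000),
]
```

Running `check_flows(CAMERA_INTENT, SAMPLE_FLOWS)` reports the two undeclared endpoints and the hourly volume overrun; in practice the intent would be read from a manufacturer-supplied document and the flows from a hub or gateway log.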
The 2020 International Botnet and IoT Security Guide features information valuable to all entities involved in the internet and communications industries. It is especially valuable for entities dealing with IoT, as they have been a frequent target of botnet attacks in recent years. The implementation of 5G is likely to result in increased botnet activity, at least in the early stages. Therefore, information regarding security and threat mitigation related to IoT devices will be in high demand in the near future.
Photo Credit: Tecnomovida Caracas (flickr)