It’s Not Just Twitter’s Problem: What Insurers Need to Know about DDoS and the Snake in the IoT Garden of Eden
On Friday October 21 a massive Distributed Denial of Service (DDoS) attack made over 1,000 websites unreachable, including Twitter, Netflix and PayPal. Two cloud providers, Amazon Web Services and Heroku, reportedly also experienced periods of unavailability.
The attack was directed against a key part of the internet’s infrastructure, a domain name system provider, Dynamic Network Services aka Dyn. When a person enters a web address into a browser, such as google.com, the browser in turn needs an IP address (a string of numbers and periods) to actually connect with that web address. Domain name system providers are a critical source of IP addresses.
On Friday Dyn was the target of perhaps the largest ever DDoS, when its site was overcome by tens of millions of requests for IP addresses. Because Dyn could not provide the correct IP addresses for Twitter and the other affected sites, those sites became unreachable for much of the day.
It also appears that the DDoS was mounted using a widely available malware program called Mirai. Mirai searches the web for IoT-connected devices (such as digital video recorders and IP cameras) whose admin systems can be captured using simple default user names and passwords, such as ADMIN and 12345. Mirai can then mobilize those devices into a botnet which executes a directed DDoS attack.
There are a number of potentially serious implications for insurers:
- An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
- If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
- As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.
The Internet of Things will change insurance and society in many positive ways. But the means used to mount the October 21 attack highlight vulnerabilities that insurers must recognize as they build their IoT plans and initiatives.
Thanks for the insights, Donald. I have been thinking that we may have become too casual with the connected applications (I posted on risks to autonomous vehicles recently http://insurance-canada.ca/blog/2016/10/16/following-closely-cyberrisk-and-self-driving-cars/), and your thoughts help to reinforce the importance of understanding the risks throughout the chain.
In your post, you made mention that the availability of systems "may drop below acceptable levels". Do you know if there are standards for these levels and how they might be measured in the IoT world?