IoT Spells Trouble for Data Center Security, Networks

Even the largest servers, across the widest networks, with the best cybersecurity software in place can fall victim when attacks are done on the largest of scales.

Karen Riccio

March 14, 2017


The Internet of Things has gone from a concept not many people grasped clearly to a tangible, living and breathing phenomenon on the verge of changing the way we live—and the way data centers strategize for the future.

At the very least, data center managers had better develop new strategies for handling the IoT and all the data that could overwhelm current systems.

What does that volume of data look like? In the past five years, traffic volume has already increased fivefold, and according to a 2015 study by Cisco, annual global IP traffic will pass a zettabyte and surpass 1.6 zettabytes by 2018. Non-PC devices, expected to number twice the global population by that year, will generate more than half that traffic.

That spells trouble with a capital “T”. The global growth of data is creating the need for wider information networks and tightened security controls. Each new IoT device potentially creates a new point of vulnerability.

Next month, in a session at Data Center World titled Data Centers and IoT: There's No Such Thing as a Free Lunch, Chris Crosby, CEO of Compass Datacenters, will identify and discuss the problems associated with current networks in relation to the IoT. He will also present the framework for planning for IoT implementation from a security perspective and discuss the emerging security model that can enable IT to maintain network security while increasing the scope of IT implementations.

From a data center operations perspective, IoT translates into billions of tiny packets from billions of devices. Just a few short years ago, we would have referred to these as Denial of Service attacks, and now data center professionals must develop infrastructures that are able to process this information in real time or it loses its value, Crosby explained.

For example, he referred to how a company’s IoT-based, just-in-time inventory system would suffer serious consequences if there were very long delays in its ability to track the location and volume of component parts.

In order to prevent such delays, Crosby sees growth in more stratified structures in which data, and its processing component, are moving as close to user groups as possible in terms of edge and (small but growing) micro data centers.

“IoT is outstripping the capability of many in-place data centers and driving the evolution to more stratified architectures,” he said.

You might recall a recent and very real-world illustration of a cyberattack that harnessed the massive scale of IoT back on Oct. 21, 2016, when many of the 3 billion internet-addicted people across the globe weren't able to access social networks, download movies or do much of anything thanks to a DDoS attack. This attack was unlike others.

A DDoS, or Distributed Denial of Service attack, is usually achieved when a hacker (or group of hackers) bombards a server with so many requests in such a short amount of time that it simply crashes. It's no different than when a site crashes from too little bandwidth and too much traffic, only this is done intentionally. Even the largest servers, across the widest networks, with the best cybersecurity software in place can fall victim when attacks are done on the largest of scales.

One reason the hackers were able to affect so many websites is that they targeted an actual DNS (Domain Name System) provider, in this case a company called Dyn; otherwise it would be impossible to coordinate such a wide-scale attack.

That’s not the first time a DNS provider has been targeted and it probably won’t be the last.

And, while DDoS attacks have been around for quite some time, this latest one that brought down the likes of Amazon, Spotify, Netflix, PayPal, Twitter, and many others, had a new and very troubling nuance. Experts believe hackers tapped into all those intelligent devices connected to the Internet (IoT) to help pull off the massive outage.

The attack on Dyn was unique in that IoT devices – including Internet-facing cameras, home routers, baby monitors, and more – were used as part of tens of millions of IP addresses that were infected, connected to a malware-based botnet called Mirai, and then used to attack Dyn’s network of servers. Mirai used IoT devices in order to break into the millions of devices on the Internet, which are poorly guarded, rarely patched, and easy to commandeer with their default or easy-to-guess passwords. And there are a lot of IoT devices out there, and a lot of companies working on creating even more IoT devices.

But, the real story isn’t about the titans of the industry who were taken down in this attack – it’s about everyone else. Millions of other smaller domains were in this tsunami-sized path of digital destruction and businesses got crushed. Despite the associated risks, almost every CIO reading about the attack likely figures that these hackers "only go after the big guys" or "our company isn’t famous enough to get on a hacker’s radar" – think again.

A mid-year 2015 study by HP reported that of the 10 home-based devices it tested (including door locks, thermostats and TVs), 80 percent didn’t require strong passwords and 70 percent had security holes. In fact, the devices—some of which will be used in industrial settings—averaged 25 security flaws each.

Keep in mind, too, that this group of hackers wasn’t going specifically after money, or ransom, or personal identifications; they simply did it to upset the proverbial apple cart—and that they did. Internet outages still disrupt business and can be very costly.

According to Kaspersky’s “Global IT Security Risks Survey 2015 – DDoS Attacks” report, the average damage from an attack ranges from $52,000 to $444,000, depending on company size. Less quantifiable injuries include reputational damage and temporary loss of access to critical business information. Nearly 40 percent of those affected couldn’t perform their core functions. Additionally, one-third of the companies surveyed told Kaspersky they lost contracts and opportunities because of the attacks. Almost as many saw their credit rating decline, and 26 percent reported increased insurance premiums.

So, we’ve got nothing short of a crisis on our hands, one even bigger than originally suspected, and absolutely no budget constraints for what companies across every industry and private and public sectors can spend on securing our businesses, personal lives and national security.

In 2015, companies spent $75 billion on cybersecurity and lost $300 billion. According to Markets and Markets, IT security spending will soar to $101 billion in 2018 and hit $170 billion by 2020.

Data Center World - Global 2017 runs from April 3-6 at the Los Angeles Convention Center. For more information on the event and a detailed look at the educational sessions, visit datacenterworld.com.

A version of this article originally appeared on AFCOM.
